You can overcome this by combining list, like blacklist1 and 2 can combine to 1 like this. blacklist1 = EventCode="566|4662" Message="Object Type:\s+(?!groupPolicyContainer)" ... View more

@DJAXX03 - Were you able to test out jkat54 solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks! ... View more

Hi, we noticed that in the code the timestamp (largest_partition_key) is initialized to 0. When the query return no entities (by the fact that we are analyzing a limited time range without any security event), the timestamp is not updated and remain equal to 0. What we have done, as I workaround, is comment on the following part in the code: [row 369 - save_checkpoint(checkpoint_dir, checkpoint_file_name, json.dumps(jsonMarker))], in order to avoid that a timestamp=0 will be saved as a checkpoint. The checkpoint is updated only when the query collects some events and return the last timestamp read. ... View more