I have tried the following to send the included windows event to null but it does not work I have tried the props.conf and transform.conf in system\local and apps\"appname"\local raw event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-02-22T16:39:16.083750800Z'/><EventRecordID>18650882160</EventRecordID><Correlation/><Execution ProcessID='2496' ThreadID='3780'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>site-wec.site.lan</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>SetValue</Data><Data Name='UtcTime'>2023-02-22 16:39:16.081</Data><Data Name='ProcessGuid'>{4bf925e4-0d0b-63e5-4100-000000002000}</Data><Data Name='ProcessId'>2688</Data><Data Name='Image'>C:\Windows\system32\svchost.exe</Data><Data Name='TargetObject'>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\Sysmon\EventSources\site-wec.site.lan\Bookmark</Data><Data Name='Details'>&lt;BookmarkList&gt;&lt;Bookmark Channel="Microsoft-Windows-Sysmon/Operational" RecordId="18650811531" IsCurrent="true"/&gt;&lt;/BookmarkList&gt;</Data><Data Name='User'>NT AUTHORITY\NETWORK SERVICE</Data></EventData></Event>   props.conf [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark transforms.conf [sysmon13-Bookmark] REGEX = (<EventID>13<\/EventID>).+Bookmark DEST_KEY = queue FORMAT = nullQueue ... View more