Forum Discussion

ArielBen
Copper Contributor
Dec 19, 2022

Aggressive AD Event Log Forwarding

Hi,

Recently we noticed that the DCs send something like 30 GB of SecurityEvent to Azure Sentinel.

The normal usage in the last year was 8-10 GB, and now it is over 30 GB!!!

My question is: can the audit log for Defender for Identity be causing that?

THX

Ariel

1 Reply

    andre4000
    Copper Contributor

    ArielBen Probably MDI is not to blame.

    But you can do some quick KQL queries in Sentinel to see which EventID is causing the most noise:

    SecurityEvent
    | summarize count() by EventID
    | sort by count_ desc

    or

    SecurityEvent
    | summarize count() by Computer
    | sort by count_ desc

    Once you have identified the source of the noise, and you are sure you don't need the specific logs - then you can either disable the logging locally or use transformations to filter it at ingest time: https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/data-collection-transformations


    Hope that helps.
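To take the reply's advice one step further, the following is an added set of KQL queries (not part of the original thread) that measures billed volume rather than event count, which is what the 30 GB figure actually reflects, plus a sketch of the ingest-time transformation the reply links to. It assumes the standard SecurityEvent table in a Log Analytics workspace with its built-in _BilledSize and _IsBillable columns; the event IDs in the transformation filter are placeholders to be replaced with whatever the first queries surface.

```kusto
// Added example, not from the original thread. Assumes the standard
// SecurityEvent table in Log Analytics; _BilledSize and _IsBillable are
// built-in columns present on every Log Analytics table.

// 1. Billed gigabytes per EventID over the last 7 days. A pure count can
//    mislead: a few verbose events (large XML payloads) can cost more than
//    many small ones, so sort by bytes and also show the average event size.
SecurityEvent
| where TimeGenerated > ago(7d)
| where _IsBillable == true
| summarize Events = count(), BilledGB = round(sum(_BilledSize) / 1e9, 2) by EventID
| extend AvgBytesPerEvent = round(BilledGB * 1e9 / Events, 0)
| order by BilledGB desc
| take 20

// 2. Same breakdown per domain controller and EventID, to check whether one
//    DC (or one audit subcategory enabled only on it) is responsible.
SecurityEvent
| where TimeGenerated > ago(7d)
| where _IsBillable == true
| summarize BilledGB = round(sum(_BilledSize) / 1e9, 2) by Computer, EventID
| order by BilledGB desc
| take 20

// 3. Daily volume for the last 60 days, to pin down the day the jump started
//    so it can be correlated with an audit-policy or agent change on the DCs.
SecurityEvent
| where TimeGenerated > ago(60d)
| where _IsBillable == true
| summarize BilledGB = round(sum(_BilledSize) / 1e9, 2) by bin(TimeGenerated, 1d)
| render timechart

// 4. Ingest-time filter for a data collection rule transformation (the
//    "transformations" link in the reply). In a DCR transformation the input
//    stream is always named `source`. The event IDs below are PLACEHOLDERS:
//    substitute the ones query 1 shows you can live without.
source
| where EventID !in (1111, 2222)
```

Query 4 is the value of the DCR's transformKql property, applied to the SecurityEvent stream; events it drops are never written to the workspace. Before dropping anything, confirm that no Sentinel analytics rule or hunting query depends on those event IDs, and, since the original question is about Defender for Identity, that the IDs are not among the audit events MDI's documented prerequisites require the DCs to produce.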