Forum Discussion
ArielBen
Dec 19, 2022, Copper Contributor
Aggressive AD Event Log Forwarding
Hi, in the past few we noticed that the DCs send something like 30GB of SecurityEvent to Azure Sentinel. The normal usage in the last year is 8-10 GB and now it is over 30GB!!! My question...
andre4000
Jan 04, 2023, Copper Contributor
ArielBen, probably not MDI to blame.
But you can do some quick KQL queries in Sentinel to see which EventID is causing the most noise:
SecurityEvent
| summarize count() by EventID
| sort by count_ desc
or
SecurityEvent
| summarize count() by Computer
| sort by count_ desc
Once you have identified the source of the noise, and you are sure you don't need the specific logs - then you can either disable the logging locally or use transformations to filter it at ingest time: https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/data-collection-transformations
Hope that helps.
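As an added example (not from the thread or either poster), the two queries below extend the idea above: row counts hide the fact that Sentinel bills per byte, so ranking by the `_BilledSize` column (assumed available in the workspace) shows which EventID and which DC actually drove the jump, and a week-over-week comparison isolates the change. The trailing transformation fragment is the ingest-time filter the answer links to; the event IDs in it are constructed placeholders, not a recommendation.

```kusto
// 1. Volume by bytes, not by count, for the last 7 days.
//    _BilledSize is the per-row billed size in bytes.
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize Events = count(), GB = round(sum(_BilledSize) / 1e9, 2) by EventID, Computer
| top 20 by GB desc

// 2. Week-over-week delta per EventID: which event types grew.
let recent = SecurityEvent
    | where TimeGenerated > ago(7d)
    | summarize RecentGB = sum(_BilledSize) / 1e9 by EventID;
let baseline = SecurityEvent
    | where TimeGenerated between (ago(14d) .. ago(7d))
    | summarize BaselineGB = sum(_BilledSize) / 1e9 by EventID;
recent
| join kind=fullouter baseline on EventID
| extend EventID = coalesce(EventID, EventID1)
| project EventID,
          BaselineGB = round(coalesce(BaselineGB, 0.0), 2),
          RecentGB   = round(coalesce(RecentGB, 0.0), 2),
          DeltaGB    = round(coalesce(RecentGB, 0.0) - coalesce(BaselineGB, 0.0), 2)
| order by DeltaGB desc

// 3. Ingest-time filter for a Data Collection Rule's transformKql, to apply only
//    after confirming the dropped events are not needed for detection or audit.
//    4662 and 5145 are placeholder IDs; substitute the ones identified above.
source
| where EventID !in (4662, 5145)
```

Run queries 1 and 2 in the Sentinel Logs blade; paste fragment 3 into the DCR transformation, where the input table is always referenced as `source`.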