Aggressive AD Event Log Forwarding


Hi,

Recently we noticed that the DCs send something like 30 GB of SecurityEvent data to Azure Sentinel.

The normal usage over the last year was 8-10 GB, and now it is over 30 GB!!!

My question is: can the audit log for Defender for Identity be causing that?

THX

Ariel

1 Reply

@ArielBen Probably not MDI to blame.


But you can do some quick KQL queries in Sentinel to see which EventID is causing the most noise:


SecurityEvent
| summarize count() by EventID
| sort by count_ desc


or 


SecurityEvent
| summarize count() by Computer
| sort by count_ desc


Once you have identified the source of the noise, and you are sure you don't need the specific logs - then you can either disable the logging locally or use transformations to filter it at ingest time: https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/data-collection-transformations


Hope that helps.
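Building on the queries in the reply above, here is an added example (not from the original thread or from Microsoft's documentation) that weights the breakdown by ingested bytes rather than event count, which is what matters when the question is a jump from 8-10 GB to 30 GB. It assumes the built-in `_BilledSize` column (bytes billed per record) is present in the SecurityEvent table, and the ingest-time filter at the end uses a labelled placeholder for the event ID you identify; nothing in it names a specific noisy event.

```kusto
// Added example, not part of the original post.
// 1) Which EventID on which domain controller accounts for the most ingested
//    volume in the last 30 days. _BilledSize is the per-record billed size in
//    bytes, so summing it gives the actual GB behind the bill rather than a
//    raw event count (one verbose event type can dwarf many small ones).
SecurityEvent
| where TimeGenerated > ago(30d)
| summarize Events = count(),
            IngestedGB = round(sum(_BilledSize) / 1024.0 / 1024.0 / 1024.0, 2)
          by EventID, Computer
| top 20 by IngestedGB desc

// 2) Daily volume per EventID, to see on which day the growth started and
//    whether it tracks a configuration change (e.g. a new audit policy).
SecurityEvent
| where TimeGenerated > ago(60d)
| summarize IngestedGB = sum(_BilledSize) / 1024.0 / 1024.0 / 1024.0
          by bin(TimeGenerated, 1d), EventID
| render timechart

// 3) Body of a data collection rule transformation (transformKql) that drops
//    one event type at ingest time. In a DCR the incoming stream is always
//    named "source". Replace the placeholder with the EventID found in (1)
//    only after confirming no detection rule or investigation depends on it.
source
| where EventID != <NOISY_EVENT_ID_PLACEHOLDER>
```

The first two queries run as-is in the Sentinel Logs blade; the third is only the `transformKql` string and goes into the DCR attached to the Security Events connector, as described in the transformations link above. Filtering at ingest reduces cost but also removes the data from the workspace entirely, so disabling the audit subcategory locally (query 1 tells you on which DCs) is the cleaner fix when the events are not needed at all.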