Aggressive AD Event Log Forwarding



In the past few, we noticed that the DCs send something like 30 GB of SecurityEvent to Azure Sentinel.

The normal usage in the last year is 8-10 GB and now it is over 30 GB!!!

My question is: can the audit log for Defender for Identity be causing that?



1 Reply

@ArielBen Probably not MDI to blame.


But you can run some quick KQL queries in Sentinel to see which EventID is causing the most noise:


SecurityEvent
| summarize count() by EventID
| sort by count_ desc

SecurityEvent
| summarize count() by Computer
| sort by count_ desc


Once you have identified the source of the noise, and you are sure you don't need the specific logs, then you can either disable the logging locally or use transformations to filter it at ingest time:


Hope that helps.
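As an added example (not from the reply author), a KQL query that ranks event IDs by billed ingestion volume rather than row count and shows the change against the previous 30 days, which is what a jump from 8-10 GB to 30 GB calls for. It assumes the standard `SecurityEvent` table and the Log Analytics `_BilledSize` per-row column; the 30-day windows are an assumption.

```kql
// Added example: which EventIDs grew in ingested volume (GB) over the last 30 days
// compared with the 30 days before. Assumes the SecurityEvent table and _BilledSize.
let recent = SecurityEvent
    | where TimeGenerated > ago(30d)
    | summarize RecentCount = count(),
                RecentGB = round(sum(_BilledSize) / 1e9, 2) by EventID;
let previous = SecurityEvent
    | where TimeGenerated between (ago(60d) .. ago(30d))
    | summarize PreviousGB = round(sum(_BilledSize) / 1e9, 2) by EventID;
recent
| join kind=leftouter previous on EventID
| extend PreviousGB = coalesce(PreviousGB, 0.0)   // EventIDs new this period had no prior volume
| extend GrowthGB = RecentGB - PreviousGB
| project EventID, RecentCount, RecentGB, PreviousGB, GrowthGB
| top 15 by GrowthGB desc
// Same idea per domain controller: summarize ... by Computer instead of EventID.
// Once a noisy EventID is confirmed unneeded, an ingestion-time DCR transformation
// would read, e.g.:  source | where not(EventID in (<noisy ids found above>))
```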