Dec 19 2022
In the past few, we noticed that the DCs send something like 30GB of SecurityEvent to Azure Sentinel.
The normal usage in the last year is 8-10 GB and now it is over 30GB!!!
My question is: can the audit log for Defender for Identity be causing that?
Jan 04 2023
@ArielBen Probably not MDI to blame.
But you can do some quick KQL queries in Sentinel to see which EventID is causing the most noise:
// Which EventID produces the most rows
SecurityEvent
| summarize count() by EventID
| sort by count_ desc

// Which DC produces the most rows
SecurityEvent
| summarize count() by Computer
Once you have identified the source of the noise, and you are sure you don't need the specific logs - then you can either disable the logging locally or use transformations to filter it at ingest time: https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/data-collection-transformations
Hope that helps.
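To go from row counts to the actual GB figures the question is about, here is an added example (not from either poster) that sizes SecurityEvent ingestion with the Log Analytics `_BilledSize` column (bytes per row) by day and by EventID per DC, and then shows the shape of a DCR `transformKql` that drops a confirmed-noisy event at ingest time. The three queries are run separately; the EventID 9999 in the transformation is a placeholder, not a finding from this thread.

```kql
// 1. Date the jump: daily ingested volume in GB over the last 90 days.
//    _BilledSize is the per-row billed size in bytes; exp2(30) converts to GiB.
SecurityEvent
| where TimeGenerated > ago(90d)
| summarize GB = round(sum(_BilledSize) / exp2(30), 2) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

// 2. Attribute the volume: which EventID on which DC carries the bytes,
//    with the row count alongside so a few huge events are not missed.
SecurityEvent
| where TimeGenerated > ago(30d)
| summarize GB = round(sum(_BilledSize) / exp2(30), 2), Rows = count()
    by EventID, Computer
| top 20 by GB desc

// 3. Ingest-time filter for the data collection rule feeding SecurityEvent
//    (transformKql). The input stream is always called 'source'. Apply only
//    after confirming the event is not needed for detection or investigation.
//    9999 is a placeholder EventID for this example.
source
| where EventID != 9999
```

Rows dropped by the transformation never reach the workspace, so keep the pre-filter baseline from query 1 for comparison after the rule is applied.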