Dec 19 2022 02:23 AM
Hi,
Lately we noticed that the DCs send something like 30 GB of SecurityEvent to Azure Sentinel.
The normal usage over the last year was 8-10 GB, and now it is over 30 GB!!!
My question is: can the audit logging for Defender for Identity be causing that?
THX
Ariel
Jan 04 2023 07:01 AM
@ArielBen It's probably not MDI that's to blame.
But you can run some quick KQL queries in Sentinel to see which EventID is causing the most noise:
SecurityEvent
| summarize count() by EventID
| sort by count_ desc
or
SecurityEvent
| summarize count() by Computer
| sort by count_ desc
Once you have identified the source of the noise, and you are sure you don't need those specific logs, you can either disable the logging locally or use transformations to filter it at ingest time: https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/data-collection-transformations
Hope that helps.
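As an added example (not code from either poster), the two steps in the answer above can be carried through with size rather than just event counts: the first query compares billed SecurityEvent volume per EventID in the last 30 days against the 30 days before, so the rows with the largest DeltaGB are the ones that explain a jump from ~10 GB to ~30 GB; the second snippet is the shape of a data collection rule transformation that drops those rows at ingest. `_BilledSize` and `_IsBillable` are standard Log Analytics columns; the 30-day windows, the 20-row cut-off and the EventIDs 5156/5158 (Windows Filtering Platform connection events, a common source of SecurityEvent volume) are assumptions chosen for illustration, to be replaced with whatever the first query actually surfaces.

```kql
// Step 1 (run in the Sentinel / Log Analytics query editor, added example):
// per-EventID billed volume, last 30 days vs. the 30 days before, in GB.
// Only billable rows are counted so the numbers line up with the usage meter.
SecurityEvent
| where TimeGenerated > ago(60d) and _IsBillable
| summarize
    Prior30dGB = sumif(_BilledSize, TimeGenerated <= ago(30d)) / pow(1024.0, 3),
    Last30dGB  = sumif(_BilledSize, TimeGenerated >  ago(30d)) / pow(1024.0, 3),
    Computers  = dcount(Computer)
    by EventID, Activity
| extend DeltaGB = round(Last30dGB - Prior30dGB, 2)
| project EventID, Activity, Computers,
          Prior30dGB = round(Prior30dGB, 2), Last30dGB = round(Last30dGB, 2), DeltaGB
| sort by DeltaGB desc
| take 20   // assumed cut-off: the top 20 growers are normally enough

// Step 2 (goes in the transformKql property of the DCR that feeds SecurityEvent,
// not in the query editor): drop the noisy EventIDs before they are stored.
// 5156/5158 are placeholders for the IDs step 1 identified.
source
| where not(EventID in (5156, 5158))
```

Two caveats worth keeping in mind: rows removed by a transformation are never stored, so check that no analytic rule or hunting query depends on the EventIDs being dropped, and if an event is not needed at all, turning it off in the DCs' audit policy is cheaper still, since a transformation only saves the cost of rows it filters after they have already left the host.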