Excluding specific events from log analytics agent (Windows)


Hello everyone,

We are in the phase of creating a PoC to possibly replace our SIEM. So far I believe we have done a good job presenting the capabilities of Sentinel. However, there is one main issue for us right now, which is not being able to find a solution to log noise. We have Log Analytics Agents deployed on our on-prem servers and workstations. Installation was really straightforward and we have chosen the "common" events filter instead of all events. We have tried all events, but AppLocker events were too noisy to handle (increasing the cost as well).

However, since we have deployed agents into another network zone, we have seen a single Windows event constantly triggering (90% of the log usage is coming from this one event). I have tried looking at the documentation to see if we are able to exclude specific events from being collected, but I have had no luck so far. Although I did see you can do this with agents installed on Azure VMs, nothing about on-prem servers.

Below is the event we would like to exclude:

[screenshot: example.PNG]

3 Replies
To filter at the client, you'll need to use the new AMA client.

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent

For on-prem installations, the system must have Azure Arc installed and enabled.

I believe this only applies to VMs on Azure. I was talking about the on-premises servers. I checked your link, but all I see is Azure Virtual Machines being mentioned.

Yes, but if you read deeper, it talks about working for on-premises servers, but Azure Arc is required to be installed. I call it out a bit better at the bottom of my blog post: https://azurecloudai.blog/2021/06/14/how-to-limit-what-azure-sentinel-collects-from-windows-systems/
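As an added illustration (not code from the thread or from Microsoft), this is the shape of the client-side exclusion the replies point to: an XPath filter carried in an Azure Monitor Agent data collection rule, checked locally first with Get-WinEvent. The Event ID (`$NoisyEventId`), the data-source name and the choice of the Security log are placeholders, since the real event is only visible in the screenshot.

```powershell
# Added example, not from the thread. $NoisyEventId is a placeholder:
# substitute the Event ID shown in the original screenshot.
$NoisyEventId = 9999

# DCR "Windows event log" data-source syntax is "<LogName>!<XPath>".
# This collects every Security event except the one noisy Event ID.
$XPath = "Security!*[System[EventID!=$NoisyEventId]]"

# Validate the filter on the host before putting it in a DCR.
# Get-WinEvent wants the log name and the XPath separately.
$LogName, $Query = $XPath -split '!', 2
Get-WinEvent -LogName $LogName -FilterXPath $Query -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# Equivalent dataSources.windowsEventLogs fragment for the rule (ARM/JSON).
# 'Microsoft-SecurityEvent' is the stream the Sentinel Security Events
# via AMA connector uses; the data-source name is arbitrary.
$dcrDataSource = @{
    windowsEventLogs = @(
        @{
            name         = 'securityWithoutNoisyEvent'   # placeholder name
            streams      = @('Microsoft-SecurityEvent')
            xPathQueries = @($XPath)
        }
    )
}
$dcrDataSource | ConvertTo-Json -Depth 5
```

For the on-prem machines in the question, the DCR only takes effect once the host is onboarded to Azure Arc and has AMA installed, as the last reply notes.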