Configure Log Analytics Agent - Log Level Defender for Cloud

Trandum, Sindre 20 Reputation points
Jul 3, 2023, 12:04 PM

Hi!

We are using Log Analytics Agents to collect and store data in a Log Analytics workspace. I wanted to test adjusting the log levels for security events. The current level is "All Events" - I wanted to try to reduce this, as we see a lot of informational events (8002 AppLocker, for example) that we would like to stop ingesting into our workspace.

First I went to Sentinel, then 'Data connectors' and 'Security Events via Legacy Agent' (lots of SecurityEvents received). On the connector page the option to change which events to stream is greyed out. The setting is set to 'none'. A message reads: "Security Events tier configuration is shared with Microsoft Defender for Cloud and was already configured there for this workspace. Change the tier in Microsoft Defender for Cloud and it will apply for Microsoft Sentinel as well. Note that Security events will be collected once and used in both solutions."

In Defender for Cloud - Environmental Settings - "Example Subscription" for component Log Analytics agent: Security events: All Events.

After pressing "Edit configuration" there is a drop-down menu with the setting All Events selected. The menu is greyed out. A message reads:
To help audit, investigate, and analyze threats, you can collect raw events, logs, and additional security data and save it to your Log Analytics workspace. Select the level of data to store for this workspace. Charges will apply for all settings other than “None”. Available for premium tier only.

Question: Which premium tier is that referencing?

Is it possible to change this setting to reduce the number of SecurityEvents? If we want to exclude a specific EventID - is this possible?

The Log Analytics Agents will be replaced with AMA, but I wanted to change the current settings if possible.

Thanks in advance. -S


Accepted answer
    JamesTran-MSFT 36,851 Reputation points Microsoft Employee
    Jul 5, 2023, 9:29 PM

    @Trandum, Sindre

    Thank you for your post!

    I understand that you're using the Log Analytics agent to collect data from Microsoft Defender for Cloud, and when adjusting the number of events collected to help reduce your overall volume, you're running into some issues. To ensure I fully understand your issue and hopefully help point you in the right direction, I'll share a summary along with my findings below.

    Summary:

    • You're using the Log Analytics Agent to collect and store data in a Log Analytics workspace.
    • Initially, you went to your Microsoft Sentinel Data Connectors page, specifically the Security Events via Legacy Agent connector. Within the Connector page you noticed the setting is set to "none" and a message directing you to change the tier within Microsoft Defender for Cloud.
    • After navigating to Microsoft Defender for Cloud to change the Environmental Settings for your selected Subscription, you noticed the drop-down menu greyed out with "All Events" selected and another informational message.

    User's image


    Findings:

    • From my understanding, when it comes to the message - "Available for premium tier only", this should be specifically referring to your Log Analytics workspace. For more info.
    • When changing the Security Event options within my tenant, I wasn't able to fully reproduce your issue since I enabled this from my Sentinel Connector Page. However, to further troubleshoot your issue, can you try to change / set your security event options at the workspace level?

    Note: Navigating to the workspace itself should provide you with a more detailed message specific to that workspace as shown in my screenshot below.

    User's image

    Additional Links:

    I hope this helps! If you're still having issues and would like to work with our support team through a one-time free technical support request, please let me know.

    Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
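Before changing the collection tier, a practitioner would want to know which EventIDs actually dominate the ingested volume. The following KQL query is an added example, not part of the original question or answer; it assumes the standard SecurityEvent table with its EventID, Channel and Activity columns and the per-row _BilledSize metadata column (size in bytes). The 7-day window and the top-20 cut-off are arbitrary choices.

```kusto
// Added example (not from the post): rank SecurityEvent ingestion by EventID so that
// noisy informational events (such as the AppLocker 8002 events mentioned in the
// question) can be quantified before the Security Events tier is changed.
// Assumes the standard SecurityEvent table; _BilledSize is the billed size in bytes.
let window = 7d;                                   // lookback window: an assumption
let totalMB = toscalar(
    SecurityEvent
    | where TimeGenerated > ago(window)
    | summarize Total = sum(_BilledSize) / 1048576.0);
SecurityEvent
| where TimeGenerated > ago(window)
| summarize Rows = count(),
            BilledMB = round(sum(_BilledSize) / 1048576.0, 2)
          by EventID, Channel, Activity
| extend PercentOfTotal = round(100.0 * BilledMB / totalMB, 2)
| order by BilledMB desc
| take 20                                          // show only the 20 largest contributors
```

The result shows, per EventID, how many rows were ingested and what share of the workspace's SecurityEvent cost they represent, which is the input needed to decide whether a lower tier (Common or Minimal) would remove the noise or whether a per-EventID filter is required. Note that the legacy agent's tier setting only offers the None/Minimal/Common/All levels; per-EventID filtering is what the AMA data collection rules provide through custom XPath queries, which is relevant given the planned migration mentioned in the question.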
