Ingestion of Security Events

Eugene Golovanyuk 0 Reputation points
2024-06-10T20:35:10.7766667+00:00

Good afternoon,

Was not sure if anyone else has seen this before. We have a few clients that are getting abnormal ingestion of security events coming from the DC. Event ID 4661 in this case. We don't want to disable the event as it is important but we do not want azure to ingest this event as it drives up costs dramatically. Does anyone know of a way to disable ingestion for just a certain event?

Thank you!

Azure Event Hubs
Azure Event Hubs
An Azure real-time data ingestion service.
581 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,766 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. akinbade abiola 5,870 Reputation points
    2024-06-10T22:06:55.27+00:00

    Hello Eugene,

    Thanks for your question.

    You can pick a granular auditing by using “Advance Audit Policy – Audit Object Access”.

    You can stop Audit logging for SAM task category by using the below command:

    auditpol /set /subcategory:"SAM" /success:disable /failure:disable

    See:

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events

    Regards,

    You can mark it 'Accept Answer' if this helped.


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more