This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 90%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
We ingest security log to sentinel. Is there any way to filter out event ID 4662 from Sentinel ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Thank you for reaching out to us.
AMA agent allows to make filtering with DCR rules. need to use Windows Security Events connector and configure collection according to the needs.
Refer to this article:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369
Let me know if you have any questions.
There are a few options. You can set your data collection tier to minimal. You can also update your local audit policies.
I assume you are seeing a high volume of object access events on file servers. You could use DCR rules with the new AMA agent filter specific events. This rule could also be scoped to the file servers. Lastly there is a new ingestion-time filtering option that may work.
https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/ingestion-time-transformations