Is there any way to filter out specified security event ID from Sentinel

vivek8647 41 Reputation points
2022-03-26T11:26:32.077+00:00

We ingest security log to sentinel. Is there any way to filter out event ID 4662 from Sentinel ?

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,232 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,019 questions
0 comments No comments
{count} votes

Accepted answer
  1. Givary-MSFT 29,341 Reputation points Microsoft Employee
    2022-03-28T03:09:57.077+00:00

    @vivek8647

    Thank you for reaching out to us.

    AMA agent allows to make filtering with DCR rules. need to use Windows Security Events connector and configure collection according to the needs.

    Refer to this article:
    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369

    Let me know if you have any questions.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2022-03-26T15:46:57.103+00:00

    There are a few options. You can set your data collection tier to minimal. You can also update your local audit policies.

    I assume you are seeing a high volume of object access events on file servers. You could use DCR rules with the new AMA agent filter specific events. This rule could also be scoped to the file servers. Lastly there is a new ingestion-time filtering option that may work.

    https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/ingestion-time-transformations

    0 comments No comments