We recently added Exchange 2016 to our Exchange environment and moved all mailboxes/public folders to it.
We have a universal forwarder installed on it and are getting a lot more security events forwarded to Splunk than the old Exchange 2010 server (from 4k per hour to 191k).
98% of the events from the security log of the Exchange 2016 server are Event Codes 4624, 4634 and 4672.
Should I be blacklisting at least a portion of these codes so I can drop it down to a reasonable number? This traffic is pushing me over my license limit and I need to address it.
The audit policies and blacklist on the Exchange 2010 and 2016 servers seem to be the same, so I am not sure why the new server is so much noisier.
Okay, so I'd check a few things before answering.
First, VALIDATION: has the update to the 2016 caused a real increase of activity? For instance, is Exchange 2016 polling ten times as often, or chattering in some way? Are the connections dropping, and if so, is that by design? In other words, first make sure that you are not detecting a misconfiguration issue that should be resolved at the other end.
Second, EFFICIENCY: have you already installed transforms to drop the "wordiness" of Microsoft Event Codes? Literally 80% of a Microsoft event is redundant wording describing what the event is, which should have been presented in a table somewhere instead of written in each event. There are various add-ons that can rip out all the redundant data while leaving the unique stuff.
Third, USE CASE: what is the purpose of your Splunk installation, and will that purpose be met if you don't have all the logons and logoffs of that type?
After you get past the above questions, you will be able to make a valid decision regarding data truncation.
I'd suggest that you are more interested in failed logons than real ones, and that it might be possible to truncate more of the logoffs before ingestion, since there is always a prior logon with the details, but those are nits compared with the results of the first two questions.
I am not sure I have great answers but here it goes...
Validation: No misconfiguration afaik. Followed Microsoft procedures. We upgraded to Outlook 2019 at the same time, which did cause issues, but they have been addressed (autodiscovery issues, encryption plug-in).
Efficiency: We have the same props file as the old Exchange server that uses SEDCMD.
Use Case: We have Splunk alerts and reports for various purposes (security mainly). From monitoring who is using VPN to changes to local admin groups to file/folder auditing. Would blacklisting something like computer account logins over the network break any of my alerts or reports? Highly doubtful, but I am always hesitant in blacklisting items that may be useful down the road.
Example: what if another report or alert notified me of a security breach but when I started looking through logs, I discovered I had a need for something blacklisted? Kind of late at that point. Sometimes I log things not for everyday usage but in case I need them for an investigation of some kind. So, in general, I need to be fairly comfortable it won't be useful in the future.
Regarding Event Code 4624:
Is it safe to blacklist 4624 logon type 3 if the user is the computer account?
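
One way to measure what the rule asked about above would remove before deploying it, as an added example that is not part of the thread: it applies the candidate rule (4624, logon type 3, New Logon account ending in `$`) to constructed events and reports what is dropped and what survives. The message layout is trimmed to the fields the rule reads, and every host and user name is invented.

```python
import re
from collections import Counter

def make_4624(logon_type, account, subject="-"):
    """Build a constructed 4624 message body with only the fields the rule reads."""
    return ("An account was successfully logged on.\n"
            f"Subject:\n\tAccount Name:\t{subject}\n"
            f"Logon Information:\n\tLogon Type:\t{logon_type}\n"
            f"New Logon:\n\tAccount Name:\t{account}\n")

# Constructed sample events as (EventCode, Message); names are invented.
SAMPLE = [
    (4624, make_4624(3, "EXCH2016$")),
    (4624, make_4624(3, "EXCH2016$")),
    (4624, make_4624(3, "DC01$")),
    (4624, make_4624(3, "jsmith", subject="EXCH2016$")),  # Subject is the host, logon is a user
    (4624, make_4624(10, "jsmith", subject="EXCH2016$")),
    (4624, make_4624(5, "svc_backup", subject="EXCH2016$")),
    (4634, "An account was logged off.\nSubject:\n\tAccount Name:\tEXCH2016$\n\tLogon Type:\t3\n"),
    (4672, "Special privileges assigned to new logon.\nSubject:\n\tAccount Name:\tjsmith\n"),
]

LOGON_TYPE = re.compile(r"Logon Type:\s+(\d+)")
# Read the account from the "New Logon" section, not the first "Account Name" (Subject).
NEW_LOGON_ACCOUNT = re.compile(r"New Logon:.*?Account Name:\s+(\S+)", re.S)

def would_drop(code, message):
    """Candidate rule: 4624 + logon type 3 + New Logon account ending in '$'."""
    if code != 4624:
        return False
    ltype = LOGON_TYPE.search(message)
    acct = NEW_LOGON_ACCOUNT.search(message)
    return bool(ltype and acct and ltype.group(1) == "3" and acct.group(1).endswith("$"))

def impact(events):
    """Return (total, dropped, Counter of kept events keyed by code/type/account)."""
    kept, dropped = Counter(), 0
    for code, message in events:
        if would_drop(code, message):
            dropped += 1
            continue
        ltype = LOGON_TYPE.search(message)
        acct = NEW_LOGON_ACCOUNT.search(message)
        kept[(code, ltype and ltype.group(1), acct and acct.group(1))] += 1
    return len(events), dropped, kept

if __name__ == "__main__":
    total, dropped, kept = impact(SAMPLE)
    print(f"{dropped}/{total} events dropped ({100 * dropped / total:.0f}%)")
    for key, count in kept.most_common():
        print(count, key)
```

Group managed service accounts also have names ending in `$`, so a rule keyed on that suffix drops their network logons along with those of computer accounts.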