Splunk Enterprise Security

Reduce the noise out of Security EventCodes.

AL3Z
Builder

Hi,

I'm trying to reduce the noise out of these EventCodes, which we can exclude from the Enterprise Security point of view.
Below are my stats of EventCodes. Could anyone please guide me on this?

EventCode count
4624 25714108
4799 12271228
5140 4180598
4672 2896823
4769 2871064
4776 2177516
4798 1771003
4768 1149826
4662 919694
4793 667396
4627 428382
4771 344400
4702 261942
4625 229393
4698 131404
4699 107254
5059 92679
4611 86837
5379 74950
4735 55988
4770 31850
4946 31586
4719 30067
4688 27561
4948 26952
4945 19959
4648 17191
4825 17016
4697 13155
6416 6977

Thanks


PickleRick
SplunkTrust

That's not really a Splunk or ES-related question. It's related to your data and your use-cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use-cases) on them. As simple as that.

It's more a Windows-related question for your admins, to help you review the use cases you want to enable.


fredclown
Builder

There are a number of event codes that have static descriptions of the event in each iteration of the event. This page shows how to trim off the event descriptions on ingest. This can save a lot of data.

https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration

AL3Z
Builder

Hi @fredclown ,

It will be there by default, no need to define it again!


fredclown
Builder

The event code description trimming is not turned on by default. You need to specifically turn it on in a local props.conf.

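As an added illustration of the local-config change fredclown describes (this is an example written for this thread, not code from the thread or from the Splunk Add-on for Windows itself): a local props.conf/transforms.conf pair that first strips the static explanatory paragraph from classic-format Security events with SEDCMD, and then shows the manual equivalent of an ingest-time drop, routing a placeholder list of EventCodes to nullQueue so they are never indexed. The stanza name, the two SEDCMD regexes and the EventCode placeholders are assumptions; compare them with the commented-out defaults that ship in the add-on's props.conf before deploying.

```ini
# local/props.conf  (example; stanza assumes the classic WinEventLog:Security input)
[source::WinEventLog:Security]
# Strip the static "This event is generated ..." paragraph that repeats verbatim in
# every 4624/4625-style event. Regex is an assumption modelled on the add-on's
# commented-out SEDCMD lines; the key fields above the paragraph are left intact.
SEDCMD-trim_this_event_is_generated = s/This event is generated[\S\s]+$//g
# Same idea for the "Token Elevation Type indicates ..." explanation in 4672/4688 events.
SEDCMD-trim_token_elevation = s/Token Elevation Type indicates[\S\s]+$//g
# Hand selected events to a transform that drops them before indexing.
# Only do this for EventCodes that the use-case review has agreed nothing depends on.
TRANSFORMS-drop_agreed_eventcodes = drop_agreed_eventcodes

# local/transforms.conf
[drop_agreed_eventcodes]
# PLACEHOLDER: 9999 and 9998 are not real choices; substitute the EventCodes agreed
# with your Windows admins. (?m) is needed because EventCode= sits on its own line
# in the classic multi-line format; XML-rendered events use <EventID>NNNN</EventID>
# instead, so this REGEX would need changing for sourcetype XmlWinEventLog.
REGEX = (?m)^EventCode=(9999|9998)$
DEST_KEY = queue
FORMAT = nullQueue
```

Both stanzas must live on the instance that parses the data (heavy forwarder or indexer, not a universal forwarder), and dropped events are gone for good, so keep the nullQueue list short and documented.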

richgalloway
SplunkTrust

Please give us your definition of "noise".

Do none of your other questions on the same topic address this, too?

Have you considered using Ingest Actions to avoid indexing unwanted data? See https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splu... and https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/DataIngest

---
If this reply helps you, Karma would be appreciated.