Splunk Enterprise Security

Reduce the noise out of Security EventCodes.

AL3Z
Builder

Hi,

I'm trying to reduce the noise from these EventCodes, which we can exclude from the Enterprise Security point of view.
Below are my stats of EventCodes. Could anyone please guide me on this?

EventCode count
4624 25714108
4799 12271228
5140 4180598
4672 2896823
4769 2871064
4776 2177516
4798 1771003
4768 1149826
4662 919694
4793 667396
4627 428382
4771 344400
4702 261942
4625 229393
4698 131404
4699 107254
5059 92679
4611 86837
5379 74950
4735 55988
4770 31850
4946 31586
4719 30067
4688 27561
4948 26952
4945 19959
4648 17191
4825 17016
4697 13155
6416 6977

Thanks


PickleRick
SplunkTrust

That's not really a Splunk or ES-related question. It's related to your data and your use-cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use-cases) on them. As simple as that.

It's more a Windows-related question for your admins, to help you review the use cases you want to enable.


fredclown
Contributor

There are a number of event codes that have static descriptions of the event in each iteration of the event. This page shows how to trim off the event descriptions on ingest. This can save a lot of data.

https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration

AL3Z
Builder

Hi @fredclown ,

It will be there by default, no need to define it again!


fredclown
Contributor

The event code description trimming is not turned on by default. You need to specifically turn it on in a local props.conf.


richgalloway
SplunkTrust

Please give us your definition of "noise".

Do none of your other questions on the same topic address this, too?

Have you considered using Ingest Actions to avoid indexing unwanted data? See https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splu... and https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/DataIngest

---
If this reply helps you, Karma would be appreciated.
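A worked configuration for the two approaches raised in this thread: trimming the static description text on ingest (fredclown's suggestion) and dropping selected event codes before they are indexed (which is what richgalloway's Ingest Actions pointer does through the UI, and what a nullQueue route does in conf files). This is an added example, not the Splunk Add-on for Windows' shipped configuration and not code from any poster. The class names `trim_4624_desc` and `drop_noisy_eventcodes`, the choice of 4798/4799 as drop candidates, and the regexes are assumptions to adapt after reviewing your use cases. The files belong in a `local/` directory of the app on the heavy forwarder or indexer that parses the data; a universal forwarder does not run these stages. Note the difference in risk: trimming keeps every `key=value` field that Enterprise Security's data models and correlation searches need (4624/4625 feed the Authentication data model, so trim those rather than drop them), while a nullQueue route is irreversible for the events it matches.

```ini
# ---- props.conf (local/) ----
# Constructed example; stanza applies to classic (non-XML) Security log
# events, whose source is WinEventLog:Security.
[source::WinEventLog:Security]

# 1) Trim the static description paragraph every 4624 event carries.
#    The sentence is the standard Windows text; the class name is assumed.
#    Only the boilerplate is removed, the key=value fields stay intact.
SEDCMD-trim_4624_desc = s/This event is generated when a logon session is created\. It is generated on the computer that was accessed\.//g

# 2) Send selected high-volume codes to nullQueue before indexing.
TRANSFORMS-drop_noisy = drop_noisy_eventcodes

# ---- transforms.conf (local/) ----
[drop_noisy_eventcodes]
# 4798 / 4799 (local group membership enumerated) are chosen for this
# example only; decide per your own use cases before dropping anything.
REGEX = (?m)^EventCode=(4798|4799)\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting the parsing tier, confirm the effect with a search such as `index=wineventlog EventCode=4798 earliest=-15m` (should return nothing new) and compare `len(_raw)` on fresh 4624 events against older ones to see the trimmed size. Add one `SEDCMD-<class>` line per event code you want to trim, matching the exact static sentence for that code, so nothing variable in the event is touched.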