OpsMgr ACS SecureVantage Noise Filter (Combined)

As many of you know, collecting all security events on a server using the Audit Collection Service (ACS) can get very "noisy". Thankfully SecureVantage has come up with a list of noise filters; unfortunately they are all separate queries. I took the time to combine all the queries into one and thought I would share it to save anyone else the trouble…



SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))

To load the query into ACS, use the AdtAdmin.exe tool (the whole command is one line; the query must not contain line breaks):

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

Confirm the query is in place:

AdtAdmin.exe /getquery

If you cannot run AdtAdmin.exe from the command prompt, then either 1) you don't have Audit Collection Services installed, or 2) C:\Windows\System32\Security\AdtServer is not in your %PATH% variable. For 2), simply CD to C:\Windows\System32\Security\AdtServer and run it from there.

To see a list of the queries that were combined please reference SecureVantage's noise filter list PDF.
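As an added example (not part of the original post, SecureVantage's filter list, or the ACS tooling), the following Python models the combined filter above so you can dry-run it against sample AdtsEvent rows and see exactly which events the collector would discard before committing the query with AdtAdmin.exe. It assumes SQL/WQL LIKE semantics (`%` any run of characters, `_` any single character, case-insensitive) and uses constructed sample rows.

```python
import re

def like(value, pattern):
    """WQL/SQL LIKE: '%' matches any run, '_' any single char; case-insensitive (assumption)."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value or "", re.IGNORECASE) is not None

def is_noise(ev):
    """True if the combined SecureVantage filter would discard this AdtsEvent row."""
    eid = ev["EventId"]
    hu, cu, tu, s1 = (ev.get(k, "") for k in ("HeaderUser", "ClientUser", "TargetUser", "String01"))
    return (
        eid in (551, 562, 573, 577, 578, 697, 538, 672, 680, 571)
        or 594 <= eid <= 597 or 768 <= eid <= 771 or 832 <= eid <= 841
        or (eid == 624 and like(tu, "%$%"))                        # computer-account creation
        or (eid == 627 and hu == "System" and like(cu, "%$%") and tu == "TsInternetUser")
        or (eid in (538, 540) and s1 == "3" and like(hu, "%$%"))   # machine network logon/logoff
        or (671 < eid < 678 and like(cu, "%$%"))                   # Kerberos events from machine accounts
        or ((like(hu, "%ADM_%") or like(hu, "%SYS_%")) and eid in (528, 540, 680))
    )

def apply_filter(events):
    """SELECT * FROM AdtsEvent WHERE NOT (...): keep only rows the filter does not match."""
    return [e for e in events if not is_noise(e)]

# Constructed sample rows (not real ACS data); only the columns the filter reads.
SAMPLE_EVENTS = [
    {"EventId": 538, "HeaderUser": "SRV01$", "String01": "3"},   # machine logoff: dropped
    {"EventId": 624, "TargetUser": "WKS42$"},                     # computer account created: dropped
    {"EventId": 624, "TargetUser": "jdoe"},                       # user account created: kept
    {"EventId": 528, "HeaderUser": "ADM_smith"},                  # logon by ADM_ account: dropped
    {"EventId": 528, "HeaderUser": "jdoe"},                       # ordinary logon: kept
    {"EventId": 675, "ClientUser": "DC01$"},                      # pre-auth failure, machine account: dropped
    {"EventId": 675, "ClientUser": "jdoe"},                       # pre-auth failure, user account: kept
    {"EventId": 529, "HeaderUser": "SYS_backup"},                 # failed logon: kept (529 not filtered)
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("DROP" if is_noise(ev) else "KEEP", ev)
```

Note that the last clause discards successful logons (528, 540, 680) for any account whose name contains ADM_ or SYS_, so check that convention against your own naming scheme before applying the filter.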



2 Responses

  1. Alex says:

    This is great, thank you. If, like me, you couldn't get it to work with a copy and paste, try typing in the first bit, then paste the query, as this worked. Pasting the whole lot resulted in a cannot find file or path error.

  2. stephen says:

    Hi Alex,

    Thanks for the tip! I fixed the post so when folks copy it, it won't copy the line breaks as well.

    Cheers,
    Stephen


Blog My Nog | Tech Topics