OpsMgr ACS SecureVantage Noise Filter (Combined)

This post was written by stephen on November 10, 2009
Posted Under: Microsoft, SCOM

As many of you know, collecting all security events from a server with the Audit Collection Service (ACS) can get very “noisy”. Thankfully SecureVantage has come up with a list of noise filters; unfortunately, they are all separate queries. I took the time to combine all the queries into one and thought I would share it to save anyone else the trouble…

SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))

To load the query into ACS, use the AdtAdmin.exe tool:

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

Confirm the query is in place:

AdtAdmin.exe /getquery

If you cannot run AdtAdmin.exe from the command prompt, either 1) you don't have Audit Collection Services installed, or 2) C:\Windows\System32\Security\AdtServer is not in your %PATH% variable. For 2), simply cd to C:\Windows\System32\Security\AdtServer and you should be good to go.

To see the list of queries that were combined, please refer to SecureVantage's noise filter list PDF.
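As an added illustration (not part of the original post or of SecureVantage's filter set), the following Python renders the combined WHERE NOT (...) predicate as a function and runs it over a handful of constructed sample events, so you can see which records the collector will discard before loading the query with AdtAdmin.exe. Field names follow the query above; the user names, event values and the simplified LIKE model are assumptions for the demo.

```python
import re

def wql_like(value, pattern):
    """Model of WQL LIKE: '%' = any run of characters, '_' = exactly one
    character, everything else literal; case-insensitive like WQL.
    (Real WQL also accepts '[...]' sets, so '[_]' means a literal underscore.)"""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value or "", re.IGNORECASE) is not None

def is_noise(e):
    """Python rendering of the combined 'WHERE NOT (...)' clause above.
    Returns True when ACS would discard the event."""
    eid = e["EventId"]
    hu, cu, tu = e.get("HeaderUser", ""), e.get("ClientUser", ""), e.get("TargetUser", "")
    def machine(u):                       # '%$%': computer accounts end in '$'
        return wql_like(u, "%$%")
    return (
        eid in (551, 562, 573, 577, 578, 697, 538, 672, 680, 571)
        or 594 <= eid <= 597 or 768 <= eid <= 771 or 832 <= eid <= 841
        or (eid == 624 and machine(tu))
        or (eid == 627 and hu.lower() == "system" and machine(cu)
            and tu.lower() == "tsinternetuser")
        or (eid in (538, 540) and e.get("String01") == "3" and machine(hu))
        or (671 < eid < 678 and machine(cu))
        or ((wql_like(hu, "%ADM_%") or wql_like(hu, "%SYS_%"))
            and eid in (528, 540, 680))
    )

def apply_filter(events):
    """Split events into (kept, dropped) the way the collector would."""
    kept = [e for e in events if not is_noise(e)]
    return kept, [e for e in events if is_noise(e)]

# Constructed sample events (not real ACS data); pre-Vista event IDs as in the query.
SAMPLE = [
    {"EventId": 540, "HeaderUser": "WEB01$", "String01": "3"},  # machine network logon: dropped
    {"EventId": 540, "HeaderUser": "jsmith", "String01": "3"},  # user network logon: kept
    {"EventId": 528, "HeaderUser": "ADM_jsmith"},               # admin logon: dropped by design
    {"EventId": 528, "HeaderUser": "ADMIN"},                    # '_' is a wildcard: also dropped
    {"EventId": 529, "HeaderUser": "jsmith"},                   # failed logon: kept
    {"EventId": 624, "TargetUser": "WEB02$"},                   # computer account created: dropped
    {"EventId": 624, "TargetUser": "newuser"},                  # user account created: kept
    {"EventId": 675, "ClientUser": "jsmith"},                   # Kerberos pre-auth failure: kept
]

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE)
    print(f"kept {len(kept)} of {len(SAMPLE)}; dropped IDs: {[d['EventId'] for d in dropped]}")
```

Note that the filter discards successful logons (528/540/680) for ADM_ and SYS_ header users along with the machine-account noise, and because '_' is a LIKE wildcard, any header user containing "ADM" followed by one more character (such as ADMIN) is caught as well; check that against your naming convention before deploying.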

Reader Comments

This is great, thank you. If, like me, you couldn’t get it to work with a copy and paste, try typing in the first bit, then paste the query, as this worked. Pasting the whole lot resulted in a "cannot find file or path" error.

#1 
Written By Alex on January 28th, 2010 @ 5:10 am

Hi Alex,

Thanks for the tip! I fixed the post so that when folks copy it, it won't copy the line breaks as well.

Cheers,
Stephen

#2 
Written By stephen on January 31st, 2010 @ 2:00 am