OpsMgr ACS SecureVantage Noise Filter (Combined)

As many of you know, collecting every security event from a server with the Audit Collection Service (ACS) can get very “noisy”. Thankfully SecureVantage has published a list of noise filters; unfortunately they are all separate queries. I took the time to combine them into a single query and thought I would share it to save anyone else the trouble…



SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))

To load the query into ACS, use the AdtAdmin.exe tool:

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

Confirm the query is in place:

AdtAdmin.exe /getquery

If you cannot run AdtAdmin.exe from the command prompt, either 1) you don't have Audit Collection Services installed, or 2) C:\Windows\System32\Security\AdtServer is not in your %PATH% variable. For 2), simply CD to C:\Windows\System32\Security\AdtServer and you should be good to go.
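Before loading a filter this long into ACS, it helps to see exactly which events it will throw away. The following Python model is an added example (not part of the original post and not SecureVantage's or Microsoft's code): it rebuilds the combined WHERE NOT (...) string from the individual clauses, checks the parentheses balance, produces the AdtAdmin.exe command line, and mirrors each WQL clause as a Python predicate so constructed sample events can be run through the filter. The event dicts are constructed samples using the AdtsEvent column names the query references (EventId, HeaderUser, ClientUser, TargetUser, String01); the assumption that WQL string comparison and LIKE are case-insensitive is the model's, not the page's.

```python
"""Added model of the combined ACS noise filter (example code, not the page's own).

Rebuilds the filter from its clauses, sanity-checks it, and mirrors each clause
as a predicate so sample events can be classified as "forwarded" or "dropped".
"""
import re


def like(value, pattern):
    """WQL LIKE: % matches any run of characters, _ matches exactly one.
    Assumed case-insensitive, matching how ACS compares user names."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value or "", re.IGNORECASE) is not None


def eq(value, literal):
    """WQL string equality, assumed case-insensitive."""
    return (value or "").lower() == literal.lower()


# (WQL fragment copied verbatim from the combined query, equivalent Python predicate)
NOISE_CLAUSES = [
    ("EventId=551", lambda e: e["EventId"] == 551),
    ("EventId=562", lambda e: e["EventId"] == 562),
    ("EventId=573", lambda e: e["EventId"] == 573),
    ("EventId=577", lambda e: e["EventId"] == 577),
    ("EventId=578", lambda e: e["EventId"] == 578),
    ("EventId=697", lambda e: e["EventId"] == 697),
    ("(EventId>=594 AND EventId<=597)", lambda e: 594 <= e["EventId"] <= 597),
    ("(EventId>=768 AND EventId<=771)", lambda e: 768 <= e["EventId"] <= 771),
    ("(EventId>=832 AND EventId<=841)", lambda e: 832 <= e["EventId"] <= 841),
    ("EventId=538", lambda e: e["EventId"] == 538),
    ("EventId=672", lambda e: e["EventId"] == 672),
    ("EventId=680", lambda e: e["EventId"] == 680),
    ("EventId=571", lambda e: e["EventId"] == 571),
    ("(EventId=624 And TargetUser LIKE '%$%')",
     lambda e: e["EventId"] == 624 and like(e.get("TargetUser"), "%$%")),
    ("(EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser')",
     lambda e: e["EventId"] == 627 and eq(e.get("HeaderUser"), "System")
     and like(e.get("ClientUser"), "%$%") and eq(e.get("TargetUser"), "TsInternetUser")),
    ("((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%')",
     lambda e: e["EventId"] in (538, 540) and e.get("String01") == "3"
     and like(e.get("HeaderUser"), "%$%")),
    ("((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%')",
     lambda e: 671 < e["EventId"] < 678 and like(e.get("ClientUser"), "%$%")),
    ("((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680))",
     lambda e: (like(e.get("HeaderUser"), "%ADM_%") or like(e.get("HeaderUser"), "%SYS_%"))
     and e["EventId"] in (528, 540, 680)),
]


def build_query(clauses=NOISE_CLAUSES):
    """Join the fragments into the single ACS filter: forward everything NOT matched."""
    return "SELECT * FROM AdtsEvent WHERE NOT (" + " OR ".join(f for f, _ in clauses) + ")"


def parens_balanced(query):
    """Cheap sanity check before handing the string to AdtAdmin.exe."""
    depth = 0
    for ch in query:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def adtadmin_command(query):
    """The command line the post uses to load the filter (the query contains no double quotes)."""
    assert '"' not in query, "query would need escaping for the /query: argument"
    return f'AdtAdmin.exe /setquery /query:"{query}"'


def matching_clauses(event, clauses=NOISE_CLAUSES):
    """Fragments that classify this event as noise; an empty list means it is forwarded."""
    return [frag for frag, pred in clauses if pred(event)]


def is_forwarded(event, clauses=NOISE_CLAUSES):
    return not matching_clauses(event, clauses)


# Constructed sample events shaped like the AdtsEvent columns the filter uses.
SAMPLE_EVENTS = {
    "human interactive logon": {"EventId": 528, "HeaderUser": "jdoe", "String01": "2"},
    "machine network logon": {"EventId": 540, "HeaderUser": "FILESRV01$", "String01": "3"},
    "ntlm auth by human": {"EventId": 680, "HeaderUser": "jdoe"},
    "computer account created": {"EventId": 624, "TargetUser": "WKS042$"},
    "user account created": {"EventId": 624, "TargetUser": "newhire"},
    "preauth failure by host": {"EventId": 675, "ClientUser": "WKS042$"},
    "preauth failure by human": {"EventId": 675, "ClientUser": "jdoe"},
    "ADM_ service account logon": {"EventId": 528, "HeaderUser": "ADM_backup", "String01": "2"},
}

if __name__ == "__main__":
    q = build_query()
    print(adtadmin_command(q) if parens_balanced(q) else "unbalanced parentheses")
    for name, ev in SAMPLE_EVENTS.items():
        hit = matching_clauses(ev)
        print(f"{name:28s} -> {'forwarded' if not hit else 'dropped by ' + hit[0]}")
```

Running the model shows one property of the combined query worth knowing before you load it: EventId=538 and EventId=680 each appear as a standalone clause, so every 538 and 680 is dropped no matter which account produced it, and the narrower machine-account conditions for 538/540 and for ADM_/SYS_ users later in the query never get a chance to matter for those two IDs. If you want human 680 (NTLM authentication) events to reach the collector, remove the standalone clause and keep only the qualified ones, then rebuild and re-check the string with this script before running AdtAdmin.exe /setquery.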

To see a list of the queries that were combined please reference SecureVantage's noise filter list PDF.

This entry was posted in Microsoft, SCOM.

One Response to OpsMgr ACS SecureVantage Noise Filter (Combined)

  1. Alex says:

    This is great, thank you. If, like me, you couldn’t get it to work with a copy and paste, try typing in the first bit, then paste the query, as this worked. Pasting the whole lot resulted in a cannot find file or path error.
