How to Manage High Volume of Security Logs on Domain Controllers?

Asked By CloudyPineapple93 On

I've enabled auditing on my Windows Domain Controllers, but now the Security log is getting overwhelmed with Event IDs 5156, 5157, and 5158, logging about 50 events per second! This rapid filling is causing issues with our SOC by blowing up SIEM storage and running into EPS limits. Before I start making changes randomly, I'd like to get some insights from those who have managed this in real-world scenarios. Is it advisable to disable these audit events on Domain Controllers? If we turn them off, will we create significant detection gaps, or are these just excess noise that can be monitored through EDR? Any advice would be greatly appreciated!

1 Answer

Answered By TechieTom42 On

It really depends on your situation. Are you monitoring a single server or multiple? Your security team should clarify what their expectations are. If they need the SIEM to log connections and port bindings, they must ensure their infrastructure can handle that volume.

QuietNinja75 -

For example, Event ID 5158 logs a bind to a local port. You may see things like a process getting permitted for connections, which can be quite frequent if it’s a necessary service.
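As an added example that is not part of this thread, the PowerShell below measures, on the Domain Controller, how much of the Security log volume each of the three Event IDs contributes and which processes generate the permitted-connection (5156) and port-bind (5158) noise, then shows the audit subcategory that controls them. It changes nothing; it assumes an elevated session on the DC and a one-hour window, both of which are assumptions you can adjust.

```powershell
# Added example (not from the thread): size the WFP event noise on a Domain Controller
# before deciding what to do with the "Filtering Platform Connection" audit subcategory.
# Assumptions: run elevated on the DC; window length is a guess, change it to taste.

$Hours = 1   # assumed window
$filter = @{
    LogName   = 'Security'
    Id        = 5156, 5157, 5158
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Events per second for this log, which is the number the SIEM's EPS limit cares about.
$eps = [math]::Round($events.Count / ($Hours * 3600), 2)
"{0} WFP events in the last {1}h ({2} events/sec)" -f $events.Count, $Hours, $eps

# Volume per Event ID: tells you whether the flood is permitted traffic or blocked traffic.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Which processes produce the permitted-connection / bind events (the "Application" field
# in the event XML). The top entries are the candidates for a targeted SIEM filter, and
# they show whether the noise is expected DC services or something worth keeping an eye on.
$events |
    Where-Object Id -in 5156, 5158 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'Application').'#text'
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# The subcategory that emits all three IDs. Success audits produce 5156 and 5158,
# failure audits produce 5157, so the two halves can be decided separately.
auditpol /get /subcategory:"Filtering Platform Connection"
# Keeping blocked connections (5157) while dropping permitted ones would be, for example:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
```

Run it during a busy period, since the per-second figure only means something against the same window the SIEM is measuring.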
