WORKAROUND
There is no way to restrict the AD Queries that are gathered by source IP. There are, however, a few other restrictions that might be useful, depending on how the environment operates.
By default, the following settings are enabled:
- Exclude any auditing of the Schema, RootDSE and Configuration containers
- Discard queries returning fewer than "0" records, meaning no query is discarded on this criterion
- Discard queries taking less than "20" milliseconds, meaning any query that completes faster than that is not captured
- Discard duplicate queries occurring within "15" minutes. This introduces a delay before queries are reported: the Agent caches them and compares each new query with the ones in the cache. If a new query matches a cached one, a counter on the first query is incremented and the subsequent query is discarded
- AD Queries are enabled in the Default Configuration
With the above in mind, there are a few things that could be tweaked to filter out the noise.
- If the queries of interest are only going to be directed at a subset of DCs, turn off AD Query auditing on the other DCs. Do this by creating a new Configuration for those Agents with AD Queries turned on, and then turn AD Queries off in the other existing Configurations
- If the queries of interest are always going to return a large number of results and/or run for a long time (50 milliseconds or more), increase the values of the "Discard Query" options
- If the queries of interest are only going to be against a specific container (or subset of containers), set up exclusions for everything else
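To make the interaction of the settings above concrete, here is a small model of the discard pipeline (container exclusion, record-count and duration thresholds, and the duplicate window with its counter), added here as an illustration; it is not Change Auditor's own code, and the event fields, the DN-based exclusion test and the sample queries are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed representation of one captured LDAP query (not a Change Auditor structure).
@dataclass
class AdQuery:
    time: datetime
    base_dn: str        # "" models a RootDSE query
    ldap_filter: str
    result_count: int
    duration_ms: int

@dataclass
class ReportedQuery:
    first: AdQuery
    count: int = 1      # incremented for each duplicate inside the window

# Schema lives under Configuration, so one marker covers both containers.
DEFAULT_EXCLUDED = ("CN=CONFIGURATION,",)

def is_excluded(base_dn: str, excluded=DEFAULT_EXCLUDED) -> bool:
    return base_dn == "" or any(m in base_dn.upper() for m in excluded)

def filter_queries(queries, min_records=0, min_duration_ms=20,
                   dup_window=timedelta(minutes=15), excluded=DEFAULT_EXCLUDED):
    """Apply the default discard rules in order; returns what would be reported."""
    reported, cache = [], {}
    for q in queries:
        if is_excluded(q.base_dn, excluded) or q.result_count < min_records \
                or q.duration_ms < min_duration_ms:
            continue
        key = (q.base_dn.lower(), q.ldap_filter.lower())
        prev = cache.get(key)
        if prev and q.time - prev.first.time <= dup_window:
            prev.count += 1          # duplicate: bump the first query's counter
            continue
        cache[key] = entry = ReportedQuery(q)
        reported.append(entry)
    return reported

# Constructed sample events for a fictional domain.
T0 = datetime(2024, 1, 1, 9, 0, 0)
USERS = ("DC=example,DC=com", "(objectClass=user)")
SAMPLE_QUERIES = [
    AdQuery(T0, "", "(objectClass=*)", 1, 5),                                   # RootDSE
    AdQuery(T0 + timedelta(seconds=1), "CN=Schema,CN=Configuration,DC=example,DC=com",
            "(objectClass=attributeSchema)", 300, 40),                          # excluded container
    AdQuery(T0 + timedelta(seconds=2), *USERS, 1200, 85),                       # reported
    AdQuery(T0 + timedelta(seconds=3), *USERS, 1200, 80),                       # duplicate
    AdQuery(T0 + timedelta(seconds=4), "DC=example,DC=com", "(sAMAccountName=jdoe)", 1, 8),  # too fast
    AdQuery(T0 + timedelta(minutes=20), *USERS, 1210, 90),                      # outside window
]

def demo():
    return filter_queries(SAMPLE_QUERIES)
```

Raising `min_records` or `min_duration_ms` in the call corresponds to increasing the "Discard Query" options described above.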
STATUS
Enhancement request TF00434256 has been submitted for consideration in a future release of Change Auditor.