I’m trying to stop the Windows Insight Agent from collecting eventID 5145, since it generates so much data. Turning the logging policy off isn’t an option.
Found an article on the KB that should help (InsightIDR - Event Code Exclusion | Insight Agent Documentation) but whatever I try, I still get the friggin logs. I got it to work once, but when I tried documenting my steps, and redoing what I did, it doesn’t work anymore. I’m at a loss, this generates so much data.
This is what my C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\config\agent.jobs.windows.ui_realtime.json looks like right now (omitted some numbers).