Forum Discussion

zlate81
Copper Contributor
Jun 30, 2025

Defender for Endpoint/Identity not logging Event ID 4625

During some on-prem pen-testing, password sprays were conducted and Defender did not alert in any way, and even digging into Advanced Hunting did not show enough indication of this attack.

We were also ingesting the logs (Event IDs 4624 and 4625) from a domain controller, which made it possible to create a SIEM rule to detect the behavior, but the question is: what is missing for Defender to pick this up, or at least log the events so that a custom detection becomes an option?

The domain controller that generated the SIEM logs was onboarded with the type "domain controller"; Defender for Identity is also enabled.

Do any users have this experience of Defender missing pen-test activities?
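The kind of SIEM rule the post describes, written out as an added Python example (not the poster's rule and not Defender code): it looks for the password-spray pattern in Security log events, many distinct accounts failing (4625) from one source inside a short window, and pairs that with any 4624 success from the same source. The field names, thresholds and sample records are constructed assumptions.

```python
"""Password-spray heuristic over Windows 4624/4625 logon events (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like fields exported from a DC's Security log.
SAMPLE_EVENTS = [
    {"time": "2025-06-30T09:00:01", "id": 4625, "user": "alice", "ip": "10.0.0.50"},
    {"time": "2025-06-30T09:00:03", "id": 4625, "user": "bob", "ip": "10.0.0.50"},
    {"time": "2025-06-30T09:00:05", "id": 4625, "user": "carol", "ip": "10.0.0.50"},
    {"time": "2025-06-30T09:00:07", "id": 4625, "user": "dave", "ip": "10.0.0.50"},
    {"time": "2025-06-30T09:00:09", "id": 4624, "user": "erin", "ip": "10.0.0.50"},
    {"time": "2025-06-30T09:01:00", "id": 4625, "user": "alice", "ip": "10.0.0.77"},
    {"time": "2025-06-30T09:01:30", "id": 4625, "user": "alice", "ip": "10.0.0.77"},
    {"time": "2025-06-30T11:00:00", "id": 4625, "user": "frank", "ip": "10.0.0.50"},
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {ip: {"accounts": [...], "successes": [...]}} for sources whose 4625
    failures span at least `min_accounts` distinct accounts inside one sliding window.
    A spray tries one password against many accounts, so distinct-account fan-out per
    source is the signal, not repeated failures on a single account (lockout-style).
    """
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["ip"]].append((t, e["user"]))
        elif e["id"] == 4624:
            successes[e["ip"]].append((t, e["user"]))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_accounts:
                # A 4624 from the same source inside the window is the "spray hit".
                hits = sorted({u for t, u in successes.get(ip, [])
                               if start <= t <= start + window})
                alerts[ip] = {"accounts": distinct, "successes": hits}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {info}")
```

The same logic ports to a SIEM or Advanced Hunting query as "count distinct target accounts per source IP over a 10-minute bin"; tune the window and account threshold to the environment's normal logon noise.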
