Forum Discussion
james1987 (Copper Contributor)
Mar 16, 2023
Not all network events are on DeviceNetworkEvents table
Does anyone know how network events are collected in MS Defender for Endpoint? It looks like DeviceNetworkEvents does not have all network events. We did a test using nslookup: do an nslookup to domain 1; an hour later, do an nslookup to domain 2; then another hour later, do an nslookup to domain 3.
DeviceNetworkEvents only has a record for the first nslookup. It did not collect the network events for the second and third nslookup.
DeviceProcessEvents did have all three nslookup processes.
Thanks
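The test described in the post can be checked directly in Advanced Hunting. The following KQL is an added example, not code from the original post or from Microsoft: it takes every nslookup.exe process start on a test host from DeviceProcessEvents and counts the DeviceNetworkEvents rows that the same process produced shortly afterwards, so lookups that never reached the network table appear with a count of zero. The device name TEST-HOST-01, the 7-day lookback and the 5-minute window are placeholders and assumptions.

```kql
// Added example, not from the original thread: put the OP's nslookup test
// into an Advanced Hunting query. For every nslookup.exe process start on
// the test host, count the DeviceNetworkEvents rows the same process produced
// shortly afterwards. Lookups that never reached the network table show up
// with NetworkEventCount == 0.
let lookback = 7d;                              // assumption: how far back to look
let window = 5m;                                // assumption: how long after process start a network event may arrive
let TestDevices = dynamic(["TEST-HOST-01"]);    // placeholder: the host the test was run on
let Lookups = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName in~ (TestDevices)
    | where FileName =~ "nslookup.exe"
    | project ProcStart = Timestamp, DeviceId, DeviceName, ProcessId, ProcessCommandLine;
let NetEvents = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where DeviceName in~ (TestDevices)
    | where InitiatingProcessFileName =~ "nslookup.exe"
    | project NetTime = Timestamp, DeviceId, InitiatingProcessId, ActionType, RemoteIP, RemotePort, RemoteUrl;
Lookups
| join kind=leftouter NetEvents on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// PIDs are reused over a week, so only count network events that fall inside
// the window after this particular process start.
| extend InWindow = iff(isnull(NetTime), false, NetTime between (ProcStart .. (ProcStart + window)))
| summarize
    NetworkEventCount = countif(InWindow),
    ActionTypes       = make_set_if(ActionType, InWindow),
    Remotes           = make_set_if(strcat(RemoteIP, ":", tostring(RemotePort)), InWindow)
    by ProcStart, DeviceName, ProcessId, ProcessCommandLine
| extend Status = iff(NetworkEventCount == 0, "process seen, no network event", "network event recorded")
| order by ProcStart asc
```

Run it in the Advanced Hunting query editor after performing the three lookups. A row with NetworkEventCount of 0 is a lookup that DeviceProcessEvents recorded but DeviceNetworkEvents did not, which is the gap the post describes; the time window exists because ProcessId values are reused and a plain join on PID alone would attribute unrelated connections to the wrong process.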
- HA13029 (Copper Contributor):
Hi,
Did you find a solution? Same issue for me...
Regards,
HA
- jbmartin6 (Iron Contributor):
MDE isn't a 100% complete record; MS has to balance bandwidth and storage costs. The end result is that some events get dropped, particularly if they are similar to previous events or have no security value. 'Host made a DNS request' gets logged elsewhere anyway, so there is little value in logging every single DNS lookup as a network event. That's just a guess though; as far as I know there is no official documentation on the event selection process. But take a look at Olaf Hartong's excellent series probing into MDE internals: https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347
- HA13029 (Copper Contributor):
Hello,
First, thanks a lot for your help.
I also find that without Real-time Protection (RTP) enabled, most of the traffic is not logged...
Regards,
HA
- jbmartin6 (Iron Contributor):
Oh, that is interesting; we haven't noticed that. It might explain some weird things we saw in the lab though, I will check it out.
- hukel (Copper Contributor):
What about the first time a PowerShell process sends an LDAP query directly to a DC? Surely that should be collected (but in my current investigation, I can't find a trace of it). Are these limits published anywhere?
- am1357 (Brass Contributor):
As jbmartin already mentioned, this blog series looks into this "issue" in much more detail than Microsoft explains it in their docs (I don't think they do at all)... https://medium.com/falconforce/mdeinternals/home.
In summary: Not all events are logged locally. Not all events are sent from the device to the Defender XDR portal. There is a discrepancy between events in the device timeline and in Advanced Hunting.