Forum Discussion

james1987
Copper Contributor
Mar 16, 2023

Not all network events are on DeviceNetworkEvents table

Does anyone know how network events are being collected in MS Defender for Endpoint? It looks like DeviceNetworkEvents does not have all network events. We did a test using nslookup: do an nslookup to domain 1. An hour later, do an nslookup to domain 2. Then another hour later, do an nslookup to domain 3.

DeviceNetworkEvents only has a record for the first nslookup. It did not collect the network events for the second and third nslookups.

DeviceProcessEvents did have all three of these nslookup processes.

Thanks
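One way to measure the gap the post describes, as an added Advanced Hunting query that is not part of the thread: take every nslookup.exe process start from DeviceProcessEvents and count how many DeviceNetworkEvents rows were attributed to that exact process instance. The column names are the documented Advanced Hunting schema; the 7-day lookback is an assumed value to be adjusted to the test window.

```kusto
// Added example, not from the thread: list every nslookup.exe process start
// from DeviceProcessEvents and count how many DeviceNetworkEvents rows were
// attributed to that same process instance. Rows with NetworkEventCount == 0
// are the lookups the network table never recorded.
let lookback = 7d;                       // assumed window; set it to cover the test period
let lookups =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "nslookup.exe"
    | project DeviceId, DeviceName, ProcessId, ProcessCreationTime,
              ProcessCommandLine, ProcessStart = Timestamp;
let netevents =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "nslookup.exe"
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              NetTimestamp = Timestamp, ActionType, RemoteIP, RemotePort, RemoteUrl;
lookups
// A ProcessId is reused by Windows over time; pairing it with the creation
// time identifies one specific process instance on one device.
| join kind=leftouter netevents on DeviceId,
      $left.ProcessId == $right.InitiatingProcessId,
      $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize NetworkEventCount = countif(isnotempty(ActionType)),
            ActionTypes = make_set_if(ActionType, isnotempty(ActionType)),
            Remotes = make_set_if(strcat(RemoteIP, ":", RemotePort), isnotempty(RemoteIP))
          by DeviceName, ProcessStart, ProcessId, ProcessCommandLine
| extend MissingFromNetworkTable = NetworkEventCount == 0
| order by DeviceName asc, ProcessStart asc
```

Rows where MissingFromNetworkTable is true reproduce the situation in the post (process seen, no network event). Because the join is a left outer join, nothing is hidden by the absence of network rows, and the per-process counts make it easy to compare Advanced Hunting results against the device timeline for the same hosts. The same pattern works for any other process name, such as the PowerShell LDAP case mentioned further down the thread, by changing the FileName filter.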

  • HA13029
    Copper Contributor
    Hi,
    Did you find a solution? Same issue for me...

    Regards,

    HA
  • jbmartin6
    Iron Contributor
    MDE isn't a 100% complete record; MS has to balance bandwidth and storage costs. The end result is that some events get dropped, particularly if they are similar to previous events or have no security value. 'Host made a DNS request' gets logged elsewhere anyway, so there is little value in logging every single DNS lookup as a network event. That's just a guess though; as far as I know there is no official documentation on the event selection process. But take a look at Olaf Hartung's excellent series probing into MDE internals: https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347
    • HA13029
      Copper Contributor
      Hello,

      First, thanks a lot for your help.
      I also found that without Real-time protection (RTP) enabled, most of the traffic is not logged...

      Regards,

      HA
      • jbmartin6
        Iron Contributor
        Oh, that is interesting; we haven't noticed that. It might explain some weird things we saw in the lab though. I will check it out.
    • hukel
      Copper Contributor
      What about the first time a PowerShell process sends an LDAP query directly to a DC? Surely that should be collected (but in my current investigation, I can't find a trace of it). Are these limits published anywhere?
      • am1357
        Brass Contributor
        As jbmartin already mentioned, this blog series looks into this "issue" in much more detail than Microsoft explains in their docs (I don't think they do) ... https://medium.com/falconforce/mdeinternals/home.

        In summary: Not all events are logged locally. Not all events are being sent from the device to the Defender XDR portal. There is a discrepancy between events in the device timeline vs Advanced Hunting.