Forum Discussion
james1987
Mar 16, 2023 · Occasional Reader
Not all network events are on DeviceNetworkEvents table
Anyone know how network events are being collected in MS Defender for Endpoint? Looks like DeviceNetworkEvents does not have all network events. We did a test using nslookup. Do an nslookup to domain...
jbmartin6
Jun 17, 2024 · Iron Contributor
MDE isn't a 100% complete record; MS has to balance bandwidth and storage costs. The end result is that some events get dropped, particularly if they are similar to previous events or have no security value. 'Host made a DNS request' gets logged elsewhere anyway, so there is little value in logging every single DNS lookup as a network event. That's just a guess though; as far as I know there is no official documentation on the event selection process. But take a look at Olaf Hartong's excellent series probing into MDE internals: https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347
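As an added example (not code from the thread or from Microsoft), here is an advanced hunting query you can run right after the nslookup test described above to see exactly what, if anything, DeviceNetworkEvents recorded for it. The domain and device names are placeholders you must replace; the column names (Timestamp, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl, Protocol, InitiatingProcessFileName, InitiatingProcessCommandLine) are standard DeviceNetworkEvents schema columns. It only looks at the one table the question is about, since the reply above does not say where the DNS record itself lands.

```kql
// Added example: confirm whether a test nslookup produced any row in DeviceNetworkEvents.
// The two values below are placeholders, not values from the thread.
let testDomain = "test.example.com";     // placeholder: the domain you resolved with nslookup
let testDevice = "TEST-WORKSTATION-01";  // placeholder: the device where you ran the test
let window = 1h;                         // look back over the test window only
DeviceNetworkEvents
| where Timestamp > ago(window)
| where DeviceName startswith testDevice
// Match three different footprints of the test: the URL MDE attached to the
// connection, the nslookup process itself, or any traffic to the DNS port.
| where RemoteUrl has testDomain
    or InitiatingProcessFileName =~ "nslookup.exe"
    or RemotePort == 53
| project Timestamp, ActionType, RemoteIP, RemotePort, RemoteUrl, Protocol,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc
```

If the result is empty while the lookup clearly happened on the host, that is the sampling behaviour described above rather than a query problem; replacing the `project` line with `summarize count() by ActionType, InitiatingProcessFileName` over a longer window shows which action types and processes MDE does retain on that device, which is the baseline to compare against before relying on this table for DNS-based detections.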
HA13029
Jun 19, 2024 · Brass Contributor
Hello,
First, thanks a lot for your help.
I also find that without Real-time protection/RTP enabled, most of the traffic is not logged...
Regards,
HA