Forum Discussion
james1987
Mar 16, 2023 - Occasional Reader
Not all network events are on DeviceNetworkEvents table
Does anyone know how network events are collected in MS Defender for Endpoint? It looks like DeviceNetworkEvents does not have all network events. We did a test using nslookup. Do an nslookup to domain...
jbmartin6
Jun 17, 2024 - Iron Contributor
MDE isn't a 100% complete record; MS has to balance bandwidth and storage costs. The end result is that some events get dropped, particularly if they are similar to previous events or have no security value. 'Host made a DNS request' gets logged elsewhere anyway, so there is little value in logging every single DNS lookup as a network event. That's just a guess though; as far as I know there is no official documentation on the event selection process. But take a look at Olaf Hartong's excellent series probing into MDE internals: https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347
hukel
Oct 16, 2024 - Copper Contributor
What about the first time a PowerShell process sends an LDAP query directly to a DC - surely that should be collected (but in my current investigation, I can't find a trace of it). Are these limits published anywhere?
am1357
Oct 17, 2024 - Brass Contributor
As mentioned by jbmartin6 already, this blog series looks into this "issue" in much more detail than Microsoft explains in their docs (I don't think they do) ... https://medium.com/falconforce/mdeinternals/home.
In summary: Not all events are logged locally. Not all events are being sent from the device to the Defender XDR portal. There is a discrepancy between events in the device timeline vs Advanced Hunting.
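An added Advanced Hunting query, not posted by anyone in this thread, that checks the three gaps discussed above in one run: whether the nslookup test shows up in DeviceNetworkEvents at all, whether the same lookup is instead recorded under DeviceEvents, and whether PowerShell LDAP/LDAPS connections to a DC appear as network events. The probe hostname and the lookback window are constructed, and the DeviceEvents ActionType "DnsQueryResponse" is assumed to be where MDE records DNS answers; the LDAP ports listed are an assumption about the environment.

```kql
// Added example, not from the thread. Assumptions: "example.com" is the
// constructed name used in the nslookup test; "DnsQueryResponse" is assumed
// to be the DeviceEvents ActionType carrying DNS answers.
let lookback = 1d;
let probe = "example.com";
// 1. Does the test lookup appear as a network event at all?
let net = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl has probe or AdditionalFields has probe
    | project Timestamp, DeviceName, Source = "DeviceNetworkEvents", ActionType,
              InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl;
// 2. The same lookup as seen by DNS client telemetry in DeviceEvents
let dns = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "DnsQueryResponse"   // assumption: DNS answers land here
    | where AdditionalFields has probe
    | project Timestamp, DeviceName, Source = "DeviceEvents", ActionType,
              InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl = "";
// 3. PowerShell talking LDAP/LDAPS directly (hukel's case); ports are assumed
let ldap = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
    | where RemotePort in (389, 636, 3268, 3269)
    | project Timestamp, DeviceName, Source = "DeviceNetworkEvents (LDAP)", ActionType,
              InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl;
union net, dns, ldap
| order by Timestamp asc
```

Rows from DeviceEvents with none from DeviceNetworkEvents for the same probe are the discrepancy jbmartin6 and am1357 describe; an empty LDAP set after a known PowerShell query is the case hukel reports.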