Forum Discussion
Not all network events are on DeviceNetworkEvents table
Anyone know how network event are being collected in MS Defender for Endpoint. Look like DeviceNetworkEvents does not have all network events. We did a testing using nslookup. Do a nslookup to domain...
What about the first time a Powershell process sends an LDAP query directly to a DC - surely that should be collected (but in my current investigation, I can't find a trace of it). Are these limits published anywhere?
As mentioned by jbmartin already, this blog series looks into this "issue" much more detailed than Microsoft is explaining in their docs (I don't think they do) ... https://medium.com/falconforce/mdeinternals/home.
In summary: Not all events are logged locally. Not all events are being sent from the device to the Defender XDR portal. There is a discrepancy between events in the device timeline vs Advanced Hunting.
In summary: Not all events are logged locally. Not all events are being sent from the device to the Defender XDR portal. There is a discrepancy between events in the device timeline vs Advanced Hunting.