Custom data collection in MDE - what is default?

Question

So you just announced the preview of "Custom data collection in Microsoft Defender for Endpoint (Preview)" which lets me ingest custom data to sentinel.

Is there also an overview of what is default and what I can add?

e.g. we want to examine repeating disconnects from AzureVPN clients
(yes, it's most likely just Microsoft's fault, as the app ratings show 'everyone' is having them)
How do I know which data I can add to DeviceCustomNetworkEvents which isnt already in DeviceNetworkEvents?

ckyalo · Answer

DeviceNetworkEvents collection mode is always On and captures Standard network telemetry: TCP/UDP connections, DNS lookups, connection successes/failures and process attribution while DeviceCustomNetworkEvents only captures events you explicitly define with same schema structure, but scoped by your filters.
Additional information on this
DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn
Azure Monitor Logs reference - DeviceCustomNetworkEvents - Azure Monitor | Microsoft Learn
Custom data collection in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

Forum Discussion

Custom data collection in MDE - what is default?

1 Reply