Custom data collection in MDE - what is default?

DeviceNetworkEvents collection mode is always On and captures Standard network telemetry: TCP/UDP connections, DNS lookups, connection successes/failures and process attribution while DeviceCustomNetworkEvents only captures events you explicitly define with same schema structure, but scoped by your filters.

Additional information on this

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn

Azure Monitor Logs reference - DeviceCustomNetworkEvents - Azure Monitor | Microsoft Learn

Custom data collection in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn