Forum Discussion
Custom data collection in MDE - what is default?
DeviceNetworkEvents collection mode is always On and captures Standard network telemetry: TCP/UDP connections, DNS lookups, connection successes/failures and process attribution while DeviceCustomNetworkEvents only captures events you explicitly define with same schema structure, but scoped by your filters.
Additional information on this
DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn
Azure Monitor Logs reference - DeviceCustomNetworkEvents - Azure Monitor | Microsoft Learn
MicrosoftDeviceNetworkEvents collection mode is always On and captures Standard network telemetry: TCP/UDP connections, DNS lookups, connection successes/failures and process attribution while DeviceCustomNetworkEvents only captures events you explicitly define with same schema structure, but scoped by your filters.
Additional information on this
DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn
Azure Monitor Logs reference - DeviceCustomNetworkEvents - Azure Monitor | Microsoft Learn