thisisbhaskar
Copper Contributor
Jun 20, 2025

DeviceNetworkEvents table, UDP and IGMP events

Does the DeviceNetworkEvents table get all network events, or are there any caveats?

Want to know if Defender agents on the machines collect all the TCP/UDP/ICMP/IGMP events, or if there are any specific events which are collected or not collected.

We don't see most UDP events. For example, we have a server listening on UDP, and when a client makes a UDP connection to the server, we expect to see UDP connection events in the DeviceNetworkEvents table. We mostly see only DNS UDP events.

Same thing with ICMP and IGMP. We don't see IGMP events at all.

Can somebody throw light on how these things work?

1 Reply

  • jbmartin6
    Iron Contributor

    As you already suspect, it does not log every network event. In order to conserve bandwidth and storage space, there is some sort of logic to drop repeat, uninteresting, or extremely common events. I don't know of any source that details the specifics of that logic, though. I imagine it can change from time to time as MS implements different detections.
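
One way to measure what the table actually holds in a given tenant, as an added example that is not part of either post above: an advanced hunting query that counts DeviceNetworkEvents rows per protocol and action type. The port 5005 is a placeholder for the UDP server's port and the 7-day window is an assumption; adjust both.

```kusto
// Added example: constructed query, not taken from the thread.
// Shows which Protocol / ActionType combinations reach the table at all,
// and how many rows involve the UDP service the question describes.
let lookback = 7d;          // assumed window
let udpServerPort = 5005;   // placeholder: replace with the server's UDP port
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| summarize
    Events = count(),
    Devices = dcount(DeviceId),
    EventsOnServerPort = countif(LocalPort == udpServerPort or RemotePort == udpServerPort),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by Protocol, ActionType
| order by Protocol asc, Events desc
```

A protocol that never appears in the output, or a zero in EventsOnServerPort while the service is known to be in use, marks traffic that needs another telemetry source (firewall or flow logs, packet capture) if detections depend on it.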
