Not all network events are on DeviceNetworkEvents table


Does anyone know how network events are collected in MS Defender for Endpoint? It looks like DeviceNetworkEvents does not have all network events. We did a test using nslookup: do an nslookup to domain 1. An hour later, do an nslookup to domain 2. Then another hour later, do an nslookup to domain 3.

DeviceNetworkEvents only has a record for the first nslookup. It did not collect the network events for the second and third nslookups.

DeviceProcessEvents did have all three of these nslookup processes.

Thanks
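One way to measure the gap the post describes, as an added advanced hunting example that is not from the thread: list every nslookup launch in DeviceProcessEvents and count how many network events the same process left in DeviceNetworkEvents. The column names follow the standard advanced hunting schema; the 7-day window and the `nslookup.exe` file name are assumptions for illustration.

```kql
// Added example (not from the original post): for each nslookup process,
// count the DeviceNetworkEvents rows that reference the same process.
// Assumptions: standard advanced hunting column names, a 7-day window.
let window = 7d;
let lookups = DeviceProcessEvents
    | where Timestamp > ago(window)
    | where FileName =~ "nslookup.exe"
    | project ProcTime = Timestamp, DeviceId, DeviceName,
              ProcessId, ProcessCreationTime, ProcessCommandLine;
let netevents = DeviceNetworkEvents
    | where Timestamp > ago(window)
    | where InitiatingProcessFileName =~ "nslookup.exe"
    | project NetTime = Timestamp, DeviceId,
              InitiatingProcessId, InitiatingProcessCreationTime,
              ActionType, RemoteUrl, RemoteIP;
lookups
// Join on device, PID and process creation time so a reused PID from a
// later process does not get matched to an earlier launch.
| join kind=leftouter netevents
    on DeviceId,
       $left.ProcessId == $right.InitiatingProcessId,
       $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize NetworkEvents = countif(isnotempty(NetTime)),
            Actions = make_set(ActionType),
            Remotes = make_set(RemoteUrl)
         by ProcTime, DeviceName, ProcessId, ProcessCommandLine
// Rows with NetworkEvents == 0 are launches DeviceProcessEvents saw
// but DeviceNetworkEvents did not.
| order by ProcTime asc
```

Running the same query with real-time protection on and off on a test device lets you compare the proportion of zero-count rows under each setting.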

4 Replies
Hi,
Did you find a solution? Same issue for me...

Regards,

HA
MDE isn't a 100% complete record; MS has to balance bandwidth and storage costs. The end result is that some events get dropped, particularly if they are similar to previous events or have no security value. 'Host made a DNS request' gets logged elsewhere anyway, so there is little value in logging every single DNS lookup as a network event. That's just a guess though; as far as I know there is no official documentation on the event selection process. But take a look at Olaf Hartong's excellent series probing into MDE internals: https://medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b1...
Hello,

First, thanks a lot for your help.
I also find that without real-time protection (RTP) enabled, most of the traffic is not logged...

Regards,

HA
Oh, that is interesting; we haven't noticed that. It might explain some weird things we saw in the lab though. I will check it out.