Anyone know how network event are being collected in MS Defender for Endpoint. Look like DeviceNetworkEvents does not have all network events. We did a testing using nslookup. Do a nslookup to domain 1. Another hour later do a nslookup to domain 2. Then another hour later do a nslookup to domain 3.

DeviceNetworkEvents only have record for the first nslookup. It did not collect the network events for the second and third nslookup.

DeviceProcessEvents did have all these three nslookup process.

Thanks