Forum Discussion
Sven Mihály-Bison, BA
Mar 03, 2025, Brass Contributor
How does Defender XDR work?
It's not easy to compose the right question to get the answers you are looking for. Defender XDR is driving me crazy.
I used a simple KQL query to figure out which Windows machines in my network perform LDAP queries via PowerShell. The result was: empty.
DeviceEvents
| where InitiatingProcessFileName == "powershell.exe" or InitiatingProcessFileName == "pwsh.exe"
// RemotePort is a numeric column, so compare against numeric literals rather than strings
| where RemotePort == 389 or RemotePort == 636
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
Then I queried LDAP via PowerShell from three machines, and after that the hunting was successful. Not instantly; it took some time until "not security relevant information" found its way to the timelines of the machines. No chance for "near real-time detection".
Last week I created a series of firewall rules in Intune to block PowerShell.exe from communicating on remote ports 389 and 636 and applied these rules to a group of machines.
I fired the earlier mentioned KQL query again today. I didn't expect to get a different result than last week, but exactly those machines that have the new firewall rules applied show up in my results for querying LDAP via PowerShell. I had also built a custom detection rule for starting an automated investigation, and it says:
It looks a little bit weird to me. Any ideas?
- micheleariis, Steel Contributor
Hi, Defender XDR processes endpoint logs with a delay (not real-time), so KQL queries might show no results initially and then populate later. Even if you’ve blocked Powershell.exe on ports 389/636, you may still see logs for “attempted connections.” Also, ensure your Intune firewall policies have actually been applied to all devices, and compare the event timestamps with ingestion times to confirm when events occurred vs. when they were processed.
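The two checks suggested in the reply (event time vs. ingestion time, and blocked attempts vs. successful connections) can be combined into one hunting query. This is an added example, not code from either poster; it assumes the DeviceNetworkEvents table with its ActionType values "ConnectionFailed" and "ConnectionSuccess", and that ingestion_time() is available in Advanced Hunting.

```kql
// Added example (not from the original thread): for PowerShell connections to LDAP ports,
// show per device how many attempts were blocked vs. succeeded, and how long events took
// to be ingested. Assumes DeviceNetworkEvents schema and ingestion_time() support.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where RemotePort in (389, 636)
// Delay between the event happening on the endpoint and it becoming queryable
| extend IngestDelay = ingestion_time() - Timestamp
| summarize Events = count(),
            BlockedOrFailed = countif(ActionType == "ConnectionFailed"),
            Succeeded = countif(ActionType == "ConnectionSuccess"),
            MaxIngestDelay = max(IngestDelay),
            LastEvent = max(Timestamp)
    by DeviceName
| order by LastEvent desc
```

Devices where the firewall rule is applied should show counts under BlockedOrFailed but none under Succeeded; a large MaxIngestDelay explains why the same query returns results later than expected.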