Why would IBM Host Protection for Windows not be creating network-based events, but is creating OS audit events?
The Host Protection for Windows agent uses an inline driver that connects to the Base Filtering module. If the service that controls this is disabled or not running, network traffic will bypass the agent's network driver. The agent will continue to function and report audit events, but it will not see network traffic.
Verify that the following service is running in Windows Services:
Base Filtering Engine