Forum Discussion

RobYoung's avatar
RobYoung
Iron Contributor
Aug 25, 2023

Missing data from the Office Activity logs

I run a query on a daily basis that uses the OfficeActivity table and filters the term Send within the operation field.  I started to notice that my results were decreasing so I ran a summary for the past month and noticed a huge decrease in OfiiceActivity capturing the send activity.  Any thoughts on what would be the cause of this?

PS it is not sentinel missing data, because when I check the activity in Defender for cloud, the results are the same.

Here is the query I ran:
OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation contains "Send"
| summarize count() by bin(TimeGenerated, 1d)

 

And here are the results:

 
TimeGenerated [UTC]count_
8/25/2023417
8/24/202366
8/23/202393
8/22/202377
8/21/202373
8/20/202316
8/19/202317
8/18/2023326
8/17/20232978
8/16/20233175
8/15/20234106
8/14/20233632
8/13/2023466
8/12/2023527
8/11/20232516
8/10/20233187
8/9/20233143
8/8/20233289


Now today it is looking like it is starting to climb back but I need to rely on this data so I wouldn't mind knowing why it stopped for almost a week.  (no changes that would impact our environment were made btw)

 

 

  • G_Wilson3468's avatar
    G_Wilson3468
    Iron Contributor

    RobYoung There could be a few things going on here. If you are not missing data then I would look at sampling data issues. For example, your time range is large. 30 days of processing will involve more data to process and can result in less accurate results. I suggest you reduce the "TimeGenerated" to 15 days and then set your aggregation to 7 days instead of 1. This will also reduce the whole number of data points, doing so take a greater load off the processing and can help with sampling accuracy. 

    Hope this helps

     

    G. 

    • RobYoung's avatar
      RobYoung
      Iron Contributor
      This issue magically fixed itself shortly after posting. The sampling I usually due on a 24 hour bases, it was only for the purpose of the post above to show how it fluctuated from day to day. Thanks for the follow up though

Resources