Event to Log Workspace Delays


Guys, is there a delay/latency in, say, the export of sign-in logs from AzureAD into a log analytics workspace? My security team have asked for real-time alerts on certain account sign-ins. Should I look at Event hubs?


@shocko 

This lists the latency details.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time

You can measure it with the queries in the link or via my Usage Workbook, which has a whole Tab (page) for latency: https://techcommunity.microsoft.com/t5/azure-sentinel/usage-reporting-for-azure-sentinel/ba-p/126738...

Other solutions may decrease latency, but you need to weigh that against complexity and costs etc...
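One way to measure that latency for the Azure AD sign-in table specifically, as an added example (not code from the thread, the linked docs page or Clive's workbook): it assumes the workspace's `SigninLogs` table is populated via Azure AD diagnostic settings and uses the `ingestion_time()` function, which returns the time a record became queryable, as opposed to `TimeGenerated`, the time the sign-in actually happened.

```kusto
// Added example: per-hour ingestion latency for Azure AD sign-in logs.
// Assumes SigninLogs is populated in this workspace via AAD diagnostic settings.
// TimeGenerated  = when the sign-in occurred (source timestamp)
// ingestion_time() = when the record became available to query in the workspace
SigninLogs
| where TimeGenerated > ago(1d)
| extend IngestionLatency = ingestion_time() - TimeGenerated
| summarize
    Records = count(),
    P50 = percentile(IngestionLatency, 50),
    P95 = percentile(IngestionLatency, 95),
    Max = max(IngestionLatency)
  by bin(TimeGenerated, 1h)
| order by TimeGenerated asc

// Second, separate query: alert-side pattern. Scoping a scheduled detection by
// arrival time instead of source time means a sign-in that lands late is still
// evaluated by the next run rather than silently missed. The 5m window and the
// projected columns are illustrative choices.
SigninLogs
| where ingestion_time() > ago(5m)
| where ResultType == "0"   // successful sign-ins only
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          IngestionLag = ingestion_time() - TimeGenerated
```

Run the two queries separately. The first gives the P50/P95/max figures to put in front of the security team when deciding whether "real-time" is achievable from the workspace; the second shows why an alert rule's lookback should be driven by `ingestion_time()` when latency is variable, since a `TimeGenerated`-based window of the same length will skip any record that arrived after the window had already been evaluated.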


@Clive Watson Thanks! We are using a 3rd party SIEM so we don't have Azure Sentinel. Specifically for the AzureAD sign-in logs, would an event hub have less latency than a LA workspace?