Event to Log Workspace Delays
Guys, is their a delay/latency in say the export of sign-in logs from AzureAD into a log analytics workspace? My security team have asked for real-time alerts on certain account sign ins. Should I look at Event hubs?
Forum Discussion
- CliveWatson
Microsoft
This lists the latency details.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time
You can measure it with the queries in the link or via my Usage Workbook, which has a whole Tab (page) for latency https://techcommunity.microsoft.com/t5/azure-sentinel/usage-reporting-for-azure-sentinel/ba-p/1267383
Other solutions may decrease latency, but you need to weigh that against complexity and costs etc...
CliveWatson Thanks! We are using a 3rd party SIEM so we don't have Azure Sentinel. Specifically for the AzureAD sign in logs, would an event hub have less latency than a LA workspace?
