Log timestamp accuracy

While recently trying to trace events I noticed that the date and time stamp in the audit log search results and in the Investigation results only show timestamps at HH:MM:SS. No milliseconds, and I'm finding events that I can correlate are showing out of order in the search results from the audit search and investigate searches compared to the order I know the events occurred in. I'm talking about events within the same second or seconds (fast clicking).

The only event I can find that has milliseconds is a Logon event.

Is there a way to enable milliseconds for all events, or maybe there is an event ID or some other number in the logs that I can sort on in order to get the true sequence of events?

Thanks.

2 Replies

@lfk73 thanks for your question.

Can you please give me some examples of activities you see without the milliseconds?

The data should be available in raw events and used by MCAS to order them.

Thanks

@Sebastien Molendijk

For the sake of security I've omitted some details from the raw log, but the key item is the timestamp.

This is an example of a failed logon. You see the timestamp goes down to milliseconds (23:50:12.0098591).

"ApplicationName": "Office 365 Exchange Online",
"SasStatus": null,
"TimeStamp": "2019-09-23T23:50:12.0098591Z",
"HomeTenantUserObjectId": "XXX",
"MfaRequired": true,

However, another event that comes after this does not have millisecond accuracy (23:52:20.0000000).

"OrganizationName": "XXX",
"OrganizationId": "XXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T23:52:20.0000000Z",
"Workload": "Exchange",
"RecordType": 2,

As a result I have found that when there are a large enough number of events occurring at the same time, down to the second, they sometimes appear out of order compared to the order I know they occurred in.
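An added check (not part of this thread or of MCAS) that flags which events in a result set cannot be ordered reliably from their timestamps alone: it parses the TimeStamp / CreationTime values in the format quoted above, treats an absent or all-zero fraction as second granularity, and reports groups of events that share the same whole second. The sample events are constructed from the two raw-log fragments in the reply.

```python
import re
from datetime import datetime, timezone

# Constructed sample based on the fragments quoted above: one sign-in record with a
# 100 ns fraction and audit records whose CreationTime is truncated to whole seconds.
SAMPLE_EVENTS = [
    {"CreationTime": "2019-09-23T23:52:20.0000000Z", "Workload": "Exchange", "RecordType": 2},
    {"TimeStamp": "2019-09-23T23:50:12.0098591Z", "ApplicationName": "Office 365 Exchange Online"},
    {"CreationTime": "2019-09-23T23:52:20.0000000Z", "Workload": "Exchange", "RecordType": 2},
    {"CreationTime": "2019-09-23T23:52:21.0000000Z", "Workload": "Exchange", "RecordType": 2},
]

# Whole-second part, optional fraction of any length, trailing Z (UTC).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_timestamp(value):
    """Return (whole-second UTC datetime, fraction as 100 ns ticks, has_subsecond).
    has_subsecond is False for a missing or all-zero fraction, i.e. second granularity."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    frac = (m.group(2) or "")[:7].ljust(7, "0")  # normalise to 7 digits (100 ns ticks)
    ticks = int(frac)
    return whole, ticks, ticks != 0


def event_time(event):
    """Sign-in records carry TimeStamp; unified audit records carry CreationTime."""
    return event.get("TimeStamp") or event.get("CreationTime")


def ambiguous_groups(events):
    """Stable-sort events by timestamp and return groups of original indices that share
    a whole second while at least one of them has no sub-second part: their relative
    order cannot be recovered from the timestamp alone."""
    keyed = []
    for idx, ev in enumerate(events):
        whole, ticks, precise = parse_timestamp(event_time(ev))
        keyed.append((whole, ticks, idx, precise))
    keyed.sort(key=lambda k: (k[0], k[1], k[2]))  # ties keep arrival order (stable)
    groups, current = [], []
    for i, (whole, _, idx, precise) in enumerate(keyed):
        if current and keyed[i - 1][0] != whole:
            groups.append(current)
            current = []
        current.append((idx, precise))
    if current:
        groups.append(current)
    return [[idx for idx, _ in g] for g in groups if len(g) > 1 and not all(p for _, p in g)]
```

Run against the sample it reports the two 23:52:20 records as an ambiguous pair, which is exactly the case described in the thread; events with a non-zero fraction sort unambiguously.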