lfk73
Sep 17, 2019

Log timestamp accuracy

While recently trying to trace events, I noticed that the date and time stamp in the audit log search results and in the Investigation results only show timestamps at HH:MM:SS. No milliseconds, and I'm finding that events I can correlate are showing out of order in the search results from the audit search and investigate searches, compared to the order I know the events occurred in. I'm talking about events within the same second-seconds (fast clicking).

The only event I can find that has milliseconds is a Logon event.

Is there a way to enable milliseconds for all events, or maybe there is an event ID or some other number in the logs that I can sort on in order to get the true sequence of events?

Thanks.

  • lfk73 thanks for your question.

    Can you please give me some examples of activities you see without the milliseconds?

    The data should be available in raw events and used by MCAS to order them.

    Thanks

    • lfk73

      Sebastien Molendijk

       

      For the sake of security I've omitted some details from the Raw Log, but the key item is the timestamp.

      This is an example of a failed logon. You see the timestamp goes down to milliseconds (23:50:12.0098591):


      "ApplicationName": "Office 365 Exchange Online",
      "SasStatus": null,
      "TimeStamp": "2019-09-23T23:50:12.0098591Z",
      "HomeTenantUserObjectId": "XXX",
      "MfaRequired": true,

       

      However, another event that comes after this does not have millisecond accuracy (23:52:20.0000000):


      "OrganizationName": "XXX",
      "OrganizationId": "XXX",
      "ExternalAccess": false,
      "CreationTime": "2019-09-23T23:52:20.0000000Z",
      "Workload": "Exchange",
      "RecordType": 2,

       

      As a result, I have found that when there is a large enough number of events occurring at the same time, down to the second, they sometimes appear out of order based on the order I know they occurred in.
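
Added example, not part of the original thread and not Microsoft's code: a sketch that parses the two timestamp fields quoted above at their full 7-digit precision, sorts the events, and reports every one-second group whose internal order cannot be established from the timestamps. The record shape, the "n" label and the rule that an all-zero fraction means second-only precision are assumptions.

```python
import re
from datetime import datetime, timezone
from itertools import groupby

TIME_FIELDS = ("TimeStamp", "CreationTime")  # field names seen in the thread's raw events
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,7}))?Z$")

def parse_ticks(value):
    """Return (epoch_seconds, ticks); ticks are 100 ns units within that second."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(base.timestamp()), int((m.group(2) or "").ljust(7, "0"))

def event_time(event):
    """Read whichever known time field the record carries."""
    for field in TIME_FIELDS:
        if field in event:
            return parse_ticks(event[field])
    raise KeyError("event has no known time field")

def order_events(events):
    """Return (ordered, ambiguous). Ties keep input order (stable sort).

    Assumption: an all-zero fraction means the source recorded whole seconds
    only, so that event's position among others in the same second is unknown.
    """
    keyed = sorted(((event_time(e), i, e) for i, e in enumerate(events)),
                   key=lambda k: (k[0], k[1]))
    ambiguous = []
    for sec, grp in groupby(keyed, key=lambda k: k[0][0]):
        grp = list(grp)
        if len(grp) > 1 and any(k[0][1] == 0 for k in grp):
            ambiguous.append([e for _, _, e in grp])
    return [e for _, _, e in keyed], ambiguous

# Constructed sample: the two timestamps quoted above plus two invented records;
# "n" is a hypothetical label, not a field of the real logs.
SAMPLE = [
    {"n": "A", "CreationTime": "2019-09-23T23:52:20.0000000Z"},
    {"n": "B", "TimeStamp": "2019-09-23T23:50:12.0098591Z"},
    {"n": "C", "CreationTime": "2019-09-23T23:52:20.0000000Z"},
    {"n": "D", "TimeStamp": "2019-09-23T23:52:20.4100000Z"},
]

if __name__ == "__main__":
    ordered, ambiguous = order_events(SAMPLE)
    print("order:", [e["n"] for e in ordered])
    for group in ambiguous:
        print("order not provable within one second:", [e["n"] for e in group])
```

Events in a reported group should be sequenced from another source before a timeline built from them is relied on.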
