Log timestamp accuracy


While recently trying to trace events I notice that the date and time stamp in the audit log search results and in the Investigation results only show timestamps at HH:MM:SS.  No milliseconds and I'm finding events that I can correlate are showing out of order in the search results from the audit search and investigate searches to what order events occurred in that I know happened.  Im talking baout events within the same second-seconds (fact clicking).


Only event I can find that has milliseconds is a Logon event.


Is there a way to enable milliseconds for all events or maybe there is an event ID or some other number in the logs that I can sort in order to get the true sequence of events?





2 Replies

@lfk73 thanks for your question.

Can you please give me some examples of activities you see without the milliseconds ?

The data should be available in raw events and used by MCAS to order them.



@Sebastien Molendijk


For the sake of security I've omitted some details from the Raw Log but the key item is the Time stamp.


This is an example of a failed logon.  You see the time stamp goes down to milliseconds (23:50:12.0098591)


"ApplicationName": "Office 365 Exchange Online",
"SasStatus": null,
"TimeStamp": "2019-09-23T23:50:12.0098591Z",
"HomeTenantUserObjectId": "XXX",
"MfaRequired": true,


However another event that comes after this does not have millisecond accuracy (23:52:20.0000000)


"OrganizationName": "XXX",
"OrganizationId": "XXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T23:52:20.0000000Z",
"Workload": "Exchange",
"RecordType": 2,


As a result I have found when there are a large enough number of events occurring at the same time down to the second they sometimes appear out of order based on the order I know they occurred in.