Log timestamp accuracy

While recently trying to trace events, I noticed that the date and time stamps in the audit log search results and in the Investigation results only show timestamps at HH:MM:SS, with no milliseconds. I'm finding that events I can correlate are showing out of order in the results from the audit and investigate searches, compared to the order I know the events occurred in. I'm talking about events within the same second-seconds (fast clicking).

 

The only event I can find that has milliseconds is a Logon event.

 

Is there a way to enable milliseconds for all events or maybe there is an event ID or some other number in the logs that I can sort in order to get the true sequence of events?

 

Thanks.

 

 

2 Replies

@lfk73 thanks for your question.

Can you please give me some examples of activities you see without the milliseconds?

The data should be available in raw events and used by MCAS to order them.

 

Thanks

@Sebastien Molendijk

 

For the sake of security I've omitted some details from the Raw Log but the key item is the Time stamp.

 

This is an example of a failed logon.  You see the time stamp goes down to milliseconds (23:50:12.0098591)

 

"ApplicationName": "Office 365 Exchange Online",
"SasStatus": null,
"TimeStamp": "2019-09-23T23:50:12.0098591Z",
"HomeTenantUserObjectId": "XXX",
"MfaRequired": true,

 

However, another event that comes after this does not have millisecond accuracy (23:52:20.0000000).

 

"OrganizationName": "XXX",
"OrganizationId": "XXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T23:52:20.0000000Z",
"Workload": "Exchange",
"RecordType": 2,

 

As a result, I have found that when there is a large enough number of events occurring at the same time, down to the second, they sometimes appear out of order compared to the order I know they occurred in.
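An added example, not part of the thread or of any Microsoft tooling: one way to flag, in exported raw records, the seconds in which event order cannot be established from the timestamp alone. The `id` labels, the extra sample records, and the rule that a fraction of exactly zero means precision was not recorded are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Time fields that appear in the two raw records quoted in the thread.
TIME_FIELDS = ("TimeStamp", "CreationTime")
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,7}))?Z$")

def parse_ticks(value):
    """Split a UTC timestamp into (whole second, fraction in 100 ns ticks)."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    second = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return second, int((m.group(2) or "").ljust(7, "0"))

def event_time(record):
    """Read whichever known time field the record carries."""
    for field in TIME_FIELDS:
        if field in record:
            return parse_ticks(record[field])
    raise KeyError("record has no known time field")

def ambiguous_groups(records):
    """Return {second: [ids]} for seconds whose event order cannot be proven."""
    buckets = defaultdict(list)
    for rec in records:
        second, ticks = event_time(rec)
        buckets[second].append((ticks, rec["id"]))
    out = {}
    for second, items in sorted(buckets.items()):
        fractions = [t for t, _ in items]
        # Assumption: a fraction of exactly 0 means sub-second precision was not recorded.
        tied = 0 in fractions or len(set(fractions)) < len(fractions)
        if len(items) > 1 and tied:
            out[second.isoformat()] = [i for _, i in sorted(items, key=lambda p: p[0])]
    return out

# Constructed sample: only the two timestamps from the thread are real values;
# the "id" labels and the extra records are made up for illustration.
SAMPLE = [
    {"id": "logon-fail", "TimeStamp": "2019-09-23T23:50:12.0098591Z"},
    {"id": "exchange-1", "CreationTime": "2019-09-23T23:52:20.0000000Z"},
    {"id": "exchange-2", "CreationTime": "2019-09-23T23:52:20.0000000Z"},
    {"id": "exchange-3", "CreationTime": "2019-09-23T23:52:21.0000000Z"},
]

if __name__ == "__main__":
    print(ambiguous_groups(SAMPLE))
```

Records in a returned group should be treated as unordered in a timeline unless some other field in the raw event establishes their sequence.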