Sep 17 2019 04:30 PM
While recently trying to trace events, I noticed that the date and time stamp in the audit log search results and in the Investigation results only show timestamps at HH:MM:SS. No milliseconds, and I'm finding events that I can correlate are showing out of order in the search results from the audit search and investigate searches compared to the order I know those events occurred in. I'm talking about events within the same second or seconds (fast clicking).
The only event I can find that has milliseconds is a Logon event.
Is there a way to enable milliseconds for all events or maybe there is an event ID or some other number in the logs that I can sort in order to get the true sequence of events?
Thanks.
Sep 23 2019 01:50 AM
@lfk73 thanks for your question.
Can you please give me some examples of activities you see without the milliseconds?
The data should be available in raw events and used by MCAS to order them.
Thanks
Sep 23 2019 09:07 PM
For the sake of security I've omitted some details from the Raw Log, but the key item is the Time stamp.
This is an example of a failed logon. You can see the time stamp goes down to milliseconds (23:50:12.0098591):
"ApplicationName": "Office 365 Exchange Online",
"SasStatus": null,
"TimeStamp": "2019-09-23T23:50:12.0098591Z",
"HomeTenantUserObjectId": "XXX",
"MfaRequired": true,
However, another event that comes after this does not have millisecond accuracy (23:52:20.0000000):
"OrganizationName": "XXX",
"OrganizationId": "XXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T23:52:20.0000000Z",
"Workload": "Exchange",
"RecordType": 2,
As a result, I have found that when there are a large enough number of events occurring at the same time, down to the second, they sometimes appear out of order compared to the order I know they occurred in.
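One way to see the ordering problem described in this thread, as an added example that is not part of the original thread: a small Python script that parses the two timestamp shapes quoted above (the tick-precision "TimeStamp" of the logon event and the whole-second "CreationTime" of the audit record), flags records that carry no sub-second precision, and reports which same-second events cannot be ordered from their timestamps alone. The sample events, their "Id" values and any field names beyond those quoted in the thread are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample events modelled on the two shapes quoted in the thread:
# a logon event with a 7-digit fractional "TimeStamp", and Office 365 audit
# records whose "CreationTime" is truncated to whole seconds. "Id" is made up.
SAMPLE_EVENTS = [
    {"Id": "a", "CreationTime": "2019-09-23T23:52:20.0000000Z", "Workload": "Exchange", "RecordType": 2},
    {"Id": "b", "TimeStamp": "2019-09-23T23:50:12.0098591Z", "ApplicationName": "Office 365 Exchange Online"},
    {"Id": "c", "CreationTime": "2019-09-23T23:52:20.0000000Z", "Workload": "Exchange", "RecordType": 2},
    {"Id": "d", "CreationTime": "2019-09-23T23:52:21.0000000Z", "Workload": "SharePoint", "RecordType": 4},
]

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")

def parse_timestamp(value):
    """Return (UTC datetime, has_subsecond_precision).

    Python's datetime carries microseconds only, so a 7-digit .NET tick
    fraction is cut to 6 digits; precision is judged on the raw digits,
    because ".0000000" most likely means the fraction was never recorded.
    """
    m = _TS_RE.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    base, frac = m.group(1), m.group(2) or ""
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((frac + "000000")[:6])
    return dt.replace(microsecond=micros), frac.strip("0") != ""

def event_time(event):
    # Logon events carry "TimeStamp"; unified audit records carry "CreationTime".
    raw = event.get("TimeStamp") or event.get("CreationTime")
    if raw is None:
        raise KeyError("event has neither TimeStamp nor CreationTime")
    return parse_timestamp(raw)

def order_events(events):
    """Sort by timestamp (stable: ingestion order breaks ties) and return the
    ordered ids plus the groups of whole-second events whose relative order
    cannot be established from the timestamp field alone."""
    annotated = [(event_time(e), i, e) for i, e in enumerate(events)]
    annotated.sort(key=lambda t: (t[0][0], t[1]))
    ordered = [e["Id"] for _, _, e in annotated]
    bucket = {}
    for (dt, precise), _, e in annotated:
        if not precise:
            bucket.setdefault(dt, []).append(e["Id"])
    ambiguous = [ids for ids in bucket.values() if len(ids) > 1]
    return ordered, ambiguous
```

Running `order_events(SAMPLE_EVENTS)` orders the logon event first and reports that records "a" and "c" share the truncated second 23:52:20, so their sequence has to come from somewhere other than the timestamp.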