cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Increasing scheduled analytic frequency

pemontto
Brass Contributor

‎Mar 10 2020 07:24 AM

‎Mar 10 2020 07:24 AM

Increasing scheduled analytic frequency

We've seen a number of template analytics with search frequency set to 1d. We have some use cases where we'd like to be notified much sooner than the incident + ~1d. What we're struggling with is understanding the ingestion latency for certain log sources. Particularly OfficeActivity where we'd like to know about malicious behaviour within 1-2hrs, but we're seeing ingest latency fluctuations up to 90 minutes based on the query we're looking at which deviates from the data ingestion time documentation:

// Calculate the latency of each log type
union withsource = tt *
| project TimeGenerated, Type
| extend latency = ingestion_time() - TimeGenerated
| where latency > 0s
| summarize
max = max(latency)/1m,
min = min(latency)/1m,
avg = avg(latency)/1m,
p50 = totimespan(percentiles(latency, 50)[0])/1m,
p95 = totimespan(percentiles(latency, 95)[0])/1m by Type
| order by Type asc

 

Are there any absolute time guarantees for Azure cloud service logs?

707 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Rod_Trent (Microsoft)
CliveWatson

‎Mar 10 2020 08:06 AM

‎Mar 10 2020 08:06 AM

Solution

Re: Increasing scheduled analytic frequency

@pemontto 

 

The link you provided discussed the push from O365 to Sentinel:

"Office 365 solution polls activity logs using the Office 365 Management Activity API, which currently does not provide any near-real time latency guarantees.". 

I'm sure you see from your own query that many tables have acceptable latency.  Its an area always under review and being optimised.

 

 

 

 

1 Like
Reply
pemontto

‎Apr 02 2020 08:32 AM

‎Apr 02 2020 08:32 AM

Re: Increasing scheduled analytic frequency

@CliveWatson thanks! And thanks for the workbook that wraps everything up nicely, including latency!

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Rod_Trent (Microsoft)
CliveWatson

‎Mar 10 2020 08:06 AM

‎Mar 10 2020 08:06 AM

Solution

Re: Increasing scheduled analytic frequency

@pemontto 

 

The link you provided discussed the push from O365 to Sentinel:

"Office 365 solution polls activity logs using the Office 365 Management Activity API, which currently does not provide any near-real time latency guarantees.". 

I'm sure you see from your own query that many tables have acceptable latency.  Its an area always under review and being optimised.

 

 

 

 

View solution in original post

1 Like
Reply