Azure Audit Logs Coming In Late

Liam Eisenhaur 26 Reputation points
2021-08-18T13:02:38.583+00:00

I created a console application to pull Azure audit logs for a team to look over in real time. I keep track of all the IDs for the unique logs that come in so as to not get any duplicates. The issue is, when I rerun a previous time interval I used, I should get 0 new logs; however, there are a few cases where new logs are in fact discovered. I am trying to figure out how/why these logs are coming in late. The only idea I have right now is that Microsoft reports chunks of logs to a time stamp, so when I query that time stamp, it's possible not all the logs have been reported at that time, leading to logs that don't get pulled.

Microsoft Entra

Accepted answer
  1. Marilee Turscak-MSFT 36,926 Reputation points Microsoft Employee
    2021-08-19T21:50:43.257+00:00

    Audit logs generally have a latency ranging from 2 minutes to an hour, and sign-in activity logs can take from 15 minutes to up to 2 hours for some records.

    It's unlikely, but there can be greater delays if there was a service outage on a particular day. Some of the Security and Compliance audit logs can take 24 hours to appear. There's a table here that lists the potential lags: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#PickTab=BYB

    So it is definitely possible that some of these are getting delayed. How much of a latency are you seeing?
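Added example, not part of the original thread: one way a collector can tolerate the latency described in the answer is to re-query a trailing window on every poll and de-duplicate by ID, so late records are picked up instead of missed. The `fetch` callable, the `availableAt` field and the sample records are constructed for illustration and stand in for the real audit-log query.

```python
from datetime import datetime, timedelta, timezone

# Lookback sized to the 1-hour upper latency the answer quotes for audit logs;
# sign-in logs would need 2 hours. Treat the value as an assumption to tune.
LOOKBACK = timedelta(hours=1)

class OverlapPoller:
    """Re-query a trailing window on every poll and de-duplicate by record ID."""
    def __init__(self, fetch, start, lookback=LOOKBACK):
        self.fetch = fetch        # hypothetical callable: fetch(since, until) -> list of dicts
        self.lookback = lookback
        self.watermark = start    # end of the last window polled
        self.seen = {}            # record id -> activity time

    def poll(self, now):
        new, late = [], []
        for rec in self.fetch(self.watermark - self.lookback, now):
            if rec["id"] in self.seen:
                continue
            self.seen[rec["id"]] = rec["activityDateTime"]
            new.append(rec["id"])
            if rec["activityDateTime"] < self.watermark:
                late.append(rec["id"])   # belongs to a window that was already polled
        # IDs older than the next query's start can never be returned again: prune them.
        cutoff = now - self.lookback
        self.seen = {i: t for i, t in self.seen.items() if t >= cutoff}
        self.watermark = now
        return new, late

def demo(lookback=LOOKBACK):
    """Constructed data: 'availableAt' simulates when the service exposes a record."""
    t0 = datetime(2021, 8, 18, 13, 0, tzinfo=timezone.utc)
    def m(n):
        return t0 + timedelta(minutes=n)
    records = [
        {"id": "a", "activityDateTime": m(1), "availableAt": m(3)},
        {"id": "b", "activityDateTime": m(2), "availableAt": m(40)},  # surfaces 38 min late
        {"id": "c", "activityDateTime": m(12), "availableAt": m(14)},
    ]
    def fetch(since, until):      # stand-in for the real audit-log query
        return [r for r in records
                if since <= r["activityDateTime"] < until and r["availableAt"] <= until]
    poller = OverlapPoller(fetch, start=t0, lookback=lookback)
    return [poller.poll(m(n)) for n in (10, 20, 50)]

if __name__ == "__main__":
    print("1h lookback:", demo())
    print("no lookback:", demo(timedelta(0)))
```

With the one-hour lookback the delayed record `b` is collected on the third poll and flagged as late; with no lookback it is never collected, which is the gap a monitoring team would want to avoid.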

