Office 365 Event Latency

Because the AlienApp for Office 365 data queries must rely on information as provided by the Microsoft Office 365 Management Activity API, you may see non-sequential events as well as delayed timestamps for retrieved events and generated alarms. This is beyond the control of AT&T Cybersecurity. You can observe the latency by comparing the Time Received ISO8601 and Time Created ISO8601 fields of an Office 365 event in USM Anywhere.

The Office 365 Management Activity API aggregates actions and events into tenant-specific content binary large objects (BLOBs). It creates these BLOBs by collecting and aggregating actions and events across multiple servers and data centers. Because of this distributed process, the actions and events contained in the BLOBs do not necessarily appear in the order in which they occur. Also, the timestamp for logs stored in these BLOBs are based on the BLOB creation, not the events. See the Working with the Office 365 Management Activity API page for more information about log collection and aggregation by the Microsoft Activity API.

Additionally, the Management Activity API incorporates mechanisms designed to ensure that customers have access to logs through service interruptions. This can result in a time delay of up to 30 minutes, and sometimes 24 hours or more, after an event occurs for the corresponding audit log entry to be collected and provided by the API. See the Search the audit log in the compliance center page for a table listing the time delays of different services in Office 365. However, if you observe delays to be more than 5 days, it could indicate a potential issue. On the Office 365 Management Activity API FAQs and troubleshooting page, Microsoft advises to check the Service Health Dashboard or open a ticket with Microsoft support.