Office 365 events appear out of order or delayed
Last Modified: 2022-10-19 07:15:05 Etc/GMT
Technical Articles ID: KB89874

Environment
SIEM Enterprise Event Receiver (Receiver) 11.x
SIEM Enterprise Security Manager 11.x

Problem
After you add an Office 365 data source, new events contain delayed time stamps and might be received out of order. The time stamps indicate that the events are anywhere from a few minutes to a few hours old.
Solution
The API used to pull the Office 365 events has some product limitations, and one of them has to do with latency. When the data source collects data to send to SIEM through API calls, it must gather information from several different sources at the same time. When information is gathered in this way, it can lead to inconsistent event times because some files are newer and others are older. Rather than arriving at SIEM as a stream in chronological order, the events can be a mix of old and new logs.

NOTE: This delay isn't caused by any defect in the SIEM. The events are sent with this delay by the Microsoft API. Trellix and Microsoft are working together to determine the best way forward for our shared customers. We've provided data explaining the problem to Microsoft and are waiting for Microsoft to complete their evaluation before determining the next steps to be taken.

The following information is sourced from the Microsoft API release notes:

"When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription. The content blobs are created by collecting and aggregating actions and events across multiple servers and data centers. As a result of this distributed process, the actions and events contained in the content blobs don't necessarily appear in the order in which they occur. One content blob can contain actions and events that occurred before the actions and events contained in an earlier content blob. We're working to decrease the latency between the occurrence of actions and events, and their availability in a content blob. But, we can't guarantee that they'll appear sequentially."
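As an added illustration of the behavior described above (this is not Trellix or Microsoft code and is not part of the original article), the following Python sketch shows what a collector sitting between the API and SIEM can do about it: merge the events from several content blobs into one list ordered by their CreationTime, and measure each event's ingest delay so that the delay is monitored as an expected property of the feed rather than mistaken for a collector fault. The field names CreationTime, Id and Operation follow the Office 365 Management Activity API event schema; the two blobs and the receive time are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: two content blobs as returned by the Office 365 Management
# Activity API. The field names follow the API schema; the values are invented.
# Blob B was fetched after blob A, yet it holds an event older than anything in A.
BLOB_A = [
    {"Id": "a1", "CreationTime": "2022-10-18T10:05:00", "Operation": "FileAccessed"},
    {"Id": "a2", "CreationTime": "2022-10-18T10:07:30", "Operation": "UserLoggedIn"},
]
BLOB_B = [
    {"Id": "b1", "CreationTime": "2022-10-18T09:40:00", "Operation": "MailItemsAccessed"},
    {"Id": "b2", "CreationTime": "2022-10-18T10:06:00", "Operation": "FileDownloaded"},
]
# Constructed time at which the collector pulled both blobs.
RECEIVED_AT = datetime(2022, 10, 18, 12, 0, 0, tzinfo=timezone.utc)


def parse_creation_time(value: str) -> datetime:
    """CreationTime in the API is UTC without a zone suffix; attach UTC explicitly."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def merge_blobs(*blobs):
    """Merge the events of several blobs into one list ordered by CreationTime.

    Events are de-duplicated on Id, because the same event can be returned again
    when a blob is re-fetched after a collector restart or retry.
    """
    seen = {}
    for blob in blobs:
        for event in blob:
            seen.setdefault(event["Id"], event)
    return sorted(seen.values(), key=lambda e: parse_creation_time(e["CreationTime"]))


def latency_seconds(event, received_at: datetime) -> float:
    """Age of an event at ingest time: how long after it occurred it reached the collector."""
    return (received_at - parse_creation_time(event["CreationTime"])).total_seconds()


def events_exceeding_latency(events, received_at: datetime, threshold: timedelta):
    """Ids of events whose ingest delay exceeds threshold, for a feed-health metric."""
    limit = threshold.total_seconds()
    return [e["Id"] for e in events if latency_seconds(e, received_at) > limit]


if __name__ == "__main__":
    ordered = merge_blobs(BLOB_A, BLOB_B)
    for e in ordered:
        age_min = latency_seconds(e, RECEIVED_AT) / 60
        print(f'{e["CreationTime"]} {e["Id"]:>3} {e["Operation"]:<18} {age_min:.0f} min old')
    print("older than 2 h at ingest:", events_exceeding_latency(ordered, RECEIVED_AT, timedelta(hours=2)))
```

Sorting by CreationTime only helps for events that have already arrived; an event from an older blob that shows up on a later pull will still land behind events already forwarded to SIEM, so the latency metric is the more useful output: it lets an operator tell a normal API delay of minutes to hours apart from a collector that has stopped pulling.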
More information is available on the Microsoft website for Office 365 under the Office 365 API section.