How InfraSOS collects events for Office 365 monitoring

We collect events via Microsoft Graph API endpoints for our M365 monitoring. Currently, all supported policies are based on Microsoft Entra ID Directory Audit Logs and Sign-In Audit Logs.

In approximately 99% of cases, we expect events to be collected within 1 minute after they appear in Microsoft Entra ID Audit Logs. Collection can take longer when complex filters are configured. In addition, Microsoft Entra ID Audit Logs have their own inherent latency before an event appears in them.

The following latency information is taken from Microsoft:

Report     | Latency (95th percentile) | Latency (99th percentile)
Audit logs | 2 mins                    | 5 mins
Sign-ins   | 2 mins                    | 5 mins

Latency (95th percentile) refers to the time by which 95% of logs are reported, while Latency (99th percentile) refers to the time by which 99% of logs are reported.
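
A collector that only asks for events newer than its last poll skips any event that surfaces in the log late. The sketch below is an added example, not InfraSOS's code: it re-queries a lookback window sized to the 99th-percentile latency above and de-duplicates by event id. The Collector class, fake_fetch and the sample log are constructed for illustration; the Graph paths and timestamp properties are those of the directoryAudits and signIns resources.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/auditLogs"
# Timestamp property each report is filtered on.
TS_FIELD = {"directoryAudits": "activityDateTime", "signIns": "createdDateTime"}


def build_url(report, since):
    """Query a real fetch() would issue, then follow @odata.nextLink pages."""
    flt = f"{TS_FIELD[report]} ge {since.strftime('%Y-%m-%dT%H:%M:%SZ')}"
    return f"{GRAPH}/{report}?$filter={quote(flt)}"


class Collector:
    def __init__(self, start, lookback):
        self.cursor, self.lookback, self.prev_ids = start, lookback, set()

    def poll(self, fetch, now):
        """fetch(since, now) must return every event in the window."""
        events = fetch(self.cursor - self.lookback, now)
        fresh = [e["id"] for e in events if e["id"] not in self.prev_ids]
        # Anything the next (later-starting) window can return again is already
        # in this result, so this poll's ids are enough to de-duplicate.
        self.prev_ids = {e["id"] for e in events}
        self.cursor = now
        return fresh


def t(minute, second=0):
    return datetime(2024, 1, 1, 12, minute, second, tzinfo=timezone.utc)


# Constructed log: (id, event time, time the event became visible in the log).
LOG = [("a", t(0, 30), t(0, 50)), ("b", t(0, 10), t(1, 40)), ("c", t(1, 30), t(1, 50))]


def fake_fetch(since, now):
    return [{"id": i} for i, ts, seen in LOG if ts >= since and seen <= now]


def run(lookback):
    """Poll once a minute for three minutes; return the new ids per poll."""
    c = Collector(t(0), lookback)
    return [c.poll(fake_fetch, t(m)) for m in (1, 2, 3)]
```

With a five-minute lookback, event b (which became visible 90 seconds after it occurred) is picked up on the second poll; with no lookback it is never collected.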
