We have been having issues surrounding the o365.audit Integration within Elastic.
We are running this integration on multiple machines and tenants and are seeing massive delays between logs being created on 365 and when we see them in the SIEM.
We see a delay between the audit creation and ingestion timestamp, which has ranged from a couple of minutes to 12+ hours.
This impacts our rule-running ability, as logs come in outwith the rule-running times.
Has anyone else experienced this issue with this integration?
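As an added example (not from the original post or from Elastic), here is a check a practitioner could run over a sample of o365.audit documents: measure the lag between `@timestamp` and `event.ingested`, then work out which events a detection rule with a given interval and additional look-back would miss when it queries `@timestamp`, versus when its timestamp override is `event.ingested`. The sample documents, the flat dict keys, and the 5-minute interval / 5-minute look-back schedule are assumptions.

```python
"""Ingestion-lag check for o365.audit events (added example, not Elastic code).
Field names follow ECS; the documents below are constructed for illustration."""
import math
from datetime import datetime, timedelta, timezone

# Constructed sample: event time as recorded by Microsoft 365 (@timestamp)
# and the time the SIEM actually indexed the document (event.ingested).
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.ingested": "2024-05-01T09:03:00Z"},
    {"@timestamp": "2024-05-01T09:05:00Z", "event.ingested": "2024-05-01T09:40:00Z"},
    {"@timestamp": "2024-05-01T09:10:00Z", "event.ingested": "2024-05-01T21:30:00Z"},
]

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def ingestion_lag(doc: dict) -> timedelta:
    """How long the event sat between creation in 365 and indexing in the SIEM."""
    return parse_ts(doc["event.ingested"]) - parse_ts(doc["@timestamp"])

def first_run_after(ingested: datetime, interval_min: int) -> datetime:
    """First scheduled rule execution at or after the document was indexed
    (assumes executions aligned to multiples of the interval)."""
    step = interval_min * 60
    return datetime.fromtimestamp(math.ceil(ingested.timestamp() / step) * step, tz=timezone.utc)

def missed_by_rule(doc: dict, interval_min: int, lookback_min: int,
                   ts_field: str = "@timestamp") -> bool:
    """A rule running every interval_min minutes searches ts_field over the last
    interval + look-back. The document is only ever visible at the first run after
    it was indexed; if its ts_field value is already older than that window, the
    rule never sees it."""
    run_at = first_run_after(parse_ts(doc["event.ingested"]), interval_min)
    window_start = run_at - timedelta(minutes=interval_min + lookback_min)
    return parse_ts(doc[ts_field]) < window_start

def lag_report(docs, interval_min: int = 5, lookback_min: int = 5):
    """Return (max lag in seconds, events missed when querying @timestamp,
    events missed when the rule's timestamp override is event.ingested)."""
    max_lag = max(ingestion_lag(d).total_seconds() for d in docs)
    missed_ts = sum(missed_by_rule(d, interval_min, lookback_min) for d in docs)
    missed_ing = sum(missed_by_rule(d, interval_min, lookback_min, "event.ingested") for d in docs)
    return max_lag, missed_ts, missed_ing

if __name__ == "__main__":
    print(lag_report(SAMPLE_DOCS))  # → (44400.0, 2, 0)
```

A zero in the last column is the point: keying the rule window on `event.ingested` (or widening the additional look-back to cover the observed lag) means late-arriving audit records are still evaluated, at the cost of alert timestamps that reflect ingestion rather than event time.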