Providers send aggregate reports at varying times. Many come at midnight UTC, but some providers like Microsoft often send hourly reports. Forensic reports come in neartime, usually about 5-10 minutes after the failing message hit the ISP's front end inbound mailers.
You can tell RUA from RUF reports apart pretty easily. An aggregate, or RUA report typically starts like:
--report_section
Content-Type: text/plain;
This is a DMARC aggregate report for yourdomain.com
generated at Mon Mar 23 03:53:50 UTC 2015
while a forensic or RUF report generall starts like:
--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
This is an email abuse report for an email message received from IP 10.10.10.10 on Mon Mar 23 04:01:02 UTC 2015.
The message below did not meet the sending domain's authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
--61204608-60BE-4D26-9E07-F450C5B0D826
Content-Type: message/feedback-report
You will also notice that an RUA report has (often gzipped) XML as an attachment, while the attachment for a RUF report is actual MIME. Few people try to manually read or verify either type of report. Services like Agari and Dmarcian are specifically built to interpret DMARC reporting.