Azure Sentinel Workbook Displays Old Data Due To Caching
ronakshah Have you tested to make sure it's not the web browser caching the content? Try running the Workbook in an InPrivate window to test.
- ronakshah, Mar 27, 2020, Copper Contributor
Yes, I tried and the issue seems to be with the browser cache, but shouldn't that be handled in some way by the Azure platform, as with this the user will not be able to see the latest events?
- Rod_Trent, Mar 27, 2020, Microsoft
ronakshah Can I ask which browser you are using?
Some browsers, due to additional plugins (and other factors), can be pretty aggressive with local cache to provide a faster web experience. Those should be configurable.
- CliveWatson, Mar 27, 2020, Former Employee
This can also be due to ago(24hrs) or ago(1d), which people use a lot. What you are saying is look back from now (the moment you press the enter key) to 24hrs ago. So at 12:00 you may get 2 events, at 12:15 only 1 (if the 2nd event happened between 12:00-12:15 the previous day).
I try and use (if you can) startofday(ago(1d)) in time queries as you get the data from a fixed point in time [midnight]. Also see endofday().
See: https://docs.microsoft.com/en-us/azure/kusto/query/startofdayfunction
Event
| where TimeGenerated between (startofday(ago(2d)) .. startofday(ago(1d)))
| summarize mintime = min(TimeGenerated), maxtime = max(TimeGenerated)

mintime                    maxtime
2020-03-25T00:01:08.23Z    2020-03-25T23:59:55Z
Thanks Clive
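
The sliding-window effect described in the reply above, as an added example that is not part of the original thread: the same constructed events are counted at two refresh times, once with a sliding 24-hour window and once with a window fixed to midnight boundaries, and only the sliding count changes between refreshes. The event rows, the AsOf column (a stand-in for now(), so AsOf - 1d plays the role of ago(1d)) and all other names are assumptions made for illustration.

```kusto
// Constructed sample events (not data from the thread).
let Events = datatable(TimeGenerated: datetime, Msg: string) [
    datetime(2020-03-26 11:50:00), "event A",
    datetime(2020-03-26 12:10:00), "event B",
    datetime(2020-03-27 09:00:00), "event C"
];
// Two workbook refresh times, 15 minutes apart. AsOf stands in for now()
// so the comparison is reproducible whenever the query is run.
let RefreshTimes = datatable(AsOf: datetime) [
    datetime(2020-03-27 12:00:00),
    datetime(2020-03-27 12:15:00)
];
RefreshTimes
| extend dummy = 1
// Cross join: evaluate every event against every refresh time.
| join kind=inner (Events | extend dummy = 1) on dummy
| summarize
    // Sliding window, equivalent to: TimeGenerated > ago(1d)
    SlidingCount = countif(TimeGenerated between ((AsOf - 1d) .. AsOf)),
    // Fixed window, equivalent to: between (startofday(ago(1d)) .. startofday(now()))
    FixedCount = countif(TimeGenerated between (startofday(AsOf - 1d) .. startofday(AsOf)))
    by AsOf
| order by AsOf asc
```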