Azure Sentinel Workbook Displays Old Data Due To Caching


I have created a KQL query and used it to plot a Tile view in the workbook. The data in the Tile is supposed to change based on the Timerange filter I have added. This works fine until new events are received. So let's say I have selected "Last 24 hours" at 12 PM and the count in the tile is "2". Now I keep the session idle for a few minutes and at 12:10 PM a new event arrives. Thereafter, when I change the Timerange filter to "Last 5 minutes", I see the new event, but when I change the Timerange filter back to "Last 24 hours", the count will still be "2" instead of "3".

However, when I refresh the entire web page, the count will be updated. Is there any way to overcome this? I think the results are being cached by Azure and reused, but is there a way to disable this?

4 Replies

@ronakshah Have you tested to make sure it's not the web browser caching the content? Try running the Workbook in an inPrivate Window to test.

@rodtrent

Yes, I tried, and the issue seems to be with the browser cache, but shouldn't that be handled in some way by the Azure platform, as with this the user will not be able to see the latest events?

@ronakshah Can I ask which browser you are using?

Some browsers, due to additional plugins (and other factors), can be pretty aggressive with the local cache to provide a faster web experience. Those should be configurable.

@rodtrent

This can also be due to ago(24hrs) or ago(1d), which people use a lot. What you are saying is look back from now (the moment you press the enter key) to 24hrs ago. So at 12:00 you may get 2 events, at 12:15 only 1 (if the 2nd event happened between 12:00-12:15 the previous day).

I try to use (if you can) startofday(ago(1d)) in time queries, as you get the data from a fixed point in time [midnight]. Also see endofday().

See: https://docs.microsoft.com/en-us/azure/kusto/query/startofdayfunction

Event
| where TimeGenerated between (startofday(ago(2d)) .. startofday(ago(1d)))
| summarize mintime = min(TimeGenerated), maxtime = max(TimeGenerated)

Result:

mintime                  maxtime
2020-03-25T00:01:08.23Z  2020-03-25T23:59:55Z


Thanks Clive
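To make the sliding-window point above concrete, the following is an added example, not a query from this thread or from Microsoft's documentation. It builds a small constructed event table with datatable and counts the same events three ways: a relative window evaluated at 12:00, the same relative window evaluated at 12:15, and a calendar-day window anchored with startofday()/endofday(). The event timestamps, EventID values and the two fixed "now" values (now1, now2) are assumptions chosen to reproduce the 12:00-vs-12:15 scenario described above; in a real workbook ago() is evaluated against the actual current time.

```kusto
// Constructed sample events (assumed values, not real telemetry).
let Events = datatable(TimeGenerated: datetime, EventID: int) [
    datetime(2020-03-25 11:50:00), 1001,
    datetime(2020-03-25 12:10:00), 1002,
    datetime(2020-03-26 09:00:00), 1003
];
// Two moments at which the tile might be evaluated (assumed).
let now1 = datetime(2020-03-26 12:00:00);
let now2 = datetime(2020-03-26 12:15:00);
Events
| summarize
    // Relative window: equivalent to "where TimeGenerated > ago(1d)" run at 12:00.
    // Events at 03-25 12:10 and 03-26 09:00 fall inside -> 2.
    SlidingAt1200 = countif(TimeGenerated > now1 - 1d and TimeGenerated <= now1),
    // Same relative window run 15 minutes later: the 03-25 12:10 event
    // has slipped out of the look-back, so the count drops -> 1.
    SlidingAt1215 = countif(TimeGenerated > now2 - 1d and TimeGenerated <= now2),
    // Calendar-day window anchored at midnight: yesterday's full day
    // (03-25 00:00:00 .. 23:59:59.999) gives the same answer at 12:00 and 12:15 -> 2.
    FixedPreviousDay = countif(TimeGenerated between (startofday(now1 - 1d) .. endofday(now1 - 1d)))
```

Replace the fixed now1/now2 with now() to turn this back into a live query; the difference between the two columns is exactly the drift Clive describes, and the startofday()/endofday() form is the one whose tile value only changes when a genuinely new event lands in the chosen day.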