Bug: Custom Date Searches v 30d option


We are getting vastly different results depending on how we search Incidents using Lighthouse Multi-Tenant View. 

Scenario:

A) Set filters to the pre-built 30d search, filter the workspace we are working on to be the only one checked, and set the filter to look for New/Active. It results in 51 Incidents.

B) Using the same filters, except using Custom Date Range for the same 30d, only with specific start/end times, the results are 429 New/Active Incidents (i.e., June 2, 2020 12p to July 2, 2020 12p).

 

This is a huge discrepancy with the only variable that changes being the prebuilt timerange and the custom set timerange. 

 

Thoughts?

1 Reply

@caseytuohey 

 

This may be an option (if not, can you share your query example?). Did you do this?

 

| where TimeGenerated > ago(30d) 

Then it will run from the time you press return (so maybe 10:04 - my current time). If you need a whole day, then try this, which is from midnight 30 days ago.

| where TimeGenerated > startofday(ago(30d))

You may want to combine this with a between to capture. This reminds me I have prepared a blog on this topic, which I need to finish! There is an endofday option as well.
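
The three windows mentioned in the reply, compared side by side. This is an added example and not part of the original reply; the `sample` table and its 6-hour spacing are constructed so the query runs in any workspace without touching real incident data.

```kusto
// Constructed sample: one synthetic record every 6 hours, covering the last 32 days.
let sample = range i from 0 to 127 step 1
    | extend TimeGenerated = now() - i * 6h;
sample
| summarize
    // Rolling window: starts exactly 30 days before the moment the query runs.
    Rolling30d = countif(TimeGenerated > ago(30d)),
    // Window snapped back to midnight (UTC) of the day 30 days ago.
    FromMidnight = countif(TimeGenerated > startofday(ago(30d))),
    // Whole calendar days on both ends, using between with startofday/endofday.
    WholeDays = countif(TimeGenerated between (startofday(ago(30d)) .. endofday(now())))
// Show the boundaries each filter actually used, so they can be compared
// with the start/end times entered in a custom date range.
| extend RollingStart = ago(30d),
         MidnightStart = startofday(ago(30d)),
         WindowEnd = endofday(now())
```

Replacing `sample` with the table behind the incident view, and adding a fourth `countif` with the exact custom start and end datetimes, shows which boundary accounts for a difference in counts.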