Introduction
This document describes how Cache in SecureX Tiles works.
Is the Information in SecureX Live Data?
The answer to that question is No. In SecureX, each integration and each Tile is subject to a Cache.
The expiration time varies, based on the integration and the Tile itself.
This example uses the Secure Endpoint (CSE) integration with SecureX.
First, validate that the integration is valid and works, then navigate to Integration Modules > My Integration Modules.
Search for your Secure Endpoint Module and confirm it is integrated and does not show an error.
Integration check
Then, trigger a Quarantine Event in your CSE console.
Console event
Navigate back to SecureX and check the tile that corresponds to Quarantines. Notice that there is no data.
SecureX No Data
As shown in the image, at least 2 minutes have passed since the event occurred in the CSE console.
Time of query
To better understand why no data appears in your dashboard, navigate to the Quarantines Tile, and click the ellipsis (...) > Information.
SecureX Quarantine
This information shows you the valid_time value that is hardcoded for this specific Tile in SecureX.
Navigate to data and expand the section that says valid_time.
API Information
Regardless of the time you query it, the difference between start_time and end_time is always 5 minutes.
Note that, as previously mentioned, this start_time and end_time difference depends on the integration and the Tile itself.
Navigate back to SecureX after at least 5 minutes have elapsed, and you can now see the event.
Quarantine Event
Post cache time
The information refreshes itself. However, if you want more information, you can capture HTTP Archive Format (HAR) logs during your troubleshooting session.
Note: It is suggested to use persistent HAR logs. They are larger, but they survive redirections and page refreshes.
If you collect HAR logs and open them, you can see the Valid time for when the event occurred and correlate the time of the detection in Secure Endpoint Console and SecureX.
Valid time
Notice that the start_time is 19:30:00 UTC. If you see the event in the Secure Endpoint console, the Quarantine occurred at 19:31:20 UTC.
However, in SecureX, by the time you look for the information (at around 19:33:26 UTC/13:33:26 CST), the end_time has not yet been reached, so the Cache has not expired.
Still, you can see that the Telemetry was Posted to SecureX.
API information
You can see in the HAR logs that the Cache expires and a new start_time begins.
Note: In the API information of SecureX, you can see the URL used, so you can check your HAR logs and compare.
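The HAR correlation described above can be scripted. The following is an added example, not Cisco code: it reads a HAR capture, pulls data.valid_time from each tile response, and reports whether an event was still behind an open cache window at the time of a query. Assumptions: timestamps are ISO 8601, the tile URL fragment is supplied by you (copy it from the Tile's API information), and the sample HAR, its date, and its host are constructed.

```python
import base64, json
from datetime import datetime

def ts(s):
    # Assumption: timestamps are ISO 8601, like HAR's own startedDateTime field.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def tile_windows(har, url_part):
    """Return sorted [(fetched_at, start_time, end_time)] for responses carrying data.valid_time."""
    windows = []
    for entry in har["log"]["entries"]:
        if url_part not in entry["request"]["url"]:
            continue
        content = entry["response"].get("content", {})
        text = content.get("text") or ""
        if content.get("encoding") == "base64":  # HAR may store bodies base64-encoded
            text = base64.b64decode(text).decode("utf-8", "replace")
        try:
            valid = json.loads(text)["data"]["valid_time"]
            window = (ts(entry["startedDateTime"]), ts(valid["start_time"]), ts(valid["end_time"]))
        except (ValueError, KeyError, TypeError):
            continue  # not a tile payload (HTML, empty body, different JSON shape)
        windows.append(window)
    return sorted(windows)

def event_status(event_time, query_time, windows):
    """'cached' while the window containing the event is still open at query time, else 'refreshed'."""
    event, query = ts(event_time), ts(query_time)
    for _, start, end in windows:
        if start <= event < end:
            return "cached" if query < end else "refreshed"
    return "no-window"  # the capture holds no window covering the event

# Constructed sample: date, host and path are placeholders; the times follow the walkthrough above.
def _entry(at, start, end, b64=False):
    body = json.dumps({"data": {"valid_time": {"start_time": start, "end_time": end}}})
    content = {"text": base64.b64encode(body.encode()).decode(), "encoding": "base64"} if b64 else {"text": body}
    return {"startedDateTime": at, "request": {"url": "https://securex.example/tile-data"},
            "response": {"content": content}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-01-01T19:33:26Z", "2024-01-01T19:30:00Z", "2024-01-01T19:35:00Z"),
    _entry("2024-01-01T19:35:10Z", "2024-01-01T19:35:00Z", "2024-01-01T19:40:00Z", b64=True),
    {"startedDateTime": "2024-01-01T19:33:27Z", "request": {"url": "https://securex.example/tile-data"},
     "response": {"content": {"text": "<html>"}}},
]}}

if __name__ == "__main__":
    wins = tile_windows(SAMPLE_HAR, "/tile-data")
    for fetched, start, end in wins:
        print(fetched.time(), start.time(), end.time(), end - start)
    print(event_status("2024-01-01T19:31:20Z", "2024-01-01T19:33:26Z", wins))
```

To use it on a real capture, load the file with json.load and pass the URL fragment shown in the Tile's API information as url_part.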
Example of Cache Expiration
- Secure Client - Computer Summary: Almost Instant
- FMC - Event Summary: 1 minute
- SMA - Incoming Mail Summary: 5 minutes
- Umbrella - Security Blocks by Category (General): 5 minutes