Incorrect Timestamp data used in Salesforce Analytic Rule #14490

@gatko711

The Timestamp data used in Salesforce Analytic Rule Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml is incorrect.
The current rule uses TimeGenerated data for FailureStartTime, FailureEndTime, SuccessStartTime, and SuccessEndTime. TimeGenerated data shows the time of log message ingestion into Sentinel, not the time of the activity recorded by Salesforce.
As per the previous change to the Salesforce-PasswordSpray.yaml rule, the use of TimeGenerated should be replaced with TimestampDerived/timestamp_derived_t.

An example of the difference between the timestamp data in these logs is displayed in the attached screenshot.
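
An added illustration of the effect reported above (not part of the original issue and not the rule's own query): the same login records summarized once by event time and once by ingestion time. The records are constructed, and the `User`/`Status` fields, the batch delay, the threshold and the failures-then-success check are assumptions; only the `TimeGenerated`/`TimestampDerived` names and the four output field names come from the issue.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample: five failed logins one minute apart, then a success.
# Assumption: all six records arrive in one batch about an hour later, and the
# order inside the batch does not match the order of the original activity.
BATCH = ts("2024-01-10 10:02:00")
EVENTS = [
    {"User": "alice", "Status": "FAIL",
     "TimestampDerived": ts("2024-01-10 09:00:00") + timedelta(minutes=i),
     "TimeGenerated": BATCH + timedelta(seconds=5 - i)}
    for i in range(5)
]
EVENTS.append({"User": "alice", "Status": "SUCCESS",
               "TimestampDerived": ts("2024-01-10 09:05:00"),
               "TimeGenerated": BATCH})

def summarize(events, time_field):
    """Per-user failure/success windows computed from the chosen time column."""
    buckets = {}
    for e in events:
        b = buckets.setdefault(e["User"], {"fail": [], "ok": []})
        b["fail" if e["Status"] == "FAIL" else "ok"].append(e[time_field])
    return {
        user: {
            "FailureCount": len(b["fail"]),
            "FailureStartTime": min(b["fail"], default=None),
            "FailureEndTime": max(b["fail"], default=None),
            "SuccessStartTime": min(b["ok"], default=None),
            "SuccessEndTime": max(b["ok"], default=None),
        }
        for user, b in buckets.items()
    }

def success_follows_failures(row, threshold=5, window=timedelta(minutes=10)):
    """Hypothetical check: enough failures, then a success shortly afterwards."""
    if row["FailureCount"] < threshold or row["SuccessStartTime"] is None:
        return False
    gap = row["SuccessStartTime"] - row["FailureEndTime"]
    return timedelta(0) <= gap <= window

if __name__ == "__main__":
    for field in ("TimestampDerived", "TimeGenerated"):
        row = summarize(EVENTS, field)["alice"]
        print(field, row["FailureStartTime"], row["FailureEndTime"],
              row["SuccessStartTime"], success_follows_failures(row))
```

By event time the failures span 09:00 to 09:04 with the success at 09:05; by ingestion time the same activity appears as a four-second burst an hour later, with the success ordered before the failures.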
