What Changed
Fixed critical bugs in Salesforce Service Cloud analytic rules preventing proper deployment and execution.
Detection Logic Fixes
- Timestamp conversion issue resolved: Added explicit todatetime(TimestampDerived) conversion in PasswordSpray and SigninsMultipleCountries rules
- Connector ID updates: Corrected connectorId references from SalesforceServiceCloud to SalesforceServiceCloudCCPDefinition across all three rules
- All three rules affected: Brute Force, Password Spray, and Multiple Countries signin detection rules
Security Impact (Visibility & Fidelity)
Critical deployment fix: Detection rules were failing to be created because of timestamp field handling errors:
- TimestampDerived was not explicitly converted to the datetime type, so the KQL queries failed validation when the rules were created
- Rules could not be deployed through Content Hub or ARM templates
- Fix restores detection capabilities for Salesforce authentication threats including brute force attacks, password spray campaigns, and impossible travel scenarios
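To make the two fixes concrete, the following is an added illustrative analytic rule file in the Sentinel YAML format, written for this note and not taken from the solution's own rule files. It assumes a table named SalesforceServiceCloud_CL with columns UserName, SourceIp and LoginStatus, a placeholder GUID, and constructed threshold values; only TimestampDerived, the two connectorId values and the todatetime() conversion come from the change described above.

```yaml
# Illustrative Sentinel scheduled analytic rule (added example, not the solution's own file).
# Assumed / hypothetical: table name SalesforceServiceCloud_CL, columns UserName,
# SourceIp, LoginStatus, the placeholder GUID, and every threshold value.
id: 00000000-0000-0000-0000-000000000000   # placeholder, not a real rule id
name: Salesforce - Password Spray (illustrative)
description: |
  Illustrative rule: one source IP producing failed logins for many distinct
  users within a short window.
severity: Medium
requiredDataConnectors:
  # Corrected connector reference; the old value was SalesforceServiceCloud.
  - connectorId: SalesforceServiceCloudCCPDefinition
    dataTypes:
      - SalesforceServiceCloud_CL          # assumed table name
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  let lookback = 1h;
  let distinctUserThreshold = 10;          // constructed threshold
  SalesforceServiceCloud_CL
  // TimestampDerived is not guaranteed to be typed as datetime; without the
  // explicit conversion, ago()/min()/max() over it fail rule validation.
  | extend EventTime = todatetime(TimestampDerived)
  // todatetime() yields null for unparseable input; drop those rows rather
  // than letting them silently fall out of every time comparison.
  | where isnotnull(EventTime)
  | where EventTime > ago(lookback)
  | where LoginStatus =~ "Failure"          // assumed column and value
  | summarize
      DistinctUsers = dcount(UserName),
      FailedAttempts = count(),
      StartTime = min(EventTime),
      EndTime = max(EventTime)
    by SourceIp
  | where DistinctUsers >= distinctUserThreshold
  | project StartTime, EndTime, SourceIp, DistinctUsers, FailedAttempts
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIp
version: 1.0.0
kind: Scheduled
```

The `requiredDataConnectors` block is where the connectorId mismatch surfaces: Content Hub and the ARM template resolve that id against the solution's connector definition, so a stale name breaks packaging even when the query itself is sound. The `isnotnull(EventTime)` filter is a defensive addition beyond the page's fix; it keeps malformed timestamps from quietly shrinking the detection window.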
Affected Files
Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-PasswordSpray.yaml
Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml
(packaging artefacts: mainTemplate.json, 3.0.8.zip)