Merge pull request Azure#13067 from Azure/v-kasghosh_salesforceServiceCloud_AnalyticRuleBugsfixing

v-atulyadav · web-flow · commit e69115f9a069 · 2025-11-11T12:06:34.000+05:30
Update analytic rules and bump solution to v3.0.8 for Salesforce Service Cloud
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -158,6 +158,7 @@
   "RubrikSecurityCloudAzureFunctions",
   "SailPointIdentityNow",
   "SalesforceServiceCloud",
+  "SalesforceServiceCloudCCPDefinition",
   "SAP",
   "SAPBTPAuditEvents",
   "SAPLogServ",
diff --git a/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml b/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
@@ -6,7 +6,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
-  - connectorId: SalesforceServiceCloud
+  - connectorId: SalesforceServiceCloudCCPDefinition
     dataTypes:
       - SalesforceServiceCloud
 queryFrequency: 1h
@@ -48,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: User
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-PasswordSpray.yaml b/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-PasswordSpray.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
-  - connectorId: SalesforceServiceCloud
+  - connectorId: SalesforceServiceCloudCCPDefinition
     dataTypes:
       - SalesforceServiceCloud
 queryFrequency: 1h
@@ -21,6 +21,7 @@ query: |
   SalesforceServiceCloud
   | where EventType =~ 'Login' and  LoginStatus != 'LOGIN_NO_ERROR'
   | where LoginStatus  in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')
+  | extend TimestampDerived = todatetime(TimestampDerived)
   | summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimestampDerived, 5m)
   | where UserCount > FailureThreshold
 customDetails:
@@ -30,5 +31,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIp
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml b/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml
@@ -5,7 +5,7 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
-  - connectorId: SalesforceServiceCloud
+  - connectorId: SalesforceServiceCloudCCPDefinition
     dataTypes:
       - SalesforceServiceCloud
 queryFrequency: 1h
@@ -25,6 +25,7 @@ query: |
   | project TimeGenerated, TimestampDerived, ClientIp, UserId, User, UserType ;
   UsersLocation
   | extend Dummy=1
+  | extend TimestampDerived = todatetime(TimestampDerived)
   | summarize count() by Hour=bin(TimestampDerived,30m), ClientIp,User, Dummy
   | partition by Hour(
                   lookup (Countrydb|extend Dummy=1) on Dummy
@@ -37,5 +38,5 @@ entityMappings:
     fieldMappings:
       - identifier: AadUserId
         columnName: User
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json b/Solutions/Salesforce Service Cloud/Data/Solution_TSalesforceCloudtemplateSpec.json
@@ -18,7 +18,7 @@
     "Workbooks/SalesforceServiceCloud.json"
   ],
   "BasePath": "C:\\NewCodeBase\\Azure-Sentinel\\Solutions\\Salesforce Service Cloud",
-  "Version": "3.0.7",
+  "Version": "3.0.8",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false
diff --git a/Solutions/Salesforce Service Cloud/Package/3.0.8.zip b/Solutions/Salesforce Service Cloud/Package/3.0.8.zip
diff --git a/Solutions/Salesforce Service Cloud/Package/mainTemplate.json b/Solutions/Salesforce Service Cloud/Package/mainTemplate.json
@@ -55,29 +55,29 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Salesforce Service Cloud",
-    "_solutionVersion": "3.0.7",
+    "_solutionVersion": "3.0.8",
     "solutionId": "azuresentinel.azure-sentinel-solution-salesforceservicecloud",
     "_solutionId": "[variables('solutionId')]",
     "analyticRuleObject1": {
-      "analyticRuleVersion1": "1.0.3",
+      "analyticRuleVersion1": "1.0.4",
       "_analyticRulecontentId1": "5a6ce089-e756-40fb-b022-c8e8864a973a",
       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5a6ce089-e756-40fb-b022-c8e8864a973a')]",
       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5a6ce089-e756-40fb-b022-c8e8864a973a')))]",
-      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5a6ce089-e756-40fb-b022-c8e8864a973a','-', '1.0.3')))]"
+      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5a6ce089-e756-40fb-b022-c8e8864a973a','-', '1.0.4')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.3",
+      "analyticRuleVersion2": "1.0.4",
       "_analyticRulecontentId2": "64d16e62-1a17-4a35-9ea7-2b9fe6f07118",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '64d16e62-1a17-4a35-9ea7-2b9fe6f07118')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('64d16e62-1a17-4a35-9ea7-2b9fe6f07118')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64d16e62-1a17-4a35-9ea7-2b9fe6f07118','-', '1.0.3')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64d16e62-1a17-4a35-9ea7-2b9fe6f07118','-', '1.0.4')))]"
     },
     "analyticRuleObject3": {
-      "analyticRuleVersion3": "1.0.3",
+      "analyticRuleVersion3": "1.0.4",
       "_analyticRulecontentId3": "3094e036-e5ae-4d6e-8626-b0f86ebc71f2",
       "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3094e036-e5ae-4d6e-8626-b0f86ebc71f2')]",
       "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3094e036-e5ae-4d6e-8626-b0f86ebc71f2')))]",
-      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3094e036-e5ae-4d6e-8626-b0f86ebc71f2','-', '1.0.3')))]"
+      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3094e036-e5ae-4d6e-8626-b0f86ebc71f2','-', '1.0.4')))]"
     },
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
     "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
@@ -112,7 +112,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Salesforce-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.7",
+        "description": "Salesforce-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.8",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -140,10 +140,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "SalesforceServiceCloudCCPDefinition",
                     "dataTypes": [
                       "SalesforceServiceCloud"
-                    ],
-                    "connectorId": "SalesforceServiceCloud"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -154,18 +154,18 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "User",
                         "identifier": "FullName"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ],
                 "customDetails": {
-                  "EventStartTime": "FailureStartTime",
                   "EventEndTime": "SuccessEndTime",
+                  "EventStartTime": "FailureStartTime",
                   "IPAddresses": "IpAddresses"
                 }
               }
@@ -221,7 +221,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Salesforce-PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
+        "description": "Salesforce-PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.8",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -238,7 +238,7 @@
                 "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minutes timeframe from the same source. This is a potential indication of a password spray attack.",
                 "displayName": "Potential Password Spray Attack",
                 "enabled": false,
-                "query": "let FailureThreshold = 15;  \nSalesforceServiceCloud\n| where EventType =~ 'Login' and  LoginStatus != 'LOGIN_NO_ERROR'\n| where LoginStatus  in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')\n| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimestampDerived, 5m)\n| where UserCount > FailureThreshold\n",
+                "query": "let FailureThreshold = 15;  \nSalesforceServiceCloud\n| where EventType =~ 'Login' and  LoginStatus != 'LOGIN_NO_ERROR'\n| where LoginStatus  in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')\n| extend TimestampDerived = todatetime(TimestampDerived)\n| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimestampDerived, 5m)\n| where UserCount > FailureThreshold\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -249,10 +249,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "SalesforceServiceCloudCCPDefinition",
                     "dataTypes": [
                       "SalesforceServiceCloud"
-                    ],
-                    "connectorId": "SalesforceServiceCloud"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -263,13 +263,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
                         "columnName": "ClientIp",
                         "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ],
                 "customDetails": {
@@ -328,7 +328,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Salesforce-SigninsMultipleCountries_AnalyticalRules Analytics Rule with template version 3.0.7",
+        "description": "Salesforce-SigninsMultipleCountries_AnalyticalRules Analytics Rule with template version 3.0.8",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -345,7 +345,7 @@
                 "description": "This query searches for successful user logins from different countries within 30 mins.",
                 "displayName": "User Sign in from different countries",
                 "enabled": false,
-                "query": "let threshold = 2;\nlet Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\n[@\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\"];\nlet UsersLocation = SalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'\n| project TimeGenerated, TimestampDerived, ClientIp, UserId, User, UserType ;\nUsersLocation\n| extend Dummy=1\n| summarize count() by Hour=bin(TimestampDerived,30m), ClientIp,User, Dummy\n| partition by Hour(\n                lookup (Countrydb|extend Dummy=1) on Dummy\n              | where ipv4_is_match(ClientIp, Network)\n              )\n| summarize NumOfCountries = dcount(country_name) by User, Hour\n| where NumOfCountries >= threshold\n",
+                "query": "let threshold = 2;\nlet Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\n[@\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\"];\nlet UsersLocation = SalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'\n| project TimeGenerated, TimestampDerived, ClientIp, UserId, User, UserType ;\nUsersLocation\n| extend Dummy=1\n| extend TimestampDerived = todatetime(TimestampDerived)\n| summarize count() by Hour=bin(TimestampDerived,30m), ClientIp,User, Dummy\n| partition by Hour(\n                lookup (Countrydb|extend Dummy=1) on Dummy\n              | where ipv4_is_match(ClientIp, Network)\n              )\n| summarize NumOfCountries = dcount(country_name) by User, Hour\n| where NumOfCountries >= threshold\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -356,10 +356,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "SalesforceServiceCloudCCPDefinition",
                     "dataTypes": [
                       "SalesforceServiceCloud"
-                    ],
-                    "connectorId": "SalesforceServiceCloud"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -370,13 +370,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "User",
                         "identifier": "AadUserId"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   }
                 ]
               }
@@ -2949,7 +2949,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SalesforceServiceCloud Data Parser with template version 3.0.7",
+        "description": "SalesforceServiceCloud Data Parser with template version 3.0.8",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -3081,7 +3081,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SalesforceServiceCloud Workbook with template version 3.0.7",
+        "description": "SalesforceServiceCloud Workbook with template version 3.0.8",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -3165,7 +3165,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.7",
+        "version": "3.0.8",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Salesforce Service Cloud",
diff --git a/Solutions/Salesforce Service Cloud/ReleaseNotes.md b/Solutions/Salesforce Service Cloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.8       | 04-11-2025                     | Resolved bugs in **Analytic rules** related to TimestampDerived field.         |
 | 3.0.7       | 02-11-2025                     | Updated CCF Data Connector polling config to v65.0.                |
 | 3.0.6       | 17-10-2025                     | Updated KQL transformation logic to map USER_NAME to the UserEmail column instead of USER_EMAIL.|
 | 3.0.5       | 20-08-2025                     | Moving Salesforce Service cloud **CCF Data Connector** to GA.		|
