24 hour delay for Brute Force Attack notification alert and logs

Article ID: 226417

Updated On:

Products

CASB Security Advanced

Issue/Introduction

Brute Force Attack activity appears in CloudSOC shortly after the incident; however, the corresponding alert and logs (including logs forwarded to a SIEM agent, if one is in use) take 24 hours to arrive.

Resolution

This is working as designed. The delay exists to overcome an inconsistency in how different SaaS apps report activity through their APIs. If this inconsistency were not allowed for, there would be false negatives.

Data-at-rest (Securlets) monitoring always has a delay in processing incidents, depending on the type of event, and the brute force attack delay is set at 24 hours. The recommendation is to evaluate using Data-in-Motion (Gateway) to monitor such incidents inline, as they happen. Securlets are meant to monitor and make changes to data resting in the cloud; Gatelets are meant to enforce policy on traffic during the activity.