I developed this rule to detect incorrectly synchronized devices. The rule is based on a timediff between end time and manager receipt time.
A few notes:
- The acceptable time needed to get an event into the manager from a device can vary depending on the network location or connector type. So it could be useful to create several rules with different timediffs.
- Results can sometimes not be perfectly accurate. For instance, if your connector is emptying its cache, the timediff for older events will be higher than your threshold and the device will be considered as being out of sync, which is not necessarily the case. To circumvent this issue, you can exclude from the rule events coming from a connector emptying its cache (see http://forum.arcsight.com/showthread.php?t=1453 for more info).
Even if not always 100% accurate, I found this indicator to be very useful when used in conjunction with a report to pinpoint time synchronization problems.
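The check described above, written out as an added Python example that is not part of the original post and not an ArcSight rule: it computes the timediff between endTime and managerReceiptTime for constructed sample events, applies a per-zone threshold (standing in for the "several rules with different timediff" idea), and skips events that look like a connector cache flush. The cache-flush heuristic used here (manager receipt trailing agent receipt by a large gap) is an assumption made for this example, not the method from the linked thread; the `zone` attribute, the threshold values and the sample events are all constructed.

```python
from datetime import datetime

# Thresholds in seconds. Assumed values for this example; tune per network
# location or connector type, which is what separate rules would do in ArcSight.
THRESHOLDS = {"remote_site": 900}   # keyed by a constructed "zone" attribute
DEFAULT_THRESHOLD = 300
# Assumed heuristic: if the manager receives an event more than this many seconds
# after the connector (agent) did, treat it as a cache flush rather than a clock issue.
CACHE_FLUSH_GAP = 600


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def event(device, zone, end, agent_rcpt, mgr_rcpt):
    # Field names follow the ArcSight event schema; values are constructed.
    return {
        "deviceAddress": device,
        "zone": zone,
        "endTime": parse(end),
        "agentReceiptTime": parse(agent_rcpt),
        "managerReceiptTime": parse(mgr_rcpt),
    }


# Constructed sample events (device, zone, endTime, agentReceiptTime, managerReceiptTime).
EVENTS = [
    event("10.0.0.1", "dc", "2024-01-01 12:00:00", "2024-01-01 12:00:02", "2024-01-01 12:00:05"),
    event("10.0.0.2", "dc", "2024-01-01 11:30:00", "2024-01-01 11:30:01", "2024-01-01 12:00:05"),
    event("10.0.0.3", "dc", "2024-01-01 11:00:00", "2024-01-01 12:00:01", "2024-01-01 12:00:03"),
    event("10.0.0.4", "dc", "2024-01-01 12:10:00", "2024-01-01 12:00:01", "2024-01-01 12:00:03"),
    event("10.0.0.5", "remote_site", "2024-01-01 11:50:00", "2024-01-01 11:59:55", "2024-01-01 12:00:00"),
]


def time_skew(ev):
    # Positive: device clock (or delivery) behind the manager; negative: device clock ahead.
    return (ev["managerReceiptTime"] - ev["endTime"]).total_seconds()


def is_cache_flush(ev, gap=CACHE_FLUSH_GAP):
    # Event sat in the connector cache long before reaching the manager.
    return (ev["managerReceiptTime"] - ev["agentReceiptTime"]).total_seconds() > gap


def out_of_sync_devices(events, thresholds=THRESHOLDS, default=DEFAULT_THRESHOLD,
                        exclude_cache_flush=True):
    """Return {deviceAddress: worst skew in seconds} for devices over their threshold."""
    flagged = {}
    for ev in events:
        if exclude_cache_flush and is_cache_flush(ev):
            continue
        threshold = thresholds.get(ev["zone"], default)
        skew = time_skew(ev)
        if abs(skew) > threshold:
            addr = ev["deviceAddress"]
            # Keep the most extreme skew seen per device.
            if abs(skew) > abs(flagged.get(addr, 0.0)):
                flagged[addr] = skew
    return flagged


if __name__ == "__main__":
    for addr, skew in sorted(out_of_sync_devices(EVENTS).items()):
        direction = "behind" if skew > 0 else "ahead"
        print(f"{addr}: clock {direction} by {abs(skew):.0f}s")
```

With the cache-flush exclusion enabled, 10.0.0.2 (old endTime, but held at the connector for half an hour) is skipped, while 10.0.0.3 (about an hour behind) and 10.0.0.4 (about ten minutes ahead) are reported; 10.0.0.5 stays under its larger remote-site threshold. Disabling the exclusion reproduces the false positive the post warns about.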