Unable to find MAC addresses' entity.asset.first_seen_time

I'm trying to get a first_seen_time for MAC address assets in a rule, but finding that a majority of the derived_context asset entities have entity.asset.first_seen_time set as 1 second after epoch. Motivation being to create a rule similar to the one in John Stoner's blog here, except using mac instead of hostname.

Using something like this to just look at MAC assets' entity info.

rule testing_first_seen_mac {
meta:
    description = "test"
events:
    $connection.metadata.event_type = "NETWORK_CONNECTION"
    $connection.principal.mac = $mac

    $entity.graph.metadata.source_type = "DERIVED_CONTEXT"
    $entity.graph.entity.asset.mac = $mac
match:
    $mac over 24h
outcome:
    $entity_first_seen = array_distinct($entity.graph.entity.asset.first_seen_time.seconds)
condition:
    $connection and $entity
}


Nearly all of the mac assets I look at have entity information identical to below:

metadata.collected_timestamp: "1970-01-01T00:00:01Z"
metadata.entity_type: "ASSET"
metadata.interval.start_time: "1970-01-01T00:00:01Z"
metadata.interval.end_time: "9999-12-31T00:00:00Z"
metadata.source_type: "DERIVED_CONTEXT"
entity.mac[0]: "xx:xx:xx:xx:xx:xx"
entity.asset.mac[0]: "xx:xx:xx:xx:xx:xx"
entity.asset.first_seen_time: "1970-01-01T00:00:01Z"

I have seen a few rare occasions where it actually has a real date, but most of the time it looks like the above. Same results across multiple tenants.

Documentation here makes it sound like entities describing assets such as a MAC address should have first_seen_time populated. Am I looking at the wrong place or is there a reason for this almost always being inaccurate?
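An added example (not part of the post or of the product) that mirrors the rule's join in Python over constructed records in the shape shown above: it links NETWORK_CONNECTION events to DERIVED_CONTEXT asset entities by MAC, and treats a first_seen_time of 1970-01-01T00:00:01Z as unpopulated rather than as a real date. Field names follow the UDM paths quoted in the post; the choice to discard the epoch+1 value is an assumption based on the behaviour the post describes.

```python
from datetime import datetime, timezone

# Constructed sample records (not real tenant data), flattened to the UDM paths used in the post.
ENTITIES = [
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac": ["aa:bb:cc:00:00:01"],
     "entity.asset.first_seen_time": "1970-01-01T00:00:01Z"},   # placeholder, as reported in the post
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac": ["aa:bb:cc:00:00:02"],
     "entity.asset.first_seen_time": "2024-03-10T08:15:00Z"},   # a real first-seen value
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac": ["aa:bb:cc:00:00:02"],
     "entity.asset.first_seen_time": "2024-05-01T00:00:00Z"},   # later record for the same MAC
]
CONNECTIONS = [
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.mac": "aa:bb:cc:00:00:01"},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.mac": "aa:bb:cc:00:00:02"},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.mac": "aa:bb:cc:00:00:03"},
]

# Assumption: a first_seen_time at or below one second after epoch means "not populated".
PLACEHOLDER_SECONDS = 1


def to_epoch_seconds(ts):
    """Convert an RFC 3339 UTC timestamp such as 2024-03-10T08:15:00Z to integer epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def first_seen_by_mac(entities):
    """Return {mac: earliest real first_seen_time in seconds}, skipping placeholder values."""
    seen = {}
    for ent in entities:
        if ent.get("metadata.source_type") != "DERIVED_CONTEXT":
            continue
        secs = to_epoch_seconds(ent["entity.asset.first_seen_time"])
        if secs <= PLACEHOLDER_SECONDS:
            continue
        for mac in ent.get("entity.asset.mac", []):
            seen[mac] = min(secs, seen.get(mac, secs))
    return seen


def classify_connections(connections, entities):
    """Mirror the rule's $connection/$entity join on $mac and label each MAC as
    'known' (real first_seen_time), 'placeholder_only' (entity exists but only
    carries the epoch+1 value) or 'no_entity' (no DERIVED_CONTEXT asset at all)."""
    real = first_seen_by_mac(entities)
    placeholder = {m for e in entities for m in e.get("entity.asset.mac", [])
                   if to_epoch_seconds(e["entity.asset.first_seen_time"]) <= PLACEHOLDER_SECONDS}
    result = {}
    for conn in connections:
        if conn.get("metadata.event_type") != "NETWORK_CONNECTION":
            continue
        mac = conn["principal.mac"]
        result[mac] = "known" if mac in real else "placeholder_only" if mac in placeholder else "no_entity"
    return result
```

Running `classify_connections(CONNECTIONS, ENTITIES)` shows which MACs a first-seen rule can safely act on and which would be mis-dated if the placeholder were taken at face value.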
