Salesforce Shield alert on anomaly event

salesforce

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect when Salesforce Shield generates an anomaly- or security-related alert.

Strategy

Using logs generated by Salesforce Shield, this rule monitors for the following events:

  • ApiAnomalyEventStore
  • CredentialStuffingEventStore
  • GuestUserAnomalyEventStore
  • LoginAnomalyEventStore
  • ReportAnomalyEventStore
  • SessionHijackingEventStore

To learn more, see the Salesforce Shield documentation.

Triage and response

  • Examine the associated user id and triggering security event within the Salesforce audit logs.
  • Determine if the type of anomaly event and pivot to related logs.
  • If alert detected suspicious or malicious behavior, revoke permissions and review audit logs for access events. If external access events occurred, initiate your incident response plan.