Salesforce login from new application


Goal

Detects Salesforce logins from third-party applications that have not been previously observed in the environment.

Strategy

This rule monitors Salesforce LoginEvent login events that include an @application field. The LoginEvent type is only available through Salesforce’s Real Time Event Monitoring logging tier.

Using the new value detection method, the rule generates a signal when an application that has not been previously observed in audit logs successfully authenticates to the Salesforce environment. A new application accessing Salesforce may reflect legitimate business expansion or a new integration, or it may be a malicious application attempting unauthorized access.
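The new value logic described above, run over a few log lines, as an added example (not Datadog's implementation and not code from this page). The JSON key names "timestamp" and "status", the fixed learning window, and every sample value are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample events, not real logs. "application", "login_sub_type" and
# "network.client.ip" mirror the attributes the rule references; "timestamp"
# and "status" are assumed key names, and all values are placeholders.
SAMPLE_LOGS = """
{"timestamp":"2025-08-01T09:00:00+00:00","application":"Example CRM Sync","login_sub_type":"example-subtype-a","status":"Success","network":{"client":{"ip":"198.51.100.10"}}}
{"timestamp":"2025-08-02T10:00:00+00:00","application":"Example Mail Plugin","login_sub_type":"example-subtype-b","status":"Success","network":{"client":{"ip":"198.51.100.11"}}}
{"timestamp":"2025-08-10T08:00:00+00:00","application":"Example CRM Sync","login_sub_type":"example-subtype-a","status":"Success","network":{"client":{"ip":"198.51.100.10"}}}
{"timestamp":"2025-08-10T08:30:00+00:00","application":"Example Exporter","login_sub_type":"example-subtype-a","status":"Failed","network":{"client":{"ip":"203.0.113.7"}}}
{"timestamp":"2025-08-10T09:00:00+00:00","application":"Example Exporter","login_sub_type":"example-subtype-a","status":"Success","network":{"client":{"ip":"203.0.113.7"}}}
{"timestamp":"2025-08-10T09:05:00+00:00","application":"Example Exporter","login_sub_type":"example-subtype-a","status":"Success","network":{"client":{"ip":"203.0.113.8"}}}
{"timestamp":"2025-08-10T09:10:00+00:00","status":"Success","network":{"client":{"ip":"203.0.113.9"}}}
"""
# Assumed learning window: applications first seen before this instant are baseline.
LEARNING_ENDS = datetime.fromisoformat("2025-08-08T00:00:00+00:00")


def new_application_signals(lines, learning_ends):
    """Return one signal per application whose first successful login
    happens after the learning window."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["timestamp"]))
    seen, signals = set(), []
    for event in events:
        app = event.get("application")
        # The rule only considers successful logins that carry an application.
        if not app or event.get("status") != "Success":
            continue
        if app in seen:
            continue
        seen.add(app)
        if datetime.fromisoformat(event["timestamp"]) >= learning_ends:
            signals.append({
                "application": app,
                "first_seen": event["timestamp"],
                "login_sub_type": event.get("login_sub_type"),
                "client_ip": event.get("network", {}).get("client", {}).get("ip"),
            })
    return signals


if __name__ == "__main__":
    for signal in new_application_signals(SAMPLE_LOGS.splitlines(), LEARNING_ENDS):
        print(json.dumps(signal))
```

The failed login from the unseen application does not enter the baseline, so its first successful login still produces the signal; the later login from the same application does not produce a second one.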

Triage & Response

  • Examine the application name and details for {{@application}} to determine if it represents a legitimate business application or potentially malicious software. The @login_sub_type field provides more context on how the application authenticates to Salesforce.
  • Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
  • Use the @network.client.ip and @browser fields to analyze the login patterns and user accounts associated with the new application and identify any suspicious authentication activity.
  • Check if the new application has appropriate security configurations and follows organizational security policies.
  • Verify with IT administrators or application owners whether the new application access was planned and authorized.

This detection is based on data from "Drift/Salesforce Security Update" and "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift".