Salesforce login from unseen application

Documentos > Datadog Security > OOTB Rules > Salesforce login from unseen application

Classification:

attack

Tactic:

Technique:

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects Salesforce login attempts from previously unseen applications.

Strategy

This rule monitors Salesforce login events where @evt.name is Login or LoginEvent with an @application field present. It uses new value detection to identify when any application that has not been previously observed attempts to authenticate to the Salesforce environment. New applications accessing Salesforce may indicate legitimate business expansion, new integrations, or potentially malicious applications attempting unauthorized access.

Triage & Response

Examine the application name and details for {{@application}} to determine if it represents a legitimate business application or potentially malicious software.
Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
Analyze the login patterns and user accounts associated with the new application to identify any suspicious authentication activity.
Check if the new application has appropriate security configurations and follows organizational security policies.
Verify with IT administrators or application owners whether the new application access was planned and authorized.