Salesforce large amount of file download actions


Goal

Detect when a user account initiates a large number of file downloads.

Strategy

The detection tracks the number of distinct files a user account downloads to identify suspicious mass download patterns. When a user account downloads multiple files in a short timeframe, this could indicate data exfiltration.

Using Event Log File (ELF) and Real Time Event Monitoring (RTEM) logs, this rule monitors for events related to resource downloads.

A user can attach files to individual records and view or download them. The attachment object is a legacy Salesforce object used to store files on records, and has been replaced in newer releases by Salesforce Files. The Salesforce documentation describes differences between attachments and files.

For DownloadAttachmentDownload events, the detection generates signals when a user account downloads multiple unique @entity_ids within a short timeframe. The @file_type field describes the resource type, such as PDF or CSV. These events are included in Event Log File (ELF) logs.

ContentTransfer events are preview, upload, or download actions performed on files and attachments to records. They are included in Event Log File (ELF) logs.

For ContentTransfer events, the detection generates signals when a user account downloads multiple unique @entity_ids within a short timeframe. In these logs, @transaction_type is monitored for UI download (VersionDownloadAction) and API download (VersionDownloadApi) actions. The @file_type field describes the resource type, such as PDF or CSV.

File download events occur when a user downloads, previews, or uploads a file within Salesforce.

These events include a file source field, @file_source, to describe where the file is located:

  • S for within Salesforce
  • E for outside of Salesforce
  • L for a social network and accessed via Social Customer Service

For FileEventStore events, the detection generates signals when a user account downloads multiple unique @entity_ids within a short timeframe. In these logs, @file_action is monitored for UI download (UI_DOWNLOAD) and API download (API_DOWNLOAD) actions. The @file_type field describes the resource type, such as PDF or CSV. These events are included in Real Time Event Monitoring (RTEM) logging plans.
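As an added example (not part of this rule page or Datadog's implementation), the Python below applies the three download filters described above to constructed log records, keeps a sliding window per user account, and emits a signal once the count of distinct @entity_ids reaches a threshold. The 10-minute window, the threshold of 5, the lower-cased field names and the PLACEHOLDER_PREVIEW action value are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, usr_id, event_type, entity_id, **fields):
    # One log record; keys mirror the @-prefixed attributes named on the page.
    return {"ts": ts, "usr_id": usr_id, "event_type": event_type, "entity_id": entity_id, **fields}

# Constructed sample log lines (every ID and timestamp is invented for this example).
SAMPLE_EVENTS = [
    ev("2024-05-01T09:30:00Z", "005A1", "ContentTransfer", "068A0", transaction_type="VersionDownloadAction"),  # older than the window
    ev("2024-05-01T10:00:00Z", "005A1", "ContentTransfer", "068A1", transaction_type="VersionDownloadAction"),
    ev("2024-05-01T10:01:00Z", "005A1", "ContentTransfer", "068A2", transaction_type="VersionDownloadApi"),
    ev("2024-05-01T10:02:00Z", "005A1", "FileEventStore", "068A3", file_action="UI_DOWNLOAD"),
    ev("2024-05-01T10:03:00Z", "005A1", "FileEventStore", "068A4", file_action="API_DOWNLOAD"),
    ev("2024-05-01T10:03:30Z", "005A1", "FileEventStore", "068A3", file_action="UI_DOWNLOAD"),  # repeat of 068A3, not distinct
    ev("2024-05-01T10:04:00Z", "005A1", "ContentTransfer", "068A9", transaction_type="PLACEHOLDER_PREVIEW"),  # assumed non-download value
    ev("2024-05-01T10:05:00Z", "005A1", "DownloadAttachmentDownload", "00PA5", file_type="PDF"),
    ev("2024-05-01T10:00:00Z", "005B2", "ContentTransfer", "068B1", transaction_type="VersionDownloadAction"),
    ev("2024-05-01T10:01:00Z", "005B2", "ContentTransfer", "068B2", transaction_type="VersionDownloadApi"),
]

# Per event type: the field that marks a download and the values that count (taken from the page).
DOWNLOAD_ACTIONS = {
    "DownloadAttachmentDownload": (None, None),  # every event of this type is a download
    "ContentTransfer": ("transaction_type", {"VersionDownloadAction", "VersionDownloadApi"}),
    "FileEventStore": ("file_action", {"UI_DOWNLOAD", "API_DOWNLOAD"}),
}

def is_download(event):
    spec = DOWNLOAD_ACTIONS.get(event["event_type"])
    if spec is None:
        return False
    field, allowed = spec
    return field is None or event.get(field) in allowed

def detect_mass_downloads(events, window=timedelta(minutes=10), threshold=5):
    """Return {usr_id: peak distinct entity_id count} for users reaching the threshold in any window."""
    history = defaultdict(list)  # usr_id -> [(timestamp, entity_id)] still inside the window
    signals = {}
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if not is_download(event):
            continue
        ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent = history[event["usr_id"]]
        recent.append((ts, event["entity_id"]))
        while ts - recent[0][0] > window:  # evict downloads that fell out of the window
            recent.pop(0)
        distinct = {entity_id for _, entity_id in recent}
        if len(distinct) >= threshold:
            signals[event["usr_id"]] = max(signals.get(event["usr_id"], 0), len(distinct))
    return signals
```

Running detect_mass_downloads(SAMPLE_EVENTS) flags only 005A1 with 5 distinct files: the 09:30 download is outside the window, the repeated 068A3 is counted once, and the preview is ignored.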

Triage and response

  • Examine the associated user ID and triggering download events in the Salesforce audit logs.
  • Determine if the download activity includes sensitive or confidential information. Review the number of files returned for context on potential data exfiltration.
  • Investigate the {{@usr.id}} for abnormal login behavior, using the user ID to correlate with the IP address, user agent, and session key in the login event logs.
  • If the file downloads include sensitive or confidential information, initiate your incident response plan.