Salesforce Brute force attack on user

salesforce

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the salesforce integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect a brute force attack on a Salesforce user.

Strategy

To determine a successful attempt: Detect when the same user fails to login five times and then successfully logs in. This generates a MEDIUM severity signal.

To determine an unsuccessful attempt: Detect when the same user fails to login ten times. This generates an INFO severity signal.

Triage and response

  1. Inspect the logs to see if this was a valid login attempt.
  2. See if 2FA was authenticated.
  3. If the user was compromised, rotate user credentials.