API

Anomalous amount of Salesforce query results

Docs > Datadog Security > OOTB Rules > Anomalous amount of Salesforce query results

Classification:

attack

Tactic:

TA0010-exfiltration

Set up the salesforce integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data.

Strategy

Inspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (@rows_returned).

Triage and response

Determine if the user should be legitimately performing large queries.