API

Salesforce login from disabled account

Docs > Datadog Security > OOTB Rules > Salesforce login from disabled account

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the salesforce integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a disabled account attempts to log into Salesforce

Strategy

Inspect Salesforce logs and determine if there is a login attempt (@evt.name:LoginEvent) from from a disabled account (@status:\"User is Inactive\"). If more than ten attempts to authenticate to a disabled account a MEDIUM severity signal is created.

Triage and response

Determine if the IP (@network.client.ip) has attempted to log into other accounts.