Salesforce Shield alert on anomaly event

Goal

Detect when Salesforce Shield generates an anomaly- or security-related alert.

Strategy

Using logs generated by Salesforce Shield, this rule monitors for the following events:

  • ApiAnomalyEventStore
  • CredentialStuffingEventStore
  • GuestUserAnomalyEventStore
  • LoginAnomalyEventStore
  • ReportAnomalyEventStore
  • SessionHijackingEventStore

To learn more, see the Salesforce Shield documentation.

Triage and response

  • Examine the associated user id and triggering security event within the Salesforce audit logs.
  • Determine the type of anomaly event and pivot to related logs.
  • If the alert detected suspicious or malicious behavior, revoke permissions and review audit logs for access events. If external access events occurred, initiate your incident response plan.
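
The following is an added example, not part of the original rule or of any vendor tooling. It sketches the first two triage steps against an exported set of log lines: it selects the anomaly event types listed under Strategy, then pivots to the same user's other events inside a time window. The JSON-lines layout and the field names timestamp, event_type and user_id are assumptions made for this example, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types named in the Strategy section.
ANOMALY_EVENT_TYPES = {
    "ApiAnomalyEventStore", "CredentialStuffingEventStore",
    "GuestUserAnomalyEventStore", "LoginAnomalyEventStore",
    "ReportAnomalyEventStore", "SessionHijackingEventStore",
}

# Constructed sample (JSON lines); field names are assumptions, not a real schema.
SAMPLE_LOGS = """\
{"timestamp": "2024-05-01T09:58:00+00:00", "event_type": "LoginEvent", "user_id": "user-a"}
{"timestamp": "2024-05-01T10:00:00+00:00", "event_type": "LoginAnomalyEventStore", "user_id": "user-a"}
{"timestamp": "2024-05-01T10:05:00+00:00", "event_type": "ReportEvent", "user_id": "user-a"}
{"timestamp": "2024-05-01T10:06:00+00:00", "event_type": "ReportAnomalyEventStore", "user_id": "user-a"}
{"timestamp": "2024-05-01T12:30:00+00:00", "event_type": "LoginEvent", "user_id": "user-b"}
truncated line, not JSON
{"timestamp": "2024-05-01T15:00:00+00:00", "event_type": "ApiEvent", "user_id": "user-a"}
"""

def parse(text):
    """Parse JSON lines, skipping malformed records instead of aborting triage."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["timestamp"])
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return records

def triage(records, window=timedelta(minutes=30)):
    """Per anomaly alert, list the same user's other events within the window."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec.get("user_id")].append(rec)
    findings = []
    for rec in records:
        if rec.get("event_type") not in ANOMALY_EVENT_TYPES:
            continue
        related = sorted((r for r in by_user[rec.get("user_id")]
                          if r is not rec and abs(r["ts"] - rec["ts"]) <= window),
                         key=lambda r: r["ts"])
        findings.append({"user_id": rec.get("user_id"), "anomaly": rec["event_type"],
                         "related": [r.get("event_type") for r in related]})
    return findings
```

Calling triage(parse(SAMPLE_LOGS)) returns one finding per anomaly alert. A user with several anomaly types close together, as in the sample, shows each alert in the other's related list.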