Salesforce login from unseen application
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects Salesforce login attempts from previously unseen applications.
Strategy
This rule monitors Salesforce login events where @evt.name is Login or LoginEvent with an @application field present. It uses new value detection to identify when any application that has not been previously observed attempts to authenticate to the Salesforce environment. New applications accessing Salesforce may indicate legitimate business expansion, new integrations, or potentially malicious applications attempting unauthorized access.
Triage & Response
- Examine the application name and details for
{{@application}} to determine if it represents a legitimate business application or potentially malicious software. - Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
- Analyze the login patterns and user accounts associated with the new application to identify any suspicious authentication activity.
- Check if the new application has appropriate security configurations and follows organizational security policies.
- Verify with IT administrators or application owners whether the new application access was planned and authorized.
