Salesforce login activity by unauthenticated user type
Goal
Detect successful login events initiated by unauthenticated (Guest) users.
Strategy
This rule monitors Salesforce login events through both Event Log File (ELF) and Real Time Event Monitoring (RTEM) logging tiers.
For @evt.name:Login events (ELF), this rule matches @login_status:"LOGIN_NO_ERROR", which indicates a successful login. It filters on @user_type for Guest users, which do not require authentication, and excludes @login_type values related to external user Chatter Communications.
For @evt.name:LoginEvent events (RTEM), this rule matches a @status:Success result. It applies the same @user_type filter for Guest users and the same @login_type exclusion for external user Chatter Communications.
Unauthenticated Guest users can perform actions in your Salesforce environment if not disabled by an administrator. For information on possible user types, see Salesforce’s Profile Object documentation.
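The matching logic described above, applied to both logging tiers, as an added Python example (not the rule's own definition). The attribute names come from the rule text; the flat record layout, the sample events, and the excluded login type strings are assumptions constructed for illustration.

```python
# Added example: attribute names are from the rule text; everything else is constructed.
GUEST_USER_TYPE = "Guest"
# Assumption: stand-in values for the Chatter external-user login types the rule excludes.
EXCLUDED_LOGIN_TYPES = {
    "Chatter Communities External User",
    "Chatter Communities External User Third Party SSO",
}

def is_successful(event):
    """Success is signalled by a different attribute in each logging tier."""
    name = event.get("evt.name")
    if name == "Login":        # Event Log File (ELF) tier
        return event.get("login_status") == "LOGIN_NO_ERROR"
    if name == "LoginEvent":   # Real Time Event Monitoring (RTEM) tier
        return event.get("status") == "Success"
    return False               # not a login event at all

def is_guest_login(event):
    """True when a successful login was made by a Guest user via a non-excluded login type."""
    return (
        is_successful(event)
        and event.get("user_type") == GUEST_USER_TYPE
        and event.get("login_type") not in EXCLUDED_LOGIN_TYPES
    )

def detect(events):
    return [e for e in events if is_guest_login(e)]

# Constructed sample events (documentation IP ranges, placeholder user IDs).
SAMPLE_EVENTS = [
    {"evt.name": "Login", "login_status": "LOGIN_NO_ERROR", "user_type": "Guest",
     "login_type": "Application", "user_id": "guest-elf-1", "ip": "203.0.113.10"},
    {"evt.name": "LoginEvent", "status": "Success", "user_type": "Guest",
     "login_type": "Application", "user_id": "guest-rtem-1", "ip": "198.51.100.7"},
    {"evt.name": "Login", "login_status": "LOGIN_NO_ERROR", "user_type": "Standard",
     "login_type": "Application", "user_id": "standard-1", "ip": "203.0.113.11"},
    {"evt.name": "Login", "login_status": "LOGIN_ERROR_INVALID_PASSWORD", "user_type": "Guest",
     "login_type": "Application", "user_id": "guest-failed", "ip": "203.0.113.12"},
    {"evt.name": "LoginEvent", "status": "Success", "user_type": "Guest",
     "login_type": "Chatter Communities External User", "user_id": "guest-chatter",
     "ip": "198.51.100.8"},
    # RTEM-style status on an ELF event must not count as success.
    {"evt.name": "Login", "status": "Success", "user_type": "Guest",
     "login_type": "Application", "user_id": "guest-wrong-field", "ip": "203.0.113.13"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["evt.name"], hit["user_id"], hit["ip"], hit["login_type"])
```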
Triage and response
- Examine the associated user ID, user type, IP address, and triggering login events within the Salesforce audit logs.
- Within the login event, @login_type provides additional context on how the user authenticated, such as through a third party SSO.
- In RTEM logs, @http.useragent may contain additional useful information.
- Determine if the user activity includes additional events after the successful login. To correlate data, logs may include a @session_key and @login_key.
- If the login event is followed by unexpected actions within your Salesforce tenant, initiate your incident response plan.