Salesforce new third party package or application installed


Goal

Detect new packages installed by a user within Salesforce.

Strategy

Adversaries may install attacker-controlled third party applications to gain access to your Salesforce environment. In the event of an approved third party application being compromised, the attacker may gain access to your instance through the previously granted credentials.

Monitor for new packages installed by a user account from Salesforce AppExchange. Both managed and unmanaged packages are available for download in the Salesforce AppExchange. For more information, review the Package Install Event type.

Using Event Log File (ELF) logs, this rule monitors for package installation or connected application events.

For PackageInstall events, successful events (@is_successful) generate a signal with severity determined by whether the package is managed (@is_managed). In these logs, @package_name will provide the associated name.

For SetupAuditTrail events, insertConnectedApplication administrator actions generate a Low severity signal.

Triage and response

  • Examine the associated user account, package or application name, and the IP address within the Salesforce audit logs.
  • Determine if the package or application is expected within your Salesforce environment.
  • If the package or application is unexpected or demonstrates evidence of suspicious activity, initiate your incident response plan.
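
The rule logic from the Strategy section, combined with the "is this package expected" triage check, as an added example that is not the rule's own code. The `event_type`, `action` and `user` keys, the `EXPECTED_PACKAGES` allowlist and the severity values for managed and unmanaged packages are assumptions; the page states only that severity depends on `@is_managed`.

```python
# Constructed sample events. Only is_successful, is_managed and package_name come
# from the rule description; event_type, action and user are hypothetical keys.
SAMPLE_EVENTS = [
    {"event_type": "PackageInstall", "is_successful": "1", "is_managed": "1",
     "package_name": "Approved Pkg", "user": "admin@example.com"},
    {"event_type": "PackageInstall", "is_successful": True, "is_managed": False,
     "package_name": "Unknown Pkg", "user": "dev@example.com"},
    {"event_type": "PackageInstall", "is_successful": "false", "is_managed": False,
     "package_name": "Failed Pkg", "user": "dev@example.com"},
    {"event_type": "SetupAuditTrail", "action": "insertConnectedApplication",
     "user": "admin@example.com"},
    {"event_type": "SetupAuditTrail", "action": "changedPassword",
     "user": "admin@example.com"},
]
EXPECTED_PACKAGES = {"Approved Pkg"}  # hypothetical allowlist used for triage
# Assumed values: the page says only that severity depends on is_managed.
SEVERITY_BY_MANAGED = {True: "low", False: "medium"}


def as_bool(value):
    """Log values may arrive as booleans or strings ("true", "1")."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1")


def classify(event):
    """Return a signal dict for events the rule covers, else None."""
    kind = event.get("event_type")
    if kind == "PackageInstall":
        if not as_bool(event.get("is_successful")):
            return None  # only successful installs generate a signal
        name = event.get("package_name", "<unknown package>")
        return {"severity": SEVERITY_BY_MANAGED[as_bool(event.get("is_managed"))],
                "subject": name, "user": event.get("user"),
                "expected": name in EXPECTED_PACKAGES}
    if kind == "SetupAuditTrail" and event.get("action") == "insertConnectedApplication":
        return {"severity": "low", "subject": "connected application",
                "user": event.get("user"), "expected": False}  # always reviewed
    return None


def signals(events):
    return [s for s in map(classify, events) if s is not None]


if __name__ == "__main__":
    for s in signals(SAMPLE_EVENTS):
        print(s)
```

Signals with `expected` set to `False` are the ones to carry into the triage steps above.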