Salesforce anomalous amount of queried tables
Goal
Detects when a Salesforce user queries an anomalous amount of different database tables compared to their historical baseline.
Strategy
This rule monitors Salesforce API events where `@evt.name` is `ApiEvent` and `@operation` is `Query`. It uses anomaly detection to identify when users access significantly more unique tables (`@queried_entities`) than their normal behavior pattern. This approach helps identify potential insider threats, compromised accounts, or automated tools performing unauthorized data discovery across the Salesforce environment.
Triage & Response
- Examine the specific tables queried by {{@usr.id}} during the anomalous activity period to determine if the access pattern aligns with their job responsibilities.
- Review the user's recent authentication history and session details to identify any suspicious login patterns or locations.
- Analyze the timing and frequency of the queries to determine if they represent legitimate business activity or potential automated data harvesting.
- Check if the queried tables contain sensitive data such as customer information, financial records, or intellectual property.
- Verify with the user or their manager whether the expanded data access was part of an authorized business process or investigation.