
Anomalous amount of Salesforce query results

salesforce

Classification:

attack

Tactic:

Set up the Salesforce integration.


Goal

Detect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data.

Strategy

Inspect Salesforce logs, establish a per-user baseline, and determine whether the number of rows returned (@rows_returned) spikes above that baseline.
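The per-user baselining described above, as an added illustration rather than the rule's own implementation: each user's history of @rows_returned is summarised by median and median absolute deviation, and an event is flagged when it sits far outside that range. The event tuples are constructed sample data, and the user and timestamp fields are assumed stand-ins for whatever the integration's logs carry.

```python
import statistics
from collections import defaultdict

# Constructed sample Salesforce query events (ts, user, rows_returned); the
# last field mirrors the @rows_returned attribute the rule baselines.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00Z", "alice", 120), ("2024-05-01T09:05Z", "bob", 40),
    ("2024-05-01T10:00Z", "alice", 95),  ("2024-05-01T10:10Z", "bob", 45),
    ("2024-05-01T11:00Z", "alice", 130), ("2024-05-01T11:20Z", "bob", 38),
    ("2024-05-01T12:00Z", "alice", 110), ("2024-05-01T12:30Z", "bob", 42),
    ("2024-05-01T13:00Z", "carol", 10),
    ("2024-05-01T14:30Z", "alice", 5000),    # bulk pull, far above baseline
    ("2024-05-01T14:45Z", "bob", 48),        # modest growth, within noise
    ("2024-05-01T15:00Z", "carol", 900000),  # too little history to score
]


def spike_score(history, value):
    """Robust z-score: distance of `value` from the median of `history`, in
    units of the median absolute deviation (MAD). The floor keeps a near-
    constant history from flagging every small change as a spike."""
    median = statistics.median(history)
    mad = statistics.median(abs(h - median) for h in history)
    scale = max(mad, 0.1 * median, 1.0)
    return (value - median) / scale, median


def detect_spikes(events, threshold=3.0, min_history=4):
    """Walk events in time order with a per-user baseline of rows_returned.
    An event is flagged when its score exceeds `threshold`; flagged values are
    not folded into the baseline so one large pull cannot mask the next.
    Users with fewer than `min_history` prior events are not scored yet."""
    history, alerts = defaultdict(list), []
    for ts, user, rows in sorted(events):
        past = history[user]
        if len(past) >= min_history:
            score, median = spike_score(past, rows)
            if score > threshold:
                alerts.append({"ts": ts, "user": user, "rows_returned": rows,
                               "baseline_median": median, "score": round(score, 1)})
                continue
        past.append(rows)
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']}: {a['rows_returned']} rows, "
              f"baseline median {a['baseline_median']}, score {a['score']}")
```

Only alice's 5000-row query is flagged: bob's 48 rows is within his noise band, and carol has too few prior events to be baselined at all, which is the case a triage analyst should keep in mind for new accounts.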

Triage and response

  1. Determine if the user should be legitimately performing large queries.