<  Back to rules search

Salesforce Login from Disabled Account

salesforce

Classification:

attack

Tactic:

Technique:

Set up the salesforce integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a disabled account attempts to log into Salesforce

Strategy

Inspect Salesforce logs and determine if there is a login attempt (@evt.name:LoginEvent) from from a disabled account (@status:\"User is Inactive\"). If more than ten attempts to authenticate to a disabled account a MEDIUM severity signal is created.

Triage and response

  1. Determine if the IP (@network.client.ip) has attempted to log into other accounts.