Salesforce Shield alert on anomaly event

salesforce

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when Salesforce Shield generates an anomaly- or security-related alert.

Strategy

Using logs generated by Salesforce Shield, this rule monitors for the following events:

  • ApiAnomalyEventStore
  • CredentialStuffingEventStore
  • GuestUserAnomalyEventStore
  • LoginAnomalyEventStore
  • ReportAnomalyEventStore
  • SessionHijackingEventStore

To learn more, see the Salesforce Shield documentation.

Triage and response

  • Examine the associated user id and triggering security event within the Salesforce audit logs.
  • Determine if the type of anomaly event and pivot to related logs.
  • If alert detected suspicious or malicious behavior, revoke permissions and review audit logs for access events. If external access events occurred, initiate your incident response plan.