Salesforce login from unseen application
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects Salesforce login attempts from previously unseen applications.
Strategy
This rule monitors Salesforce login events where @evt.name is Login or LoginEvent with an @application field present. It uses new value detection to identify when any application that has not been previously observed attempts to authenticate to the Salesforce environment. New applications accessing Salesforce may indicate legitimate business expansion, new integrations, or potentially malicious applications attempting unauthorized access.
Triage & Response
- Examine the application name and details for
{{@application}} to determine if it represents a legitimate business application or potentially malicious software. - Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
- Analyze the login patterns and user accounts associated with the new application to identify any suspicious authentication activity.
- Check if the new application has appropriate security configurations and follows organizational security policies.
- Verify with IT administrators or application owners whether the new application access was planned and authorized.
