Salesforce login activity by unauthenticated user type

Goal

Detect successful login events initiated by unauthenticated (Guest) users.

Strategy

This rule monitors Salesforce login events through both Event Log File (ELF) and Real Time Event Monitoring (RTEM) logging tiers.

For @evt.name:Login events, this rule monitors for @login_status:"LOGIN_NO_ERROR", indicating a successful login. It then filters on @user_type for Guest users, who do not require authentication, and excludes events whose @login_type relates to external user Chatter Communications.

For @evt.name:LoginEvent events, this rule monitors for a @status:Success result. The same @user_type filter for Guest users and the same @login_type exclusion for external user Chatter Communications apply.

Unauthenticated Guest users can perform actions in your Salesforce environment unless an administrator has disabled them. For information on possible user types, see Salesforce’s Profile Object documentation.

Triage and response

  • Examine the associated user ID, user type, IP address, and triggering login events within the Salesforce audit logs.
    • Within the login event, @login_type provides additional context on how the user authenticated, such as through a third-party SSO.
    • In RTEM logs, @http.useragent may contain additional useful information.
  • Determine if the user activity includes additional events after the successful login. To correlate data, logs may include a @session_key and @login_key.
  • If the login event is followed by unexpected actions within your Salesforce tenant, initiate your incident response plan.
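
The matching logic from the Strategy section and the session correlation from the triage steps, as an added Python example (not the rule's own query or vendor code). The sample events, the helper make_event, and the excluded @login_type value are assumptions, since the page does not list the exact Chatter-related login types.

```python
# Added example; SAMPLE events and the EXCLUDED_LOGIN_TYPES value are constructed.
EXCLUDED_LOGIN_TYPES = {"Chatter Communities External User"}  # assumed value


def is_guest_login(event):
    """True when an event meets the rule's conditions for either logging tier."""
    if event.get("user_type") != "Guest":
        return False
    if event.get("login_type") in EXCLUDED_LOGIN_TYPES:
        return False
    name = event.get("evt", {}).get("name")
    if name == "Login":  # Event Log File (ELF) tier
        return event.get("login_status") == "LOGIN_NO_ERROR"
    if name == "LoginEvent":  # Real Time Event Monitoring (RTEM) tier
        return event.get("status") == "Success"
    return False


def triage(events):
    """Map each matching login's session_key to the event names that follow it."""
    ordered = sorted(events, key=lambda e: e["timestamp"])
    report = {}
    for i, event in enumerate(ordered):
        key = event.get("session_key")
        # Logins without a session_key cannot be correlated here and are skipped.
        if key and key not in report and is_guest_login(event):
            report[key] = [e["evt"]["name"] for e in ordered[i + 1:]
                           if e.get("session_key") == key]
    return report


def make_event(ts, name, session, **fields):
    """Hypothetical helper: build one constructed event with the rule's fields."""
    return {"timestamp": ts, "evt": {"name": name}, "session_key": session, **fields}


SAMPLE = [  # constructed events, deliberately out of time order
    make_event("2024-01-01T10:01:00Z", "ApiEvent", "s1", user_type="Guest"),
    make_event("2024-01-01T10:00:00Z", "Login", "s1", user_type="Guest",
               login_status="LOGIN_NO_ERROR", login_type="Application"),
    make_event("2024-01-01T10:02:00Z", "LoginEvent", "s2", user_type="Guest",
               status="Success", login_type="Chatter Communities External User"),
    make_event("2024-01-01T10:03:00Z", "LoginEvent", "s3", user_type="Standard",
               status="Success"),
    make_event("2024-01-01T10:04:00Z", "Login", "s4", user_type="Guest",
               login_status="LOGIN_ERROR_INVALID_PASSWORD"),
    make_event("2024-01-01T10:05:00Z", "LoginEvent", "s5", user_type="Guest",
               status="Success"),
]

if __name__ == "__main__":
    for session, followups in triage(SAMPLE).items():
        print(session, followups)
```

A session that maps to an empty list had no further events in the sample after the Guest login; a non-empty list is the activity to review under the last triage step.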