Salesforce new third party package or application installed


Goal

Detect new packages installed by a user within Salesforce.

Strategy

Adversaries may install attacker-controlled third party applications to gain access to your Salesforce environment. In the event of an approved third party application being compromised, the attacker may gain access to your instance through the previously granted credentials.

Monitor for new packages installed by a user account from Salesforce AppExchange. Both managed and unmanaged packages are available for download in the Salesforce AppExchange. For more information, review the Package Install Event type.

Using Event Log File (ELF) logs, this rule monitors for package installation or connected application events.

For PackageInstall events, successful events (@is_successful) generate a signal with severity determined by whether the package is managed (@is_managed). In these logs, @package_name will provide the associated name.

For SetupAuditTrail events, insertConnectedApplication administrator actions generate a Low severity signal.
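
The rule logic described above, sketched over parsed log records as an added example (not the rule's own query or code). Assumptions: the record field names event_type, action, display, user and ip, and the low/medium levels chosen for managed and unmanaged packages, since the page states only that severity depends on @is_managed.

```python
from typing import Iterable, Optional

# Assumed levels: the page says only that severity depends on @is_managed.
PACKAGE_SEVERITY = {True: "low", False: "medium"}


def as_bool(value) -> bool:
    """Normalise booleans that arrive as strings; a missing value is False."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def evaluate(event: dict) -> Optional[dict]:
    """Return a signal for a matching event, or None."""
    base = {"user": event.get("user"), "ip": event.get("ip")}
    etype = event.get("event_type")  # assumed field name
    if etype == "PackageInstall":
        if not as_bool(event.get("is_successful")):
            return None  # failed installs do not raise a signal
        # A missing is_managed is treated as unmanaged (the higher level).
        managed = as_bool(event.get("is_managed"))
        return {**base, "severity": PACKAGE_SEVERITY[managed],
                "subject": event.get("package_name", "<unknown>")}
    if etype == "SetupAuditTrail" and event.get("action") == "insertConnectedApplication":
        # "action" and "display" are assumed field names.
        return {**base, "severity": "low",
                "subject": event.get("display", "<unknown>")}
    return None


def detect(events: Iterable[dict]) -> list:
    return [sig for sig in map(evaluate, events) if sig is not None]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"event_type": "PackageInstall", "is_successful": "1", "is_managed": "0",
     "package_name": "example-unmanaged", "user": "u1@example.com", "ip": "192.0.2.10"},
    {"event_type": "PackageInstall", "is_successful": "true", "is_managed": "true",
     "package_name": "example-managed", "user": "u2@example.com", "ip": "192.0.2.11"},
    {"event_type": "PackageInstall", "is_successful": "0", "is_managed": "0",
     "package_name": "example-failed", "user": "u1@example.com", "ip": "192.0.2.10"},
    {"event_type": "SetupAuditTrail", "action": "insertConnectedApplication",
     "display": "example-connected-app", "user": "admin@example.com", "ip": "198.51.100.7"},
    {"event_type": "SetupAuditTrail", "action": "someOtherAction",
     "display": "unrelated", "user": "admin@example.com", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for signal in detect(SAMPLE_EVENTS):
        print(signal)
```

Each returned signal carries the user, IP address and package or application name that the triage steps ask for.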

Triage and response

  • Examine the associated user account, package or application name, and the IP address within the Salesforce audit logs.
  • Determine if the package or application is expected within your Salesforce environment.
  • If the package or application is unexpected or demonstrates evidence of suspicious activity, initiate your incident response plan.