Salesforce anomalous amount of queried tables
Goal
Detects when a Salesforce user queries an anomalous amount of different database tables compared to their historical baseline.
Strategy
This rule monitors Salesforce API events where `@evt.name` is `ApiEvent` and `@operation` is `Query`. It uses anomaly detection to identify when users access significantly more unique tables (`@queried_entities`) than their normal behavior pattern. This approach helps identify potential insider threats, compromised accounts, or automated tools performing unauthorized data discovery across the Salesforce environment.
Triage & Response
- Examine the specific tables queried by `{{@usr.id}}` during the anomalous activity period to determine if the access pattern aligns with their job responsibilities.
- Review the user's recent authentication history and session details to identify any suspicious login patterns or locations.
- Analyze the timing and frequency of the queries to determine if they represent legitimate business activity or potential automated data harvesting.
- Check if the queried tables contain sensitive data such as customer information, financial records, or intellectual property.
- Verify with the user or their manager whether the expanded data access was part of an authorized business process or investigation.