Salesforce Shield alert on anomaly event

salesforce

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when Salesforce Shield generates an anomaly- or security-related alert.

Strategy

Using logs generated by Salesforce Shield, this rule monitors for the following events:

  • ApiAnomalyEventStore
  • CredentialStuffingEventStore
  • GuestUserAnomalyEventStore
  • LoginAnomalyEventStore
  • ReportAnomalyEventStore
  • SessionHijackingEventStore

To learn more, see the Salesforce Shield documentation.

Triage and response

  • Examine the associated user id and triggering security event within the Salesforce audit logs.
  • Determine if the type of anomaly event and pivot to related logs.
  • If alert detected suspicious or malicious behavior, revoke permissions and review audit logs for access events. If external access events occurred, initiate your incident response plan.