Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects Salesforce login attempts from previously unseen applications.

Strategy

This rule monitors Salesforce login events where @evt.name is Login or LoginEvent with an @application field present. It uses new value detection to identify when any application that has not been previously observed attempts to authenticate to the Salesforce environment. New applications accessing Salesforce may indicate legitimate business expansion, new integrations, or potentially malicious applications attempting unauthorized access.

Triage & Response

• Examine the application name and details for {{@application}} to determine if it represents a legitimate business application or potentially malicious software.
• Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
• Analyze the login patterns and user accounts associated with the new application to identify any suspicious authentication activity.
• Check if the new application has appropriate security configurations and follows organizational security policies.
• Verify with IT administrators or application owners whether the new application access was planned and authorized.