Classification:

attack

Tactic:

TA0007-discovery

Technique:

T1087-account-discovery

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects Salesforce users performing database discovery queries to identify populated tables from previously unseen network locations and devices.

Strategy

This rule monitors Salesforce API events where @evt.name is ApiEvent and @operation is Query containing SELECT COUNT() FROM statements. It uses new value detection to identify when users execute count queries from network domains @network.client.geoip.as.domain and user agents @http.useragent that have not been previously observed for that user. Count queries are commonly used during reconnaissance phases to identify which database tables contain data without retrieving the actual records. This technique allows attackers to efficiently map the data landscape and prioritize tables for subsequent data extraction while minimizing their footprint.

Triage & Response

• Examine the specific count queries executed by {{@usr.id}} to determine which tables were being surveyed and whether this aligns with their job responsibilities.
• Review the new network domain and user agent combination to identify if it represents a legitimate new device or location for the user.
• Analyze the sequence and timing of the discovery queries to determine if they follow a systematic reconnaissance pattern.
• Check if the user has recently changed roles, received new system access, or is working on legitimate data analysis projects that would require table discovery.
• Verify with the user whether they initiated these queries from the new location and device, or if their account may be compromised.