Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects unusual Salesforce CLI tool usage.

Strategy

This rule monitors Salesforce events containing user agent strings Salesforce-Multi-Org-Fetcher/1.0 or Salesforce-CLI/1.0. These user agents are associated with Salesforce command-line interface tools and multi-organization management utilities that provide programmatic access to Salesforce data and configuration. While these tools have legitimate administrative uses, they can also be leveraged by attackers for automated data extraction, configuration changes, or reconnaissance activities. The detection triggers on any usage of these CLI tools, as they represent elevated access capabilities that should be carefully monitored.

Triage & Response

• Examine the specific activities performed by {{@usr.id}} using the Salesforce CLI tools to determine if they align with authorized administrative tasks.
• Review the user’s role and permissions to verify if they have legitimate reasons to use command-line tools for Salesforce administration.
• Analyze the timing and frequency of the CLI usage to identify potential automated or scripted activities that may indicate malicious intent.
• Check if the CLI usage correlates with any recent system changes, data migrations, or administrative projects that would justify the tool usage.
• Verify with the user and their supervisor whether the CLI tool usage was authorized and part of legitimate business operations.