Salesforce new third party package or application installed
Goal
Detect new packages installed by a user within Salesforce.
Strategy
Adversaries may install attacker-controlled third party applications to gain access to your Salesforce environment. In the event of an approved third party application being compromised, the attacker may gain access to your instance through the previously granted credentials.
Monitor for new packages installed by a user account from Salesforce AppExchange. Both unmanaged and managed packages are available for download in the Salesforce AppExchange. For more information, review the Package Install Event type.
Using Event Log File (ELF) logs, this rule monitors for package installation or connected application events.
For PackageInstall events, successful events (@is_successful) generate a signal with severity determined by whether the package is managed (@is_managed). In these logs, @package_name provides the associated package name.
For SetupAuditTrail events, insertConnectedApplication administrator actions generate a Low severity signal.
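The decision logic described above, as an added Python example run over constructed JSON log lines; it is not the rule's own query. The keys `event_type`, `action` and `user_id`, and the severity levels for managed versus unmanaged packages, are assumptions, since the page does not state them.

```python
import json

# Assumed mapping: the page says severity depends on @is_managed but does not
# give the levels, so these two values are placeholders to tune locally.
PACKAGE_SEVERITY = {True: "low", False: "medium"}

def as_bool(value):
    """Normalize booleans that may arrive as strings (assumption: "1"/"true")."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")

def evaluate(event):
    """Return a signal dict for an event matching the rule, otherwise None."""
    etype = event.get("event_type")
    if etype == "PackageInstall":
        if not as_bool(event.get("is_successful")):
            return None  # only successful installs generate a signal
        managed = as_bool(event.get("is_managed"))
        return {"severity": PACKAGE_SEVERITY[managed], "user": event.get("user_id"),
                "subject": event.get("package_name"), "managed": managed}
    if etype == "SetupAuditTrail" and event.get("action") == "insertConnectedApplication":
        # The page fixes this case at Low severity.
        return {"severity": "low", "user": event.get("user_id"),
                "subject": "connected application", "managed": None}
    return None

def scan(lines):
    """Parse JSON log lines, skip malformed ones, and collect signals."""
    signals = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        signal = evaluate(event) if isinstance(event, dict) else None
        if signal:
            signals.append(signal)
    return signals

# Constructed sample events; none of these values come from a real org.
SAMPLE_LOGS = [
    '{"event_type":"PackageInstall","is_successful":"true","is_managed":"false","package_name":"example-unmanaged","user_id":"005EXAMPLE1"}',
    '{"event_type":"PackageInstall","is_successful":true,"is_managed":true,"package_name":"example-managed","user_id":"005EXAMPLE2"}',
    '{"event_type":"PackageInstall","is_successful":"0","is_managed":"1","package_name":"example-failed","user_id":"005EXAMPLE3"}',
    '{"event_type":"SetupAuditTrail","action":"insertConnectedApplication","user_id":"005EXAMPLE4"}',
    '{"event_type":"SetupAuditTrail","action":"exampleOtherAction","user_id":"005EXAMPLE5"}',
    'not a json line',
]

if __name__ == "__main__":
    for s in scan(SAMPLE_LOGS):
        print(s)
```
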
Triage and response
- Examine the associated user account, package or application name, and the IP address within the Salesforce audit logs.
- Determine if the package or application is expected within your Salesforce environment.
- If the package or application is unexpected or demonstrates evidence of suspicious activity, initiate your incident response plan.