---
title: Salesforce large-sized chunk exfiltration through GET requests
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Salesforce large-sized chunk
  exfiltration through GET requests
---

# Salesforce large-sized chunk exfiltration through GET requests
Classification: attack | Tactic: [TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010) | Technique: [T1030-data-transfer-size-limits](https://attack.mitre.org/techniques/T1030)
## Goal{% #goal %}

Detects large-volume data exfiltration attempts through Salesforce REST API GET requests.

## Strategy{% #strategy %}

This rule monitors Salesforce REST API events where `@evt.name` is `RestApi`, `@http.method` is `GET`, and `@uri` targets query or object endpoints (matching `/services/data/*/query*` or `/services/data/*/sobjects*`) with a successful response. The detection triggers when the response size exceeds 1MB. A large response indicates potential bulk data extraction, which may be legitimate reporting activity or data theft: attackers often use these same API endpoints to systematically pull large volumes of sensitive data while appearing to perform normal application functions.

## Triage & Response{% #triage--response %}

- Examine the specific API endpoints and query parameters used by `{{@usr.id}}` to determine what data was accessed and whether the volume aligns with legitimate business needs.
- Review the user's role and typical data access patterns to verify if large data retrievals are part of their normal job functions.
- Analyze the timing and frequency of the large data requests to identify potential automated or systematic extraction attempts.
- Check if the accessed data contains sensitive information such as customer records, financial data, or intellectual property that would be valuable to attackers.
- Verify with the user or their supervisor whether the large data extraction was authorized and part of legitimate business operations such as reporting, analytics, or data migration.
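The following is an added example, not Datadog's rule definition or Salesforce code, that applies the Strategy section's conditions (`RestApi` event, `GET` method, query/sobjects URI pattern, successful status, response over 1MB) to a set of constructed events, then builds the per-user count, volume and timing summary that the triage steps on frequency and timing call for. The field names `evt.name`, `http.method`, `uri` and `usr.id` come from the rule text; `http.status_code`, `http.response_size_bytes`, the user IDs, timestamps and sizes are assumptions or constructed sample data, and "successful" is assumed to mean an HTTP 2xx status.

```python
import fnmatch
from datetime import datetime

# URI wildcard patterns from the rule. fnmatch's '*' also matches '/', which
# mirrors glob-style wildcard matching on the full request URI.
URI_PATTERNS = ("/services/data/*/query*", "/services/data/*/sobjects*")

# 1MB threshold from the rule. ASSUMPTION: decimal megabyte (1,000,000 bytes);
# the page does not say whether 1MB means 1,000,000 or 1,048,576 bytes.
RESPONSE_SIZE_THRESHOLD = 1_000_000

# Constructed sample events in a Datadog-style normalized shape.
# ASSUMED field names: http.status_code, http.response_size_bytes, timestamp.
# User IDs, URIs, sizes and times are constructed, not real data.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-10T09:00:00+00:00", "evt.name": "RestApi", "http.method": "GET",
     "http.status_code": 200, "uri": "/services/data/v58.0/query?q=SELECT+Id+FROM+Account",
     "usr.id": "005CONSTRUCTEDU1", "http.response_size_bytes": 5_000_000},
    {"timestamp": "2024-01-10T09:01:00+00:00", "evt.name": "RestApi", "http.method": "GET",
     "http.status_code": 200, "uri": "/services/data/v58.0/sobjects/Contact/003CONSTRUCTED",
     "usr.id": "005CONSTRUCTEDU1", "http.response_size_bytes": 200_000},       # small: no match
    {"timestamp": "2024-01-10T09:02:00+00:00", "evt.name": "RestApi", "http.method": "POST",
     "http.status_code": 200, "uri": "/services/data/v58.0/query",
     "usr.id": "005CONSTRUCTEDU2", "http.response_size_bytes": 3_000_000},     # POST: no match
    {"timestamp": "2024-01-10T09:03:00+00:00", "evt.name": "RestApi", "http.method": "GET",
     "http.status_code": 403, "uri": "/services/data/v58.0/query?q=SELECT+Id+FROM+Lead",
     "usr.id": "005CONSTRUCTEDU2", "http.response_size_bytes": 2_000_000},     # 403: no match
    {"timestamp": "2024-01-10T09:04:00+00:00", "evt.name": "RestApi", "http.method": "GET",
     "http.status_code": 200, "uri": "/services/data/v58.0/limits",
     "usr.id": "005CONSTRUCTEDU1", "http.response_size_bytes": 2_000_000},     # other URI: no match
    {"timestamp": "2024-01-10T09:04:30+00:00", "evt.name": "Login", "http.method": "GET",
     "http.status_code": 200, "uri": "/", "usr.id": "005CONSTRUCTEDU1",
     "http.response_size_bytes": 0},                                            # not RestApi
    {"timestamp": "2024-01-10T09:05:00+00:00", "evt.name": "RestApi", "http.method": "GET",
     "http.status_code": 200, "uri": "/services/data/v58.0/sobjects/Account/001CONSTRUCTED",
     "usr.id": "005CONSTRUCTEDU1", "http.response_size_bytes": 1_500_000},
]


def uri_matches(uri: str) -> bool:
    """True when the URI hits a query or sobjects endpoint per the rule's patterns."""
    return any(fnmatch.fnmatchcase(uri, pattern) for pattern in URI_PATTERNS)


def is_successful(status) -> bool:
    """ASSUMPTION: a successful response is any HTTP 2xx status."""
    return isinstance(status, int) and 200 <= status < 300


def matches_rule(event: dict, threshold: int = RESPONSE_SIZE_THRESHOLD) -> bool:
    """All of the rule's conditions must hold; the size must strictly exceed the threshold."""
    return (
        event.get("evt.name") == "RestApi"
        and event.get("http.method") == "GET"
        and uri_matches(event.get("uri", ""))
        and is_successful(event.get("http.status_code"))
        and event.get("http.response_size_bytes", 0) > threshold
    )


def evaluate(events, threshold: int = RESPONSE_SIZE_THRESHOLD) -> list:
    """Return the events that would trigger the detection."""
    return [e for e in events if matches_rule(e, threshold)]


def summarize_by_user(matches) -> dict:
    """Per-user request count, total bytes, distinct endpoints (query string stripped)
    and first/last timestamps: the frequency and timing view used during triage."""
    summary = {}
    for e in matches:
        s = summary.setdefault(e["usr.id"], {"count": 0, "total_bytes": 0,
                                             "endpoints": set(), "first": None, "last": None})
        ts = datetime.fromisoformat(e["timestamp"])
        s["count"] += 1
        s["total_bytes"] += e["http.response_size_bytes"]
        s["endpoints"].add(e["uri"].split("?", 1)[0])
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return summary


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for uid, s in summarize_by_user(hits).items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{uid}: {s['count']} large GET(s), {s['total_bytes']} bytes, "
              f"{len(s['endpoints'])} endpoint(s), over {span:.0f}s")
```

Two events out of the seven trigger: both are from the same constructed user, one per endpoint type, five minutes apart. The summary makes that pattern visible in one line, which is the starting point for the triage questions above about whether the volume and cadence fit the user's role. The URI is matched before the query string is stripped, so a `query?q=...` request still counts toward the query endpoint when endpoints are tallied.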

*This detection is based on data from [Drift/Salesforce Security Update](https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Update) and [Widespread Data Theft Targets Salesforce Instances via Salesloft Drift](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift).*
