Salesforce large-sized chunk exfiltration through GET requests
Goal
Detects large-volume data exfiltration attempts through Salesforce REST API GET requests.
Strategy
This rule monitors Salesforce REST API events where @evt.name is RestApi and @http.method is GET, targeting query and object endpoints (@uri containing /services/data/*/query* or /services/data/*/sobjects*) that return successful responses. The detection triggers on response sizes over 1MB. Large response sizes indicate potential bulk data extraction, which may represent legitimate reporting activities or malicious data theft. Attackers often use API endpoints to systematically extract large volumes of sensitive data while appearing to perform normal application functions.
Triage & Response
- Examine the specific API endpoints and query parameters used by {{@usr.id}} to determine what data was accessed and whether the volume aligns with legitimate business needs.
- Review the user’s role and typical data access patterns to verify if large data retrievals are part of their normal job functions.
- Analyze the timing and frequency of the large data requests to identify potential automated or systematic extraction attempts.
- Check if the accessed data contains sensitive information such as customer records, financial data, or intellectual property that would be valuable to attackers.
- Verify with the user or their supervisor whether the large data extraction was authorized and part of legitimate business operations such as reporting, analytics, or data migration.