---
title: Salesforce large amount of file download actions
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Salesforce large amount of file
  download actions
---

# Salesforce large amount of file download actions
Classification: attack

- Tactic: [TA0010-exfiltration](https://attack.mitre.org/tactics/TA0010)
- Technique: [T1020-automated-exfiltration](https://attack.mitre.org/techniques/T1020)
## Goal{% #goal %}

Detect when a user account initiates a large number of file downloads.

## Strategy{% #strategy %}

The detection tracks the number of distinct files a user account downloads to identify suspicious mass download patterns. When a user account downloads a large number of files in a short timeframe, this could indicate data exfiltration.

Using Event Log File (ELF) and Real Time Event Monitoring (RTEM) logs, this rule monitors for events related to resource downloads.

A user can attach files to individual records and view or download them. The attachment object is a legacy Salesforce object used to store files on records, and has been replaced in newer releases by Salesforce Files. The [Salesforce documentation](https://help.salesforce.com/s/articleView?id=experience.collab_files_differences.htm&type=5) describes differences between attachments and files.

For [`DownloadAttachmentDownload` events](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_documentattach.htm), the detection generates signals for multiple unique `@entity_id` values for a user account within a short timeframe. The `@file_type` field includes information on the resource type, such as `PDF`, `CSV`, etc. These events are included in Event Log File (ELF) logs.

`ContentTransfer` events are preview, upload, or download actions performed on files and attachments to records. These events are included in Event Log File (ELF) logs.

For `ContentTransfer` events, the detection generates signals for multiple unique `@entity_id` values for a user account within a short timeframe. In these logs, `@transaction_type` is monitored for UI download (`VersionDownloadAction`) and API download (`VersionDownloadApi`) actions. The `@file_type` field includes information on the resource type, such as `PDF`, `CSV`, etc.

File download events occur when a user downloads, previews, or uploads a file within Salesforce.

These events include a file source field, `@file_source`, to describe where the file is located:

- `S` for within Salesforce
- `E` for outside of Salesforce
- `L` for a social network and accessed via Social Customer Service

For [`FileEventStore` events](https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/sforce_api_objects_fileevent.htm), the detection generates signals for multiple unique `@entity_id` values for a user account within a short timeframe. In these logs, `@file_action` is monitored for UI download (`UI_DOWNLOAD`) and API download (`API_DOWNLOAD`) actions. The `@file_type` field includes information on the resource type, such as `PDF`, `CSV`, etc. These events are included in Real Time Event Monitoring (RTEM) logging plans.
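As an added example (not Datadog's rule implementation), the following Python sketches the counting logic described above: it keeps only the download actions named for each of the three event sources, then counts distinct `@entity_id` values per user inside a sliding time window. The flat event records, the `evt.name` key, the threshold and the window length are assumptions for illustration, and the sample events are constructed, not real Salesforce data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per event source: the field naming the action and the values that count as a
# download (from the rule description). DownloadAttachmentDownload needs no filter.
DOWNLOAD_FILTER = {
    "DownloadAttachmentDownload": None,
    "ContentTransfer": ("@transaction_type", {"VersionDownloadAction", "VersionDownloadApi"}),
    "FileEventStore": ("@file_action", {"UI_DOWNLOAD", "API_DOWNLOAD"}),
}

def is_download(event):
    """True when the event is a UI or API file download for its source."""
    spec = DOWNLOAD_FILTER.get(event.get("evt.name"), False)  # False: unknown source
    return spec is None or (spec and event.get(spec[0]) in spec[1])

def find_mass_downloads(events, threshold=10, window=timedelta(minutes=5)):
    """Map user id -> distinct @entity_id set for users who downloaded at least
    `threshold` distinct files within any `window`-long span (sliding window)."""
    per_user = defaultdict(list)
    for ev in filter(is_download, events):
        per_user[ev["@usr.id"]].append((datetime.fromisoformat(ev["timestamp"]), ev["@entity_id"]))
    signals = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # drop events older than the window
                start += 1
            distinct = {eid for _, eid in rows[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(signals.get(user, ())):
                signals[user] = distinct  # keep the largest distinct set seen for this user
    return signals

def sample_events():
    """Constructed sample records (not real Salesforce data) for three users."""
    base = datetime(2024, 1, 1, 9, 0)
    def rec(src, user, i, step, **extra):
        return {"evt.name": src, "@usr.id": user, "@entity_id": f"069{user[-1]}{i:02d}",
                "timestamp": (base + i * step).isoformat(), **extra}
    evs = [rec("ContentTransfer", "005A", i, timedelta(seconds=10), **{"@transaction_type": "VersionDownloadAction"})
           for i in range(12)]  # 005A: 12 distinct files in 2 minutes -> signal
    evs += [rec("ContentTransfer", "005A", 99, timedelta(0), **{"@transaction_type": "NotADownload"})]  # placeholder non-download action, ignored
    evs += [rec("FileEventStore", "005B", i % 3, timedelta(seconds=5), **{"@file_action": "API_DOWNLOAD"})
            for i in range(12)]  # 005B: 12 events but only 3 distinct files -> no signal
    evs += [rec("DownloadAttachmentDownload", "005C", i, timedelta(minutes=10))
            for i in range(12)]  # 005C: 12 distinct files, one every 10 minutes -> never 10 inside one window
    return evs
```

Lowering the threshold shows the distinct-file counting at work: user `005B` only produces a signal once the threshold drops to the 3 distinct files they actually touched.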

## Triage and response{% #triage-and-response %}

- Examine the associated user ID and triggering download events in the Salesforce audit logs.
- Determine if the download activity includes sensitive or confidential information. Review the number of files returned for context on potential data exfiltration.
- Investigate the `{{@usr.id}}` for abnormal login behavior, using the user ID to correlate with the IP address, user agent, and session key in the login event logs.
- If the file downloads include sensitive or confidential information, initiate your incident response plan.
