---
title: Salesforce new third party package or application installed
description: Datadog, the leading service for cloud-scale monitoring.
---

# Salesforce new third party package or application installed

Classification: attack; Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003); Technique: [T1671-cloud-application-integration](https://attack.mitre.org/techniques/T1671)

## Goal{% #goal %}

Detect new packages installed by a user within Salesforce.

## Strategy{% #strategy %}

Adversaries may install attacker-controlled third-party applications to gain access to your Salesforce environment. If an approved third-party application is compromised, the attacker may gain access to your instance through the previously granted credentials.

Monitor for new packages installed by a user account from Salesforce AppExchange. Both managed and unmanaged packages are available for download in the Salesforce AppExchange. For more information, review the [Package Install Event](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_packageinstall.htm) type.

Using Event Log File (ELF) logs, this rule monitors for package installation or connected application events.

For `PackageInstall` events, successful events (`@is_successful`) generate a signal with severity determined by whether the package is managed (`@is_managed`). In these logs, `@package_name` will provide the associated name.

For `SetupAuditTrail` events, `insertConnectedApplication` administrator actions generate a `Low` severity signal.
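
The matching logic described above, as an added sketch that is not Datadog's rule definition. It runs over constructed sample events and also flags whether each name is on a hypothetical allowlist, which is the first triage question. The field names `evt_name`, `action`, `display`, `user`, and `ip`, the allowlist, and the `PackageInstall` severity values are assumptions; only `is_successful`, `is_managed`, `package_name`, and the `Low` severity for connected applications come from this page.

```python
import json

# Constructed sample events (not real logs). is_successful, is_managed and
# package_name are named on this page; evt_name, action, display, user and
# ip are assumed field names for this sketch.
SAMPLE_LOGS = [
    '{"evt_name":"PackageInstall","is_successful":"1","is_managed":"1","package_name":"Approved CRM Sync","user":"u1","ip":"198.51.100.7"}',
    '{"evt_name":"PackageInstall","is_successful":true,"is_managed":false,"package_name":"Data Export Helper","user":"u2","ip":"203.0.113.9"}',
    '{"evt_name":"PackageInstall","is_successful":"0","is_managed":"0","package_name":"Failed Pkg","user":"u2","ip":"203.0.113.9"}',
    '{"evt_name":"SetupAuditTrail","action":"insertConnectedApplication","display":"Reporting Connector","user":"u3","ip":"192.0.2.44"}',
    '{"evt_name":"SetupAuditTrail","action":"changedPassword","display":"n/a","user":"u3","ip":"192.0.2.44"}',
    'not json',
]

# Assumed severities: the page only says managed status decides the level.
PACKAGE_SEVERITY = {True: "Low", False: "Medium"}
EXPECTED = {"Approved CRM Sync"}  # hypothetical allowlist used in triage


def as_bool(value):
    """Accept JSON booleans and the string forms exported logs may use."""
    return value is True or str(value).strip().lower() in ("1", "true")


def evaluate(line):
    """Return a signal dict for one log line, or None if the rule does not match."""
    try:
        evt = json.loads(line)
    except json.JSONDecodeError:
        return None  # malformed line: skip rather than abort the whole run
    if not isinstance(evt, dict):
        return None
    kind = evt.get("evt_name")
    if kind == "PackageInstall" and as_bool(evt.get("is_successful")):
        name = evt.get("package_name", "")
        severity = PACKAGE_SEVERITY[as_bool(evt.get("is_managed"))]
    elif kind == "SetupAuditTrail" and evt.get("action") == "insertConnectedApplication":
        name, severity = evt.get("display", ""), "Low"
    else:
        return None  # failed installs and unrelated admin actions do not signal
    return {"name": name, "severity": severity, "user": evt.get("user"),
            "ip": evt.get("ip"), "expected": name in EXPECTED}


def run(lines):
    """Evaluate every line and keep only the ones that produce a signal."""
    return [s for s in map(evaluate, lines) if s is not None]


if __name__ == "__main__":
    for signal in run(SAMPLE_LOGS):
        print(signal)
```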

## Triage and response{% #triage-and-response %}

- Examine the associated user account, package or application name, and the IP address within the Salesforce audit logs.
- Determine if the package or application is expected within your Salesforce environment.
- If the package or application is unexpected or demonstrates evidence of suspicious activities, initiate your incident response plan.
