Salesforce anomalous amount of queried tables
Goal
Detects when a Salesforce user queries an anomalous amount of different database tables compared to their historical baseline.
Strategy
This rule monitors Salesforce API events where `@evt.name` is `ApiEvent` and `@operation` is `Query`. It uses anomaly detection to identify when users access significantly more unique tables (`@queried_entities`) than their normal behavior pattern. Specifically, the detection triggers when a user’s activity exceeds 3 standard deviations above their historical baseline. This approach helps identify potential insider threats, compromised accounts, or automated tools performing unauthorized data discovery across the Salesforce environment.
Triage & Response
- Examine the specific tables queried by {{@usr.id}} during the anomalous activity period to determine if the access pattern aligns with their job responsibilities.
- Review the user’s recent authentication history and session details to identify any suspicious login patterns or locations.
- Analyze the timing and frequency of the queries to determine if they represent legitimate business activity or potential automated data harvesting.
- Check if the queried tables contain sensitive data such as customer information, financial records, or intellectual property.
- Verify with the user or their manager whether the expanded data access was part of an authorized business process or investigation.
This detection is based on data from “Drift/Salesforce Security Update” and “Widespread Data Theft Targets Salesforce Instances via Salesloft Drift”.