---
title: Salesforce anomalous amount of queried tables
---

# Salesforce anomalous amount of queried tables
Classification: Attack Tactic: [TA0009 - Collection](https://attack.mitre.org/tactics/TA0009), Technique: [T1213 - Data from Information Repositories](https://attack.mitre.org/techniques/T1213)
## Goal{% #goal %}

Detects when a Salesforce user queries an anomalous amount of different database tables compared to their historical baseline.

## Strategy{% #strategy %}

This rule monitors Salesforce API events where `@evt.name` is `ApiEvent` and `@operation` is `Query`. It uses anomaly detection to identify when a user accesses significantly more unique tables (`@queried_entities`) than usual: the detection triggers when the number of distinct tables a user queries exceeds 3 standard deviations above that user's own historical baseline. This approach helps identify potential insider threats, compromised accounts, or automated tools performing unauthorized data discovery across the Salesforce environment.
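The following is an added illustration of the strategy above, not Datadog's implementation: it filters constructed Salesforce `ApiEvent` records to `Query` operations, counts the distinct `queried_entities` per user per day, and flags a day whose count exceeds the user's mean plus 3 standard deviations from prior days. Field names are taken from the rule text; the sample events and the daily windowing are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real telemetry). Each Query ApiEvent lists
# the tables it touched; day 8 sweeps far more tables than the user normally does.
EVENTS = [
    {"day": d, "evt.name": "ApiEvent", "operation": "Query",
     "usr.id": "u1", "queried_entities": ents}
    for d, ents in [
        (1, ["Account", "Contact"]), (1, ["Contact"]),
        (2, ["Account", "Opportunity"]), (2, ["Contact"]),
        (3, ["Account"]), (3, ["Contact", "Lead"]),
        (4, ["Account", "Contact"]), (5, ["Account", "Contact"]),
        (6, ["Account", "Contact"]), (7, ["Account", "Contact"]),
        (8, ["Account", "Contact", "Lead", "Opportunity", "Case",
             "User", "Campaign", "Attachment", "Task", "Event"]),
    ]
] + [
    # Out of scope for the rule: a non-Query operation and a non-ApiEvent.
    {"day": 8, "evt.name": "ApiEvent", "operation": "Insert", "usr.id": "u1",
     "queried_entities": ["X1", "X2", "X3", "X4"]},
    {"day": 8, "evt.name": "LoginEvent", "operation": "Query", "usr.id": "u1",
     "queried_entities": ["Y1", "Y2", "Y3", "Y4"]},
]

def distinct_tables_per_day(events):
    """Per (user, day): number of distinct tables seen in Query ApiEvents only."""
    tables = defaultdict(set)
    for e in events:
        if e["evt.name"] != "ApiEvent" or e["operation"] != "Query":
            continue
        tables[(e["usr.id"], e["day"])].update(e["queried_entities"])
    return {k: len(v) for k, v in tables.items()}

def anomalous_days(events, threshold_sigmas=3.0, min_history=3):
    """Return (user, day, count, threshold) for days where the count exceeds
    mean + threshold_sigmas * stdev of that user's earlier days.
    Note: a perfectly constant history gives stdev 0, so any increase fires;
    production baselines usually floor the deviation or use longer windows."""
    counts = distinct_tables_per_day(events)
    history, flagged = defaultdict(list), []
    for (user, day), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        past = history[user]
        if len(past) >= min_history:
            limit = mean(past) + threshold_sigmas * pstdev(past)
            if n > limit:
                flagged.append((user, day, n, round(limit, 2)))
        past.append(n)  # baseline only ever contains earlier days
    return flagged
```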

## Triage & Response{% #triage--response %}

- Examine the specific tables queried by `{{@usr.id}}` during the anomalous activity period to determine if the access pattern aligns with their job responsibilities.
- Review the user's recent authentication history and session details to identify any suspicious login patterns or locations.
- Analyze the timing and frequency of the queries to determine if they represent legitimate business activity or potential automated data harvesting.
- Check if the queried tables contain sensitive data such as customer information, financial records, or intellectual property.
- Verify with the user or their manager whether the expanded data access was part of an authorized business process or investigation.

*This detection is based on data from [Drift/Salesforce Security Update](https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Update) and [Widespread Data Theft Targets Salesforce Instances via Salesloft Drift](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift)*
