Anomalous amount of Salesforce records deleted

Goal

Detect when there is a significant increase in deleted records in Salesforce.

Strategy

Inspect and baseline Salesforce logs and determine if there is a significant increase in successful (@evt.outcome:Success) delete operations (@operation:Delete).
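
The baselining step described above, sketched as an added example (this is not Datadog's rule implementation). It filters on the two attributes named in the query, counts successful deletes per user per hour, and flags hours far above that user's own history using a median/MAD score. The scoring method, the `usr` and `ts` field names, the hourly bucket and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not real Salesforce data). "evt.outcome" and
# "operation" come from the rule's query; "usr" and "ts" (epoch seconds)
# are assumed names for the acting user and the event time.
def make_events():
    events = []
    for hour in range(24):                      # 24 hours of normal activity
        for i in range(2 + hour % 3):           # 2 to 4 deletes per hour
            events.append({"ts": hour * 3600 + i, "usr": "alice",
                           "operation": "Delete", "evt.outcome": "Success"})
    for i in range(60):                         # burst of deletes in hour 24
        events.append({"ts": 24 * 3600 + i, "usr": "alice",
                       "operation": "Delete", "evt.outcome": "Success"})
    # Failed deletes and non-delete operations must not be counted.
    events.append({"ts": 24 * 3600, "usr": "bob", "operation": "Delete", "evt.outcome": "Failure"})
    events.append({"ts": 24 * 3600, "usr": "bob", "operation": "Update", "evt.outcome": "Success"})
    return events

def delete_counts(events, bucket=3600):
    """Count successful deletes per (user, time bucket)."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("operation") == "Delete" and e.get("evt.outcome") == "Success":
            counts[e["usr"]][e["ts"] // bucket] += 1
    return counts

def anomalies(events, bucket=3600, min_history=12, threshold=5.0):
    """Flag buckets whose count is far above the user's own earlier buckets."""
    flagged = []
    for user, per_bucket in delete_counts(events, bucket).items():
        buckets = sorted(per_bucket)
        for b in buckets:
            # Earlier buckets, with quiet hours counted as zero deletes.
            history = [per_bucket.get(h, 0) for h in range(buckets[0], b)]
            if len(history) < min_history:
                continue                        # not enough baseline yet
            med = median(history)
            mad = median(abs(x - med) for x in history) or 1.0  # avoid /0
            score = (per_bucket[b] - med) / (1.4826 * mad)
            if score > threshold:
                flagged.append((user, b, per_bucket[b], round(score, 1)))
    return flagged
```

Each flagged tuple is (user, bucket index, delete count, score); the user and time window are the starting point for the triage step.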

Triage and response

Determine if the user should be legitimately deleting Salesforce records.