Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data.

Strategy

Inspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (@rows_returned).

Triage and response

Determine if the user should be legitimately performing large queries.