Salesforce account compromise
You might want to audit Salesforce user activity when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- CRM, ERP, and other business application data
- Virtual private network data
- Network access control data
- Splunk Add-on for Salesforce
Example
Your organization uses Salesforce as your CRM to store and maintain all customer data. You ingest your Salesforce data as well as VPN and network authentication logs into Splunk Enterprise. Everyone at the company has a unique login to Salesforce, and each person has a different role inside the company. The permissions are set up in Salesforce such that everyone has access to customer data for sales, support, opportunities, etc., but not everyone is able to create or alter this data. You notice some strange audit activity in Salesforce from a user who was trying to delete a record they didn't have access to modify. You decide to investigate further.
To optimize the search shown below, you should specify an index and a time range.
- Run the following search:

```spl
(source=<name of vpn source> OR source=<name of network data source> OR source=sfdc) | search sfdc_action=login AND source_ip=<known bad IP address>
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment. Note that the three `source=` clauses are grouped in parentheses: in SPL, `AND` binds more tightly than `OR`, and a single event has only one `source` value, so an ungrouped `source=<network source> AND source=sfdc` can never match.

| Splunk Search | Explanation |
|---|---|
| `(source=<name of vpn source> OR source=<name of network data source> OR source=sfdc)` | Selects the VPN, network, and Salesforce data sources that are onboarded into Splunk. The source names differ per environment and sourcetype. |
| `\| search sfdc_action=login AND source_ip=<known bad IP address>` | Narrows the results to successful Salesforce login events and compares their source address against a known bad IP address. |
Result
This search can reveal additional unexpected user behavior, such as:
- Attempt to delete
- Attempt to download
- Attempt to modify
- Attempt to add new users
- Attempt to delete users
A high volume of unexpected actions can indicate that a user's account has been compromised. Remediation of the situation includes both changing the user's password and end-user training on security best practices.
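The following is an added, offline re-implementation of the investigation described on this page (both the search itself and the follow-on review of unexpected actions); it is example code written for this page, not Splunk's or Salesforce's own code. It assumes events already normalised by the Splunk Add-on for Salesforce carry the fields used in the search above (`source`, `sfdc_action`, `source_ip`, `user`, `_time`), and that VPN events carry `source_ip` and `user` under a `source` of `vpn`. The event records and the bad-IP list are constructed sample data.

```python
"""
Find Salesforce logins from a known-bad IP, list what that user did
afterwards, and check whether the same IP also appears in VPN/network logs.
Added example for this page (assumed field names, constructed sample data).
"""
from datetime import datetime, timezone

# Constructed sample events. Salesforce events mirror the fields used by the
# page's search; the VPN event stands in for "virtual private network data".
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00Z", "source": "sfdc", "user": "alice@example.com",
     "sfdc_action": "login", "source_ip": "10.1.1.5"},
    {"_time": "2024-05-01T08:30:00Z", "source": "sfdc", "user": "bob@example.com",
     "sfdc_action": "modify", "source_ip": "10.1.1.9"},            # before the bad login
    {"_time": "2024-05-01T09:10:00Z", "source": "vpn", "user": "bob@example.com",
     "action": "connect", "source_ip": "203.0.113.7"},             # same bad IP on the VPN
    {"_time": "2024-05-01T09:15:00Z", "source": "sfdc", "user": "bob@example.com",
     "sfdc_action": "login", "source_ip": "203.0.113.7"},          # login from bad IP
    {"_time": "2024-05-01T09:20:00Z", "source": "sfdc", "user": "bob@example.com",
     "sfdc_action": "delete", "source_ip": "203.0.113.7"},
    {"_time": "2024-05-01T09:25:00Z", "source": "sfdc", "user": "bob@example.com",
     "sfdc_action": "download", "source_ip": "203.0.113.7"},
    {"_time": "2024-05-01T09:30:00Z", "source": "sfdc", "user": "bob@example.com",
     "sfdc_action": "add_user", "source_ip": "203.0.113.7"},
    {"_time": "2024-05-01T09:40:00Z", "source": "sfdc", "user": "alice@example.com",
     "sfdc_action": "modify", "source_ip": "10.1.1.5"},            # benign, unrelated user
]

# Constructed placeholder from the TEST-NET-3 documentation range.
KNOWN_BAD_IPS = {"203.0.113.7"}

# Action names standing in for the unexpected behaviours the page lists
# (delete, download, modify, add users, delete users); the exact values in a
# real deployment depend on the add-on's field extraction (assumption).
UNEXPECTED_ACTIONS = {"delete", "download", "modify", "add_user", "delete_user"}


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_logins(events, bad_ips):
    """Equivalent of `search sfdc_action=login AND source_ip=<known bad IP>`."""
    return [e for e in events
            if e.get("source") == "sfdc"
            and e.get("sfdc_action") == "login"
            and e.get("source_ip") in bad_ips]


def follow_on_activity(events, login):
    """Unexpected Salesforce actions by the same user strictly after the login."""
    t0 = parse_time(login["_time"])
    later = [e for e in events
             if e.get("source") == "sfdc"
             and e.get("user") == login["user"]
             and e.get("sfdc_action") in UNEXPECTED_ACTIONS
             and parse_time(e["_time"]) > t0]
    return sorted(later, key=lambda e: parse_time(e["_time"]))


def ip_seen_in_network_logs(events, ip):
    """True if the IP also appears in the VPN/network data sources."""
    return any(e.get("source") in {"vpn", "network"} and e.get("source_ip") == ip
               for e in events)


def investigate(events, bad_ips):
    """Per-user summary: one entry for each Salesforce login from a bad IP."""
    findings = {}
    for login in suspicious_logins(events, bad_ips):
        findings[login["user"]] = {
            "bad_ip": login["source_ip"],
            "login_time": login["_time"],
            "actions": [e["sfdc_action"] for e in follow_on_activity(events, login)],
            "ip_seen_in_network_logs": ip_seen_in_network_logs(events, login["source_ip"]),
        }
    return findings


if __name__ == "__main__":
    for user, finding in investigate(SAMPLE_EVENTS, KNOWN_BAD_IPS).items():
        print(user, finding)
```

Only actions after the suspicious login are attributed to it (Bob's earlier `modify` from an internal address is excluded), and the VPN check shows why the search includes the VPN and network sources alongside `sfdc`: the same bad address turning up in both is stronger evidence than a single Salesforce login.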
This search can improve mean time to detect, mean time to respond, and return on investment.