Skip to main content
 
 
 
Splunk Lantern

Salesforce account compromise

 

You might want to audit Salesforce user activity when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your organization uses Salesforce as your CRM to store and maintain all customer data. You ingest both your Salesforce data as well as VPN and network authentication logs into Splunk Enterprise. Everyone at the company has a unique login to Salesforce with each person having a different role inside of the company. The permissions are set up in Salesforce such that everyone has access to customer data for sales, support, opportunities, etc., but not everyone is able to create or alter this data. You notice some strange audit activity in Salesforce from a user who was trying to delete a record they didn’t have access to modify. You decide to investigate further.

To optimize the search shown below, you should specify an index and a time range. 

  1. Run the following search:
source=<name of vpn source> OR source=<name of network data source> AND source=sfdc 
| search sfdc_action=login AND source_ip=<known bad IP address>

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
source=<name of vpn source> OR source=<name of network data source> AND source=sfdc

This part specifies which datasource of VPN or Network Data is onboarded into Splunk. This will be different per sourcetype.

| search sfdc_action=login AND source_ip=<known bad IP address>

This clarifying string specifies to look for only successful Salesforce logins and compares them to a known bad IP address.

Result

This search can reveal additional unexpected user behavior, such as:

  • Attempt to delete
  • Attempt to download
  • Attempt to modify
  • Attempt to add new users
  • Attempt to delete users

Lots of unexpected actions can indicate that a user’s account has been compromised. Remediation of the situation includes both changing the user’s password as well as end-user training on security best practices.

This search can improve mean time to detect, mean time to respond, and return on investment.