Your organization maintains business-critical information within the SaaS customer relationship management application, Salesforce.com. This data relates to customers, partners, prospects, and, often, employees. As part of your Salesforce.com deployment, other applications interact with this sensitive data, via push or pull APIs that automate data exchange. For example, you might have integrations into finance and human resources applications, such as Workday, or marketing automation tools, such as Eloqua and Marketo.
You know that attackers can use the Salesforce.com API as a vector to reach this sensitive data. Because Salesforce.com is a cloud application served from a publicly reachable domain, this vector requires only valid credentials (for example, a stolen password and session, or a compromised integration token); an adversary does not need any foothold on your internal network to exploit it. You need searches that you can run regularly to detect anomalous or malicious API behavior in your Salesforce environment.
How to use Splunk software for this use case
You can use Splunk software to monitor queries, especially queries that are new for certain users or peer groups. You can also monitor downloads of records and files, and set up searches to alert you to other high-risk events.
This use case is best deployed using Splunk Security Essentials (SSE), a free application with a security content library. However, you can run these searches on any Splunk Enterprise or Splunk Cloud Platform deployment.
- New application accessing the Salesforce API. Your Salesforce cloud deployment contains your company's most critical customer information. To help protect this data, you can regularly monitor users who connect to Salesforce's reporting API from a client application that has not been seen for that user before.
- New high-risk event types for a Salesforce cloud user. First-time seen events, specifically high-risk types, can indicate unauthorized, non-compliant, and potentially malicious behavior.
- New tables queried by a Salesforce peer group. A search might show first-time query attempts against sensitive tables by a peer group that has not previously accessed the tables in question. This detection can help show that individuals within the organization are not abusing or misusing legitimate access to assets that store and process personal data.
- New tables queried by a Salesforce cloud user. A search might show first-time query attempts against sensitive tables by an individual user who has not previously accessed the tables in question. Because a user's peer group may already access a table legitimately, this per-user detection catches cases the peer-group detection above does not.
- Spike in downloaded documents per user on Salesforce cloud. A sudden, high-volume increase in downloaded documents can indicate unauthorized, non-compliant, and potentially malicious behavior.
- Spike in exported records from Salesforce cloud. A sudden, high-volume increase in exported records can indicate unauthorized, non-compliant, and potentially malicious behavior.
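The searches above are not reproduced on this page, but the logic behind them is the same two primitives Splunk Security Essentials applies to Salesforce events: "first time seen" for a value (client, table) relative to a key (user, peer group), and a volume spike relative to a per-user baseline. The following Python is an added example, not code from Splunk or from the SSE content library, that implements both primitives over a constructed set of records. The field names (user, group, client, entity, rows) and the seven-day baseline are assumptions chosen to resemble Salesforce EventLogFile API events; real searches would run against your ingested event log fields.

```python
from collections import defaultdict

BASELINE_DAYS = 7   # days 1..7 establish "normal"; anything new on day 8 is flagged


def baseline_events():
    """Constructed baseline: seven quiet days of routine API use (invented data,
    loosely modelled on Salesforce EventLogFile API event fields)."""
    ev = []
    for day in range(1, BASELINE_DAYS + 1):
        ev.append(dict(day=day, user="alice", group="sales", client="SalesforceMobile", entity="Account", rows=50))
        ev.append(dict(day=day, user="alice", group="sales", client="Marketo", entity="Contact", rows=60))
        ev.append(dict(day=day, user="bob", group="sales", client="Eloqua", entity="Account", rows=30))
        ev.append(dict(day=day, user="carol", group="finance", client="Workday", entity="Invoice__c", rows=20))
    return ev


# Constructed detection-day events: one new client, two new tables, one bulk export.
DAY8_EVENTS = [
    dict(day=8, user="alice", group="sales", client="curl/7.88", entity="Account", rows=5000),
    dict(day=8, user="bob", group="sales", client="Eloqua", entity="Contact", rows=35),
    dict(day=8, user="carol", group="finance", client="Workday", entity="Account", rows=25),
]

SAMPLE_EVENTS = baseline_events() + DAY8_EVENTS


def first_seen(events, key, value, baseline_days=BASELINE_DAYS):
    """Return {(key, value): day} for every (key, value) pair whose earliest
    appearance falls after the baseline window. With key="user" and
    value="client" this is "new application accessing the API"; with
    key="group"/value="entity" it is "new table queried by a peer group"."""
    earliest = {}
    for e in events:
        k = (e[key], e[value])
        earliest[k] = min(e["day"], earliest.get(k, e["day"]))
    return {k: d for k, d in earliest.items() if d > baseline_days}


def row_spikes(events, factor=5.0, min_rows=1000, baseline_days=BASELINE_DAYS):
    """Flag (user, day) where the rows a user pulled in one day exceed `factor`
    times that user's average daily rows in the baseline window AND an absolute
    floor. The floor stops a user whose baseline is near zero from alerting on
    a handful of rows; the ratio stops a bulk-integration account with a large
    but steady baseline from alerting every day."""
    daily = defaultdict(int)
    for e in events:
        daily[(e["user"], e["day"])] += e["rows"]

    baseline = defaultdict(list)
    for (user, day), rows in daily.items():
        if day <= baseline_days:
            baseline[user].append(rows)

    flagged = {}
    for (user, day), rows in daily.items():
        # A user with no baseline at all is a "first seen user" case, not a
        # spike; it belongs in a separate detection, so it is skipped here.
        if day <= baseline_days or not baseline[user]:
            continue
        avg = sum(baseline[user]) / len(baseline[user])
        if rows >= min_rows and rows > factor * avg:
            flagged[(user, day)] = (rows, avg)
    return flagged


def run_detections(events):
    """Run all four detections and return their findings keyed by name."""
    return {
        "new_client_per_user": first_seen(events, "user", "client"),
        "new_table_per_user": first_seen(events, "user", "entity"),
        "new_table_per_peer_group": first_seen(events, "group", "entity"),
        "row_spike_per_user": row_spikes(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(name, hits)
```

Note what the sample shows: bob's query of Contact is new for bob but not for the sales peer group (alice already queries it), so only the per-user detection fires, while carol's query of Account is new for both carol and the finance group and fires both. alice's 5,000-row pull through an unfamiliar client fires the new-client and spike detections at once, which is the combination most worth an immediate look.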
To maximize their benefit, the searches above likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Compliance office processes
- Security and identity and access management
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Counts of object access over time
- Counts of identity access over time
- Number of reports for compliance attestation
In addition, these Splunk resources might help you understand and implement this use case: