Splunk Lantern

New high-risk event types for a Salesforce cloud user

You might need to detect first-time occurrences of high-risk behavior when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

First-time seen events, specifically high-risk types, can indicate unauthorized, non-compliant, and potentially malicious behavior. Because so many people in your organization have access to Salesforce, you want to monitor regularly for such events.

To optimize the search shown below, specify an index and a time range.

  1. Populate the lookup_sfdc_usernames lookup provided by the Salesforce Add-on with live values from your site.
  2. Run the following search:
EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI OR EVENT_TYPE=ReportExport
| lookup lookup_sfdc_usernames USER_ID 
| stats earliest(_time) AS earliest latest(_time) AS latest BY Username, EVENT_TYPE 
| where earliest > relative_time(now(), "-1d@d")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI OR EVENT_TYPE=ReportExport

Filter for the high-risk event types.

| lookup lookup_sfdc_usernames USER_ID

Convert the Salesforce USER_ID into a friendly Username via the lookup.

| stats earliest(_time) AS earliest latest(_time) AS latest BY Username, EVENT_TYPE

Calculate the earliest and the latest time each Username and EVENT_TYPE combination occurred.

| where earliest > relative_time(now(), "-1d@d")

Keep only the combinations whose earliest occurrence is later than the start of the previous day, that is, combinations first seen within the last day.

Result

While there are no traditional false positives in this search, there will be a lot of noise. Every time this search runs, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). You should not review these alerts directly (except for high sensitivity accounts), but instead use them for context or to aggregate risk.

For most environments, these searches can be run once a day, often overnight, without a lag. If you want to run this search more frequently, or if this search is too slow for your environment, leverage a lookup cache. 
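The following is an added example, not part of the Splunk Lantern article, that re-implements the search above in plain Python so the two variants can be compared side by side: the direct form (filter, lookup, earliest/latest per Username and EVENT_TYPE, keep pairs first seen after "-1d@d") and the lookup-cache form suggested for environments where the full search is too slow. The event records, the USER_ID-to-Username mapping standing in for lookup_sfdc_usernames, and the fixed "now" timestamp are all constructed for the example. One caveat the code makes visible: in Splunk, an event whose USER_ID has no match in the lookup gets no Username and therefore drops out of the stats BY clause, which is why step 1 (populating the lookup) matters.

```python
from datetime import datetime, timedelta, timezone

# Constructed Salesforce event records (not real data); fields mirror the search.
NOW = datetime(2024, 3, 12, 9, 30, tzinfo=timezone.utc)  # fixed so the example is deterministic
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(days=5), "EVENT_TYPE": "API", "USER_ID": "005000000000001"},
    {"_time": NOW - timedelta(hours=3), "EVENT_TYPE": "API", "USER_ID": "005000000000001"},
    {"_time": NOW - timedelta(hours=2), "EVENT_TYPE": "ReportExport", "USER_ID": "005000000000001"},
    {"_time": NOW - timedelta(hours=1), "EVENT_TYPE": "BulkAPI", "USER_ID": "005000000000002"},
    {"_time": NOW - timedelta(days=2), "EVENT_TYPE": "Login", "USER_ID": "005000000000002"},  # not high-risk
    {"_time": NOW - timedelta(minutes=30), "EVENT_TYPE": "RestAPI", "USER_ID": "005000000000003"},  # no lookup row
]

# Constructed stand-in for the lookup_sfdc_usernames lookup: USER_ID -> Username.
LOOKUP_SFDC_USERNAMES = {
    "005000000000001": "alice@example.com",
    "005000000000002": "bob@example.com",
}

HIGH_RISK_EVENT_TYPES = {"API", "BulkAPI", "RestAPI", "ReportExport"}


def relative_time_minus_1d_at_d(now):
    """Equivalent of relative_time(now(), "-1d@d"): one day back, snapped to midnight."""
    return (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def first_seen_high_risk(events, lookup, now):
    """Direct form of the search. Returns sorted (Username, EVENT_TYPE) pairs whose
    earliest occurrence in `events` is later than -1d@d. Events with no lookup match
    are dropped, matching what `stats ... BY Username` does with a null Username."""
    stats = {}  # (Username, EVENT_TYPE) -> (earliest, latest)
    for ev in events:
        if ev["EVENT_TYPE"] not in HIGH_RISK_EVENT_TYPES:
            continue
        username = lookup.get(ev["USER_ID"])
        if username is None:
            continue
        key = (username, ev["EVENT_TYPE"])
        earliest, latest = stats.get(key, (ev["_time"], ev["_time"]))
        stats[key] = (min(earliest, ev["_time"]), max(latest, ev["_time"]))
    cutoff = relative_time_minus_1d_at_d(now)
    return sorted(key for key, (earliest, _) in stats.items() if earliest > cutoff)


def unmapped_user_ids(events, lookup):
    """Accounts that would silently vanish from the stats because the lookup lacks them."""
    return sorted({ev["USER_ID"] for ev in events
                   if ev["EVENT_TYPE"] in HIGH_RISK_EVENT_TYPES and ev["USER_ID"] not in lookup})


def first_seen_with_cache(events, lookup, seen_cache, now, window=timedelta(days=1)):
    """Lookup-cache form. Only events inside `window` are scanned; a pair is first-seen
    when it is absent from `seen_cache`, a set that persists between runs (in Splunk,
    a lookup table maintained with outputlookup). The cache is updated in place and the
    new pairs are returned in order of first appearance."""
    new_pairs = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EVENT_TYPE"] not in HIGH_RISK_EVENT_TYPES or ev["_time"] < now - window:
            continue
        username = lookup.get(ev["USER_ID"])
        if username is None:
            continue
        key = (username, ev["EVENT_TYPE"])
        if key not in seen_cache:
            seen_cache.add(key)
            new_pairs.append(key)
    return new_pairs


if __name__ == "__main__":
    print("direct:", first_seen_high_risk(SAMPLE_EVENTS, LOOKUP_SFDC_USERNAMES, NOW))
    print("unmapped:", unmapped_user_ids(SAMPLE_EVENTS, LOOKUP_SFDC_USERNAMES))
    cache = {("alice@example.com", "API")}  # built once from historical data
    print("cached run 1:", first_seen_with_cache(SAMPLE_EVENTS, LOOKUP_SFDC_USERNAMES, cache, NOW))
    print("cached run 2:", first_seen_with_cache(SAMPLE_EVENTS, LOOKUP_SFDC_USERNAMES, cache, NOW))
```

Both forms flag alice's first ReportExport and bob's first BulkAPI; alice's API calls are not new because an older one sits outside the -1d@d window (direct form) or in the cache (cached form), and the RestAPI activity from the unmapped USER_ID is reported only by unmapped_user_ids. The second cached run returns nothing, which is the property that lets the cached search run more often over a short window without re-scanning history.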

When this search returns values, initiate your incident response process and identify the user demonstrating this behavior. Capture the time of the event, the user's role, application, and number of rows exported or viewed. If possible, determine the system used and its location. Contact the user and their manager to determine if the download is authorized, and then document that it was authorized and by whom. If you cannot find authorization, the user credentials may have been used by another party and additional investigation is warranted.

GDPR Relevance: Detecting first-time occurrences of high-risk behavior and proving that individuals within the organization are not abusing or misusing legitimate access to assets that store and process personal data is an industry best practice and can be considered an effective security control, as required by Article 32. This is applicable to processing personal data from the controller and needs to also be addressed if contractors or sub-processors from third countries or international organizations access and transfer personal data (Article 15).
