Splunk Lantern

Spike in exported records from Salesforce cloud

A sudden, high-volume increase in exported records can indicate unauthorized, non-compliant, and potentially malicious behavior. Because so many people in your organization have access to Salesforce, this is an activity you want to monitor for regularly.

Data required

Salesforce data

How to use Splunk software for this use case

  1. Populate the lookup_sfdc_usernames lookup provided by the Salesforce Add-on with live values from your site. The search below references the lookup as SFDC_User_Lookup; if the lookup definition in your environment uses a different name, change the lookup command to match.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=sfdc ROWS_PROCESSED>0 (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)
| lookup SFDC_User_Lookup USER_ID 
| bucket _time span=1d 
| stats sum(ROWS_PROCESSED) AS rows BY _time USER_NAME

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

index=sfdc ROWS_PROCESSED>0 (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)

Pull in your SFDC dataset and filter it to the API-driven event types (API, BulkAPI, RestAPI) that processed at least one row. The parentheses are required: SPL evaluates AND before OR, so without them the index and ROWS_PROCESSED conditions apply only to EVENT_TYPE=API, and every BulkAPI or RestAPI event from any index is pulled in regardless of how many rows it processed.

| lookup SFDC_User_Lookup USER_ID

Enrich the search by converting the SFDC USER_ID into a friendly username via a lookup keyed on USER_ID. The USER_NAME field the lookup returns is what the final stats command groups by.

| bucket _time span=1d

bin (bucket is an alias for it) groups events by _time, effectively flattening each event's _time value to the start of its day.

| stats sum(ROWS_PROCESSED) AS rows BY _time USER_NAME

Sum the rows processed per user, per day. Events whose USER_ID had no match in the lookup have no USER_NAME and are excluded from this grouping, so keep the lookup populated or unmapped integration users will not appear in the results.
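The pipeline above, as an added example that is not code from the Lantern page or the Splunk Add-on: a Python emulation of each SPL stage (filter on event type and ROWS_PROCESSED, lookup USER_ID to USER_NAME, bucket by day, sum per user per day) run over a few constructed EventLogFile-style rows, followed by the baseline comparison the SPL stops short of, so that a day is only reported when a user's total is far above their own median on other days. The sample rows, the lookup table, the user IDs and the factor/min_rows thresholds are all assumptions made up for the example; unlike the SPL, an ID with no lookup match is kept under its raw USER_ID rather than silently dropped.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample rows in the CSV layout of Salesforce EventLogFile data.
# Field names match the SPL; user IDs, times and volumes are invented.
SAMPLE_EVENT_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,ROWS_PROCESSED
API,2024-03-01T09:12:00.000Z,005A,120
RestApi,2024-03-01T10:40:00.000Z,005A,30
Login,2024-03-01T08:00:00.000Z,005A,0
API,2024-03-02T09:05:00.000Z,005A,140
BulkApi,2024-03-02T11:00:00.000Z,005B,500
API,2024-03-03T09:20:00.000Z,005A,110
BulkApi,2024-03-03T11:10:00.000Z,005B,480
RestApi,2024-03-03T12:00:00.000Z,005C,0
BulkApi,2024-03-04T02:13:00.000Z,005A,12000
BulkApi,2024-03-04T02:45:00.000Z,005A,8000
BulkApi,2024-03-04T11:05:00.000Z,005B,520
RestApi,2024-03-04T15:00:00.000Z,005Z,2500
"""

# Constructed stand-in for the Add-on's username lookup (USER_ID -> USER_NAME).
# 005Z is deliberately absent to show how an unmapped ID is handled.
USER_LOOKUP = {
    "005A": "alice@example.com",
    "005B": "bob@example.com",
    "005C": "carol@example.com",
}

# Same event types as the SPL. Splunk matches field values case-insensitively
# (Salesforce emits BulkApi/RestApi), so compare in lower case.
EXPORT_EVENT_TYPES = {"api", "bulkapi", "restapi"}


def parse_events(text):
    """Read CSV text into dicts; ROWS_PROCESSED becomes an int (blank -> 0)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def filter_export_events(events):
    """ROWS_PROCESSED>0 (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)"""
    return [e for e in events
            if e["ROWS_PROCESSED"] > 0 and e["EVENT_TYPE"].lower() in EXPORT_EVENT_TYPES]


def enrich_user(events, lookup):
    """| lookup SFDC_User_Lookup USER_ID   (adds USER_NAME)

    In SPL an ID with no match gets no USER_NAME and the later
    `stats ... BY USER_NAME` drops it. Here the raw USER_ID is used as the
    name instead, so an unmapped integration user still shows up.
    """
    for e in events:
        e["USER_NAME"] = lookup.get(e["USER_ID"], e["USER_ID"])
    return events


def daily_rows(events):
    """| bucket _time span=1d | stats sum(ROWS_PROCESSED) AS rows BY _time USER_NAME"""
    totals = defaultdict(int)
    for e in events:
        day = datetime.strptime(e["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ").date()
        totals[(day.isoformat(), e["USER_NAME"])] += e["ROWS_PROCESSED"]
    return dict(totals)


def find_spikes(totals, factor=5, min_rows=1000):
    """Flag (day, user) whose total is at least `factor` times that user's
    median on their other days and at least `min_rows`. A user with no other
    days has a baseline of 0, so only the absolute floor applies.
    Both thresholds are assumed tuning values, not Splunk defaults."""
    per_user = defaultdict(dict)
    for (day, user), rows in totals.items():
        per_user[user][day] = rows
    spikes = []
    for user, days in per_user.items():
        for day, rows in days.items():
            others = [r for d, r in days.items() if d != day]
            baseline = median(others) if others else 0
            if rows >= max(min_rows, factor * baseline):
                spikes.append((day, user, rows, baseline))
    return sorted(spikes)


def run(text=SAMPLE_EVENT_LOG, lookup=USER_LOOKUP):
    """Whole pipeline: returns [(day, user_name, rows, baseline), ...]."""
    events = enrich_user(filter_export_events(parse_events(text)), lookup)
    return find_spikes(daily_rows(events))


if __name__ == "__main__":
    for day, user, rows, baseline in run():
        print(f"{day} {user}: {rows} rows (baseline {baseline})")
```

On the sample data the Login row and the zero-row RestApi call are filtered out, alice's 20,000-row day is flagged against a baseline of 140, and the unmapped 005Z account is flagged on its first and only day because it clears the absolute floor. The per-user median is deliberately taken over the user's other days so a single large day does not inflate its own baseline.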

Next steps

This search returns a daily total for every user who moved rows through the API, so the finding to act on is a user whose daily total is far above their own normal volume, or above an absolute threshold you set. For each such user, initiate your incident response process. Capture the time of the activity, the user's role, and the number of records exported. If possible, determine the system used to download the data and its location. Contact the user and their manager to determine whether the export was authorized, and document that it was authorized and by whom. If you cannot find authorization, the user's credentials may have been used by another party and additional investigation is warranted.

GDPR Relevance: Detecting and proving that individuals within the organization are not abusing or misusing legitimate access to assets that store and process personal data is an industry best practice and can be considered an effective security control, as required by Article 32. This is applicable to processing personal data from the controller and needs to also be addressed if contractors or sub-processors from third countries or international organizations access and transfer personal data (Article 15).

Finally, you might be interested in other processes associated with the Protecting a Salesforce cloud deployment use case.

  • Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their Success Plan. Engage the ODS team at ondemand@cisco.com if you would like assistance.