Threat Detection

Threat Detection uses statistical and machine learning methods to detect threats to your Salesforce org. While Salesforce identifies these threats for all Salesforce customers, you can view the information in the events with Threat Detection in Event Monitoring and investigate further if necessary.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Performance, and Unlimited Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


Threat Detection identifies:

  • If a user session is hijacked
  • When a user successfully logs in during an identified credential stuffing attack. Credential stuffing occurs when large-scale automated login requests use stolen user credentials to gain access to Salesforce.
  • Anomalies in a user's report views or exports
  • Anomalies in how users make API calls

Note

Not all third-party proxies pass network-related parameters, such as IP addresses, into Salesforce. Without network-related parameters, Salesforce doesn’t detect all threats to these proxies.

Respond to Detected Threat Events

Use Threat Detection to plan and implement appropriate responses that keep your data safe. When we detect anomalous activity, the resulting Threat Detection events are compatible with transaction security policies and flows.

Use Transaction Security Policies to Monitor Threats
Create a transaction security policy on the Threat Detection events that generate email or in-app notifications when Salesforce detects a threat. After investigating the detected threat, consider creating a policy to control users’ behavior.

For example, you receive multiple ReportAnomalyEvents about a user who exported many more records of a report on Leads than usual. Because you created a transaction security policy on ReportAnomalyEventStore, you receive a notification each time this anomaly occurs. To further protect the Lead object, you can create a ReportEvent policy on the report to block users from exporting more than 10 rows.
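The row-limit policy described in this example can be expressed as an Apex condition class for an Enhanced Transaction Security policy on ReportEvent. The class below is an added illustration, not code from the Salesforce documentation; it assumes the ReportEvent fields Operation and RowsProcessed and the operation value 'ReportExported', which should be checked against the ReportEvent object in your org before the policy is activated.

```apex
// Added example (not from the Salesforce documentation above): the condition half of an
// Enhanced Transaction Security policy on ReportEvent. The policy record itself, created in
// Setup, decides the action (notify, require two-factor, or block); this class only decides
// whether the policy fires for a given event.
// Assumed field names: Operation, RowsProcessed. Assumed operation value: 'ReportExported'.
global class BlockLargeReportExports implements TxnSecurity.EventCondition {

    // Threshold from the page's example: exports of more than 10 rows are not allowed.
    private static final Integer MAX_EXPORT_ROWS = 10;

    // Returns true when the policy's configured action should be applied to this event.
    public Boolean evaluate(SObject event) {
        ReportEvent re = (ReportEvent) event;

        // Only exports are of interest; running or refreshing a report in the UI is normal use.
        if (re.Operation != 'ReportExported') {
            return false;
        }

        // RowsProcessed can be null for operations that touched no rows; treat that as zero.
        if (re.RowsProcessed == null) {
            return false;
        }
        return re.RowsProcessed > MAX_EXPORT_ROWS;
    }
}
```

The condition runs synchronously on every ReportEvent, so keep it to field checks and avoid DML or callouts inside evaluate. Pair the blocking policy with a notify-only policy on ReportAnomalyEvent so that an analyst still sees the anomaly that motivated the limit, rather than only the blocked attempts.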

Automate Responses with Platform Event-Triggered Flows
You can build flows to respond to anomalies detected on the ApiAnomalyEvent, CredentialStuffingEvent, ReportAnomalyEvent, and SessionHijackingEvent. For example, create flows that generate a case for a follow-up investigation, send an email to a security specialist, or deactivate an affected user pending further investigation.
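Where a flow is not flexible enough, the same response can be written as a platform event trigger. The trigger below is an added example, not code from the Salesforce documentation; it opens a Case for each high-scoring SessionHijackingEvent so that a security specialist can follow up. The SessionHijackingEvent field names UserId, Username, Score, Summary, EventDate and EventIdentifier are assumed, as is the 0.8 score threshold and the Case Origin value; adjust them to your org.

```apex
// Added example (not from the Salesforce documentation above): respond to session hijacking
// detections by creating a Case for follow-up investigation.
// Assumed SessionHijackingEvent fields: UserId, Username, Score, Summary, EventDate,
// EventIdentifier. Assumed threshold: Score >= 0.8 (scores are in the range 0 to 1).
trigger SessionHijackingEventTrigger on SessionHijackingEvent (after insert) {

    // Detections below this (assumed) score are left for periodic review instead of a Case.
    final Double MIN_SCORE = 0.8;

    List<Case> cases = new List<Case>();
    for (SessionHijackingEvent evt : Trigger.new) {
        if (evt.Score == null || evt.Score < MIN_SCORE) {
            continue;
        }
        cases.add(new Case(
            Subject     = 'Possible session hijacking: ' + evt.Username,
            Priority    = 'High',
            Origin      = 'Web',   // must be an active Origin picklist value in your org
            Description = 'Threat Detection raised a SessionHijackingEvent.\n'
                        + 'User Id: '   + evt.UserId          + '\n'
                        + 'Score: '     + evt.Score           + '\n'
                        + 'Event Id: '  + evt.EventIdentifier + '\n'
                        + 'Detected: '  + evt.EventDate       + '\n'
                        + 'Summary: '   + evt.Summary
        ));
    }

    // One DML statement for the whole batch of events delivered to this trigger invocation.
    if (!cases.isEmpty()) {
        insert cases;
    }
}
```

Two points worth knowing before extending this. First, Case is a standard object and User is a setup object, so deactivating the affected user in the same transaction as the Case insert fails with MIXED_DML_OPERATION; do the deactivation from a Queueable or an @future method instead. Second, the trigger runs as the Automated Process user, so the Cases are owned by that user unless you set OwnerId to a queue that your security team watches.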

Aggregate Detected Threats with Security Center
You can save time by aggregating information on detected threats across your entire Salesforce rollout in one place with the Threat Detection app in Security Center. For more information, see Review Threat Detection Events.