Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Real-Time Event Monitoring Definitions
Considerations for Using Real-Time Event Monitoring
Enable Access to Real-Time Event Monitoring
Stream and Store Event Data
Create Logout Event Triggers
How Chunking Works with ReportEvent and ListViewEvent
Enhanced Transaction Security
Threat Detection
Session Hijacking
Credential Stuffing
Report Anomaly
API Anomaly
Training and Inference Steps
Investigate API Request Anomalies
Best Practices for Investigating API Request Anomalies
API Request Anomaly Detection Examples
Guest User Anomaly
View Threat Detection Events and Provide Feedback
Event Log File Browser
Store and Query Log Data with Event Log Objects
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Best Practices for Investigating API Request Anomalies

Keep these tips and best practices in mind when you investigate unusual user behavior. Find the information you require to make a well-informed evaluation of your data’s safety.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

Identify the involved user.
Keeping customer privacy in mind, we can’t access customer data or any data inside the reports. As a result, we can provide only the user ID of the user who generated the report that is marked as an anomaly. Use this user ID to locate the username and other details about the person associated with the detection event.

Field: ApiAnomalyEvent.UserId

Use the timestamp.
Our detection model already considers various features derived from the timestamp to determine report generation activity as anomalous or not. You can use this timestamp to narrow down the set of events you must review. You can also determine if the time of report generation was unusual for the user who generated the report.

Field: ApiAnomalyEvent.EventDate

Use contributing factors as a guide.
The contributing factors JSON output shows the features in descending order of contribution. As you start your investigation into the event logs, keep an eye out for the top contributing features. If these features look unusual, they can provide more evidence that confirms the anomaly or even indicate a possible data breach.

Field: ApiAnomalyEvent.SecurityEventData

Consider the anomaly in the context of the user's typical behavior.
Using the ReportAnomalyEvent field values, try to determine whether the user activity within the detection event is typical for the user. For example, consider if it's typical for a user to generate a report from the IP address provided.

Field: ApiAnomalyEvent.SourceIp

Consider the size of the report.
We consider the size of the report to determine if the report generation was anomalous. A user generating a larger report than usual can indicate an unauthorized data export attempt. For example, an attacker obtained unauthorized access to the user's account and exfiltrate as much data as possible before losing access. Or it could mean that a disgruntled employee is exfiltrating data for use beyond the needs of the employer.

Field: ApiAnomalyEvent.SecurityEventData (specifically the rowCount feature name)

Not all anomalies are malicious.
While some anomalies can indicate a malicious intent, other anomalies can be legitimate but unusual. Our detection model can produce detection events that are unusual but not malicious. For example, if an employee gets promoted to a new role and starts generating larger reports, our model can flag this behavior as anomalous.