Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Real-Time Event Monitoring Definitions
Considerations for Using Real-Time Event Monitoring
Enable Access to Real-Time Event Monitoring
Stream and Store Event Data
Create Logout Event Triggers
How Chunking Works with ReportEvent and ListViewEvent
Enhanced Transaction Security
Threat Detection
Session Hijacking
Credential Stuffing
Report Anomaly
Training and Inference Steps
Investigate Report Anomalies
Best Practices for Investigating Report Anomalies
Report Anomaly Detection Examples
Detection Event Isn’t Anomalous
Detection Event Possibly Anomalous
Detection Event Is Definitely Anomalous but Maybe Not Malicious
Detection Event Is Confirmed Malicious
API Anomaly
Guest User Anomaly
View Threat Detection Events and Provide Feedback
Event Log File Browser
Store and Query Log Data with Event Log Objects
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Detection Event Is Definitely Anomalous but Maybe Not Malicious

Alice is a sales rep based in St. Louis. She’s often on the road to meet with clients. When she travels, she generally, but not consistently, use her company’s VPN to log into Salesforce.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

On July 27, 2015, Alice’s account was used to generate a report from a relatively new IP address. Bob, the administrator for Alice’s org, noticed a ReportAnomalyEvent about this report generation activity. The event contained this information.

ReportAnomalyEvent Field Value
Score 95.0158
SourceIp 96.43.144.27
EventDate 2015-07-27T07:45:07.192Z
UserId 00530000009M944
Report 00OD0000001leVCMAY
SecurityEventData (see next table)

The SecurityEventData field contained this information.

featureName featureValue featureContribution
autonomousSystem Softbank Corp 73.4%
rowCount 50876 15.6%
userAgent - 9.9%
numberFilters 11 0.81%
periodOfDay Night 0.21%

Bob notices that the autonomous system—derived from the IP address—is the top-ranked feature with 73.4% feature contribution. This percentage indicates that Alice rarely uses this autonomous system. Bob also notices that the report has around 50k rows, which is not small for this org. Bob then uses the UserId to identify the user as Alice. By looking at the ReportEvent events, Bob notices that Alice typically generates reports containing 1,000–10,000 rows. But on rare occasions, Alice generated reports with more than 50k rows. The userAgent has a smaller feature contribution, which could be attributed to Alice using her mobile device less when she travels. The numberFilters and periodOfDay features have small feature contributions, and are therefore not important.

Because Alice rarely uses this autonomous system and the report is bigger than what Alice typically generates, Bob concludes that this report falls outside of typical activity. However, Bob is unable to verify whether Alice or an attacker committed this malicious act. He attempts to get more information on this incident before pursuing any threat mitigation actions.