    A Primer on Forensic Investigation of Salesforce Security Incidents

By spicycreatortips_18q76a, August 27, 2025

I am increasingly asked by clients how to investigate potential security incidents in their Salesforce environments. Common questions are: What did a specific user do during that time? and What data was impacted? Each organization and incident is unique, and the answer to these questions depends on the specific situation, but there is some general guidance I can offer.

Three key sources of information for investigating a security incident in Salesforce environments are activity logs, user permissions, and backup data.

Logs typically provide the most investigatively useful information (who did what, where, when and how), permissions show what data a user account could access and export, and backups indicate the impact on data. For example, Login History shows a user based in the U.S. connecting to Salesforce from a different country. Review of Salesforce permissions shows the user could download sensitive data and modify certain configurations. Comparative analysis of backups shows all data changes that occurred during an incident.

The default logs available in a Salesforce org are useful for detecting unusual logins and investigating significant changes captured in the Setup Audit Trail. Shield Event Monitoring is an add-on product that provides enhanced visibility into activities, including API calls, report exports, and file downloads. For customers using B2C Commerce Cloud, there are additional logs useful for security monitoring.

Practitioner Tip: Enable your logs! Some organizations do not realize they need to configure real-time events in Salesforce Shield. At a minimum, enable storage of logs, which gives you up to 6 months of retention. You can also enable streaming of logs to send them to a centralized security monitoring system.

When investigating a security incident, an initial concern is whether the user had access to sensitive data and could make significant changes in the Salesforce org. Determining a user's access and permissions in Salesforce can be challenging, particularly given the combination of Profiles, Permission Sets / Groups, Sharing Rules and Role Hierarchies. You can find the information in several places, or quickly see everything in a single view using the Who Sees What (WsW) Explorer.

Figure: Security Center WsW Explorer used to get a quick and comprehensive overview of which Objects and Fields a user has permission to access, alter, and export, with sensitive fields denoted by a red icon.

When the principle of least privilege is followed to restrict user access and permissions, it helps limit the impact of a security incident. Conversely, if an initial impact assessment reveals that a user had broad access to sensitive data and could make significant changes in the Salesforce org, then more extensive analysis can be performed to determine specifically what was accessed and altered.

Most forensic investigations of Salesforce security incidents involve finding pertinent information in large volumes of logs. Knowing what logs are available and what details they contain helps you form an effective log analysis strategy. Event Monitoring has three sources of enhanced logging that can be useful for detecting and investigating Salesforce security incidents:

• Real-Time Event Monitoring (RTEM), which can be streamed for active security monitoring and stored for up to six months to enable querying. RTEM includes specialized Threat Detection events that use statistical and machine learning methods to alert on unusual activities.
• Event Log Objects (ELO), which provide low-latency logs with many, but not all, of the events currently represented in the ELF. This low-latency log source can be queried via Salesforce Platform APIs.
• Event Log Files (ELF) in CSV format, which support security, performance, user adoption, and general observability, but are not near-real-time/low-latency.

Practitioner Tip: Use your logs! Storing logs without a monitoring strategy is useful for investigating an incident after it occurs, whereas using logs routinely can surface problems before they escalate. Sending logs to a centralized security monitoring system without knowing what "bad" looks like gives a false sense of security. Early detection and problem prevention require regular use of Event Monitoring for security and performance purposes, so that you become familiar with normal baseline activity and learn what "bad" looks like in your environment.

At a minimum, you should be monitoring Threat Detection events for known anomalies, with the caveat that these still require investigation to determine whether they are actually malicious. The anomaly events trigger when any user activity is sufficiently different from the historical activity of the same user, so there will be false positive alerts under certain circumstances. Threat Detection events can be viewed within an individual Salesforce org, or across all of your orgs and sandboxes using the centralized dashboard in Security Center (see How To Simplify Security, Response, and Compliance in Salesforce).

Routine monitoring of logs helps develop familiarity with typical activities in your Salesforce environment, making it easier to identify deviations, including external attacks and insider threats. Salesforce Analytics Studio can be used to create dashboards for monitoring threats and investigating incidents, and this is made even easier by being able to query ELO. For instance, you can filter the Threat & Access dashboards to focus on a specific user, answering the question "What did a specific user do during that time?" and obtaining the details needed to develop a timeline of events.

Figure: Analytics Studio Threats & Access dashboards using data in ELO. Specifying a user and time refocuses these dashboards on the logs relevant to the question "What did a specific user do during that time?"

When the dashboard displays activities that warrant further investigation, you can quickly pivot to the source data in ELO to analyze the logs in more detail. For example, an unusual increase in API activity for a given user account or connected app deserves further attention.

Practitioner Tip: Salesforce application programming interface (API) calls are made by some normal user activities, not just by integrations or automations. When investigating the activities of a specific user, including data exfiltration, include API events in your analysis.

Figure: Analytics Studio dashboard showing API access by client (left) and source ELO data (right)

Transaction security policies

When an incident involves data exfiltration, the forensic investigation delves deeper into logs to reconstruct what happened and what data was taken. When analyzing Event Monitoring, be aware that some log sources have more fields for the same event. For example, ELF ReportExport has 16 fields, ELO ReportEventLog has 25 fields, and RTEM ReportEventStream has 37 fields. When data is exfiltrated via API, the RTEM ApiEventStream specifies which records and fields were queried; ELF and ELO do not have these details. A sanitized sample entry from the real-time ApiEventStream, focusing on Data Loader, shows the query (the Query field) and the downloaded records (the Records field).

(In the raw event, Records is a JSON-encoded string; it is expanded below for readability.)

{
  "EventDate": "2025-07-16T11:12:13Z",
  "ConnectedAppId": "01pfL000003z8x13",
  "Platform": "Unknown",
  "Query": "Select AccountNumber, Active__c FROM Account",
  "EvaluationTime": 0,
  "ElapsedTime": 32,
  "Operation": "QueryAll",
  "LoginHistoryId": "0Yc5W0000CasEyDQSP",
  "CreatedById": "0054L000004coZNQAY",
  "SessionKey": "Zu3fvv2Y+GoQKeva",
  "ApiType": "SOAP Partner",
  "UserAgent": "Salesforce Web Service Connector For Java/1.0",
  "Client": "DataLoaderPartnerUI/",
  "PolicyOutcome": null,
  "Records": {
    "totalSize": 16,
    "done": true,
    "records": [
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpiZQAS"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpiaQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpibQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpicQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpidQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpieQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpifQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpigQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpihQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpiiQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpijQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W000028EpikQAC"},
      {"attributes": {"type": "Account"}, "Id": "0013W00002h677PQAQ"},
      {"attributes": {"type": "Account"}, "Id": "0013W00002MDGfRQAX"},
      {"attributes": {"type": "Account"}, "Id": "0013W00002MDGfMQAX"},
      {"attributes": {"type": "Account"}, "Id": "0013W00002h677UQAQ"}
    ]
  },
  "AdditionalInfo": "{}",
  "ApiVersion": 55,
  "EventIdentifier": "053a4e21-6b56-3b12-b2d8-13b84414602d",
  "RelatedEventIdentifier": null,
  "RowsProcessed": 16,
  "RowsReturned": 16,
  "SourceIp": "204.14.236.211",
  "Username": "Jo.Doe@sfproductionorg.com",
  "UserId": "0054L000004coZNQAY",
  "CreatedDate": "2025-07-16T11:12:13Z",
  "LoginKey": "BJ+55cNYKVcOH02E",
  "Application": "N/A",
  "PolicyId": null,
  "QueriedEntities": "Account",
  "SessionLevel": "STANDARD"
}
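As an added example (not part of the original article, and not Salesforce's own tooling), the following Python triages ApiEventStream-style records to answer the two questions the article opens with: it decodes the Records string and the SOQL in Query to list which object, fields and record IDs a user pulled and flags sensitive fields, then filters a batch of events into a per-user timeline for a time window. The sample events, the client names and the sensitive-field classification are constructed assumptions.

```python
import json
import re
from datetime import datetime, timezone
# Constructed ApiEventStream-style records in the shape of the sanitized entry above;
# usernames, IDs and addresses are made-up placeholders, not data from any real org.
SAMPLE_EVENTS = [
    {"EventDate": "2025-07-16T11:12:13Z", "Username": "jo.doe@example.invalid",
     "Client": "DataLoaderPartnerUI/", "SourceIp": "198.51.100.7", "RowsReturned": 2,
     "Query": "Select AccountNumber, Active__c FROM Account", "QueriedEntities": "Account",
     "Records": json.dumps({"totalSize": 2, "done": True, "records": [
         {"attributes": {"type": "Account"}, "Id": "001PLACEHOLDER01"},
         {"attributes": {"type": "Account"}, "Id": "001PLACEHOLDER02"}]})},
    {"EventDate": "2025-07-16T11:20:40Z", "Username": "jo.doe@example.invalid",
     "Client": "DataLoaderPartnerUI/", "SourceIp": "198.51.100.7", "RowsReturned": 1,
     "Query": "SELECT Id, Name FROM Contact", "QueriedEntities": "Contact",
     "Records": json.dumps({"totalSize": 1, "done": True, "records": [
         {"attributes": {"type": "Contact"}, "Id": "003PLACEHOLDER01"}]})},
    {"EventDate": "2025-07-15T09:00:00Z", "Username": "jo.doe@example.invalid",  # day before
     "Client": "ConstructedClient/", "SourceIp": "203.0.113.9", "RowsReturned": 0,
     "Query": "SELECT Id FROM Account", "QueriedEntities": "Account", "Records": "{}"},
    {"EventDate": "2025-07-16T11:15:00Z", "Username": "other.user@example.invalid",
     "Client": "ConstructedClient/", "SourceIp": "203.0.113.9", "RowsReturned": 0,
     "Query": "SELECT Id FROM Account", "QueriedEntities": "Account", "Records": "{}"},
]
# Constructed classification of sensitive fields per object (an assumption for this example).
SENSITIVE_FIELDS = {"Account": {"AccountNumber"}, "Contact": {"SSN__c"}}
SOQL_RE = re.compile(r"\bSELECT\s+(.+?)\s+FROM\s+(\w+)", re.IGNORECASE | re.DOTALL)

def summarize_api_event(event, sensitive=SENSITIVE_FIELDS):
    """Extract object, fields, record IDs and sensitive-field hits from one API event."""
    m = SOQL_RE.search(event.get("Query") or "")
    obj = m.group(2) if m else event.get("QueriedEntities", "")
    fields = [f.strip() for f in m.group(1).split(",")] if m else []
    # Records is a JSON-encoded string inside the event; decode it to list the IDs returned.
    payload = json.loads(event.get("Records") or "{}")
    ids = [r["Id"] for r in payload.get("records", []) if "Id" in r]
    return {"object": obj, "fields": fields, "record_ids": ids,
            "rows_returned": event.get("RowsReturned", 0),
            "sensitive_fields": sorted(set(fields) & sensitive.get(obj, set()))}

def parse_ts(s):  # UTC timestamp format used by EventDate / CreatedDate
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def user_timeline(events, username, start, end):
    """API events for one user between start and end (EventDate-style strings), oldest first."""
    lo, hi, rows = parse_ts(start), parse_ts(end), []
    for ev in events:
        if ev.get("Username", "").lower() == username.lower() and lo <= parse_ts(ev["EventDate"]) <= hi:
            rows.append((ev["EventDate"], ev.get("Client", ""), ev.get("SourceIp", ""), summarize_api_event(ev)))
    return sorted(rows, key=lambda row: parse_ts(row[0]))
```

Pointing `user_timeline` at a real export of ApiEvent records (for example, rows pulled from the stored RTEM objects) gives the per-user, per-window view the Threat & Access dashboards provide, with the exfiltrated fields and record IDs attached to each entry.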

Log details can be critical for creating incident timelines, performing scope analysis, determining root cause, notifying affected customers, and reporting to stakeholders or regulators. Forensic findings from log analysis can also help eradicate unauthorized access, inform future mitigations, and pursue legal remedies.

Field History Tracking is useful for determining whether certain fields were altered by the user during the incident, and backups are invaluable for ensuring data integrity and returning damaged data to a known good state.

Practitioner Tip: Review what changed in your org to verify the integrity of your data and security configuration. Setup Audit Trail and Security Center track configuration changes made during the incident, which can show whether an intruder created a way to regain unauthorized access. Comparative analysis between backups taken before and after an incident using Backup & Recover can reveal data and files that were planted, corrupted, or destroyed.

Enhanced Transaction Security is a feature available for some RTEM events that can be configured with specific policy rules that trigger a response when violated. Any report containing sensitive fields can be blocked from being downloaded by policy, as shown below. These automated responses configured in Transaction Security Policies (TSP) can include blocking the activity, sending an alert, and requiring MFA. TSPs can also be combined and can trigger a workflow that automates follow-up actions in real time, such as creating a case and sending a Slack security notification.

Figure: Transaction Security Policies that trigger automated actions when specific real-time events occur

Consider a situation in which a Guest User Anomaly alert triggers a TSP to block unauthorized access to data in your org via a customer portal. This type of access via Digital Experience sites creates distinctive AuraRequest events that provide the IP address of the system being used to gain unauthorized access, which can be used to search logs for related activities. Determining what data was accessible requires a review of permissions for guest user accounts and of which objects have external org-wide defaults set to public read/write. Such unwanted data exposure can be prevented by restricting Guest User permissions in Salesforce Digital Experience portals.

Organizations that prepare proactively for security incidents impacting mission-critical Salesforce data are in a better position to detect, investigate, and neutralize problems more quickly. Addressing these incidents promptly and effectively reduces downtime and cost, and can prevent the problems from escalating.

Practitioner Tip: There are additional ways to analyze Event Monitoring, including performing SOQL queries and using Agentforce for Security to answer specific questions such as "Show me all events for the users that just logged in from [foreign IP address] and recommend response actions."
