Following the primer on investigating Salesforce security incidents, customers have asked for more detail on how to correlate logs to reconstruct what happened. The Salesforce Log Analysis Guide provides a general overview with links to related resources. While Salesforce's core platform remains robust, threat actors continually evolve their techniques to gain unauthorized access and steal sensitive data. Using a fictitious security incident scenario, this blog post demonstrates how to use Salesforce Shield Event Monitoring and Transaction Security Policies (TSPs) to detect, investigate, and protect against such threats.
The examples in this article focus primarily on events stored in Event Log Files (ELFs) as part of Event Monitoring, but Salesforce also provides a robust set of services to monitor system and user activity as part of its standard editions. Other sources of Event Monitoring logs, such as Real-Time Events (RTEM) and low-latency Event Log Objects (ELO), also contain relevant information for detecting and investigating security incidents, as discussed in the primer. After experiencing a security incident, some customers invest in Event Monitoring to take advantage of the ELO "look back" feature, which enables organizations to query these logs from the prior 30 days. Organizations that don't have the Event Monitoring add-on can request retrieval of certain logs from up to 30 days in the past with the Historical Event Logs process.
Illustrative Incident: Suspicious Activity with Emma Martin's Account
On August 29, suspicious activity was observed in Shield Event Monitoring involving the user account of an employee, Emma Martin. Login event logs revealed several logins from non-approved IP addresses, immediately raising a red flag for InfoSec. Upon contacting Emma Martin, it was confirmed that these logins were not legitimate.
| # | Timestamp | User Id | User Name | Client IP | Login Key | Login URL | Login Status |
|---|---|---|---|---|---|---|---|
| 1 | 2025-08-29T11:35:55.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | 2+lGfKbFHsHZoqu0 | login.salesforce.com | LOGIN_CHALLENGE_ISSUED |
| 2 | 2025-08-29T11:37:30.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 139.99.88.165 | MqCliSn2LJuTNY9s | dfirscenario.my.salesforce.com | LOGIN_NO_ERROR |
| 3 | 2025-08-29T11:39:12.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 51.68.140.104 | 0rd0xNj1TS/Pa+Nx | dfirscenario.my.salesforce.com | LOGIN_NO_ERROR |
| 4 | 2025-08-29T11:43:22.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | A0vf4w6xsWTmChma | login.salesforce.com | LOGIN_NO_ERROR |
| 5 | 2025-08-29T11:55:34.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | DwO9oPCqkS/8sO1b | login.salesforce.com | LOGIN_NO_ERROR |
Practitioner's Tip: The actual name "Emma Martin" associated with a User Id is not stored in Login event logs; it is obtained from the User object. To correlate all events in a given login session across the various Salesforce event logs, use the Login Key field (for example, "DwO9oPCqkS/8sO1b"), which is mapped to a login time and client IP via the login event. This enables reconstruction of a complete view and timeline of activity during an incident.
In addition to the Login Key, you can also use the following to track the activity happening across the various events:
- The user's 18-character User Id is used throughout event queries to isolate the relevant entries.
- The Session Key tracks all activity during a specific session.
- The Request Id is a unique identifier for API calls and other operations within Salesforce. Since this identifier can be set by the external system making the API call (using the X-SFDC-REQUEST-ID HTTP header), it can help correlate the Salesforce logs with those in the external systems.
- The Login Key is a string that ties together all events in a given user's login session, starting with a login event and ending with a logout event (or the session expiring). A Login Key may be associated with multiple Session Keys.
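The correlation described above can be scripted once the event logs have been downloaded as CSV. The following is an added example (not code from the original post or from Salesforce): it loads constructed Login and UniqueQuery rows modelled on the tables in this post, flags successful logins from IPs that are not on a hypothetical allow-list, and reconstructs a per-Login-Key timeline, showing how one Login Key spans several Session Keys. The column names, the control user 005Hn00000AAAAAAAA, the IP 10.20.30.40 and the allow-list are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows modelled on the Login and UniqueQuery event log
# tables in this post (hypothetical data, not real Salesforce output).
LOGIN_CSV = """TIMESTAMP,USER_ID,CLIENT_IP,LOGIN_KEY,LOGIN_STATUS
2025-08-29T11:35:55.000Z,005Hn00000HvwCWIAZ,83.98.57.94,2+lGfKbFHsHZoqu0,LOGIN_CHALLENGE_ISSUED
2025-08-29T11:37:30.000Z,005Hn00000HvwCWIAZ,139.99.88.165,MqCliSn2LJuTNY9s,LOGIN_NO_ERROR
2025-08-29T11:55:34.000Z,005Hn00000HvwCWIAZ,83.98.57.94,DwO9oPCqkS/8sO1b,LOGIN_NO_ERROR
2025-08-29T09:02:11.000Z,005Hn00000AAAAAAAA,10.20.30.40,ZzZzApprovedKey1,LOGIN_NO_ERROR
"""

QUERY_CSV = """TIMESTAMP,USER_ID,QUERY_ID,SESSION_KEY,LOGIN_KEY
2025-08-29T11:55:40.000Z,005Hn00000HvwCWIAZ,SELECT Name FROM Account,FTUOli2Tbg8GUKyh,DwO9oPCqkS/8sO1b
2025-08-29T11:55:53.000Z,005Hn00000HvwCWIAZ,SELECT Id FROM Contact,uf/+bql8pXw6f7wz,DwO9oPCqkS/8sO1b
2025-08-29T11:56:02.000Z,005Hn00000HvwCWIAZ,SELECT FIELDS(ALL) FROM Contact LIMIT 200,uf/+bql8pXw6f7wz,DwO9oPCqkS/8sO1b
"""

# Hypothetical allow-list of approved egress IPs (assumption for this example).
APPROVED_IPS = {"10.20.30.40"}


def load(csv_text):
    """Parse an event log CSV (as downloaded from Event Log Files) into dict rows."""
    return list(csv.DictReader(StringIO(csv_text)))


def suspicious_logins(login_rows, approved_ips):
    """Successful logins whose client IP is not on the allow-list.
    Challenge/failed logins are reported separately in a real triage; here they are skipped."""
    return [r for r in login_rows
            if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR" and r["CLIENT_IP"] not in approved_ips]


def build_timeline(login_rows, event_rows):
    """Group every event under the Login Key of the login that started it, ordered by
    timestamp. Only the login row carries the client IP; later events inherit it."""
    sessions = defaultdict(list)
    ip_for_key = {}
    for r in login_rows:
        ip_for_key[r["LOGIN_KEY"]] = r["CLIENT_IP"]
        sessions[r["LOGIN_KEY"]].append((r["TIMESTAMP"], "Login", r["LOGIN_STATUS"], r["CLIENT_IP"]))
    for r in event_rows:
        key = r["LOGIN_KEY"]
        sessions[key].append((r["TIMESTAMP"], "UniqueQuery", r["QUERY_ID"], ip_for_key.get(key, "?")))
    for key in sessions:
        sessions[key].sort()  # ISO-8601 timestamps sort correctly as strings
    return dict(sessions)


def session_keys_for(login_key, event_rows):
    """All Session Keys observed under one Login Key (one login can spawn several sessions)."""
    return {r["SESSION_KEY"] for r in event_rows if r["LOGIN_KEY"] == login_key}


if __name__ == "__main__":
    logins, queries = load(LOGIN_CSV), load(QUERY_CSV)
    for r in suspicious_logins(logins, APPROVED_IPS):
        print(f"non-approved login {r['TIMESTAMP']} {r['USER_ID']} from {r['CLIENT_IP']} key={r['LOGIN_KEY']}")
    for key, events in build_timeline(logins, queries).items():
        print(f"\nLogin Key {key} (sessions: {sorted(session_keys_for(key, queries))})")
        for ts, kind, detail, ip in events:
            print(f"  {ts}  {kind:12s} {ip:15s} {detail}")
```

Pivoting on the Login Key rather than the User Id is what separates the attacker's sessions from the employee's own activity on the same day; the User Id alone would merge them.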
The team initiated an investigation to determine the extent of the compromise and the data accessed by the threat actor.
The "Who Sees What (WsW) explorer" in Security Center makes this much easier and faster. By navigating to "Users" and searching for "Emma Martin", the team could view all permissions assigned to the compromised account. This revealed that Emma Martin had the Modify All Data permission, a critical finding indicating the potential for widespread data manipulation. The WsW explorer also shows why this user has the permission, in this case because the "SalesSuperPerms" permission set was assigned.
[Image: Who Sees What Explorer being used to examine the permissions assigned to a user.]
Keep in mind that the permissions assigned to a user at the time of the investigation may differ from those at the time of the suspicious activity. To understand when these elevated permissions were granted, the team examined the Setup Audit Trail. This showed that the Modify All Data permission had been assigned to Emma Martin on July 3 by Traci Barrett, a Salesforce Admin. This established that the compromised account possessed critical permissions during the incident.
| # | Created Date | User Name | Action | Display |
|---|---|---|---|---|
| 1 | 2025-07-03T11:57:21.000Z | Traci Barrett | PermSetCreateNoLicense | Created permission set SalesSuperPerms: with no license |
| 2 | 2025-07-03T11:58:34.000Z | Traci Barrett | PermSetEnableUserPerm | Changed permission set SalesSuperPerms: Modify All Data permission was changed from disabled to enabled |
| 3 | 2025-07-03T12:01:05.000Z | Traci Barrett | PermSetAssign | Permission set SalesSuperPerms: assigned to user Emma Martin (UserID: [005Hn00000HvwCW]) |
Identifying Data Access and Alterations
Further investigation was conducted to determine precisely what data the threat actor accessed and altered using the compromised Emma Martin account. API event logs from August 29 confirmed that the threat actor updated 593 contacts. This critical discovery indicated that data integrity had been compromised and necessitated a data restoration effort. It is important to note that all of these changes were made as a single operation, but the client split it into three requests. Correlation of API log entries therefore cannot rely solely on the Request Id, or relevant information would be missed.
| # | Timestamp | User Id | User Name | Client IP | Login Key | Request Id | Method | Entity | Rows Processed |
|---|---|---|---|---|---|---|---|---|---|
| Summary | – | – | – | – | – | – | – | – | 593 |
| 1 | 2025-08-29T11:57:10.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | DwO9oPCqkS/8sO1b | 55-uuJ3oZ2eYc7FL2AJXB- | update | Contact | 200 |
| 2 | 2025-08-29T11:57:12.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | DwO9oPCqkS/8sO1b | 55-uuTMk3WW6U-0X1lqr3- | update | Contact | 193 |
| 3 | 2025-08-29T11:57:12.000Z | 005Hn00000HvwCWIAZ | Emma Martin | 83.98.57.94 | DwO9oPCqkS/8sO1b | 55-uuSQLuq-22V0X1lqtJ- | update | Contact | 200 |
Practitioner's Tip: Field Audit Trail (FAT) can provide full details about what was changed on key tracked fields more easily than analyzing event logs.
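Because the client split one bulk update into three requests, a per-Request-Id view shows three unremarkable calls of at most 200 rows each. The following added example (not code from the original post or from Salesforce) groups API event rows by Login Key, method and entity and merges calls that arrive within a short window into one burst, so the 593-row modification surfaces as a single finding. The rows are constructed from the API event table above plus one unrelated query call; the column names, the 30-second window and the 500-row alert threshold are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed rows modelled on the API event log above: three requests that
# together updated 593 contacts, plus one unrelated query (hypothetical data).
API_CSV = """TIMESTAMP,USER_ID,LOGIN_KEY,REQUEST_ID,METHOD,ENTITY_NAME,ROWS_PROCESSED
2025-08-29T11:57:10.000Z,005Hn00000HvwCWIAZ,DwO9oPCqkS/8sO1b,55-uuJ3oZ2eYc7FL2AJXB-,update,Contact,200
2025-08-29T11:57:12.000Z,005Hn00000HvwCWIAZ,DwO9oPCqkS/8sO1b,55-uuTMk3WW6U-0X1lqr3-,update,Contact,193
2025-08-29T11:57:12.000Z,005Hn00000HvwCWIAZ,DwO9oPCqkS/8sO1b,55-uuSQLuq-22V0X1lqtJ-,update,Contact,200
2025-08-29T13:10:00.000Z,005Hn00000HvwCWIAZ,DwO9oPCqkS/8sO1b,55-constructedQuery000-,query,Account,5
"""


def load(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def rows_by_request(rows):
    """The naive view: one entry per Request Id. Each entry looks harmless on its own."""
    return {r["REQUEST_ID"]: int(r["ROWS_PROCESSED"]) for r in rows}


def burst_totals(rows, window=timedelta(seconds=30)):
    """Group calls by (Login Key, method, entity) and merge consecutive calls that are
    within `window` of the previous one into a single burst with summed row counts."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["LOGIN_KEY"], r["METHOD"], r["ENTITY_NAME"])].append(r)

    bursts = []
    for (login_key, method, entity), grp in groups.items():
        grp.sort(key=lambda r: r["TIMESTAMP"])
        current = None
        for r in grp:
            t = parse_ts(r["TIMESTAMP"])
            if current is not None and t - current["end"] <= window:
                current["end"] = t
                current["request_ids"].append(r["REQUEST_ID"])
                current["rows"] += int(r["ROWS_PROCESSED"])
            else:
                current = {"login_key": login_key, "method": method, "entity": entity,
                           "start": t, "end": t, "request_ids": [r["REQUEST_ID"]],
                           "rows": int(r["ROWS_PROCESSED"])}
                bursts.append(current)
    return bursts


def flag_bulk_modifications(bursts, threshold=500):
    """Bursts of modifying calls whose combined row count reaches the alert threshold."""
    modifying = {"update", "upsert", "delete"}
    return [b for b in bursts if b["method"] in modifying and b["rows"] >= threshold]


if __name__ == "__main__":
    rows = load(API_CSV)
    print("per request:", rows_by_request(rows))
    for b in flag_bulk_modifications(burst_totals(rows)):
        print(f"ALERT {b['method']} on {b['entity']}: {b['rows']} rows across "
              f"{len(b['request_ids'])} requests, {b['start']} to {b['end']}, login key {b['login_key']}")
```

The same grouping works on ApiEventStream rows if the org has RTEM, and the request-id list in each burst is what you hand to the owner of the external system for the X-SFDC-REQUEST-ID correlation mentioned earlier.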
Data integrity is paramount because incorrect or corrupt records can disrupt mission-critical services and produce inaccurate results. Salesforce Backup & Recover proved invaluable here. By comparing backup jobs, the team could pinpoint exactly what had changed, enabling precise restoration of only the altered records to their original, good state and avoiding further data loss.

UniqueQuery event logs revealed that the entire Contact data set was queried, effectively stealing information about every individual. This pointed to a significant data exfiltration event. These log entries are from the Event Log File. As demonstrated in the Forensic Primer blog post, Real-Time Event Monitoring (RTEM) logs (ApiEventStream) have more detail, including the record identifiers that were returned by the query.
| # | Timestamp | User Id | Query Identifier | Event Type | Query Type | Session Key | SQL Id | Login Key |
|---|---|---|---|---|---|---|---|---|
| 1 | 2025-08-29T11:55:40.000Z | 005Hn00000HvwCW | SELECT Name, Phone, Id FROM Account WHERE Id IN (:id, :id, :id) | UniqueQuery | SOQL | FTUOli2Tbg8GUKyh | cnmafj84dnr26 | DwO9oPCqkS/8sO1b |
| 2 | 2025-08-29T11:55:40.000Z | 005Hn00000HvwCW | SELECT PromptVersionId, LastDisplayDate, LastResult, LastResultDate, TimesActionTaken, TimesDismissed, StepCount, StepNumber, TimesDisplayed, SnoozeUntil FROM PromptAction WHERE (UserId = :id AND PromptVersionId IN (:id, :id, :id)) | UniqueQuery | SOQL | FTUOli2Tbg8GUKyh | 28pprd547c230 | DwO9oPCqkS/8sO1b |
| 3 | 2025-08-29T11:55:53.000Z | 005Hn00000HvwCW | SELECT Id FROM Contact | UniqueQuery | SOQL | uf/+bql8pXw6f7wz | 4v6q4ctdsma09 | DwO9oPCqkS/8sO1b |
| 4 | 2025-08-29T11:55:53.000Z | 005Hn00000HvwCW | SELECT Id FROM Contact | UniqueQuery | SOQL | uf/+bql8pXw6f7wz | 5vbndc4aa860m | DwO9oPCqkS/8sO1b |
| 5 | 2025-08-29T11:56:02.000Z | 005Hn00000HvwCW | SELECT FIELDS(ALL) FROM Contact LIMIT 200 | UniqueQuery | SOQL | uf/+bql8pXw6f7wz | 9nftw39tz0xs6 | DwO9oPCqkS/8sO1b |
| 6 | 2025-08-29T11:56:26.000Z | 005Hn00000HvwCW | SELECT Id FROM contact WHERE Contact_Status__c = Inactive | UniqueQuery | SOQL | uf/+bql8pXw6f7wz | 7awffu016c13a | DwO9oPCqkS/8sO1b |
Real-Time Protection
In addition, the intruder ran numerous reports in the Salesforce user interface.
| # | Timestamp | User Id | Report Name | User Name | Client IP | Origin | Request Id | Login Key | No. of Columns | Row Count |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 2025-08-29T11:38:15.000Z | 005Hn00000HvwCWIAZ | – | Emma Martin | 139.99.88.165 | ReportRunFromClassic | 55-tsOD8AP-iRNFL2AEc– | MqCliSn2LJuTNY9s | 20 | 64 |
| 2 | 2025-08-29T11:39:26.000Z | 005Hn00000HvwCWIAZ | All Active Contacts | Emma Martin | 51.68.140.104 | ReportRunFromClassic | 55-twLrhTz0YWcFL2AOY7- | 0rd0xNj1TS/Pa+Nx | 13 | 10,808 |
| 3 | 2025-08-29T11:40:07.000Z | 005Hn00000HvwCWIAZ | All Open Customer Service Cases | Emma Martin | 51.68.140.104 | ReportRunFromClassic | 55-tyDgudI8JQcFL26Hr3- | 0rd0xNj1TS/Pa+Nx | 17 | 99,660 |
| 4 | 2025-08-29T11:40:07.000Z | 005Hn00000HvwCWIAZ | All Open Customer Service Cases | Emma Martin | 51.68.140.104 | ReportRunFromClassic | 55-tyTNc9NYP8sFL2ANmc- | 0rd0xNj1TS/Pa+Nx | 17 | 99,660 |
| 5 | 2025-08-29T11:40:39.000Z | 005Hn00000HvwCWIAZ | All Open Customer Service Cases | Emma Martin | 51.68.140.104 | ReportExported | 55-u-PBGDe56m7FL26BxZ- | 0rd0xNj1TS/Pa+Nx | 17 | 99,660 |
| 6 | 2025-08-29T11:43:27.000Z | 005Hn00000HvwCWIAZ | My Pipeline | Emma Martin | – | ChartRenderedInEmbeddedAnalyticsApp | 55-u9Y0uaJG0NV0X1lqr3- | – | – | – |
Fortunately, a configured TSP played a crucial role in blocking report exports, limiting further damage. The following log shows that the export of the report "All Open Customer Service Cases" was blocked by a TSP. This demonstrates the power of TSPs to prevent unwanted actions in real time.
| # | Timestamp | User Id | Client IP | Login Key | Session Key | Policy Id | Outcome | Request Id |
|---|---|---|---|---|---|---|---|---|
| 1 | 2025-08-29T11:40:38.000Z | 005Hn00000HvwCWIAZ | 51.68.140.104 | 0rd0xNj1TS/Pa+Nx | niVvD3K6ztkSaOZP | 0NIHn000000GmdNOAS | TRIGGERED | 55-u-PBGDe56m7FL26BxZ- |
TSPs can be configured for your specific Salesforce environment. For example, a TSP can be set to block reports with more than 10,000 data rows from being exported. This proactive measure can prevent large-scale data exfiltration.
Practitioner's Tip: The real-time event that triggered a Transaction Security Policy populates the Policy Outcome field and provides additional information for forensic reconstruction. To obtain this information, query the Report Event object by EventDate and UserId (one of the only real-time events that has a secondary index on UserId).
An example SOQL query against the Report Event object (the Big Object that acts as the store for the real-time report events):

```sql
SELECT EventDate, Operation, Report.Name, DisplayedFieldEntities, RowsProcessed, PolicyOutcome
FROM ReportEvent
WHERE UserId = '005Hn00000HvwCWIAZ' AND EventDate = 2025-08-29T11:40:38.000Z
```

The result of the above query:
| EventDate | Operation | Report.Name | DisplayedFieldEntities | RowsProcessed | PolicyOutcome |
|---|---|---|---|---|---|
| 2025-08-29T11:40:38.000Z | ReportExported | All Open Customer Service Cases | Account,Contact,Case | 99660 | Block |
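Two things are worth checking offline when reviewing a TSP like the one above: whether its condition (export of more than 10,000 rows) would have fired on each report event, and whether every TSP trigger entry can be tied back to the report event it acted on via the Request Id. The following added example (not code from the original post or from Salesforce, and not the Apex or condition-builder syntax a real TSP uses) does both over constructed rows modelled on the report event and Transaction Security event tables above; the column names and the extra "Small Team Report" row are assumptions.

```python
import csv
from io import StringIO

# Constructed rows modelled on the report event log above, plus one small export
# that should pass the policy (hypothetical data, not real Salesforce output).
REPORT_CSV = """TIMESTAMP,USER_ID,REPORT_NAME,CLIENT_IP,ORIGIN,REQUEST_ID,LOGIN_KEY,ROW_COUNT
2025-08-29T11:39:26.000Z,005Hn00000HvwCWIAZ,All Active Contacts,51.68.140.104,ReportRunFromClassic,55-twLrhTz0YWcFL2AOY7-,0rd0xNj1TS/Pa+Nx,10808
2025-08-29T11:40:07.000Z,005Hn00000HvwCWIAZ,All Open Customer Service Cases,51.68.140.104,ReportRunFromClassic,55-tyDgudI8JQcFL26Hr3-,0rd0xNj1TS/Pa+Nx,99660
2025-08-29T11:40:39.000Z,005Hn00000HvwCWIAZ,All Open Customer Service Cases,51.68.140.104,ReportExported,55-u-PBGDe56m7FL26BxZ-,0rd0xNj1TS/Pa+Nx,99660
2025-08-29T11:41:10.000Z,005Hn00000HvwCWIAZ,Small Team Report,51.68.140.104,ReportExported,55-constructedSmall000-,0rd0xNj1TS/Pa+Nx,42
"""

# Constructed row modelled on the Transaction Security event log above.
TSP_CSV = """TIMESTAMP,USER_ID,LOGIN_KEY,POLICY_ID,OUTCOME,REQUEST_ID
2025-08-29T11:40:38.000Z,005Hn00000HvwCWIAZ,0rd0xNj1TS/Pa+Nx,0NIHn000000GmdNOAS,TRIGGERED,55-u-PBGDe56m7FL26BxZ-
"""

EXPORT_ROW_LIMIT = 10_000  # the "more than 10,000 rows" threshold from the text


def load(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def should_block_export(event, limit=EXPORT_ROW_LIMIT):
    """Offline mirror of the policy condition: block when a report of more than
    `limit` rows is exported. Merely running a large report in the UI is not blocked,
    which is why rows 1 and 2 of the table above pass while row 3 is stopped."""
    return event["ORIGIN"] == "ReportExported" and int(event["ROW_COUNT"]) > limit


def policy_hits(report_rows, limit=EXPORT_ROW_LIMIT):
    """Report events the policy would have blocked; compare against actual TSP triggers."""
    return [r for r in report_rows if should_block_export(r, limit)]


def correlate_tsp_triggers(report_rows, tsp_rows):
    """Join each TSP trigger entry to the report event it acted on via Request Id.
    Unmatched triggers mean the corresponding report event log is missing or the
    Request Id was not preserved, which is itself a finding during reconstruction."""
    by_request = {r["REQUEST_ID"]: r for r in report_rows}
    matched, unmatched = [], []
    for t in tsp_rows:
        rep = by_request.get(t["REQUEST_ID"])
        (matched if rep else unmatched).append({"tsp": t, "report": rep})
    return matched, unmatched


def unblocked_large_exports(report_rows, tsp_rows, limit=EXPORT_ROW_LIMIT):
    """Exports the policy should have blocked but for which no TSP trigger exists."""
    triggered = {t["REQUEST_ID"] for t in tsp_rows}
    return [r for r in policy_hits(report_rows, limit) if r["REQUEST_ID"] not in triggered]


if __name__ == "__main__":
    reports, triggers = load(REPORT_CSV), load(TSP_CSV)
    for hit in policy_hits(reports):
        print(f"policy would block: {hit['REPORT_NAME']} ({hit['ROW_COUNT']} rows) req={hit['REQUEST_ID']}")
    matched, unmatched = correlate_tsp_triggers(reports, triggers)
    for m in matched:
        print(f"TSP {m['tsp']['POLICY_ID']} {m['tsp']['OUTCOME']} at {m['tsp']['TIMESTAMP']} "
              f"-> export of '{m['report']['REPORT_NAME']}' at {m['report']['TIMESTAMP']}")
    print("unmatched TSP triggers:", len(unmatched))
    print("large exports without a TSP trigger:", unblocked_large_exports(reports, triggers))
```

Note the one-second gap between the TSP trigger (11:40:38) and the report event (11:40:39): the policy fires before the export completes, so the Request Id, not the timestamp, is the reliable join key.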
User Activity Timeline
Use the dashboards in Analytics Studio to view and filter additional event logs and gain broader visibility into other user activity. Lightning Event logs showed that the threat actor viewed the All Accounts list view, providing further insight into their reconnaissance activity within the compromised org. You can also filter the Threat & Access dashboards to focus on a specific user, answering the question "What did a specific user do during that time?" and obtaining the details needed to build a timeline of events.

Strengthen Your Security Posture
This illustrative incident investigation demonstrates the use of Salesforce Trusted Services features for real-time incident response and forensic investigation of security incidents. Event Monitoring provides the tools and relevant information to investigate security incidents, while TSPs offer real-time alerting and blocking capabilities to prevent unwanted actions.
By proactively implementing and configuring these tools, organizations can significantly strengthen their security posture, protect sensitive data, and respond effectively to evolving cyber threats. Additional TSPs could have been in place to block exfiltration of large numbers of records via the API and other unwanted actions in order to prevent data theft.