SP6 Salesforce Security App

Overview

The SP6 Salesforce Security App helps you uncover threats by identifying unusual behavior and access anomalies in your Salesforce environment. It also provides dashboard visualizations for investigating security incidents and for running analytics on your Salesforce data. The application presents your Salesforce data in clear, easy-to-understand visualizations, giving your security team an edge. It alerts you to suspicious and malicious activity occurring within your Salesforce instance, so you can stop data exfiltration and other security issues before it is too late. The SP6 Salesforce Security App is also configured to work with Splunk Enterprise Security for those who need the additional capabilities that Splunk Enterprise Security offers.

About

The SP6 Salesforce Security App for Splunk gives you critical security and operational insight into your Salesforce account.

This App includes, but is not limited to:

  • Security Posture dashboard that summarizes all the triggered alerts
  • User and Report Forensic capability dashboards
  • Audit Trail dashboards
  • Alerts and Reports to capture access anomalies and unusual events

This app is also Splunk ES compatible: when you install it on ES, all the configured alerts also act as correlation searches and send their triggered results to Notable Events.

Pre-requisites

  1. The Splunk Add-on for Salesforce (v 4.0.1) must be installed and configured to collect data from your Salesforce account. The Add-on is available here on Splunkbase.
  2. The Salesforce data must be present in the sourcetypes below, as the SP6 Salesforce Security App relies on them. You can find the process for collecting data into these sourcetypes here. The ‘sfdc:logfile’ sourcetype relies on Salesforce Event Monitoring; this feature may need to be purchased separately from Salesforce.
    • sfdc:logfile
    • sfdc:LoginHistory
    • sfdc:SetupAuditTrail
    • sfdc:opportunity
    • sfdc:account
    • sfdc:report
    • sfdc:user
    • sfdc:dashboard
    • sfdc:ContentVersion
    • sfdc:UserLicense
  3. The default interval configuration for all sourcetypes is fine, except for the inputs for ‘sfdc:loginhistory’ and ‘sfdc:report’. These inputs should be configured to collect data more frequently (anywhere from 60 to 300 seconds) to help identify suspicious activity as soon as possible.
  4. Additional Input Configuration
    • All of the inputs for the above sourcetypes, except the inputs for the ‘sfdc:UserLicense’, ‘sfdc:SetupAuditTrail’, and ‘sfdc:logfile’ are provided by default within the ‘Splunk Add-on for Salesforce’ application and will begin collecting data once the account is configured and the inputs are enabled.
    • To create the input for the ‘sfdc:UserLicense’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Object’. Enter the following values for the configuration fields:
      • Name: user_license
      • Interval: 3600
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Object: UserLicense
      • Object Fields: Id,LicenseDefinitionKey,MasterLabel,Status,TotalLicenses,UsedLicenses,UsedLicensesLastUpdated,Name
      • Order By: UsedLicensesLastUpdated
      • Use existing data input?: Yes
      • Limit: Set this to an appropriate limit for your organization (Default 1000)
    • To create the input for the ‘sfdc:SetupAuditTrail’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Object’. Enter the following values for the configuration fields:
      • Name: audit_trail
      • Interval: 60
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Object: SetupAuditTrail
      • Object Fields: Id,Action,Section,CreatedDate,CreatedById,Display
      • Order By: CreatedDate
      • Use existing data input?: Yes
      • Limit: Set this to an appropriate limit for your organization (Default 1000)
    • To create the input for the ‘sfdc:logfile’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Event Log’. Enter the following values for the configuration fields:
      • Name: eventlog
      • Interval: 60
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Use existing data input?: Yes
      • Monitor Interval: Hourly
      • Query Start Date: <This field is optional. Default is the previous 30 days>
  5. Enable the saved search ‘Lookup – USER_ID to USER_NAME’ that ships OOTB with the Splunk Add-on for Salesforce. This search creates the lookup ‘lookup_sfdc_usernames.csv’, which almost all the dashboards in the app use. It is strongly recommended to schedule this saved search to run at least every 30 minutes (the default is 9 p.m. every day) so that the lookup is refreshed frequently and the app's searches use the latest attributes of each Salesforce user and produce correct results. You can run the simple query | inputlookup lookup_sfdc_usernames.csv to verify that the lookup is populated.
  6. Splunk Add-on for Microsoft Windows/Active Directory data – Certain dashboard panels and alerts cover Active Directory and Salesforce integration-related use cases. If AD is integrated with Salesforce for SSO in your environment, make sure that the Splunk Add-on for Microsoft Windows (available here) is configured and collecting AD user data in the “ActiveDirectory” sourcetype from your AD server.

Installation

This App needs to be installed on the search head layer only. The app is supported on the search head cluster as well. Please note that the pre-requisite add-on – Splunk Add-on for Salesforce also needs to be installed on the same search head where this app gets installed. Additional configuration is required. Please see Post-Install Configuration.

Post-Install Configuration

Summary Index

Several of this app's alerts write their triggered results to the “sfdc_summary” summary index. Please deploy the ‘sfdc_summary’ index in your environment per your index storage and retention policy. Note that the security overview dashboards rely on this index and will not work unless it is deployed before the alerts are enabled.

Macros

get_salesforce_index – All dashboard and Report/Alert searches query the ‘salesforce’ index by default. If you are consuming Salesforce data into any other index, update the definition of the `get_salesforce_index` macro.

exclude_svc_account – The Splunk Add-on for Salesforce collects data over the REST API from a Heavy Forwarder using a dedicated account, and generates frequent login messages in doing so. To exclude these messages from the dashboard and alert searches, update the service account and Heavy Forwarder IP in the `exclude_svc_account` macro definition. You can add any other service account and/or source IP that you want excluded from all dashboard/alert searches to this macro.

short_lived_account_threshold – Short-lived accounts are commonly used for malicious purposes. Update this macro to define the short-lived account threshold in seconds. The default threshold is 3600.

Lookups

sfdc_unapproved_apps (sfdc_unapproved_apps) – This lookup table contains a list of unapproved apps and needs to be configured per your organization’s security rules for Salesforce. You can find a list of all the apps available for Salesforce integration here. Please consult your Salesforce administrator and update this lookup before enabling the alert for the ‘Access to Unapproved Applications’ use case.

lookup_sfdc_usernames.csv – This lookup ships with the Splunk Add-on for Salesforce and provides Salesforce user attributes such as status (Active/Inactive) and location. We strongly recommend scheduling the saved search – Lookup – USER_ID to USER_NAME – to run at least every 30 minutes so that the lookup is refreshed frequently and the search queries in our App use the latest attributes of each Salesforce user and produce correct results.

sfdc_employee_data_lookup (org_hr_data_for_salesforce.csv) – Some of the searches rely on basic employee HR data to determine threats. This CSV lookup file must be provided by your organization for the searches to function properly. The fields contained in the lookup are Email, Last Name, First Name, Status, Start Date, End Date, Geolocation, and Manager. These fields are self-explanatory, except the ‘Status’ field, which should contain either ‘Active’ or ‘Inactive’ values.

sfdc_identity_tz_lookup (sfdc_identity_tz.csv) – Many organizations have employees that reside in different time zones. To maintain proper dates and times for user events, this CSV lookup file must be provided. The fields required for this lookup are Email, TZ, and time_offset. The Email field should contain the user’s email address, the TZ field should contain the user’s time zone (e.g., EST, CST, PST, MST, etc.) while the time_offset field should contain the time offset in seconds for the time zone compared to UTC.
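The two organization-provided lookups above are only as good as the data in them: a Status value other than Active/Inactive, or a time_offset typed in hours instead of seconds, will quietly give wrong results in the dependent searches. The following Python script is an added example (not part of the app) that checks a CSV for the required columns and value formats before it is uploaded to the search head. The sample rows, the quarter-hour granularity check and the UTC-12 to UTC+14 range are this example's own assumptions.

```python
import csv
import io

# Column names as listed in the Post-Install Configuration section for the two
# organization-provided lookups.
HR_FIELDS = ["Email", "Last Name", "First Name", "Status", "Start Date",
             "End Date", "Geolocation", "Manager"]
TZ_FIELDS = ["Email", "TZ", "time_offset"]
VALID_STATUS = {"Active", "Inactive"}
UTC_MIN, UTC_MAX = -12 * 3600, 14 * 3600   # UTC-12:00 .. UTC+14:00 in seconds (assumption)


def _missing_columns(reader, required):
    present = reader.fieldnames or []
    return [f for f in required if f not in present]


def validate_hr_lookup(text):
    """Return a list of problems in org_hr_data_for_salesforce.csv content (empty = OK)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = _missing_columns(reader, HR_FIELDS)
    if missing:
        return ["missing columns: " + ", ".join(missing)]
    problems = []
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        email = (row.get("Email") or "").strip()
        status = (row.get("Status") or "").strip()
        if "@" not in email:
            problems.append(f"line {n}: Email {email!r} is not an address")
        if status not in VALID_STATUS:
            # Anything other than Active/Inactive silently breaks the inactive-user searches.
            problems.append(f"line {n}: Status must be Active or Inactive, got {status!r}")
    return problems


def validate_tz_lookup(text):
    """Return a list of problems in sfdc_identity_tz.csv content (empty = OK)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = _missing_columns(reader, TZ_FIELDS)
    if missing:
        return ["missing columns: " + ", ".join(missing)]
    problems, seen = [], set()
    for n, row in enumerate(reader, start=2):
        email = (row.get("Email") or "").strip().lower()
        if email in seen:
            problems.append(f"line {n}: duplicate Email {email!r}")
        seen.add(email)
        raw = (row.get("time_offset") or "").strip()
        try:
            offset = int(raw)
        except ValueError:
            problems.append(f"line {n}: time_offset {raw!r} is not an integer number of seconds")
            continue
        # Real UTC offsets are whole quarter-hours; a value like -8 or -5 usually means
        # someone entered hours instead of seconds.
        if not UTC_MIN <= offset <= UTC_MAX or offset % 900 != 0:
            problems.append(f"line {n}: time_offset {offset} is not a valid offset in seconds")
    return problems


# Constructed sample files (not real employee data); each has a defective row.
HR_SAMPLE = """Email,Last Name,First Name,Status,Start Date,End Date,Geolocation,Manager
alice@example.com,Adams,Alice,Active,2019-03-01,,US-East,bob@example.com
carol@example.com,Cole,Carol,Terminated,2018-07-15,2023-02-28,US-West,bob@example.com
"""

TZ_SAMPLE = """Email,TZ,time_offset
alice@example.com,EST,-18000
carol@example.com,PST,-8
alice@example.com,CST,-21600
"""

if __name__ == "__main__":
    for name, problems in (("HR", validate_hr_lookup(HR_SAMPLE)),
                           ("TZ", validate_tz_lookup(TZ_SAMPLE))):
        print(name, "OK" if not problems else "\n  ".join([""] + problems))
```

Run it against the real files before uploading them; an empty problem list means the columns and value formats match what the searches expect, though it cannot tell you whether the HR status values themselves are current.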

windows_activedirectory_persons_for_salesforce – This is a KV store and it maintains the AD user list along with user attributes. There are 2 ways to configure this lookup, depending on your AD data collection situation.

1. Using AD baseline data – This is the preferred and less complicated way. This method also follows Splunk best practices.

If you haven’t already, configure the “admon” input to collect baseline data from no more than 2 AD servers per domain in your environment. The admon input stanza in the Splunk Add-on for Windows inputs configuration should look something like the one below.

[admon://XXX]
disabled = 0
baseline = 1
monitorSubtree = 1
index = XXX

Run the search below for ‘All Time’ and verify that AD baseline data is being collected:

index=* sourcetype=activedirectory objectCategory="CN=Person,CN=Schema,CN=Configuration,*"

Locate and run the saved search – SFDC Lookup Gen – Active Directory Identities – manually, only once. This search runs over all time, collects all the AD user data, and builds the initial lookup for you.

2. Using the ‘ad_users.csv’ file once – If you are not collecting baseline data and are not planning to do so, then you need to follow this method.

First, collect all the AD user data once using the Get-ADUser PowerShell cmdlet and feed it to Splunk to build the initial lookup. Ensure that the Get-ADUser cmdlet is installed and execute the following PowerShell command from an Active Directory joined workstation with appropriate privileges:

Get-ADUser -Filter * -Properties * | export-csv -path c:\ad_users.csv

Once the ad_users.csv file is generated, you can upload it on the Splunk search head and assign appropriate permissions to make it accessible.

Locate and run the saved search – SFDC Lookup Gen – AD User Lookup Identities – manually, only once. This search takes the ad_users.csv file, applies some formatting and aggregation rules, and builds an initial lookup for you.

Note: Whichever way you choose to build the initial version of the windows_activedirectory_persons_lookup_for_salesforce lookup, it is then maintained and updated by another saved search – SFDC Lookup Update – Active Directory Identities – that runs every 6 hours and looks for any changes in AD user data reported by the admon input in the ActiveDirectory sourcetype.

Alerts & Reports

Search Name | Scheduled Interval | Time Window | Severity | Alert Suppression Setting | Alert Suppression Fields
SFDC Alert – Access from Unknown Browser | 15th minute past hour | Last 1 hour | Low | 24 Hours | User Id, src ip
SFDC Alert – Access to Unapproved Applications | 15th minute past hour | Last 1 hour | High | 24 Hours | User Id, Application
SFDC Alert – Geographically Improbable Access | 30th minute past hour | Last 1 hour | High | 4 Hours | User Id
SFDC Alert – Inactive HR and AD Users in Salesforce | 45th minute past hour | Last 1 hour | Critical | 4 Hours | User Id
SFDC Alert – Failed Login from Inactive User | Every 15 minutes | Last 15 minutes | High | 1 Hour | User Id
SFDC Alert – Non-AD Users Logging Into Salesforce | Every 4 hours | Every 4 hours | High | 24 Hours | User Id, src
SFDC Alert – Security Controls Changes | 7 a.m. every day | Last 24 hours | Medium | N/A | N/A
SFDC Alert – Unusually High Number of Accesses to Report by User | 1 a.m. every day | Last 15 days | Medium | N/A | N/A
SFDC Alert – Unusually High Number of Unique Reports Accessed by User | 2 a.m. every day | Last 15 days | Medium | N/A | N/A
SFDC Alert – Unusually High Number of Users Accessing Report | 3 a.m. every day | Last 15 days | Medium | N/A | N/A
SFDC Alert – Unusually Large Report | 4 a.m. every day | Last 15 days | Medium | N/A | N/A
SFDC Alert – Unusually Large Report by User | 5 a.m. every day | Last 15 days | Medium | N/A | N/A
SFDC Alert – User Login During Off Hours | 7 a.m. every day | Last 24 hours | Low | N/A | N/A
SFDC Alert – User Permission Changes | 8 a.m. every day | Last 24 hours | Medium | N/A | N/A
SFDC Report – Login Distribution by Hour – Timezone Adjusted | N/A | Last 7 days | N/A | N/A | N/A
SFDC Report – Short-Lived User | N/A | Last 30 days | N/A | N/A | N/A
SFDC Report – User Creation/Activation | N/A | Last 7 days | N/A | N/A | N/A
SFDC Lookup Gen – Active Directory Identities | N/A | N/A | N/A | N/A | N/A
SFDC Lookup Update – Active Directory Identities | Every 6 hours | Last 7 days | N/A | N/A | N/A
SFDC Lookup Gen – AD User Lookup Identities | N/A | N/A | N/A | N/A | N/A

Knowledge Base

Dashboards

  • Security Overview Dashboards
    • Security Posture – This dashboard provides an overview of Salesforce activity that should be investigated and provides insight into login activity, report activity, and more. Relevant drill-downs are included on every panel to aid in your investigations. The default time range for the dashboard is the last 7 days.
    • Security Event Details – This dashboard is most commonly accessed through drill-downs on the Security Posture dashboard, but can also be used independently. It provides a table of triggered alerts with details on each and results can be filtered using the filtering inputs available on the top of the page. Drilldowns are included for every result to aid in your investigations.
    • Triggered Alerts – This dashboard provides an overview of all triggered alerts, not only security-focused alerts. A table of triggered alerts is provided as well as a visualization of triggered alerts over time. The default time range for the dashboard is the last 7 days.
  • Audit Dashboards
    • Audit Trail Overview – This dashboard provides an overview of SetupAuditTrail events within your Salesforce instance. You can gain insight into top events, trends by user, trends by section, and more. Drilldowns are enabled for all panels to aid you in your investigations. The default time range for the dashboard is the last 7 days.
    • Audit Event Details – This dashboard provides a distraction-free way to investigate SetupAuditTrail events within your Salesforce instance. It features a single table containing relevant events and multiple inputs to filter results effectively. The drill-down is enabled on the table to assist you in your investigations. The default time range of the dashboard is the last 7 days.
    • Audit Trail by User – This dashboard provides detailed information about what users are doing within your Salesforce instance, including events from multiple sourcetypes. The main feature of the dashboard is a table that aggregates relevant events from multiple sourcetypes into a chronological list of events that allows you to essentially track what a user is doing. This table is especially useful when investigating potential fraud. This dashboard also provides insight into user logins, activity spikes, and more. The default time range for the dashboard is the last 24 hours.
    • Permission Changes by User – This dashboard provides a distraction-free way to investigate user permission changes resulting in permission escalations performed by Salesforce administrators. Multiple filters are available and the drill-down is enabled to aid in your investigations. The default time range for the dashboard is the last 7 days.
    • Security Controls Changes – This dashboard provides a distraction-free way to investigate security control changes performed by Salesforce administrators. It offers insight into new users, 2FA account updates, permission set assignments, and more. Multiple filters are available and the drill-down is enabled to aid you in your investigations. The default time range for the dashboard is the last 7 days.
    • License Usage – This dashboard provides insight into Salesforce license information, as well as the users that the licenses are assigned. Quickly view total licenses, used licenses, and available licenses for each license category, free licenses over time, active and inactive license users, last login dates for users, and more. Multiple filters are available and drill-downs are enabled to assist you in your investigations. The default time range of the dashboard is all time.
  • Data Loss Prevention Dashboards
    • User Forensics – This dashboard provides insight into user activity, specifically, user activity related to reports, dashboards, opportunities, document downloads, accounts, and more. Detailed information is provided for report exports by the user, which can alert you to data theft within your organization. There are multiple filters available and drill-downs are enabled to assist you in your investigations. The default time range for the dashboard is the last 7 days.
    • Report Forensics – This dashboard provides an overview of report activity within your Salesforce instance. Detailed information is provided for report executions, report exports, and the users that are performing report activity. Multiple filters are available and drill-downs are enabled to assist you in your investigations. The default time range for the dashboard is the last 7 days.
  • User Intelligence Dashboards
    • User Logins – This dashboard provides detailed user login information for your Salesforce instance. It offers insight into user logins by geography, user, and source IP address, as well as providing details on locked accounts, password resets, password updates, and login distribution by the hour. Multiple filters are available and drill-downs are enabled to assist in your investigations.

Reports

Report Name

Overview

Description

SFDC Lookup Update – Active Directory Identities

Updates the identity KV store periodically

This report is scheduled for every 6 hours with a time range of the last 7 days to ensure accurate identity data. The search will update the identity KV store with the most recent Windows Active Directory user data.

SFDC Report – Short-Lived User

Displays short-lived users in Salesforce.

This report will display short-lived accounts that can be used for malicious reasons. The duration of a short-lived account is configured in the ‘short_lived_account_threshold’ macro. The default value is 1 hour.

SFDC Report – User Creation/Activation

Detects when a Salesforce user is created or activated/deactivated.

This report will display Salesforce users that are created or activated within the specified search time range.

SFDC Lookup Gen – AD User Lookup Identities

This search is intended to be executed one time to create the identity lookup from the ad_users.csv file.

This report relies on the ad_users.csv lookup table and should be run once when initially configuring the application. It creates the identity KV store that some other searches depend on.

SFDC Lookup Gen – Active Directory Identities

This search is intended to be executed one time to create the identity lookup from Active Directory baseline data.

This report relies on baseline data collected in the “ActiveDirectory” sourcetype using the Splunk Add-on for Windows. It should be run once when initially configuring the application. It creates the identity KV store that some other searches depend on.
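To illustrate what the SFDC Report – Short-Lived User looks for, the following Python snippet (an added example, not the app's own saved search) pairs each account activation with the next deactivation for the same user and reports lifetimes at or under the short_lived_account_threshold default of 3600 seconds. The events and their action names are constructed for the example; the real report works on SetupAuditTrail data collected by the add-on.

```python
from datetime import datetime

SHORT_LIVED_THRESHOLD = 3600  # seconds; the app's default for short_lived_account_threshold

# Constructed audit-style events as (time, user, action).  The action vocabulary is
# illustrative, not the Salesforce SetupAuditTrail values the add-on collects.
SAMPLE_EVENTS = [
    (datetime(2024, 6, 1, 9, 0),   "temp.user@example.com", "created"),
    (datetime(2024, 6, 1, 9, 40),  "temp.user@example.com", "deactivated"),
    (datetime(2024, 6, 1, 10, 0),  "new.hire@example.com",  "created"),
    (datetime(2024, 6, 3, 8, 0),   "new.hire@example.com",  "deactivated"),
    (datetime(2024, 6, 2, 11, 0),  "reused@example.com",    "created"),
    (datetime(2024, 6, 2, 11, 10), "reused@example.com",    "deactivated"),
    (datetime(2024, 6, 2, 15, 0),  "reused@example.com",    "activated"),
    (datetime(2024, 6, 2, 15, 30), "reused@example.com",    "deactivated"),
    (datetime(2024, 6, 4, 8, 0),   "orphan@example.com",    "deactivated"),  # no activation seen
]


def short_lived_users(events, threshold=SHORT_LIVED_THRESHOLD):
    """Pair each activation (created/activated) with the next deactivation of the same
    user and return those whose lifetime is at most `threshold` seconds.

    Events are sorted first, so out-of-order input is fine.  A second activation
    before any deactivation keeps the earlier start time; a deactivation with no
    open activation (for example one that happened before the search window) is
    ignored rather than reported."""
    open_since = {}
    hits = []
    for when, user, action in sorted(events):
        if action in ("created", "activated"):
            open_since.setdefault(user, when)
        elif action == "deactivated" and user in open_since:
            start = open_since.pop(user)
            lifetime = int((when - start).total_seconds())
            if lifetime <= threshold:
                hits.append({"user": user, "activated": start,
                             "deactivated": when, "lifetime_seconds": lifetime})
    return hits


if __name__ == "__main__":
    for hit in short_lived_users(SAMPLE_EVENTS):
        print(f'{hit["user"]}: {hit["lifetime_seconds"]} s '
              f'({hit["activated"]} -> {hit["deactivated"]})')
```

The same account can appear more than once (re-activated and deactivated again), which is exactly the pattern worth a second look; lowering the threshold trims the list to the shortest-lived accounts.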

Alerts

Alert Name

Overview

Description

SFDC Alert – Access from Unknown Browser

Detects logins to Salesforce when a user’s browser name is unknown.

This search will analyze the browsers used to log in to Salesforce. When an unknown browser is detected during login, an alert will be created for the event. Known browsers include Chrome, Safari, Salesforce, Firefox, IE, Edge, Mobile Chrome, & Opera. Any browser not included in this list is considered unknown.

SFDC Alert – Access to Unapproved Applications

Detects access to unapproved applications by a Salesforce user.

This search relies on the ‘sfdc_unapproved_apps’ lookup and compares Salesforce application accesses against the lookup entries. An alert will be created if access to an unapproved application is detected.

SFDC Alert – Failed Login from Inactive User

Detects failed login attempts to Salesforce when the user’s status is inactive.

This search will create an alert if an inactive Salesforce user attempts to log in to Salesforce.

SFDC Alert – Geographically Improbable Access

Detects access to Salesforce from locations that are suspicious or improbable.

This search will create an alert if a Salesforce user logs in to Salesforce from a suspicious or improbable location compared to previous login locations.

SFDC Alert – Inactive HR and AD Users in Salesforce

Detects access to Salesforce from a user whose status is inactive in Active Directory or the organization’s HR platform.

This search will create an alert if a Salesforce user logs into Salesforce, but is inactive in either the identity KV store or the ‘org_hr_data_for_salesforce’ lookup.

SFDC Alert – Non-AD Users Logging Into Salesforce

Detects Salesforce logins by users whose status is inactive in Active Directory.

This search will create an alert if a Salesforce user logs in to Salesforce but is not present in the identity KV store. The alert needs some tuning in a production environment to filter out local admin and integration/service accounts of Salesforce.

SFDC Alert – Security Controls Changes

Detects changes to Salesforce security controls.

This search will create an alert if a Salesforce administrator for your organization creates or updates security controls, such as a user’s 2FA status.

SFDC Alert – Unusually High Number of Accesses to Report by User

Detects an unusually high number of accesses to a single Salesforce report by a user.

This search creates an alert if an unusually high number of accesses to a single Salesforce report by a user is detected. The baseline average is created by analyzing the last 15 days of report accesses. An alert is triggered when the count differs from the baseline average by more than 2 standard deviations.

SFDC Alert – Unusually High Number of Unique Reports Accessed by User

Detects a high number of multiple Salesforce report accesses by a user.

This search creates an alert if an unusually high number of distinct reports are accessed by a user. The baseline average is created by analyzing the last 15 days of report accesses. An alert is triggered when the count differs from the baseline average by more than 2 standard deviations.

SFDC Alert – Unusually High Number of Users Accessing Report

Detects an unusually high number of users accessing a single report.

This search creates an alert if an unusually high number of users access a single, distinct report. The baseline average is created by analyzing the last 15 days of report accesses. An alert is triggered when the count differs from the baseline average by more than 2 standard deviations.

SFDC Alert – Unusually Large Report

Detects when an unusually large report is accessed or exported.

This search creates an alert if an unusually large report is accessed or exported. The baseline average report size is created by analyzing the last 15 days of accessed report sizes. An alert is triggered when the size of an accessed report differs from the baseline average by more than 2 standard deviations.

SFDC Alert – Unusually Large Report by User

Detects when a user accesses or exports an unusually large report.

This search will create an alert if a user accesses or exports an unusually large report. The baseline average report size is created by analyzing the last 15 days of accessed report sizes. An alert is triggered when the size of an accessed report differs from the baseline average by more than 2 standard deviations.

SFDC Alert – User Login During Off Hours

Detects Salesforce logins from users during business off-hours.

This search will create an alert if a user logs in to Salesforce after normal business hours.

SFDC Alert – User Permission Changes

Detects changes to Salesforce user’s permissions.

This search will create an alert if an update to user permissions is detected, specifically if the permission update is considered an escalation.
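The five report alerts above share one method: a per-entity daily baseline over the last 15 days and a 2-standard-deviation trigger. The following Python example is added here and is not the app's own SPL; it implements that method over a constructed set of report-access events and, going slightly beyond the text, runs it for two of the alerts (accesses to a report by user, and distinct reports by user) by swapping the key and value functions. The field names, the treatment of quiet days as zero, and the floor on the standard deviation are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASELINE_DAYS = 15   # baseline window used by the app's report alerts
SIGMA = 2            # the app's 2-standard-deviation trigger


def daily_values(events, key_fn, value_fn, start, days):
    """Bucket events by key and calendar day, then reduce each bucket with value_fn.

    Returns {key: [value for day 0, ..., value for day days-1]}.  A day with no
    events for a key is reduced from an empty list (so len() gives 0); counting
    quiet days in the baseline is a design choice of this example."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ev in events:
        day = (ev["time"] - start).days
        if 0 <= day < days:
            buckets[key_fn(ev)][day].append(ev)
    return {key: [value_fn(per_day.get(d, [])) for d in range(days)]
            for key, per_day in buckets.items()}


def unusually_high(events, key_fn, value_fn, now, baseline_days=BASELINE_DAYS,
                   sigma=SIGMA, min_stdev=1.0):
    """Flag keys whose value today exceeds their baseline mean by more than sigma
    standard deviations.  min_stdev floors a perfectly flat baseline (pstdev 0) so
    that one extra access does not fire; the floor is this example's choice."""
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    start = today - timedelta(days=baseline_days)
    series = daily_values(events, key_fn, value_fn, start, baseline_days + 1)
    alerts = []
    for key, values in series.items():
        baseline, current = values[:-1], values[-1]
        mu = mean(baseline)
        sd = max(pstdev(baseline), min_stdev)
        if current - mu > sigma * sd:          # "unusually high": one-sided check
            alerts.append({"key": key, "current": current,
                           "baseline_mean": round(mu, 2), "baseline_stdev": round(sd, 2)})
    return alerts


def accesses_to_report_by_user(events, now):
    """'Unusually High Number of Accesses to Report by User': count per (user, report)."""
    return unusually_high(events, lambda e: (e["user"], e["report"]), len, now)


def unique_reports_by_user(events, now):
    """'Unusually High Number of Unique Reports Accessed by User': distinct reports per user."""
    return unusually_high(events, lambda e: e["user"],
                          lambda evs: len({e["report"] for e in evs}), now)


def build_sample(now):
    """Constructed sample (field names are illustrative, not the add-on's): alice reads
    report R1 twice a day for 15 days and 12 times today; bob reads one of three
    reports once a day throughout, so his per-report counts are bursty but normal."""
    events = []
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for d in range(BASELINE_DAYS, -1, -1):
        day = today - timedelta(days=d)
        for i in range(12 if d == 0 else 2):
            events.append({"time": day + timedelta(hours=9, minutes=i),
                           "user": "alice", "report": "R1"})
        events.append({"time": day + timedelta(hours=10),
                       "user": "bob", "report": ("R1", "R2", "R3")[d % 3]})
    return events


SAMPLE_NOW = datetime(2024, 6, 16, 12, 0)   # constructed "current time"

if __name__ == "__main__":
    events = build_sample(SAMPLE_NOW)
    print("accesses to report by user:", accesses_to_report_by_user(events, SAMPLE_NOW))
    print("unique reports by user:", unique_reports_by_user(events, SAMPLE_NOW))
```

Only alice's 12 accesses to R1 fire; bob's rotating pattern stays inside two standard deviations of its baseline, and neither user touches an unusual number of distinct reports. The other three report alerts fit the same shape by choosing a different key (the report) or value (report size) function.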

Lookups

sfdc_unapproved_apps – This lookup table contains the list of unapproved apps. A list of Salesforce application integrations is found here. Please consult your Salesforce administrator and update this lookup before enabling the alert for ‘Access to Unapproved Applications’.

sfdc_logfile_eventtypes – This lookup table contains the special event type definitions used by the ‘Audit Trail Summary’ table on the ‘Audit Trail by User’ dashboard.

org_hr_data_for_salesforce – This lookup table contains the organization-specific HR employee data required for some searches and must be provided by your organization. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

ad_users – This lookup table is the initial Windows Active Directory user data that the identity KV store is created from. This lookup must be provided by your organization for dependent searches to function properly. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

sfdc_identity_tz – This lookup table contains the time zones and time zone offsets (in seconds) for every Salesforce user in your organization. This lookup must be provided by your organization for dependent searches to function properly. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

sfdc_ip_list – This lookup table contains a list of Salesforce server IP addresses used to filter out false positives.

sfdc_logfile_request_status_lookup – This lookup table contains request status mappings for Salesforce events.

sfdc_renderingtypes – This lookup table contains Salesforce report rendering type mappings, such as Email, Excel, CSV, etc.

Macros

AuditTrailEventTypeFilter – This macro is used to filter relevant events for the Audit Trail searches.

convert_time_to_string(2) – This macro is used in some searches to manage complex time to string conversions.

exclude_svc_account – This macro is used to exclude the service account’s events from search results. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

get_salesforce_index – This macro is used in searches that query the index containing your organization’s Salesforce data. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

include_user_category – This macro is used to include the user category ‘Standard’ in searches involving Active Directory queries.

privilege_escalation_filter – This macro is used to filter relevant events for permission changes searches.

security_control_changes_filter – This macro is used to filter relevant events for security controls searches.

short_lived_account_threshold – This macro contains the time threshold in seconds that defines a short-lived user. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

FAQs

Troubleshooting

Release Notes

Release 1.0.0

Known Issues:

  • Some Salesforce reports arrive with a null REPORT_NAME field in the Splunk event. This can cause problems in search queries, especially panels that aggregate on the report name. To mitigate this problem, many search queries use and display the Report ID instead of the Report Name.

Need Assistance?

If you need assistance with the SP6 Salesforce Security App in any way, feel free to reach out to us.
