Security

Example of a new application accessing Salesforce.com use case?

adukes_splunk
Splunk Employee

Does anyone have examples of how to use Splunk to check for a new application accessing Salesforce.com?


adukes_splunk
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Under the General Data Protection Regulation (GDPR) Article 30, organizations must maintain a record of processing activities including contact details of the controller, the purposes of processing, description of the categories of data subjects and personal data processed and the categories of recipients to whom the personal data has been or will be disclosed including recipients in any other countries. Interactions from new applications, whether for legitimate purposes or due to malicious activity, can create a non-compliance condition if they are not documented properly. This situation may not impact organizations who employ fewer than 250 persons and may not have critical categories of personal data for processing.

This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This example use case depends on Salesforce data. Install the Splunk Add-on for Salesforce and enable the inputs as described in the Splunk Add-on for Salesforce Manual to collect data.

Get insights

Salesforce contains the most critical information for many companies. This search looks for users who connect to SFDC's reporting API with new clients.

index=sfdc CLIENT_NAME=* EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI

Known false positives: Do not review these alerts directly, except for high-sensitivity accounts, but use them for context, or to aggregate risk. This is a behavioral search, so the definition of false positive is slightly different from traditional searches. Every time this fires, it reflects the first occurrence in the time period you're currently searching. While there are no false positives in a traditional sense, there is lots of noise.

How to respond: When this search returns values, initiate the incident response process and identify the user demonstrating this behavior. Capture the time of the event, the user's role, and application. If possible, determine the system the user is using and its location. Contact the user and their manager to determine if it is authorized. If the access is authorized, document that this is authorized and by whom. If not, it's possible that another person used the user credentials and additional investigation is warranted.

If no results appear, you may need to deploy the Splunk Add-on for Salesforce to the search heads to use the knowledge objects necessary for simple searching.

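Added example, not code from the original post or from Splunk Security Essentials: the first-seen logic the answer describes, written in Python over constructed sample events so the noise caveat is visible, namely that a lookback equal to the search window makes every user/client pair "new". The detection window, the sample users and the client names are assumed.

```python
"""Added example (not Splunk's or the answer's code): the first-seen logic the
answer describes, run over constructed sample events so the noise caveat is
visible. Field names USER_NAME, CLIENT_NAME, EVENT_TYPE follow the search above;
the window, sample users and client names are assumed."""
from datetime import datetime, timezone

API_EVENT_TYPES = {"API", "BulkAPI", "RestAPI"}           # EVENT_TYPE filter in the search
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed detection window
WINDOW_END = datetime(2024, 3, 3, tzinfo=timezone.utc)

# Constructed sample events: (_time, USER_NAME, CLIENT_NAME, EVENT_TYPE).
SAMPLE_EVENTS = [
    ("2024-02-10T08:00:00Z", "alice@example.com", "Salesforce for Outlook", "API"),
    ("2024-02-12T10:30:00Z", "bob@example.com", "Data Loader Bulk UI", "BulkAPI"),
    ("2024-03-01T09:00:00Z", "alice@example.com", "Salesforce for Outlook", "API"),
    ("2024-03-01T09:05:00Z", "bob@example.com", "Data Loader Bulk UI", "BulkAPI"),
    ("2024-03-02T02:14:00Z", "alice@example.com", "unknown-script/1.0", "RestAPI"),
    ("2024-03-02T08:00:00Z", "carol@example.com", "", "API"),           # no CLIENT_NAME
    ("2024-03-02T08:01:00Z", "carol@example.com", "Browser", "Login"),  # not an API type
]

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_seen_api_clients(events, window_start, window_end):
    """Return (user, client, first_seen) for pairs first observed inside the window.
    SPL sketch (assumed, not from the page): append
    | stats earliest(_time) AS first_seen BY USER_NAME CLIENT_NAME | where first_seen >= <start>
    to the base search; pairs already seen before window_start are dropped."""
    earliest = {}
    for stamp, user, client, event_type in events:
        # CLIENT_NAME=* needs a client value; EVENT_TYPE must be one of the API types.
        if event_type not in API_EVENT_TYPES or not client:
            continue
        t = parse_time(stamp)
        if t >= window_end:
            continue
        key = (user, client)
        if key not in earliest or t < earliest[key]:
            earliest[key] = t
    return sorted((u, c, t) for (u, c), t in earliest.items() if t >= window_start)

def compare_lookbacks():
    """With full history only the genuinely new pair fires; with a lookback equal
    to the window every pair is 'first seen', which is the noise the answer warns about."""
    with_history = first_seen_api_clients(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    window_only = [e for e in SAMPLE_EVENTS if parse_time(e[0]) >= WINDOW_START]
    return with_history, first_seen_api_clients(window_only, WINDOW_START, WINDOW_END)
```

The practical reading: keep the search's lookback longer than the alerting window (or feed it a baseline of known user/client pairs), otherwise every pair in the window is reported as new.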
