Does anyone have examples of how to use Splunk to check for a new application accessing Salesforce.com?
Under the General Data Protection Regulation (GDPR) Article 30, organizations must maintain a record of processing activities including contact details of the controller, the purposes of processing, description of the categories of data subjects and personal data processed and the categories of recipients to whom the personal data has been or will be disclosed including recipients in any other countries. Interactions from new applications, whether for legitimate purposes or due to malicious activity, can create a non-compliance condition if they are not documented properly. This situation may not impact organizations who employ fewer than 250 persons and may not have critical categories of personal data for processing.
This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.
This example use case depends on Salesforce data. Install the Splunk Add-on for Salesforce and enable the inputs as described in the Splunk Add-on for Salesforce Manual to collect data.
Salesforce contains the most critical information for many companies. This search looks for users who connect to SFDC's reporting API with new clients.
index=sfdc CLIENT_NAME=* (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)
Known false positives: Do not review these alerts directly, except for high-sensitivity accounts, but use them for context or to aggregate risk. This is a behavioral search, so the definition of a false positive differs slightly from traditional searches. Every time this fires, it reflects the first occurrence in the time period you're currently searching. While there are no false positives in the traditional sense, there is a lot of noise.
How to respond: When this search returns values, initiate the incident response process and identify the user demonstrating this behavior. Capture the time of the event, the user's role, and application. If possible, determine the system the user is using and its location. Contact the user and their manager to determine if it is authorized. If the access is authorized, document that this is authorized and by whom. If not, it's possible that another person used the user credentials and additional investigation is warranted.
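The following Python script is an added example, not code from Splunk or the Splunk Security Essentials app. It emulates what the search above does once a first-seen pipeline is applied to it: step one reproduces the base search filter (a CLIENT_NAME is present and the event type is API, BulkAPI or RestAPI), step two groups by user and client, takes the earliest timestamp per pair, and flags pairs whose earliest event falls inside the detection window. The field names follow the Salesforce EventLogFile columns; the event records, user names and client names are constructed for the example. The alert carries the time, user and application that the response step asks you to capture.

```python
"""Added example: stand-alone emulation of the 'new client accessing the
Salesforce API' detection. Not Splunk's own code; sample events constructed."""
from datetime import datetime, timedelta, timezone

API_EVENT_TYPES = {"API", "BulkAPI", "RestAPI"}

# Constructed sample events: a baseline period plus a 24h detection window
# ending at 2024-05-15T12:00:00Z.
SAMPLE_EVENTS = [
    {"TIMESTAMP_DERIVED": "2024-04-20T08:00:00Z", "USER_NAME": "alice@example.com",
     "CLIENT_NAME": "Salesforce Reports", "EVENT_TYPE": "API"},
    {"TIMESTAMP_DERIVED": "2024-05-02T10:30:00Z", "USER_NAME": "alice@example.com",
     "CLIENT_NAME": "Salesforce Reports", "EVENT_TYPE": "API"},
    {"TIMESTAMP_DERIVED": "2024-05-03T11:00:00Z", "USER_NAME": "carol@example.com",
     "CLIENT_NAME": "Salesforce Reports", "EVENT_TYPE": "API"},
    # Events inside the detection window:
    {"TIMESTAMP_DERIVED": "2024-05-14T15:45:00Z", "USER_NAME": "alice@example.com",
     "CLIENT_NAME": "Salesforce Reports", "EVENT_TYPE": "API"},        # known client
    {"TIMESTAMP_DERIVED": "2024-05-14T16:02:00Z", "USER_NAME": "alice@example.com",
     "CLIENT_NAME": "python-requests/2.31", "EVENT_TYPE": "RestAPI"},  # new client
    {"TIMESTAMP_DERIVED": "2024-05-14T16:10:00Z", "USER_NAME": "bob@example.com",
     "CLIENT_NAME": "Data Loader", "EVENT_TYPE": "Login"},             # not an API event
    {"TIMESTAMP_DERIVED": "2024-05-14T18:00:00Z", "USER_NAME": "bob@example.com",
     "CLIENT_NAME": "", "EVENT_TYPE": "BulkAPI"},                      # no CLIENT_NAME
    {"TIMESTAMP_DERIVED": "2024-05-14T18:05:00Z", "USER_NAME": "carol@example.com",
     "CLIENT_NAME": "Tableau CRM", "EVENT_TYPE": "BulkAPI"},           # new client
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in EventLogFile rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_base_search(event):
    """Equivalent of CLIENT_NAME=* (EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI)."""
    return bool(event.get("CLIENT_NAME")) and event.get("EVENT_TYPE") in API_EVENT_TYPES


def detect_new_clients(events, now_iso, lookback_hours=24):
    """Return one alert per user/client pair whose earliest event lies in the window.

    Everything searched up to `now` is the baseline, so a pair is 'new' only when
    it has no earlier occurrence in the searched data. That is why the result is
    noisy when the searched period is short: the first occurrence of every pair
    then lands inside the window.
    """
    now = parse_ts(now_iso)
    window_start = now - timedelta(hours=lookback_hours)
    stats = {}  # (USER_NAME, CLIENT_NAME) -> earliest/latest/count, like stats ... by
    for event in events:
        if not matches_base_search(event):
            continue
        ts = parse_ts(event["TIMESTAMP_DERIVED"])
        if ts > now:
            continue
        key = (event["USER_NAME"], event["CLIENT_NAME"])
        rec = stats.setdefault(key, {"earliest": ts, "latest": ts, "count": 0})
        rec["earliest"] = min(rec["earliest"], ts)
        rec["latest"] = max(rec["latest"], ts)
        rec["count"] += 1

    alerts = []
    for (user, client), rec in sorted(stats.items()):
        if rec["earliest"] >= window_start:
            # Time, user and application: the fields the response step captures.
            alerts.append({
                "USER_NAME": user,
                "CLIENT_NAME": client,
                "first_seen": rec["earliest"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "count": rec["count"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_clients(SAMPLE_EVENTS, "2024-05-15T12:00:00Z"):
        print(alert)
```

Run with the 24-hour window and only the two genuinely new pairs surface; the Login event and the event without a CLIENT_NAME are dropped by the base filter, and alice's established reporting client is not flagged because its earliest occurrence predates the window. Widen `lookback_hours` to cover the whole data set and every pair is reported, which is the noise the false-positive note above describes.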
If no results appear, you may need to deploy the Splunk Add-on for Salesforce to the search heads to use the knowledge objects necessary for simple searching.