
Example of a new application accessing Salesforce.com use case?

adukes_splunk
Splunk Employee

Does anyone have examples of how to use Splunk to check for a new application accessing Salesforce.com?

1 Solution

adukes_splunk
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Under the General Data Protection Regulation (GDPR) Article 30, organizations must maintain a record of processing activities including contact details of the controller, the purposes of processing, description of the categories of data subjects and personal data processed and the categories of recipients to whom the personal data has been or will be disclosed including recipients in any other countries. Interactions from new applications, whether for legitimate purposes or due to malicious activity, can create a non-compliance condition if they are not documented properly. This situation may not impact organizations who employ fewer than 250 persons and may not have critical categories of personal data for processing.

This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This example use case depends on Salesforce data. Install the Splunk Add-on for Salesforce and enable the inputs as described in the Splunk Add-on for Salesforce Manual to collect data.

Get insights

Salesforce contains the most critical information for many companies. This search looks for users who connect to SFDC's reporting API with new clients.

index=sfdc CLIENT_NAME=* EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI

Known false positives: Do not review these alerts directly, except for high sensitivity accounts, but use them for context, or to aggregate risk. This is a behavioral search, so the definition for false positive is slightly different from traditional searches. Every time this fires, it reflects the first occurrence in the time period you're currently searching. While there are no false positives in a traditional sense, there is lots of noise.

How to respond: When this search returns values, initiate the incident response process and identify the user demonstrating this behavior. Capture the time of the event, the user's role, and application. If possible, determine the system the user is using and its location. Contact the user and their manager to determine if it is authorized. If the access is authorized, document that this is authorized and by whom. If not, it's possible that another person used the user credentials and additional investigation is warranted.

If no results appear, you may need to deploy the Splunk Add-on for Salesforce to the search heads to use the knowledge objects necessary for simple searching.


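As an added example (not code from the original post or from Splunk Security Essentials), here is the same first-occurrence logic as the search above, implemented in Python over constructed Salesforce EventLogFile-style records, together with a baseline cutoff and a per-user aggregation so the results are used for context and risk rather than reviewed one by one, as the answer recommends. USER_NAME and TIMESTAMP are assumed field names; EVENT_TYPE and CLIENT_NAME come from the search on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

API_EVENT_TYPES = {"API", "BulkAPI", "RestAPI"}  # the OR clause of the SPL search

# Constructed sample records, not real Salesforce data. USER_NAME and TIMESTAMP
# are assumed field names; EVENT_TYPE and CLIENT_NAME match the search on the page.
SAMPLE_EVENTS = [
    {"TIMESTAMP": "2024-03-01T08:00:00Z", "USER_NAME": "alice@example.com", "EVENT_TYPE": "API", "CLIENT_NAME": "SfdcInternalAPI"},
    {"TIMESTAMP": "2024-03-01T09:10:00Z", "USER_NAME": "alice@example.com", "EVENT_TYPE": "URI", "CLIENT_NAME": "Chrome"},
    {"TIMESTAMP": "2024-03-02T08:05:00Z", "USER_NAME": "alice@example.com", "EVENT_TYPE": "API", "CLIENT_NAME": "SfdcInternalAPI"},
    {"TIMESTAMP": "2024-03-10T23:40:00Z", "USER_NAME": "alice@example.com", "EVENT_TYPE": "RestAPI", "CLIENT_NAME": "DataLoaderPartnerUI"},
    {"TIMESTAMP": "2024-03-11T02:15:00Z", "USER_NAME": "alice@example.com", "EVENT_TYPE": "BulkAPI", "CLIENT_NAME": "DataLoaderPartnerUI"},
    {"TIMESTAMP": "2024-03-11T03:00:00Z", "USER_NAME": "bob@example.com", "EVENT_TYPE": "RestAPI", "CLIENT_NAME": ""},
    {"TIMESTAMP": "2024-03-12T10:00:00Z", "USER_NAME": "bob@example.com", "EVENT_TYPE": "RestAPI", "CLIENT_NAME": "PostmanRuntime"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def first_seen_clients(events):
    """Map (user, client) -> timestamp of the first API-type event with that client.
    Each pair is reported exactly once, which is why the search is 'behavioral'."""
    first = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["TIMESTAMP"])):
        # EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI, and CLIENT_NAME=*
        if ev["EVENT_TYPE"] not in API_EVENT_TYPES or not ev["CLIENT_NAME"]:
            continue
        first.setdefault((ev["USER_NAME"], ev["CLIENT_NAME"]), ev["TIMESTAMP"])
    return first

def new_clients_after_baseline(events, baseline_days, now):
    """Cut the noise the post warns about: keep only pairs first seen after a
    learning window of baseline_days that ends at `now`."""
    cutoff = now - timedelta(days=baseline_days)
    return {k: v for k, v in first_seen_clients(events).items() if parse_ts(v) >= cutoff}

def risk_by_user(new_pairs):
    """Aggregate for context rather than alerting per event: new clients per user."""
    counts = defaultdict(int)
    for user, _client in new_pairs:
        counts[user] += 1
    return dict(counts)

if __name__ == "__main__":
    now = parse_ts("2024-03-13T00:00:00Z")
    flagged = new_clients_after_baseline(SAMPLE_EVENTS, baseline_days=7, now=now)
    for (user, client), ts in sorted(flagged.items()):
        print(f"{ts} {user} first used client {client!r}")
    print(risk_by_user(flagged))
```

Pairs first seen inside the learning window are treated as known, so only clients that appear after it are surfaced; the per-user count is what you would feed into a risk score rather than paging on each hit.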
