Aditum Salesforce Security App

Overview

The Aditum Salesforce Security App helps you uncover threats by identifying unusual behavior and access anomalies in your Salesforce environment. It also provides dashboard visualizations for investigating security incidents and for running analytical queries over your Salesforce data. The application displays your Salesforce data in clear, intuitive visualizations that give your security team an edge. It alerts you to suspicious activity within your Salesforce instance so that you can stop data exfiltration and other security issues before it is too late. The Aditum Salesforce Security App is also configured to work with Splunk Enterprise Security for those who need the additional security measures that Splunk Enterprise Security offers.

About

The Aditum Salesforce Security App for Splunk gives you critical security and operational insight into your Salesforce account.

This App includes, but is not limited to:

  • A Security Posture dashboard that summarizes all triggered Alerts
  • User Forensics and Report Forensics dashboards
  • Audit Trail dashboards
  • Alerts and Reports that capture access anomalies and unusual events

This app is also Splunk ES compatible: when you install it on an ES search head, all the configured Alerts also act as Correlation Searches and create notable events when they trigger.

Pre-requisites

  1. The Splunk Add-on for Salesforce (v 4.0.1) must be installed and configured to collect data from your Salesforce account. The Add-on is available here on Splunkbase.
  2. The Salesforce data must be present in the sourcetypes below, as the Aditum Salesforce Security App relies on them. You can find the process for adding data for these sourcetypes here. The ‘sfdc:logfile’ sourcetype relies on the Salesforce Event Monitoring feature, which may need to be purchased separately from Salesforce.
    • sfdc:logfile
    • sfdc:LoginHistory
    • sfdc:SetupAuditTrail
    • sfdc:opportunity
    • sfdc:account
    • sfdc:report
    • sfdc:user
    • sfdc:dashboard
    • sfdc:ContentVersion
    • sfdc:UserLicense
  3. The default interval configuration is fine for all sourcetypes except the inputs for ‘sfdc:LoginHistory’ and ‘sfdc:report’. These inputs should be configured to collect data more frequently (anywhere from 60 to 300 seconds) so that suspicious activity is identified as soon as possible.
  4. Additional Input Configuration
    • All of the inputs for the above sourcetypes, except those for ‘sfdc:UserLicense’, ‘sfdc:SetupAuditTrail’, and ‘sfdc:logfile’, are provided by default within the ‘Splunk Add-on for Salesforce’ application and will begin collecting data once the account is configured and the inputs are enabled.
    • To create the input for the ‘sfdc:UserLicense’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Object’. Enter the following values for the configuration fields:
      • Name: user_license
      • Interval: 3600
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Object: UserLicense
      • Object Fields: Id,LicenseDefinitionKey,MasterLabel,Status,TotalLicenses,UsedLicenses,UsedLicensesLastUpdated,Name
      • Order By: UsedLicensesLastUpdated
      • Use existing data input?: Yes
      • Limit: Set this to an appropriate limit for your organization (Default 1000)
    • To create the input for the ‘sfdc:SetupAuditTrail’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Object’. Enter the following values for the configuration fields:
      • Name: audit_trail
      • Interval: 60
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Object: SetupAuditTrail
      • Object Fields: Id,Action,Section,CreatedDate,CreatedById,Display
      • Order By: CreatedDate
      • Use existing data input?: Yes
      • Limit: Set this to an appropriate limit for your organization (Default 1000)
    • To create the input for the ‘sfdc:logfile’ sourcetype, ensure you are using the ‘Splunk Add-on for Salesforce’ application. Then, click the ‘Inputs’ tab on the navigation menu, click the ‘Create New Input’ button, and select ‘Salesforce Event Log’. Enter the following values for the configuration fields:
      • Name: eventlog
      • Interval: 60
      • Index: <salesforce data collection index>
      • Salesforce Account: <Select the user account that was configured for data collection>
      • Use existing data input?: Yes
      • Monitor Interval: Hourly
      • Query Start Date: <This field is optional. Default is the previous 30 days>
  5. Enable the saved search ‘Lookup – USER_ID to USER_NAME’ that comes OOTB with the Splunk Add-on for Salesforce. This search creates the lookup ‘lookup_sfdc_usernames.csv’, which almost all the dashboards in the app use. It is strongly recommended to schedule this saved search to run at least every 30 minutes (the default is 9 p.m. every day) so that the lookup is updated frequently and the search queries in the app see the latest attributes of each Salesforce user and produce correct results. You can run the simple query | inputlookup lookup_sfdc_usernames.csv to verify that the lookup is populated.
  6. Splunk Add-on for Microsoft Windows / Active Directory data – Certain dashboard panels and alerts cover Active Directory and Salesforce integration use cases. If AD is integrated with Salesforce for SSO in your environment, make sure that the Splunk Add-on for Microsoft Windows (available here) is configured and collecting AD user data from your AD server in the “ActiveDirectory” sourcetype.

Installation

This App needs to be installed on the search head layer only; search head clusters are supported as well. Note that the pre-requisite add-on, Splunk Add-on for Salesforce, also needs to be installed on the same search head where this app is installed. Additional configuration is required; see Post-Install Configuration.

Post-Install Configuration

Summary Index

Certain alerts in this app write their triggered results to the “sfdc_summary” summary index. Deploy the ‘sfdc_summary’ index in your environment according to your index storage and retention policy. Note that the security overview dashboards rely on this index and will not work unless it is deployed before the alerts are enabled.

Macros

get_salesforce_index – All dashboards, Reports and Alerts search the ‘salesforce’ index by default. If you are consuming Salesforce data into any other index, update the definition of the `get_salesforce_index` macro.

exclude_svc_account – The Splunk Add-on for Salesforce collects data from a Heavy Forwarder over the REST API using a dedicated service account, generating frequent login events in the process. To exclude these events from dashboard and alert searches, update the `exclude_svc_account` macro definition with the service account and the heavy forwarder IP. You can add any other service account and/or source IP that you want excluded from all dashboard and alert searches to this macro.

short_lived_account_threshold – Short-lived accounts are commonly used for malicious purposes. Update this macro to define the short-lived account threshold in seconds. The default threshold is 3600.
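As an added example that is not the app's own search, the Python below shows what the threshold does: it pairs user create/activate events with later deactivate events from SetupAuditTrail-style records and reports accounts whose lifetime is at or below short_lived_account_threshold seconds. The Action, CreatedDate and Display field names come from the SetupAuditTrail input configured above; the Action values, the convention that the account name is the last word of Display, and the sample events are constructed for this example.

```python
from datetime import datetime, timezone

SHORT_LIVED_THRESHOLD = 3600   # seconds; mirrors the macro's default

# Constructed placeholder Action values: map them to the audit actions your org sees.
CREATE_ACTIONS = {"createduser", "activateduser"}
DISABLE_ACTIONS = {"deactivateduser", "frozeuser"}


def parse_ts(value):
    """Parse a SetupAuditTrail CreatedDate such as 2024-05-01T09:00:00.000Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def account_from_display(display):
    """Constructed convention for this example: the account name is the last word of Display."""
    return display.split()[-1]


def short_lived_accounts(events, threshold=SHORT_LIVED_THRESHOLD):
    """Return {account: lifetime_seconds} for accounts created/activated and then
    disabled within `threshold` seconds. An account that is never disabled is not
    short-lived, however recent; a disable with no preceding create is ignored."""
    created = {}   # account -> timestamp of its most recent create/activate
    flagged = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["CreatedDate"])):
        account = account_from_display(ev["Display"])
        action = ev["Action"].lower()
        ts = parse_ts(ev["CreatedDate"])
        if action in CREATE_ACTIONS:
            created[account] = ts
        elif action in DISABLE_ACTIONS and account in created:
            lifetime = int((ts - created.pop(account)).total_seconds())
            if lifetime <= threshold:
                flagged[account] = lifetime
    return flagged


# Constructed sample events using the SetupAuditTrail fields the input above collects.
SAMPLE_EVENTS = [
    {"Action": "createduser", "CreatedDate": "2024-05-01T09:00:00.000Z",
     "Display": "Created user temp.contractor@example.com"},
    {"Action": "deactivateduser", "CreatedDate": "2024-05-01T09:40:00.000Z",
     "Display": "Deactivated user temp.contractor@example.com"},
    {"Action": "createduser", "CreatedDate": "2024-05-01T10:00:00.000Z",
     "Display": "Created user new.hire@example.com"},
    {"Action": "createduser", "CreatedDate": "2024-05-02T08:00:00.000Z",
     "Display": "Created user data.export@example.com"},
    {"Action": "deactivateduser", "CreatedDate": "2024-05-03T08:00:00.000Z",
     "Display": "Deactivated user data.export@example.com"},
]

if __name__ == "__main__":
    for account, seconds in short_lived_accounts(SAMPLE_EVENTS).items():
        print(f"{account} lived {seconds}s (threshold {SHORT_LIVED_THRESHOLD}s)")
```

With the default threshold only temp.contractor@example.com (40 minutes) is reported; data.export@example.com lived a full day and new.hire@example.com was never deactivated. Raising the threshold is exactly what editing the macro does in the app.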

Lookups

sfdc_unapproved_apps (sfdc_unapproved_apps) – This lookup table contains a list of unapproved apps and needs to be configured per your organization’s security rules for Salesforce. You can find a list of all the apps available for Salesforce integration here. Consult your Salesforce administrator and update this lookup before enabling the alert for the ‘Access to Unapproved Applications’ use case.

lookup_sfdc_usernames.csv – This lookup ships with the Splunk Add-on for Salesforce and provides Salesforce user attributes such as status (Active/Inactive) and location. We strongly recommend scheduling the saved search ‘Lookup – USER_ID to USER_NAME’ to run at least every 30 minutes so that the lookup is updated frequently and the search queries in our App see the latest attributes of each Salesforce user and produce correct results.

sfdc_employee_data_lookup (org_hr_data_for_salesforce.csv) – Some of the searches rely on basic employee HR data to determine threats. This CSV lookup file must be provided by your organization for the searches to function properly. The fields contained in the lookup are: Email, Last Name, First Name, Status, Start Date, End Date, Geolocation, and Manager. These fields are self-explanatory, except the ‘Status’ field, which should contain either ‘Active’ or ‘Inactive’ values.

sfdc_identity_tz_lookup (sfdc_identity_tz.csv) – Many organizations have employees that reside in different time zones. To maintain proper dates and times for user events, this CSV lookup file must be provided. The fields required for this lookup are: Email, TZ, and time_offset. The Email field should contain the user’s email address, the TZ field should contain the user’s time zone (e.g., EST, CST, PST, MST, etc.) while the time_offset field should contain the time offset in seconds for the time zone compared to UTC time.
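The two lookups above are the only ones your organization has to author by hand, and a wrong header or a Status value other than Active/Inactive silently breaks the searches that depend on them. The Python below is an added example (not part of the Aditum app or the Splunk Add-on) that checks both files before upload: exact header order, Active/Inactive Status, e-mail syntax and duplicates, and a time_offset that is an integer number of seconds consistent with the TZ abbreviation. The abbreviation-to-offset table (standard-time offsets for EST, CST, MST, PST) and the sample CSV text are constructed for this example.

```python
import csv
import io
import re

# Column order the app documents for each organization-supplied lookup.
HR_FIELDS = ["Email", "Last Name", "First Name", "Status", "Start Date",
             "End Date", "Geolocation", "Manager"]
TZ_FIELDS = ["Email", "TZ", "time_offset"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed reference table (standard-time offsets from UTC, in seconds) for the
# abbreviations the docs mention; extend it with the zones your organization uses.
TZ_OFFSETS = {"EST": -18000, "CST": -21600, "MST": -25200, "PST": -28800, "UTC": 0}


def _check_header(reader, expected, problems):
    """Splunk matches lookup fields by exact name, so the header must match exactly."""
    header = reader.fieldnames or []
    if header != expected:
        problems.append(f"header mismatch: expected {expected}, got {header}")
        return False
    return True


def validate_hr_lookup(csv_text):
    """Return the problems found in org_hr_data_for_salesforce.csv (empty list = OK)."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if not _check_header(reader, HR_FIELDS, problems):
        return problems
    seen = set()
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        email = row["Email"].strip().lower()
        if not EMAIL_RE.match(email):
            problems.append(f"line {n}: bad Email {row['Email']!r}")
        if email in seen:
            problems.append(f"line {n}: duplicate Email {email!r}")
        seen.add(email)
        # The app's searches compare against the literal values Active / Inactive.
        if row["Status"] not in ("Active", "Inactive"):
            problems.append(f"line {n}: Status must be Active or Inactive, got {row['Status']!r}")
        if row["Status"] == "Inactive" and not row["End Date"].strip():
            problems.append(f"line {n}: Inactive user has no End Date")
    return problems


def validate_tz_lookup(csv_text):
    """Return the problems found in sfdc_identity_tz.csv (empty list = OK)."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if not _check_header(reader, TZ_FIELDS, problems):
        return problems
    for n, row in enumerate(reader, start=2):
        if not EMAIL_RE.match(row["Email"].strip()):
            problems.append(f"line {n}: bad Email {row['Email']!r}")
        try:
            offset = int(row["time_offset"])
        except ValueError:
            problems.append(f"line {n}: time_offset must be an integer number of seconds")
            continue
        # Real offsets are whole quarter-hours within +/-14 h; anything else is a typo,
        # most often hours written where the app expects seconds.
        if offset % 900 or not -50400 <= offset <= 50400:
            problems.append(f"line {n}: implausible time_offset {offset}")
        expected = TZ_OFFSETS.get(row["TZ"])
        if expected is not None and expected != offset:
            problems.append(f"line {n}: TZ {row['TZ']} implies {expected}, got {offset}")
    return problems


# Constructed sample files; the last row of each carries deliberate mistakes.
SAMPLE_HR = """Email,Last Name,First Name,Status,Start Date,End Date,Geolocation,Manager
alice@example.com,Smith,Alice,Active,2021-03-01,,Austin,bob@example.com
bob@example.com,Jones,Bob,Inactive,2019-07-15,2023-02-28,Denver,carol@example.com
not-an-email,Lee,Dan,Terminated,2020-01-10,,Boston,bob@example.com
"""
SAMPLE_TZ = """Email,TZ,time_offset
alice@example.com,CST,-21600
bob@example.com,MST,-25200
dan@example.com,EST,-5
"""

if __name__ == "__main__":
    for name, found in (("HR lookup", validate_hr_lookup(SAMPLE_HR)),
                        ("TZ lookup", validate_tz_lookup(SAMPLE_TZ))):
        print(name, "OK" if not found else "\n  ".join([""] + found))
```

Run it against the real files with `validate_hr_lookup(open(path).read())` before uploading them to the search head; an empty list means the file is safe to upload.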

windows_activedirectory_persons_for_salesforce – This is a KV store and it maintains the AD user list along with user attributes. There are 2 ways to configure this lookup, depending on your AD data collection situation.

1. Using AD baseline data – This is the preferred and less complicated way. This method also follows Splunk best practices.

If you have not already done so, configure an “admon” input to collect baseline data from no more than 2 AD servers per domain in your environment. The admon stanza in the Splunk Add-on for Windows inputs config should look something like the below.

[admon://XXX]
disabled = 0
baseline = 1
monitorSubtree = 1
index = XXX

Run the search below for ‘All Time’ and verify that AD baseline data is being collected:

index=* sourcetype=activedirectory objectCategory="CN=Person,CN=Schema,CN=Configuration,*"

Locate the saved search ‘SFDC Lookup Gen – Active Directory Identities’ and run it manually, only once. This search runs over all time, collects all the AD user data, and builds the initial lookup for you.

2. Using the ‘ad_users.csv’ file once – If you are not collecting baseline data and do not plan to, follow this method.

First, collect all the AD user data once using the Get-ADUser PowerShell cmdlet and feed it to Splunk to build the initial lookup. Ensure that the Get-ADUser cmdlet is installed and execute the following PowerShell command from an Active Directory joined workstation with appropriate privileges (the -NoTypeInformation switch stops Windows PowerShell from writing a ‘#TYPE’ line above the CSV header, which Splunk would otherwise read as the header row):

Get-ADUser -Filter * -Properties * | Export-Csv -Path C:\ad_users.csv -NoTypeInformation

Once the ad_users.csv file is generated, you can upload it on the Splunk search head and assign appropriate permissions to make it accessible.

Locate the saved search ‘SFDC Lookup Gen – AD User Lookup Identities’ and run it manually, only once. This search takes the ad_users.csv file, applies some formatting and aggregation rules, and builds the initial lookup for you.

Note: Whichever way you choose to build the initial version of the windows_activedirectory_persons_for_salesforce lookup, it is maintained and updated afterwards by another saved search, ‘SFDC Lookup Update – Active Directory Identities’, which runs every 6 hours and looks for changes in AD user data reported by the admon input in the ActiveDirectory sourcetype.

Alerts and Reports

| Search Name | Scheduled Interval | Time Window | Severity | Alert Suppression Setting | Alert Suppression Fields |
|---|---|---|---|---|---|
| SFDC Alert – Access from Unknown Browser | 15th minute past the hour | Last 1 hour | Low | 24 Hours | User Id, src ip |
| SFDC Alert – Access to Unapproved Applications | 15th minute past the hour | Last 1 hour | High | 24 Hours | User Id, Application |
| SFDC Alert – Geographically Improbable Access | 30th minute past the hour | Last 1 hour | High | 4 Hours | User Id |
| SFDC Alert – Inactive HR and AD Users in Salesforce | 45th minute past the hour | Last 1 hour | Critical | 4 Hours | User Id |
| SFDC Alert – Failed Login from Inactive User | Every 15 minutes | Last 15 minutes | High | 1 Hour | User Id |
| SFDC Alert – Non-AD Users Logging Into Salesforce | Every 4 hours | Every 4 hours | High | 24 Hours | User Id, src |
| SFDC Alert – Security Controls Changes | 7 a.m. every day | Last 24 hours | Medium | N/A | N/A |
| SFDC Alert – Unusually High Number of Accesses to Report by User | 1 a.m. every day | Last 15 days | Medium | N/A | N/A |
| SFDC Alert – Unusually High Number of Unique Reports Accessed by User | 2 a.m. every day | Last 15 days | Medium | N/A | N/A |
| SFDC Alert – Unusually High Number of Users Accessing Report | 3 a.m. every day | Last 15 days | Medium | N/A | N/A |
| SFDC Alert – Unusually Large Report | 4 a.m. every day | Last 15 days | Medium | N/A | N/A |
| SFDC Alert – Unusually Large Report by User | 5 a.m. every day | Last 15 days | Medium | N/A | N/A |
| SFDC Alert – User Login During Off Hours | 7 a.m. every day | Last 24 hours | Low | N/A | N/A |
| SFDC Alert – User Permission Changes | 8 a.m. every day | Last 24 hours | Medium | N/A | N/A |
| SFDC Report – Login Distribution by Hour – Timezone Adjusted | N/A | Last 7 days | N/A | N/A | N/A |
| SFDC Report – Short Lived User | N/A | Last 30 days | N/A | N/A | N/A |
| SFDC Report – User Creation/Activation | N/A | Last 7 days | N/A | N/A | N/A |
| SFDC Lookup Gen – Active Directory Identities | N/A | N/A | N/A | N/A | N/A |
| SFDC Lookup Update – Active Directory Identities | Every 6 hours | Last 7 days | N/A | N/A | N/A |
| SFDC Lookup Gen – AD User Lookup Identities | N/A | N/A | N/A | N/A | N/A |

Knowledge Base

Dashboards

  • Security Overview Dashboards
    • Security Posture – This dashboard provides an overview of Salesforce activity that should be investigated and provides insight into login activity, report activity, and more. Relevant drilldowns are included on every panel to aid in your investigations. The default time range for the dashboard is the last 7 days.
    • Security Event Details – This dashboard is most commonly accessed through drilldowns on the Security Posture dashboard, but can also be used independently. It provides a table of triggered alerts with details on each and results can be filtered using the filtering inputs available on the top of the page. Drilldowns are included for every result to aid in your investigations.
    • Triggered Alerts – This dashboard provides an overview of all triggered alerts, not only security-focused alerts. A table of triggered alerts is provided as well as a visualization of triggered alerts over time. The default time range for the dashboard is the last 7 days.
  • Audit Dashboards
    • Audit Trail Overview – This dashboard provides an overview of SetupAuditTrail events within your Salesforce instance. You can gain insight into top events, trends by user, trends by section, and more. Drilldowns are enabled for all panels to help aid you in your investigations. The default time range for the dashboard is the last 7 days.
    • Audit Event Details – This dashboard provides a distraction-free way to investigate SetupAuditTrail events within your Salesforce instance. It features a single table containing relevant events and multiple inputs to filter results effectively. The drilldown is enabled on the table to assist you in your investigations. The default time range of the dashboard is the last 7 days.
    • Audit Trail by User – This dashboard provides detailed information about what users are doing within your Salesforce instance, including events from multiple sourcetypes. The main feature of the dashboard is a table that aggregates relevant events from multiple sourcetypes into a chronological list of events that allows you to essentially track what a user is doing. This table is especially useful when investigating potential fraud. This dashboard also provides insight into user logins, activity spikes, and more. The default time range for the dashboard is the last 24 hours.
    • Permission Changes by User – This dashboard provides a distraction-free way to investigate user permission changes resulting in permission escalations performed by Salesforce administrators. Multiple filters are available and the drilldown is enabled to aid in your investigations. The default time range for the dashboard is the last 7 days.
    • Security Controls Changes – This dashboard provides a distraction-free way to investigate security controls changes performed by Salesforce administrators. It offers insight into new users, 2FA account updates, permission set assignments, and more. Multiple filters are available and the drilldown is enabled to aid you in your investigations. The default time range for the dashboard is the last 7 days.
    • License Usage – This dashboard provides insight into Salesforce license information, as well as the users that the licenses are assigned to. Quickly view total licenses, used licenses, and available licenses for each license category, free licenses over time, active and inactive license users, last login dates for users, and more. Multiple filters are available and drilldowns are enabled to assist you in your investigations. The default time range of the dashboard is all time.
  • Data Loss Prevention Dashboards
    • User Forensics – This dashboard provides insight into user activity, specifically, user activity related to reports, dashboards, opportunities, document downloads, accounts, and more. Detailed information is provided for report exports by user, which can alert you to data theft within your organization. There are multiple filters available and drilldowns are enabled to assist you in your investigations. The default time range for the dashboard is the last 7 days.
    • Report Forensics – This dashboard provides an overview of report activity within your Salesforce instance. Detailed information is provided for report executions, report exports, and the users that are performing report activity. Multiple filters are available and drilldowns are enabled to assist you in your investigations. The default time range for the dashboard is the last 7 days.
  • User Intelligence Dashboards
    • User Logins – This dashboard provides detailed user login information for your Salesforce instance. It offers insight into user logins by geography, user, and source IP address, as well as providing details on locked accounts, password resets, password updates, and login distribution by hour. Multiple filters are available and drilldowns are enabled to assist in your investigations.

Reports

| Report Name | Overview | Description |
|---|---|---|
| SFDC Lookup Update – Active Directory Identities | Updates the identity KV store periodically. | This report is scheduled to run every 6 hours with a time range of the last 7 days to ensure accurate identity data. The search updates the identity KV store with the most recent Windows Active Directory user data. |
| SFDC Report – Short Lived User | Displays short-lived users in Salesforce. | This report displays short-lived accounts, which can be used for malicious purposes. The duration that defines a short-lived account is configured in the ‘short_lived_account_threshold’ macro. The default value is 1 hour. |
| SFDC Report – User Creation/Activation | Detects when a Salesforce user is created or activated/deactivated. | This report displays Salesforce users that were created or activated within the specified search time range. |
| SFDC Lookup Gen – AD User Lookup Identities | This search is intended to be executed once to create the identity lookup from the ad_users.csv file. | This report relies on the ad_users.csv lookup table and should be run once when initially configuring the application. The search creates the identity KV store that some other searches depend on. |
| SFDC Lookup Gen – Active Directory Identities | This search is intended to be executed once to create the identity lookup from Active Directory baseline data. | This report relies on baseline data collected in the “ActiveDirectory” sourcetype using the Splunk Add-on for Windows. It should be run once when initially configuring the application. The search creates the identity KV store that some other searches depend on. |

Alerts

| Alert Name | Overview | Description |
|---|---|---|
| SFDC Alert – Access from Unknown Browser | Detects logins to Salesforce when a user’s browser name is unknown. | This search analyzes the browsers used to log in to Salesforce. When an unknown browser is detected during a login, an alert is created for the event. Known browsers include: Chrome, Safari, Salesforce, Firefox, IE, Edge, Mobile Chrome, and Opera. Any browser not included in this list is considered unknown. |
| SFDC Alert – Access to Unapproved Applications | Detects access to unapproved applications by a Salesforce user. | This search relies on the ‘sfdc_unapproved_apps’ lookup and compares Salesforce application accesses against the lookup entries. An alert is created if an access to an unapproved application is detected. |
| SFDC Alert – Failed Login from Inactive User | Detects failed login attempts to Salesforce when the user’s status is inactive. | This search creates an alert if an inactive Salesforce user attempts to log in to Salesforce. |
| SFDC Alert – Geographically Improbable Access | Detects access to Salesforce from locations that are suspicious or improbable. | This search creates an alert if a Salesforce user logs in to Salesforce from a location that is suspicious or improbable compared to previous login locations. |
| SFDC Alert – Inactive HR and AD Users in Salesforce | Detects access to Salesforce from a user whose status is inactive in Active Directory or the organization’s HR platform. | This search creates an alert if a Salesforce user logs into Salesforce but is inactive in either the identity KV store or the ‘org_hr_data_for_salesforce’ lookup. |
| SFDC Alert – Non-AD Users Logging Into Salesforce | Detects Salesforce logins by users who are not present in Active Directory. | This search creates an alert if a Salesforce user logs in to Salesforce but is not present in the identity KV store. The alert needs some tuning in a production environment to filter out local admin and integration/service accounts of Salesforce. |
| SFDC Alert – Security Controls Changes | Detects changes to Salesforce security controls. | This search creates an alert if a Salesforce administrator for your organization creates or updates security controls, such as a user’s 2FA status. |
| SFDC Alert – Unusually High Number of Accesses to Report by User | Detects an unusually high number of accesses to a single Salesforce report by a user. | This search creates an alert if an unusually high number of accesses to a single Salesforce report by a user is detected. The baseline average is built from the last 15 days of report accesses, and an alert is triggered when the observed count deviates from that baseline by more than 2 standard deviations (+/- 2). |
| SFDC Alert – Unusually High Number of Unique Reports Accessed by User | Detects a high number of distinct Salesforce reports accessed by a user. | This search creates an alert if an unusually high number of distinct reports are accessed by a user. The baseline average is built from the last 15 days of report accesses, and an alert is triggered when the observed count deviates from that baseline by more than 2 standard deviations (+/- 2). |
| SFDC Alert – Unusually High Number of Users Accessing Report | Detects an unusually high number of users accessing a single report. | This search creates an alert if an unusually high number of users access a single, distinct report. The baseline average is built from the last 15 days of report accesses, and an alert is triggered when the observed count deviates from that baseline by more than 2 standard deviations (+/- 2). |
| SFDC Alert – Unusually Large Report | Detects when an unusually large report is accessed or exported. | This search creates an alert if an unusually large report is accessed or exported. The baseline average report size is built from the last 15 days of accessed report sizes, and an alert is triggered when the size of an accessed report deviates from that baseline by more than 2 standard deviations (+/- 2). |
| SFDC Alert – Unusually Large Report by User | Detects when a user accesses or exports an unusually large report. | This search creates an alert if a user accesses or exports an unusually large report. The baseline average report size is built from the last 15 days of accessed report sizes, and an alert is triggered when the size of an accessed report deviates from that baseline by more than 2 standard deviations (+/- 2). |
| SFDC Alert – User Login During Off Hours | Detects Salesforce logins from users outside business hours. | This search creates an alert if a user logs in to Salesforce outside normal business hours. |
| SFDC Alert – User Permission Changes | Detects changes to a Salesforce user’s permissions. | This search creates an alert if an update to user permissions is detected, specifically if the permission update is considered an escalation. |
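The five ‘Unusually …’ alerts above share one mechanism: a 15-day baseline and a 2-standard-deviation threshold. The Python below is an added example, not the app’s SPL, that reproduces that mechanism for one user’s daily access counts to one report, tests only the upper tail (these alerts look for unusually high activity), and handles the degenerate case that stdev-based alerts often miss: a perfectly flat baseline has a standard deviation of 0, so any increase at all would otherwise trigger. The daily counts and the minimum-increase floor are constructed for this example.

```python
from statistics import mean, pstdev   # population stdev, as SPL's stdevp computes

BASELINE_DAYS = 15
SIGMA = 2.0
MIN_ABS_INCREASE = 5   # assumed floor used only when the baseline is flat; tune per org


def baseline_stats(history):
    """Mean and population standard deviation of the most recent BASELINE_DAYS counts."""
    window = history[-BASELINE_DAYS:]
    return mean(window), pstdev(window)


def is_unusually_high(history, today, sigma=SIGMA, min_increase=MIN_ABS_INCREASE):
    """True when today's count sits more than `sigma` standard deviations above the
    baseline mean. `history` holds the daily counts of the baseline period, most
    recent last. With fewer than BASELINE_DAYS days of history the baseline is not
    trusted. When every baseline day is identical, stdev is 0 and any increase
    would pass a sigma test, so a minimum absolute increase is required instead."""
    if len(history) < BASELINE_DAYS:
        return False
    mu, sd = baseline_stats(history)
    if sd == 0:
        return today - mu >= min_increase
    return (today - mu) / sd > sigma


def explain(history, today):
    """Human-readable line for the alert's results table."""
    mu, sd = baseline_stats(history)
    return (f"today={today} baseline_mean={mu:.2f} baseline_stdev={sd:.2f} "
            f"unusual={is_unusually_high(history, today)}")


# Constructed: one user's daily access counts to one report over the last 15 days.
ALICE_HISTORY = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 2, 4]   # mean 3.4, stdev ~0.95
FLAT_HISTORY = [1] * BASELINE_DAYS                              # stdev exactly 0

if __name__ == "__main__":
    for label, hist, today in (("alice normal day", ALICE_HISTORY, 5),
                               ("alice spike", ALICE_HISTORY, 6),
                               ("flat baseline, +1", FLAT_HISTORY, 2),
                               ("flat baseline, +5", FLAT_HISTORY, 6)):
        print(f"{label}: {explain(hist, today)}")
```

Five accesses on a day where Alice averages 3.4 is within two standard deviations and stays quiet; six crosses the line. On the flat baseline, two accesses after fifteen days of one is not an alert, because the minimum-increase floor replaces the meaningless zero-stdev test.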

Lookups

sfdc_unapproved_apps – This lookup table contains a list of unapproved apps. A list of Salesforce application integrations is found here. Consult your Salesforce administrator and update this lookup before enabling the alert for ‘Access to Unapproved Applications’.

sfdc_logfile_eventtypes – This lookup table contains the special event type definitions used by the ‘Audit Trail Summary’ table on the ‘Audit Trail by User’ dashboard.

org_hr_data_for_salesforce – This lookup table contains the organization specific HR employee data required for some searches and must be provided by your organization. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

ad_users – This lookup table is the initial Windows Active Directory user data that the identity KV store is created from. This lookup must be provided by your organization for dependent searches to function properly. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

sfdc_identity_tz – This lookup table contains the time zones and time zone offsets (in seconds) for every Salesforce user in your organization. This lookup must be provided by your organization for dependent searches to function properly. Please refer to ‘Post Install Configuration’ for details on creating this lookup.

sfdc_ip_list – This lookup table contains a list of Salesforce server IP addresses used to filter out false-positives.

sfdc_logfile_request_status_lookup – This lookup table contains request status mappings for Salesforce events.

sfdc_renderingtypes – This lookup table contains Salesforce report rendering type mappings, such as Email, Excel, CSV, etc.

Macros

AuditTrailEventTypeFilter – This macro is used to filter relevant events for the Audit Trail searches.

convert_time_to_string(2) – This macro is used in some searches to manage complex time to string conversions.

exclude_svc_account – This macro is used to exclude the service account’s events from search results. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

get_salesforce_index – This macro is used in searches that query the index containing your organization’s Salesforce data. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

include_user_category – This macro is used to include the user category ‘Standard’ in searches involving Active Directory queries.

privilege_escalation_filter – This macro is used to filter relevant events for permission changes searches.

security_control_changes_filter – This macro is used to filter relevant events for security controls searches.

short_lived_account_threshold – This macro contains the time threshold in seconds that defines a short-lived user. Please refer to ‘Post Install Configuration’ to learn how to configure this macro for your organization.

FAQs

Troubleshooting

Release Notes

Release 1.0.0

Known Issues:

  • Some Salesforce Reports arrive with a null REPORT_NAME field in the Splunk event, which can cause problems in search queries, especially in panels that aggregate on report name. To mitigate this, many search queries use and display the Report ID instead of the Report Name.

Need Assistance?

If you need assistance with the Aditum Salesforce Security App in any way, feel free to reach out to us.
