
Summary
The Salesforce API Anomaly Detection rule monitors API activity in real time, detecting anomalies that may indicate compromised credentials or automated abuse. The rule evaluates incoming API calls with a scoring mechanism and triggers alerts when activity deviates from established patterns. Notable anomalies include high query volumes, atypical access times, geolocation mismatches, and large data extractions. The detection framework integrates Salesforce's Event Monitoring capabilities and issues alerts categorized by severity (including medium and critical), enabling incident response workflows. Key response measures include reviewing user activity logs, evaluating session integrity, validating source IP addresses, and rotating user credentials when warranted. The rule is in an experimental state, and a detailed runbook guides analysts through the investigative process.
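To make the scoring idea concrete, the following is an added illustration (not the rule's own code, and not Salesforce's) that scores constructed API events for the four signals named above and maps the score to a severity. The event fields, per-user baselines, signal weights and severity cut-offs are all assumed values chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Salesforce-style API events (sample data, not real logs).
EVENTS = [
    {"user": "alice", "ts": "2026-01-23T10:05:00", "country": "US", "rows": 150},
    {"user": "alice", "ts": "2026-01-23T10:06:00", "country": "US", "rows": 90},
    {"user": "bob", "ts": "2026-01-23T03:12:00", "country": "DE", "rows": 250000},
    {"user": "bob", "ts": "2026-01-23T03:12:20", "country": "DE", "rows": 240000},
    {"user": "bob", "ts": "2026-01-23T03:12:40", "country": "DE", "rows": 260000},
]

# Assumed per-user baselines; in practice these are derived from historical activity.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": range(8, 19), "max_rows": 1000, "calls_per_min": 2},
    "bob": {"countries": {"US"}, "hours": range(8, 19), "max_rows": 1000, "calls_per_min": 2},
}

# Signal weights and severity cut-offs are illustrative assumptions, not the rule's values.
WEIGHTS = {"high_volume": 2, "off_hours": 1, "geo_mismatch": 3, "bulk_extract": 3}
SEVERITY = [(6, "critical"), (3, "medium")]


def score_user(user, events, baseline=BASELINE):
    """Score one user's events; returns (score, sorted signal names, severity or None)."""
    b = baseline[user]
    mine = [e for e in events if e["user"] == user]
    signals = set()
    per_minute = defaultdict(int)  # call count per calendar minute
    for e in mine:
        t = datetime.fromisoformat(e["ts"])
        per_minute[t.replace(second=0)] += 1
        if t.hour not in b["hours"]:          # atypical access time
            signals.add("off_hours")
        if e["country"] not in b["countries"]:  # geolocation mismatch
            signals.add("geo_mismatch")
        if e["rows"] > b["max_rows"]:         # large data extraction
            signals.add("bulk_extract")
    if per_minute and max(per_minute.values()) > b["calls_per_min"]:  # high query volume
        signals.add("high_volume")
    score = sum(WEIGHTS[s] for s in signals)
    severity = next((name for cutoff, name in SEVERITY if score >= cutoff), None)
    return score, sorted(signals), severity


if __name__ == "__main__":
    for user in BASELINE:
        print(user, score_user(user, EVENTS))
```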
Categories
- Cloud
- Application
- Network
Data Sources
- Web Credential
- Network Traffic
- User Account
ATT&CK Techniques
- T1078
- T1110
- T1530
- T1567
Created: 2026-01-23