View downloaded Salesforce report activity in Incydr

Overview

Incydr helps protect your Salesforce data from unwanted exfiltration in two ways:

  1. By monitoring corporate devices for files acquired from Salesforce, then alerting you if those files move to untrusted locations.
  2. Via a data connection between Incydr and Salesforce to detect when reports are downloaded to personal devices.

This article describes how to identify Salesforce exfiltration activity in Incydr dashboards, user profiles, alerts, and Forensic Search.

Salesforce exfiltration risk indicators

Salesforce exfiltration file events include one of the following risk indicators:

  • Acquired from Salesforce: Indicates the file was acquired from Salesforce and later moved to an untrusted destination.
  • Download to unmonitored device from corporate Salesforce (requires a Salesforce data connection): Indicates a report was exported from Salesforce to an endpoint that is not running the insider risk agent. This may indicate the report was downloaded to a personal device.

Incydr highlights these risk indicators in many places, including in alerts, dashboards, and Forensic Search. See below for more details about how to identify Salesforce exfiltration throughout Incydr.

Identify Salesforce exfiltration

Alerts

To receive proactive notifications about Salesforce activity, create Incydr alerts:

  1. In the Incydr console, go to Alerts > Manage Rules.
  2. Create two alerts:
    1. In the Recommended rules section, select Salesforce report exfiltration and complete the setup steps. This alert identifies when a file acquired from Salesforce is moved to an untrusted location.
    2. Click Create rule to add a second rule. Select Destination > External devices > Download to unmonitored device from corporate Salesforce and complete the setup steps. This alert identifies when a Salesforce report is exported to a personal device (requires the Salesforce data connection).

For more details, see the Alerts section below.

Search by risk indicator

There are several ways to search for file events with specific risk indicators.

Data movement dashboard

  1. In the Incydr console, go to Dashboards > Exfiltration.
  2. Review the Data movement graph for Salesforce activity. Look for the source "Acquired from Salesforce" and/or the destination "Download to unmonitored device from corporate Salesforce". You may need to click Show filters and select Salesforce risk indicators if they are not initially visible.
  3. Hover over any data flow for more details. Click any item to view all the file event details in Forensic Search.

Forensic Search

  1. In the Incydr console, go to Forensic Search > Search.
  2. Create the following search:
    • Filter: Risk indicator
    • Operator: includes any
    • Value: Acquired from Salesforce and Download to unmonitored device from corporate Salesforce
  3. (Optional) Click the plus icon to further refine the search criteria (for example, add specific users or watchlists).
  4. Click Search and review the results.

Forensic Search query for Salesforce risk indicators

For more details, see the Forensic Search section below.

Search by user

  1. Go to User Activity > All users.
  2. Search for any user.
  3. Review the risk indicator columns for Salesforce activity.

Salesforce downloads in the All users list

In the example above, the risk indicator shows that Jim Harper downloaded a report from Salesforce to a device that is not monitored by Incydr. To view more information, click View event details to open Jim's User file activity.

User file activity

To view more information about activity associated with Salesforce report downloads on either dashboards or the All users list, click View event details. From there, click Filter to show only the files involved in Salesforce download activity, and click Investigate in Forensic Search to view more information about those exported reports.

Salesforce downloads in User file activity

Alerts

Use Incydr Alerts to build rules that notify you when activity that matches the rule's criteria occurs. When the rule is triggered, view the resulting alert notifications for more details about that activity and to investigate further.

Build rules to proactively notify you of Salesforce downloads

Incydr allows you to build alert rules that proactively notify you when Salesforce report download activity is detected. You can use the tools in Manage Rules to build these rules in different ways.

  • Use the Destination alert rule settings to detect Salesforce report downloads to untrusted devices. Select Download to unmonitored device from corporate Salesforce to monitor for this activity.

    To best focus investigations resulting from these alerts, this rule setting only notifies you about Salesforce reports that have been downloaded to personal devices that are not monitored by Incydr. Reports downloaded to trusted devices that are monitored by Incydr are filtered out. However, you can use Forensic Search to search for all Salesforce report download activity regardless of where it occurs.

    You can combine the Destinations settings with other settings to customize alerts that work for your environment and organizational needs.

  • Use the Salesforce report exfiltration recommended rule template to get up and running quickly with a rule that detects Salesforce report exfiltration.

    When activity relating to a file acquired from Salesforce is detected (regardless of whether it occurs on trusted or unmonitored devices), Incydr generates an alert notification.

    You can simply create the rule from this recommended rule template as it is "out of the box" or you can combine it with other rule settings to customize it for your organization's needs.

View alert notifications generated by Salesforce download activity

When the Salesforce download activity that matches alert rule settings is detected, Incydr displays information about that activity in the Review Alerts list and optionally sends an email with those details to the users you specify. Click any of the notifications in the Review Alerts list to view more details about that event.

Salesforce downloads in alert notifications

Use the controls in these details to perform these actions:

  • Click Investigate in Forensic Search to view more information about the activity in Forensic Search.
  • Click Send email to create an email from a template requesting more information from the user causing the activity.
  • After your investigation is complete, click Dismiss alert to close the alert and remove it from the list of currently active alerts.
  • During an investigation, select the Status for the notification: Open, In progress, Pending response, or Dismissed.
  • Use the Notes field to add or update any notes that provide additional context to your investigation.

Forensic Search

The Investigate in Forensic Search buttons on the Risk Exposure dashboard and in alert notifications automatically create the search for you in Forensic Search to locate the files involved in event activity. You can examine these search terms to help craft searches that locate Salesforce report downloads, or you can create your own searches for investigations.

Search for Salesforce downloads to unmonitored devices

To build a search in Forensic Search for Salesforce report downloads to devices that are not monitored by Incydr, use the Download to unmonitored device from corporate Salesforce risk indicator filter. Adjust the date filters and add other filters to this search as needed to further narrow down the results.

Salesforce downloads to unmonitored devices in Forensic Search

When the results appear, click View details to view more information about the file involved in the event.

Search for Salesforce downloads to any device

To help you focus on possible exfiltration, Incydr automatically filters the Risk Exposure dashboard and alert notification to show only Salesforce reports that have been downloaded to devices that are not monitored by Incydr. However, you can always view all Salesforce report download events in Forensic Search, even for events occurring on devices that Incydr monitors.

To create a search that shows all Salesforce report download events:

  • Adjust the date filter as needed to narrow your search to a specific timeframe.
  • Select the Event observer filter, the Includes any operator, and a value of Salesforce.
  • Add a Trusted activity event filter, then use the Value to control what you want to view.
    • Select Include to list the Salesforce reports that have been downloaded to trusted devices (that is, those that are monitored by Incydr).
    • Select Exclude to list reports that have been downloaded to untrusted devices, such as personal computers that are not monitored by Incydr.
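To make the searches above concrete, the following is an added Python example (not Code42's code) that applies the same criteria to constructed sample events: the risk-indicator search, the Event observer = Salesforce search with the Trusted activity filter set to Include or Exclude, and the saved-versus-ad-hoc distinction from the event details. The record shape and field names are assumptions, not the Incydr event schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Risk indicator labels exactly as this article names them.
ACQUIRED = "Acquired from Salesforce"
UNMONITORED = "Download to unmonitored device from corporate Salesforce"
SALESFORCE_INDICATORS = {ACQUIRED, UNMONITORED}


@dataclass
class FileEvent:
    """Constructed, minimal stand-in for an Incydr file event (field names assumed)."""
    event_id: str
    user: str
    event_observer: str                 # "Salesforce" for report-export events
    trusted: bool                       # True when the activity occurred on a monitored device
    risk_indicators: Set[str] = field(default_factory=set)
    report_id: Optional[str] = None     # saved reports carry an ID; ad hoc reports do not


def risk_indicator_includes_any(events: List[FileEvent], indicators=SALESFORCE_INDICATORS):
    """Filter: Risk indicator / Operator: includes any / Value: both Salesforce indicators."""
    return [e for e in events if e.risk_indicators & set(indicators)]


def salesforce_downloads(events: List[FileEvent], trusted_filter: Optional[str] = None):
    """Event observer = Salesforce. trusted_filter: None = any device,
    'include' = trusted (monitored) devices only, 'exclude' = untrusted devices only."""
    out = [e for e in events if e.event_observer == "Salesforce"]
    if trusted_filter == "include":
        out = [e for e in out if e.trusted]
    elif trusted_filter == "exclude":
        out = [e for e in out if not e.trusted]
    return out


def report_kind(e: FileEvent) -> str:
    """Saved reports include a Report ID in the event details; ad hoc reports do not."""
    return "saved" if e.report_id else "ad hoc"


# Constructed sample events. Only the export to an unmonitored device carries the
# UNMONITORED indicator; the export to a trusted device is visible only via Event observer.
SAMPLE_EVENTS = [
    FileEvent("e1", "jim.harper", "Salesforce", False, {UNMONITORED}, "REPORT-ID-PLACEHOLDER"),
    FileEvent("e2", "ana.lee", "Salesforce", True, set(), None),
    FileEvent("e3", "jim.harper", "Endpoint", True, {ACQUIRED}, None),
    FileEvent("e4", "sam.ng", "Endpoint", True, set(), None),
]
```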

Searching for Salesforce downloads to trusted or untrusted devices in Forensic Search

Event details in Forensic Search

For any result listed in the Forensic Search table, click View details to view the file event metadata collected about that activity. Details about Salesforce report downloads appear in the Risk, Event, File, and Report sections of the event details. The most important details that you'll use during your investigations of these events are described below.

Filenames for Salesforce report downloads are predicted

When Incydr detects that a report has been exported from Salesforce, it predicts a filename for the downloaded report based on Salesforce defaults. This predicted filename appears under the File section in the event details.

Filename details in Forensic Search

Salesforce report details in Forensic Search

Incydr lists information about an exported report under the Salesforce reports section of the event details. You can use these details to directly identify and view a saved report or recreate an ad hoc report to see the data it may have contained. The fields in this section vary depending on whether the report is a saved or an ad hoc report; the example below shows the fields listed for a saved report.

Report details in Forensic Search

Saved reports

For saved reports, pay close attention to these fields in the Salesforce reports section:

  • Report name: The name selected when the report was originally saved.
  • Report description: The description entered when the report was originally saved (if any), which can provide context regarding the data the report contains.
  • Report ID: The ID that Salesforce assigned to the report when it was generated. You can search Salesforce using this ID to locate and view the exact report that was generated and downloaded.

Ad hoc reports

Due to their temporary nature, ad hoc reports do not include a report description or ID. Instead, you can use these fields to recreate the report and view the data it may have contained.

  • Report name: The Report Type the user selected in Salesforce when choosing what report to generate. To recreate the report in Salesforce, open the Report Builder and select this same report type.
  • Report column headers: The columns that the user selected in Salesforce when building the report. Select these same columns in Salesforce to view the data that the report contained.
  • Number of rows: Use this total to determine whether the report you recreate contains the same amount of data as the report the user generated and exported. Remember that Salesforce restricts data access by user permissions, so you may need to log in as a user with similar permissions to accurately identify the information included in the exported ad hoc report.
