Investigate Guest User Anomalies
It's often necessary to further investigate a guest user anomaly to determine if a data breach occurred or to rule it out as benign.
Required Editions
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions. Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
As a Shield customer, you can use the Real-Time Event Monitoring events to get the information required to perform your investigation and ensure your data is secure. In particular:
- GuestUserAnomalyEvent and its storage equivalent GuestUserAnomalyEventStore. These objects help detect data access anomalies caused by guest user permission misconfiguration, and they are the starting point of your investigation.
For example, say that your org receives a GuestUserAnomalyEvent that indicates a potential anomaly in a guest user’s data access attempt. The first thing you do is look at relevant fields of the event to get basic information about the anomaly, such as:
| Field | Description |
|---|---|
| RequestedEntities | Objects that are queried by the guest user. For example: |
| Score | Specifies how significantly the guest user's behavior deviates from that of other guest users. It’s formatted as a number between 0 and 1. A higher score means a greater deviation. |
| SoqlCommands | SOQL commands run by the guest user. For example: |
| Summary | A text summary of the threat that caused this event to be created. The summary lists the browser fingerprint features that most contributed to the threat detection along with their contribution to the total score. For example: |
| TotalControllerEvents | The number of times controllers were triggered. |
| UserAgent | User Agent for this event. For example: |
See the API Documentation for a full list of fields.
Now that you have the data, you can investigate further.
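One way to order a batch of these events for review, shown as an added example that is not Salesforce code: it ranks records by Score, sets aside any whose Score falls outside the documented 0 to 1 range, and groups by UserAgent. The field names come from the table above; the sample rows, the 0.8 threshold, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows shaped like GuestUserAnomalyEventStore records.
# Field names are from the table above; every value is made up.
SAMPLE_EVENTS = [
    {"Score": 0.93, "TotalControllerEvents": 412,
     "UserAgent": "ua-constructed-A", "Summary": "constructed summary 1"},
    {"Score": 0.41, "TotalControllerEvents": 7,
     "UserAgent": "ua-constructed-B", "Summary": "constructed summary 2"},
    {"Score": 0.88, "TotalControllerEvents": 150,
     "UserAgent": "ua-constructed-A", "Summary": "constructed summary 3"},
    {"Score": 1.7, "TotalControllerEvents": 3,
     "UserAgent": "ua-constructed-C", "Summary": "constructed, bad score"},
]
REVIEW_THRESHOLD = 0.8  # assumption: choose a cut-off that suits your org


def triage(events, threshold=REVIEW_THRESHOLD):
    """Split events into (to_review, deferred, rejected).

    Score is documented as a number between 0 and 1, so a value that is
    missing, non-numeric, or out of range is rejected rather than ranked.
    """
    to_review, deferred, rejected = [], [], []
    for ev in events:
        score = ev.get("Score")
        numeric = isinstance(score, (int, float)) and not isinstance(score, bool)
        if not numeric or not 0 <= score <= 1:
            rejected.append(ev)
        elif score >= threshold:
            to_review.append(ev)
        else:
            deferred.append(ev)
    # Greatest deviation first; ties broken by controller activity.
    to_review.sort(
        key=lambda e: (e["Score"], e.get("TotalControllerEvents", 0)),
        reverse=True,
    )
    return to_review, deferred, rejected


def by_user_agent(events):
    """Group events by UserAgent so repeated clients stand out."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.get("UserAgent", "<missing>")].append(ev)
    return dict(groups)
```
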

