          Detection Event Is Definitely Anomalous but Maybe Not Malicious

          Alice is a sales rep based in St. Louis. She’s often on the road to meet with clients. When she travels, she generally, but not consistently, uses her company’s VPN to log in to Salesforce.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.

          Available in: Enterprise, Unlimited, and Developer Editions

          Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

          On July 27, 2015, Alice’s account was used to generate a report from an IP address that had rarely been seen for her before. Bob, the administrator for Alice’s org, noticed a ReportAnomalyEvent for this report generation activity. The event contained this information.

          ReportAnomalyEvent field    Value
          Score                       95.0158
          SourceIp                    96.43.144.27
          EventDate                   2015-07-27T07:45:07.192Z
          UserId                      00530000009M944
          Report                      00OD0000001leVCMAY
          SecurityEventData           (see next table)

          The SecurityEventData field contained this information.

          featureName         featureValue     featureContribution
          autonomousSystem    Softbank Corp    73.4%
          rowCount            50876            15.6%
          userAgent           -                9.9%
          numberFilters       11               0.81%
          periodOfDay         Night            0.21%

          Bob notices that the autonomous system (derived from the source IP address) is the top-ranked feature, with a 73.4% feature contribution. A contribution this high means the autonomous system is the main reason the event scored as anomalous: Alice rarely, if ever, uses this network. Bob also notices that the report has around 50k rows, which is not small for this org. Bob then uses the UserId to identify the user as Alice. By querying the ReportEvent events for that UserId, Bob sees that Alice typically generates reports containing 1,000–10,000 rows, although on rare occasions she has generated reports with more than 50k rows. The userAgent has a smaller feature contribution, which could be explained by Alice using her mobile device less when she travels. The numberFilters and periodOfDay features contribute less than 1% each, so they do not explain the anomaly and Bob sets them aside.

          Because Alice rarely uses this autonomous system and the report is larger than what she typically generates, Bob concludes that this report generation falls outside her typical activity. However, an anomalous event is not automatically a malicious one: Bob cannot yet tell whether Alice generated the report herself while traveling or whether an attacker did so with her credentials. Before taking any threat mitigation action, he gathers more information about the incident, for example by confirming with Alice directly and checking whether logins from the same IP address appear in her login history.
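          The triage Bob performs by hand can be scripted so that every ReportAnomalyEvent is ranked the same way. The following is an added example and not Salesforce code or part of this article: it decodes the SecurityEventData features, ranks them by contribution, and compares the event's rowCount against the user's ReportEvent history. The event record is constructed from the values on this page; the assumption that SecurityEventData decodes to a JSON array of featureName/featureValue/featureContribution objects, the RowsProcessed history for the user, and the 5% materiality and 90th-percentile thresholds are all illustrative choices, not documented Salesforce behaviour.

```python
"""Triage a ReportAnomalyEvent the way the article's administrator does.

Added example, not Salesforce code. ANOMALY is constructed from the values
on this page; SecurityEventData is assumed (assumption) to decode to a JSON
array of {featureName, featureValue, featureContribution} objects. HISTORY_ROWS
is constructed sample data standing in for the user's ReportEvent history.
"""
import json
from statistics import median

# Constructed from the page's example event. The field names follow the page;
# the dict shape (as a SOQL result would be flattened) is an assumption.
ANOMALY = {
    "Score": 95.0158,
    "SourceIp": "96.43.144.27",
    "EventDate": "2015-07-27T07:45:07.192Z",
    "UserId": "00530000009M944",
    "Report": "00OD0000001leVCMAY",
    "SecurityEventData": json.dumps([
        {"featureName": "autonomousSystem", "featureValue": "Softbank Corp", "featureContribution": "73.4%"},
        {"featureName": "rowCount", "featureValue": "50876", "featureContribution": "15.6%"},
        {"featureName": "userAgent", "featureValue": "-", "featureContribution": "9.9%"},
        {"featureName": "numberFilters", "featureValue": "11", "featureContribution": "0.81%"},
        {"featureName": "periodOfDay", "featureValue": "Night", "featureContribution": "0.21%"},
    ]),
}

# Constructed RowsProcessed values from the same user's past ReportEvent records:
# usually 1k-10k rows, with a rare report above 50k, as the article describes.
HISTORY_ROWS = [1200, 2500, 4800, 9900, 3100, 7600, 1500, 52000, 6200, 2200, 8800, 4100]


def parse_features(security_event_data: str) -> list[dict]:
    """Decode SecurityEventData and sort features by contribution, highest first."""
    feats = json.loads(security_event_data)
    for f in feats:
        # Contribution arrives as a percentage string such as "73.4%".
        f["contribution"] = float(f["featureContribution"].rstrip("% "))
    return sorted(feats, key=lambda f: f["contribution"], reverse=True)


def row_count_percentile(row_count: int, history: list[int]) -> float:
    """Fraction of the user's past reports that were no larger than row_count."""
    if not history:
        return 0.0
    return sum(1 for r in history if r <= row_count) / len(history)


def triage(event: dict, history: list[int], min_contribution: float = 5.0) -> dict:
    """Summarise why the event scored anomalous and how unusual the row count is.

    Features below min_contribution (assumed 5%) are treated as noise, which
    matches the article setting aside numberFilters and periodOfDay.
    """
    feats = parse_features(event["SecurityEventData"])
    top = feats[0]
    material = [f["featureName"] for f in feats if f["contribution"] >= min_contribution]
    rows = next((int(f["featureValue"]) for f in feats if f["featureName"] == "rowCount"), None)
    pct = row_count_percentile(rows, history) if rows is not None else None
    return {
        "user": event["UserId"],
        "report": event["Report"],
        "top_feature": top["featureName"],
        "top_value": top["featureValue"],
        "material_features": material,
        "row_count": rows,
        "row_count_percentile": pct,
        # Assumed threshold: flag the size only if it beats 90% of past reports.
        "row_count_unusual": pct is not None and pct >= 0.9,
        "median_rows": median(history) if history else None,
    }


if __name__ == "__main__":
    summary = triage(ANOMALY, HISTORY_ROWS)
    for key, value in summary.items():
        print(f"{key:22} {value}")
```

          The output reproduces Bob's reading of the event: autonomousSystem is the top feature, only autonomousSystem, rowCount and userAgent are material, and a 50,876-row report sits above roughly 92% of this user's past reports (median about 4,450 rows). None of that says who ran the report; it only tells the analyst where to look next.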
