Threat Detection
Threat Detection uses statistical and machine learning methods to detect threats to your Salesforce org. While Salesforce identifies these threats for all Salesforce customers, you can view the information in the events with Threat Detection in Event Monitoring and investigate further if necessary. Threat Detection events do not count towards standard object storage limits.
| Required Editions |
|---|
| Available in both Salesforce Classic (not available in all orgs) and Lightning Experience. |
| Available in: Enterprise, Performance, and Unlimited Editions. Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions. |
Threat Detection identifies:
- If a user session is hijacked
- When large-scale automated login requests use stolen user credentials to gain access to Salesforce
- Anomalies in a user's report views or exports
- Anomalies in how users make API calls
- Anomalies in guest user activity
- Anomalies in login attempts
Respond to Detected Threat Events
Use Threat Detection to plan and implement appropriate responses that keep your data safe. When we detect anomalous activity, the resulting Threat Detection events are compatible with transaction security policies and flows.
| Response Method | Description |
|---|---|
| Use Transaction Security Policies to Monitor Threats | Create a transaction security policy on the Threat Detection events that generates an email or in-app notification when Salesforce detects a threat. After investigating the detected threat, consider creating a second policy that controls users' behavior. For example, you receive multiple ReportAnomalyEvents about a user who exported many more records from a Leads report than usual. Because you created a transaction security policy on ReportAnomalyEventStore, you receive a notification each time this anomaly occurs. To further protect the Lead object, you can create a ReportEvent policy on the report that blocks users from exporting more than 10 rows. |
| Automate Responses with Platform Event-Triggered Flows | You can build flows to respond to anomalies detected on the ApiAnomalyEvent, CredentialStuffingEvent, ReportAnomalyEvent, and SessionHijackingEvent. For example, create flows that generate a case for a follow-up investigation, send an email to a security specialist, or deactivate an affected user pending further investigation. |
| Aggregate Detected Threats with Security Center | You can save time by aggregating information on detected threats across your entire Salesforce rollout in one place with the Threat Detection app in Security Center. For more information, see Review Threat Detection Events. |
- Session Hijacking
Session hijacking is an attack on the client side in which an attacker tries to steal information by using a client's authenticated access to a web application, in this case Salesforce. When a client successfully authenticates with Salesforce, they receive a session token. The attacker tries to hijack the client's session by obtaining that session token.
- Credential Stuffing
Credential stuffing is a cyber attack that uses stolen account credentials. Attackers obtain large numbers of username and password pairs through data breaches (the leaked data sets are often called "credential spills") or other attacks. They then replay these pairs in large-scale automated login requests against a web application such as Salesforce to gain unauthorized access to user accounts. It is related to, but distinct from, "password spraying", which tries a few common passwords against many accounts rather than replaying known pairs.
- Report Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in Salesforce Core application logs about report generation and surrounding activities to build a baseline model of that user's historical activity. We then compare any new report generation activity against this baseline to determine whether the new activity is sufficiently different to be called an anomaly. We don't look at the actual data that a user interacts with; we look at how the user interacts with the data.
- API Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in Salesforce Core application logs about API calls and surrounding activities to build a baseline model of that user's historical activity. We then compare any new API activity against this baseline to determine whether the new activity is sufficiently different to be called an anomaly. We don't look at the actual data that a user interacts with; we look at how the user interacts with the data.
- Guest User Anomaly
An anomaly is any guest user activity that is sufficiently different from that of other guest users. We use the metadata in Salesforce Core application logs to build profiles representing guest users' data access activities. This threat detection event identifies suspicious attempts by guest users to access organization data.
- View Threat Detection Events and Provide Feedback
Launch the Threat Detection app and view all the detected threats that occurred in your Salesforce org. Threats include anomalies in how users run reports, session hijacking attempts, and credential stuffing. Use the same app to provide feedback about the severity of a specific threat.
- Login Anomaly
An anomalous login is a potential attacker attempting to gain unauthorized access to a legitimate user's account. This threat detection event identifies login attempts that deviate significantly from a user's typical login behavior, such as unusual times of day, unfamiliar devices (endpoints), or unexpected locations. Detecting these anomalies early is critical because a successful login is often the first step in broader malicious activity such as data exfiltration or the launch of malware and phishing campaigns.
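The baseline comparison described under Report Anomaly and API Anomaly, as an added illustration that is not Salesforce's own model or code: it builds a per-user baseline from constructed sample export records, scores a new export with a robust z-score (median and median absolute deviation, MAD), and refuses a verdict when a user has too little history. The `MIN_HISTORY` and `FLAG_THRESHOLD` values, the `ReportExport` record shape and every sample record are assumptions made for this example; Salesforce's real models use far more features than a row count.

```python
"""Per-user baseline check for report export volume.

Added illustration only: Salesforce's Threat Detection models are
proprietary and use far more features than a row count. This shows the
idea stated above: learn each user's own history, then compare a new
event against that baseline and flag large deviations. Every record
below is constructed sample data, not real Event Monitoring output.
"""
from dataclasses import dataclass
from statistics import median

MIN_HISTORY = 5       # assumption: no verdict for users with fewer past exports
FLAG_THRESHOLD = 6.0  # assumption: robust z-score above which an export is flagged
MAD_SCALE = 1.4826    # makes MAD comparable to a standard deviation for normal data


@dataclass(frozen=True)
class ReportExport:
    """One report export as it might be summarised from a ReportEvent (assumed shape)."""
    user: str
    report: str
    rows: int


# Constructed history. 'ana' exports small reports; 'bob' legitimately exports
# large ones every day; 'cat' has almost no history yet.
HISTORY = [
    ReportExport("ana", "Leads", 40), ReportExport("ana", "Leads", 55),
    ReportExport("ana", "Leads", 38), ReportExport("ana", "Leads", 61),
    ReportExport("ana", "Opportunities", 47), ReportExport("ana", "Leads", 52),
    ReportExport("bob", "Leads", 9000), ReportExport("bob", "Leads", 8800),
    ReportExport("bob", "Leads", 9300), ReportExport("bob", "Leads", 9100),
    ReportExport("bob", "Leads", 8950),
    ReportExport("cat", "Leads", 20),
]


def baseline(history, user):
    """Return (median, MAD) of the user's past row counts, or None if too few."""
    rows = [e.rows for e in history if e.user == user]
    if len(rows) < MIN_HISTORY:
        return None
    med = median(rows)
    mad = median([abs(r - med) for r in rows])
    return med, mad


def robust_z(value, med, mad):
    """Distance from the baseline in MAD units; a zero MAD falls back to 1 row."""
    scale = MAD_SCALE * mad if mad > 0 else 1.0
    return (value - med) / scale


def assess(history, event):
    """Score one new export against its user's baseline.

    Only upward deviations are flagged: an unusually small export is not a
    data-exfiltration signal, and flagging it would only add noise.
    """
    b = baseline(history, event.user)
    if b is None:
        return {"user": event.user, "verdict": "insufficient_history", "z": None}
    med, mad = b
    z = robust_z(event.rows, med, mad)
    verdict = "anomaly" if z > FLAG_THRESHOLD else "normal"
    return {"user": event.user, "report": event.report, "rows": event.rows,
            "baseline_rows": med, "z": round(z, 2), "verdict": verdict}


if __name__ == "__main__":
    # 5,000 rows is a huge jump for ana but would be routine for bob.
    for ev in (ReportExport("ana", "Leads", 5000),
               ReportExport("bob", "Leads", 9500),
               ReportExport("cat", "Leads", 5000)):
        print(assess(HISTORY, ev))
```

The same 5,000-row export is flagged for ana and would be unremarkable for bob, which is the reason the page stresses comparing a user against their own history rather than against an org-wide threshold. The `insufficient_history` verdict is the caveat a practitioner should expect from any baseline model: a brand-new user or integration has no baseline yet, so the first large export it performs cannot be judged this way. Feeding a flagged result into a flow that opens a case or deactivates the user is the response side described in the table above.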

