BIPI

Salesforce Incident Response: Event Monitoring, Setup Audit Trail, and Connected App Forensics

Cybersecurity

A working Salesforce IR runbook spanning Event Monitoring, Setup Audit Trail, Login History, Connected Apps review, data export logs, Health Check, and Shield Platform Encryption considerations.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 12, 2024 · 8 min read

#salesforce #crm #ir

Salesforce holds the customer relationship in most enterprises. An incident there is a data incident. The IR runbook below assumes Salesforce Shield is licensed because Event Monitoring is where forensic-grade logging lives. Without Shield, you are working with sparse signals.

1. Event Monitoring as the primary log

Event Monitoring exposes more than 50 event types as daily log files (and hourly files, where enabled) in the EventLogFile object. The ones that matter most for IR are Login, LoginAs, ApiTotalUsage, ReportExport, BulkApi, BulkApi2, RestApi, Search, and URI. Each log file is a CSV that you locate by querying EventLogFile and then download through the REST API.

GET /services/data/v60.0/query?q=SELECT+Id,EventType,LogFile,LogDate+FROM+EventLogFile+WHERE+EventType+IN+('Login','ReportExport','BulkApi')+AND+LogDate+>=+2024-05-25T00:00:00Z

The LogFile field is a relative path of the form /services/data/v60.0/sobjects/EventLogFile/<Id>/LogFile; issue a GET against it with the same bearer token to receive the CSV, then parse it with your tool of choice. For incident workflows, we keep a Python script that ingests EventLogFile CSVs and emits a per-user timeline.

2. Setup Audit Trail

The Setup Audit Trail records configuration changes for the last 180 days. During an incident, this is where you spot persistence: a new connected app, a profile or permission set change, a workflow rule or flow with an email alert to an external address, or an Apex class deployment.

Pull the SetupAuditTrail object directly through SOQL filtered to the incident window. The Action and Display columns explain what changed; CreatedBy tells you which user (or integration) did it, and DelegateUser is populated when the change was made through Login As, in which case the admin who logged in as that user is the one to look at.

SELECT CreatedDate, CreatedBy.Username, DelegateUser, Action, Display, Section FROM SetupAuditTrail WHERE CreatedDate >= 2024-05-25T00:00:00Z ORDER BY CreatedDate
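The query returns a few hundred rows for a busy week, so we triage them mechanically before reading. The script below is an added example, not BIPI's tooling: it takes the record list the REST query endpoint returns for that SOQL (CreatedBy as a nested object), keeps only rows inside the incident window, and flags the persistence patterns listed above plus any email address outside your own domains. The sample rows are constructed, and their Action/Display wording only approximates what Salesforce writes, so the rules match on keywords in Section, Action and Display rather than on exact Action codes; TRUSTED_EMAIL_DOMAINS is an assumption you fill in for your org.

```python
"""Triage SetupAuditTrail rows for persistence indicators (added example)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Assumption: domains your org legitimately sends workflow/email alerts to.
TRUSTED_EMAIL_DOMAINS = {"acme.example"}

# (rule name, regex tested against "Section | Action | Display").
# Keyword matching is an assumption: real Action codes vary by feature.
PERSISTENCE_RULES = [
    ("connected_app_changed", re.compile(r"connected app", re.I)),
    ("profile_or_permset_changed", re.compile(r"profile|permission set", re.I)),
    ("apex_deployed", re.compile(r"apex (class|trigger)", re.I)),
    ("email_alert_changed", re.compile(r"email alert", re.I)),
    ("login_ip_restriction_changed", re.compile(r"login ip", re.I)),
    ("high_privilege_perm", re.compile(r"modify all data|view all data|author apex", re.I)),
]
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def parse_sf_ts(s):
    """CreatedDate comes back in UTC ('...+0000'); keep the first 19 chars."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(rows, window_start, window_end):
    """Return findings for rows inside the window that trip at least one rule,
    ordered by time. A single row may trip several rules; all are listed."""
    findings = []
    for r in rows:
        ts = parse_sf_ts(r["CreatedDate"])
        if not (window_start <= ts <= window_end):
            continue
        text = " | ".join(str(r.get(k) or "") for k in ("Section", "Action", "Display"))
        hits = [name for name, rx in PERSISTENCE_RULES if rx.search(text)]
        # Any address outside the trusted domains is a likely exfil channel.
        for domain in EMAIL_RE.findall(text):
            if domain.lower() not in TRUSTED_EMAIL_DOMAINS:
                hits.append("external_email_address")
        if hits:
            findings.append({
                "when": ts,
                "actor": r["CreatedBy"]["Username"],
                "delegate": r.get("DelegateUser"),  # set when done via Login As
                "rules": hits,
                "display": r.get("Display", ""),
            })
    findings.sort(key=lambda f: f["when"])
    return findings


def actors_to_review(findings):
    """Who to freeze first: actors ranked by number of findings."""
    return Counter(f["actor"] for f in findings)


# Constructed sample records in the shape of the REST query response (not real data).
SAMPLE_ROWS = [
    {"CreatedDate": "2024-05-20T09:00:00.000+0000", "CreatedBy": {"Username": "admin@acme.example"},
     "Section": "Apex Class", "Action": "changedApexClass", "Display": "Changed Apex class LeadScoring"},
    {"CreatedDate": "2024-05-26T03:14:07.000+0000", "CreatedBy": {"Username": "jdoe@acme.example"},
     "Section": "Connected Apps", "Action": "createdConnectedApp", "Display": "Created connected app Data Sync Helper"},
    {"CreatedDate": "2024-05-26T03:20:41.000+0000", "CreatedBy": {"Username": "jdoe@acme.example"},
     "Section": "Manage Users", "Action": "PermSetAssign",
     "Display": "Assigned permission set Integration Admin to user jdoe@acme.example"},
    {"CreatedDate": "2024-05-26T03:25:10.000+0000", "CreatedBy": {"Username": "jdoe@acme.example"},
     "Section": "Workflow Rule", "Action": "changedEmailAlert",
     "Display": "Changed email alert Deal Closed: added recipient attacker@mail.example.net"},
    {"CreatedDate": "2024-05-26T03:30:00.000+0000", "CreatedBy": {"Username": "jdoe@acme.example"},
     "Section": "Apex Class", "Action": "createdApexClass", "Display": "Created Apex class ExportHelper"},
    {"CreatedDate": "2024-05-27T08:00:00.000+0000", "CreatedBy": {"Username": "admin@acme.example"},
     "Section": "Company Information", "Action": "changedOrgDefault", "Display": "Changed organization default locale"},
]
WINDOW_START = datetime(2024, 5, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    found = triage(SAMPLE_ROWS, WINDOW_START, WINDOW_END)
    for f in found:
        print(f["when"].isoformat(), f["actor"], ",".join(f["rules"]), "-", f["display"])
    print(actors_to_review(found))
```

On the sample, the May 20 Apex change falls outside the window and is ignored, the locale change matches nothing, and the four remaining rows all belong to one user, who is the first account to freeze. Tune the rules to your org: a permission set assignment is noise in a large admin team and a strong signal in a small one.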

3. Login History and the compromised session

LoginHistory is a separate, standard object (available without Shield) that captures every login attempt with Status, SourceIp, LoginType (Application for interactive logins, Remote Access 2.0 for OAuth 2.0 flows, the SAML variants, and others), Browser, Platform, and ApiVersion. A login from a new country, through an OAuth flow you did not provision, or with an obsolete API version is the start of the timeline.

Correlate LoginHistory with EventLogFile Login events. The first one gives you presence; the second gives you what they did next.
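The per-user timeline script mentioned in section 1 does exactly this correlation. What follows is an added example of that idea, not the BIPI script itself: it ingests the CSV text that EventLogFile.LogFile returns for any event type, merges in the records a LoginHistory SOQL query returns, builds the baseline of source IPs each user logged in from before the incident window (LoginHistory keeps six months, so it is the better baseline than 30 days of log files), then flags successful logins from IPs outside that baseline and any later activity tied to such a login through LOGIN_KEY. Assumptions: the column subset used (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, LOGIN_KEY, SOURCE_IP or CLIENT_IP, LOGIN_STATUS, URI) exists under those names in your files; rows are read by header, so the many other columns are ignored. The sample CSVs and LoginHistory records are constructed.

```python
"""Per-user timeline from EventLogFile CSVs correlated with LoginHistory (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

SUCCESS = {"LOGIN_NO_ERROR", "Success"}  # EventLogFile LOGIN_STATUS / LoginHistory.Status


def parse_ts(s):
    """TIMESTAMP_DERIVED ('...Z') and LoginHistory.LoginTime ('...+0000') are both UTC."""
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def load_event_log(csv_text):
    """Normalise one EventLogFile CSV (any event type) into timeline entries."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_login = row["EVENT_TYPE"] == "Login"
        entries.append({
            "ts": parse_ts(row["TIMESTAMP_DERIVED"]),
            "source": "EventLogFile",
            "kind": "login" if is_login else "activity",
            "type": row["EVENT_TYPE"],
            "user": row["USER_ID"],
            "ip": row.get("SOURCE_IP") or row.get("CLIENT_IP") or "",
            "login_key": row.get("LOGIN_KEY") or "",
            "detail": row.get("LOGIN_STATUS") or row.get("URI") or "",
            "flags": [],
        })
    return entries


def load_login_history(records):
    """Normalise SOQL LoginHistory records into the same entry shape."""
    return [{
        "ts": parse_ts(r["LoginTime"]), "source": "LoginHistory", "kind": "login",
        "type": r["LoginType"], "user": r["UserId"], "ip": r["SourceIp"],
        "login_key": "", "detail": r["Status"], "flags": [],
    } for r in records]


def build_timeline(event_log_csvs, login_history, window_start):
    """Merge both sources, flag logins from IPs the user never used before the
    window, and flag activity tied (via LOGIN_KEY) to such a login."""
    entries = [e for text in event_log_csvs for e in load_event_log(text)]
    entries += load_login_history(login_history)
    entries.sort(key=lambda e: e["ts"])
    baseline = defaultdict(set)  # user -> IPs behind successful pre-window logins
    for e in entries:
        if e["kind"] == "login" and e["detail"] in SUCCESS and e["ts"] < window_start:
            baseline[e["user"]].add(e["ip"])
    flagged_sessions = set()
    timeline = defaultdict(list)
    for e in entries:
        if e["ts"] < window_start:
            continue
        if e["kind"] == "login":
            if e["detail"] not in SUCCESS:
                e["flags"].append("failed_login")
            elif e["ip"] not in baseline[e["user"]]:
                e["flags"].append("new_ip")
                if e["login_key"]:
                    flagged_sessions.add(e["login_key"])
        elif e["login_key"] in flagged_sessions:
            e["flags"].append("activity_in_flagged_session")
        timeline[e["user"]].append(e)
    return dict(timeline)


def suspicious_users(timeline):
    return sorted(u for u, evs in timeline.items() if any(e["flags"] for e in evs))


# Constructed sample data (not real logs), trimmed to the columns used above.
LOGIN_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,LOGIN_STATUS,LOGIN_KEY
Login,2024-05-26T03:09:40.000Z,005xx000001aaaa,203.0.113.44,LOGIN_ERROR_INVALID_PASSWORD,
Login,2024-05-26T03:10:02.000Z,005xx000001aaaa,203.0.113.44,LOGIN_NO_ERROR,lk-1
Login,2024-05-26T09:00:00.000Z,005xx000001bbbb,198.51.100.7,LOGIN_NO_ERROR,lk-2
"""
REPORT_EXPORT_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,LOGIN_KEY,URI
ReportExport,2024-05-26T03:12:30.000Z,005xx000001aaaa,203.0.113.44,lk-1,/00Oxx0000004abc
ReportExport,2024-05-26T09:05:00.000Z,005xx000001bbbb,198.51.100.7,lk-2,/00Oxx0000004def
"""
LOGIN_HISTORY = [  # shape of SOQL records, 'attributes' omitted
    {"UserId": "005xx000001aaaa", "LoginTime": "2024-04-10T08:00:00.000+0000",
     "SourceIp": "198.51.100.7", "Status": "Success", "LoginType": "Application"},
    {"UserId": "005xx000001bbbb", "LoginTime": "2024-04-11T08:00:00.000+0000",
     "SourceIp": "198.51.100.7", "Status": "Success", "LoginType": "Application"},
    {"UserId": "005xx000001aaaa", "LoginTime": "2024-05-26T03:10:02.000+0000",
     "SourceIp": "203.0.113.44", "Status": "Success", "LoginType": "Remote Access 2.0"},
]
WINDOW_START = datetime(2024, 5, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    tl = build_timeline([LOGIN_CSV, REPORT_EXPORT_CSV], LOGIN_HISTORY, WINDOW_START)
    for user in suspicious_users(tl):
        print(user)
        for e in tl[user]:
            print(f"  {e['ts']:%Y-%m-%d %H:%M:%S} {e['source']:<13} {e['type']:<18} "
                  f"{e['ip']:<14} {e['detail']} {e['flags']}")
```

On the sample, the first user shows a failed password attempt from a never-seen IP, a successful OAuth login from it seconds later (present in both sources, which is the LoginHistory presence plus the Event Monitoring detail the text describes), and a report export in that same session. The second user logs in from the office range and exports nothing unusual, so nothing is flagged. Feed the script every event type you pulled, not just Login; the session linkage is what turns a login into a story.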

4. Connected Apps and OAuth scope review

Connected Apps are how OAuth clients are registered in Salesforce. During IR, list every Connected App together with its Permitted Users policy (admin pre-authorized versus self-authorizing users) and its OAuth scopes. The OauthToken object shows the active token grants per user.

SELECT Id, UserId, AppName, LastUsedDate, UseCount FROM OauthToken WHERE LastUsedDate >= 2024-05-25T00:00:00Z

Revoke tokens for any app you do not recognize. From Setup, Connected Apps OAuth Usage lets you block an app organization-wide, which also ends its existing user sessions. Be careful: blocking a legitimate integration mid-incident has cascading effects on your sales team.

5. Data export and bulk API forensics

Salesforce exfiltration usually rides the Bulk API or Data Export Service. The BulkApi and BulkApi2 event types log every job with row counts. The DataExport event captures admin-initiated weekly exports. Look for jobs initiated by non-integration users, or jobs with row counts much higher than the user's historical pattern.

If you find an unauthorized export job, its results may still be retrievable: Bulk API 2.0 keeps query job results for seven days after the job completes. Pulling them back into your forensics environment tells you exactly which records left the org.
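The "much higher than the user's historical pattern" test is easy to get wrong by eye, so we score it. The script below is an added example, not BIPI tooling: it reads two BulkApi CSV extracts, one for the 30 days before the incident and one for the incident window, sums rows per JOB_ID (a job is logged once per request, so per-row comparison undercounts), and flags query jobs by anyone outside your sanctioned integration users, jobs that exceed three times the user's largest historical job, and large jobs by users with no bulk history at all. Assumptions: the columns JOB_ID, OPERATION_TYPE, ENTITY_TYPE, NUMBER_PROCESSED and USER_ID exist under those names (check the header of your own files; BulkApi2 files differ slightly), and INTEGRATION_USERS is your own list. Both CSVs are constructed.

```python
"""Flag anomalous Bulk API jobs from BulkApi event log CSVs (added example)."""
import csv
import io
from collections import defaultdict

INTEGRATION_USERS = {"005xx000001cccc"}  # assumption: your sanctioned integration users
RATIO = 3.0        # flag when a job moves more than RATIO x the user's largest past job
MIN_ROWS = 10_000  # and at least this many rows, so small users do not generate noise


def load_jobs(csv_text):
    """Aggregate per-request rows into one record per JOB_ID."""
    jobs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        job = jobs.setdefault(row["JOB_ID"], {
            "job_id": row["JOB_ID"], "user": row["USER_ID"],
            "op": row["OPERATION_TYPE"].lower(), "entity": row["ENTITY_TYPE"],
            "first_seen": row["TIMESTAMP_DERIVED"], "rows": 0,
        })
        job["rows"] += int(row["NUMBER_PROCESSED"] or 0)
    return list(jobs.values())


def per_user_max(history_jobs):
    """Largest job each user ran in the baseline period."""
    m = defaultdict(int)
    for j in history_jobs:
        m[j["user"]] = max(m[j["user"]], j["rows"])
    return m


def flag_jobs(window_csv, history_csv):
    """Return window jobs that deserve a look, largest first, with reasons."""
    hist_max = per_user_max(load_jobs(history_csv))
    findings = []
    for j in load_jobs(window_csv):
        reasons = []
        if j["op"] in ("query", "queryall") and j["user"] not in INTEGRATION_USERS:
            reasons.append("query_job_by_non_integration_user")
        if j["user"] not in hist_max:
            if j["rows"] >= MIN_ROWS:
                reasons.append("large_job_with_no_history")
        elif j["rows"] >= MIN_ROWS and j["rows"] > RATIO * hist_max[j["user"]]:
            reasons.append(f"rows_{j['rows']}_exceed_{RATIO:g}x_history_max_{hist_max[j['user']]}")
        if reasons:
            findings.append({**j, "reasons": reasons})
    findings.sort(key=lambda f: f["rows"], reverse=True)
    return findings


# Constructed sample files, trimmed to the columns used above (not real logs).
HISTORY_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,JOB_ID,OPERATION_TYPE,ENTITY_TYPE,NUMBER_PROCESSED
BulkApi,2024-04-02T10:00:00.000Z,005xx000001aaaa,750H1,query,Contact,1200
BulkApi,2024-04-16T10:00:00.000Z,005xx000001aaaa,750H2,query,Contact,1500
BulkApi,2024-05-01T02:00:00.000Z,005xx000001cccc,750H3,upsert,Account,200000
BulkApi,2024-05-08T02:00:00.000Z,005xx000001cccc,750H4,upsert,Account,198000
"""
WINDOW_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,JOB_ID,OPERATION_TYPE,ENTITY_TYPE,NUMBER_PROCESSED
BulkApi,2024-05-26T03:40:00.000Z,005xx000001aaaa,750W1,query,Contact,95000
BulkApi,2024-05-26T03:41:00.000Z,005xx000001aaaa,750W1,query,Contact,90000
BulkApi,2024-05-27T02:00:00.000Z,005xx000001cccc,750W2,upsert,Account,210000
BulkApi,2024-05-27T11:00:00.000Z,005xx000001bbbb,750W3,insert,Lead,50
BulkApi,2024-05-28T01:15:00.000Z,005xx000001eeee,750W4,query,Contact,40000
"""

if __name__ == "__main__":
    for f in flag_jobs(WINDOW_CSV, HISTORY_CSV):
        print(f["first_seen"], f["user"], f["job_id"], f["op"], f["entity"],
              f["rows"], "; ".join(f["reasons"]))
```

On the sample, the sales user who historically pulled 1,500 contacts at a time ran a 185,000-row query split over two requests at 03:40, and a user with no bulk history queried 40,000 contacts; both are flagged. The integration account's 210,000-row upsert is within its normal range and the 50-row lead insert is below the floor, so neither is. Once a JOB_ID is flagged, that is the job whose results you pull back under the seven-day window above.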

6. Health Check and Shield Platform Encryption

After containment, run Health Check from Setup. It scores your org against the Salesforce Baseline Standard and surfaces session and password policy gaps that may have enabled the incident. If Shield Platform Encryption is in scope, check the Setup Audit Trail for key management actions in the window (tenant secrets generated, exported, or destroyed). If anyone holding Manage Encryption Keys was compromised, rotate the tenant secret and then re-encrypt existing data through Encryption Statistics, because rotation alone does not re-encrypt data already stored under the old secret.

Per-user containment, once you have identified the compromised account:

  1. Freeze the user (Setup > Users > Freeze) rather than deactivating, which preserves evidence and record ownership; then end the user's active sessions from Setup > Session Management, since freezing only blocks new logins.
  2. Revoke the user's OAuth tokens (delete their OauthToken records, or use Revoke on the OAuth Connected Apps list of the user record).
  3. Reset the user's password and the registered MFA methods from the user detail page; use Identity Verification History to see which methods were enrolled and used during the window.
  4. Audit all Setup Audit Trail changes by the user in the window and reverse the malicious ones.
  5. Re-enable the user only after a full Setup Audit Trail review.
Retention to plan the investigation around:

  EventLogFile with Shield: 30 days
  EventLogFile without Shield (standard): 1 day, Login and Logout event types only
  Login History: 6 months

Salesforce IR without Shield is a guessing game. With Shield, it is a workmanlike investigation. If your org runs revenue through Salesforce and does not have Event Monitoring licensed, that is a conversation worth having with your CFO this quarter.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.