Following the primer on investigating Salesforce security incidents, customers have asked for more details on how to correlate logs to reconstruct what happened.
Why it matters
- May affect how AI can be used.
- The Salesforce Log Analysis Guide provides a general overview with links to related resources.
- Open receipts to verify and go deeper.
Deep dive
Context
Following the primer on investigating Salesforce security incidents, customers have asked for more details on how to correlate logs to reconstruct what happened. The Salesforce Log Analysis Guide provides a general overview with links to related resources. While Salesforce’s core platform remains robust, threat actors continuously evolve their techniques to gain unauthorized access and steal sensitive data. Using a fictitious security incident scenario, this blog post demonstrates how to leverage Salesforce Shield Event Monitoring and Transaction Security Policies (TSPs) to detect, investigate, and defend against such threats. The examples in this article focus mainly on events stored in Event Log Files (ELFs) as part of Event Monitoring, but Salesforce also provides a robust set of services to monitor system and user activity as part of its standard editions. Other sources of Event Monitoring logs, such as Real-Time Events (RTEM) and low-latency Event Log Objects (ELO), also contain relevant information for detecting and investigating security incidents, as discussed in the primer. After experiencing a security incident, some customers invest in Event Monitoring to take…
For builders
Check docs/changelog for breaking changes. Also: check API docs for breaking changes; verify benchmark methodology.
Verify
Prefer primary announcements, papers, repos, and changelogs over reposts.
Receipts
Primary sources so you can verify and dig deeper.
- An Introduction to Forensic Reconstruction of a Salesforce Security Incident (Salesforce AI Research)