View downloaded Salesforce report activity in Incydr
Overview
When a user generates and exports a report from a Salesforce environment that is monitored by Code42, Code42 displays information about that activity throughout Incydr, such as on the Risk Exposure dashboard, on the All users list, in alert notifications, and in Forensic Search. This article describes how to identify downloaded Salesforce report activity in these tools.
Risk Exposure dashboard
The Risk Exposure dashboard provides a "one-stop shop" to quickly locate any report export activity. Use the Top users by critical activity panel on the dashboard to quickly see whether any users who cause the most critical activity in your environment have downloaded reports from Salesforce. Look for the Download to unmonitored device from corporate Salesforce risk indicator.
In the example above, the risk indicator shows that Jim Harper has downloaded a report from Salesforce to a device that is not monitored by Incydr. To view more information, click View event details to open Jim's User file activity.
All users
The Download to unmonitored device from corporate Salesforce risk indicator also appears in the All users list for users associated with such activity. To view the list, select User Activity > All Users.
In the example above, the risk indicator shows that Jim Harper has downloaded a report from Salesforce to a device that is not monitored by Incydr. To view more information, click View event details to open Jim's User file activity.
User file activity
To view more information about activity associated with Salesforce report downloads on either the Risk Exposure dashboard or the All users list, click View event details. From there, click Filter to show only the files involved in Salesforce download activity, and click Investigate in Forensic Search to view more information about those exported reports.
Alerts
Use Code42's Alerts to build rules that notify you when activity that matches the rule's criteria occurs. When the rule is triggered, view the resulting alert notifications for more details about that activity and to investigate further.
Build rules to proactively notify you of Salesforce downloads
Incydr allows you to build alert rules that proactively notify you when Salesforce report download activity is detected. You can use the tools in Manage Rules to build these rules in different ways.
- Use the Destination alert rule settings to detect Salesforce report downloads to untrusted devices. Select Download to unmonitored device from corporate Salesforce to monitor for this activity.
To keep investigations focused, this setting alerts only on Salesforce reports downloaded to devices that Incydr does not monitor (for example, personal computers). Downloads to trusted devices that Incydr monitors are filtered out of these alerts. When you need to see all Salesforce report download activity regardless of destination, use Forensic Search instead.
You can combine the Destinations settings with other settings to customize alerts that work for your environment and organizational needs.
- Use the Salesforce report exfiltration recommended rule template to get up and running quickly with a rule that detects Salesforce report downloads based on filenames. This recommended rule template relies on the default filenames that Salesforce suggests when a user generates a report in Salesforce.
Code42 generates an alert notification whenever activity involving a file with one of these default filenames is detected, whether it occurs on a trusted or an unmonitored device. Keep in mind that, depending on browser settings, a user may be able to rename the report on export; a renamed file no longer matches this rule's criteria, so this template is best paired with the Destination setting rather than relied on alone.
You can simply create the rule from this recommended rule template as it is "out of the box" or you can combine it with other rule settings to customize it for your organization's needs.
View alert notifications generated by Salesforce download activity
When the Salesforce download activity that matches alert rule settings is detected, Code42 displays information about that activity in the Review Alerts list and optionally sends an email with those details to the users you specify. Click any of the notifications in the Review Alerts list to view more details about that event.
Use the controls in these details to perform these actions:
- Click Investigate in Forensic Search to view more information about the activity in Forensic Search.
- Click Send email to create an email from a template requesting more information from the user causing the activity.
- After your investigation is complete, click Dismiss alert to close the alert and remove it from the list of currently active alerts.
- During an investigation, select the Status for the notification: Open, In progress, Pending response, or Dismissed.
- Use the Notes field to add or update any notes that provide additional context to your investigation.
Forensic Search
The Investigate in Forensic Search buttons on the Risk Exposure dashboard and in alert notifications automatically create the search for you in Forensic Search to locate the files involved in event activity. You can examine these search terms to help craft searches that locate Salesforce report downloads, or you can create your own searches for investigations.
Search for Salesforce downloads to unmonitored devices
To build a search in Forensic Search for Salesforce report downloads to devices that are not monitored by Incydr, use the Download to unmonitored device from corporate Salesforce risk indicator filter. Adjust the date filters and add other filters to this search as needed to further narrow down the results.
When the results appear, click View details to view more information about that file involved in the event.
Search for Salesforce downloads to any device
To help you focus on possible exfiltration, Code42 automatically filters the Risk Exposure dashboard and alert notifications to show only Salesforce reports that have been downloaded to devices that are not monitored by Incydr. However, you can always view all Salesforce report download events in Forensic Search, including events occurring on devices that Incydr monitors.
To create a search that shows all Salesforce report download events:
- Adjust the date filter as needed to narrow your search to a specific timeframe.
- Select the Event observer filter, the Includes any operator, and a value of Salesforce.
- Add a Trusted activity event filter, then set its Value to control which results you see:
  - Select Include to list Salesforce reports downloaded to trusted devices (that is, devices monitored by Incydr).
  - Select Exclude to list reports downloaded to untrusted devices, such as personal computers that Incydr does not monitor.
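The following Python script is an added illustration, not Code42 code, that runs offline over a handful of constructed file events. It models two things from this article: the Forensic Search above (Event observer includes Salesforce, with the Trusted activity filter set to Include, Exclude, or left off) and the difference between the two alert-rule strategies described earlier (the Destination setting keyed on the unmonitored-device risk indicator versus the filename-based recommended template). The nested field names (event.observer, file.name, risk.trusted, risk.indicators) and the default-filename regex are assumptions standing in for your tenant's real schema and the template's real criteria.

```python
import re

# Risk indicator name exactly as the article lists it.
SF_UNMONITORED = "Download to unmonitored device from corporate Salesforce"

# Assumption: a Salesforce default export name looks like "report" followed by
# 13 epoch-millisecond digits. This regex stands in for the recommended
# template's real filename criteria, which the article does not enumerate.
DEFAULT_REPORT_NAME = re.compile(r"^report\d{13}\.(csv|xls|xlsx)$", re.IGNORECASE)


def make_event(observer, filename, trusted, indicators):
    """Build a minimal file event. The nested field names (event.observer,
    file.name, risk.trusted, risk.indicators) are an assumption modelled on
    Incydr's Forensic Search fields; adapt them to your tenant's schema."""
    return {
        "event": {"observer": observer},
        "file": {"name": filename},
        "risk": {"trusted": trusted, "indicators": list(indicators)},
    }


# Constructed sample data, not real tenant events.
SAMPLE_EVENTS = [
    # Default filename, downloaded from Salesforce to an unmonitored device.
    make_event("Salesforce", "report1700000000000.csv", False, [SF_UNMONITORED]),
    # Default filename, but the destination is a device Incydr monitors.
    make_event("Salesforce", "report1700000001111.csv", True, []),
    # User renamed the export on the way out; unmonitored destination.
    make_event("Salesforce", "q3-pipeline.csv", False, [SF_UNMONITORED]),
    # Endpoint event that merely happens to carry a default-looking name.
    make_event("Endpoint", "report1700000002222.csv", True, []),
]


def forensic_search(events, trusted_activity=None):
    """Mirror the article's search: Event observer includes "Salesforce",
    then optionally a Trusted activity filter set to "Include" (monitored
    destinations only) or "Exclude" (unmonitored destinations only)."""
    if trusted_activity not in (None, "Include", "Exclude"):
        raise ValueError("trusted_activity must be None, 'Include' or 'Exclude'")
    results = []
    for ev in events:
        if ev["event"]["observer"] != "Salesforce":
            continue
        trusted = ev["risk"]["trusted"]
        if trusted_activity == "Include" and not trusted:
            continue
        if trusted_activity == "Exclude" and trusted:
            continue
        results.append(ev)
    return results


def destination_rule(ev):
    """Destination-style rule: fire on the unmonitored-device risk indicator.
    Independent of the filename, so a renamed export still trips it."""
    return SF_UNMONITORED in ev["risk"]["indicators"]


def filename_rule(ev):
    """Template-style rule: fire on a default-looking export filename, wherever
    the event came from. A renamed export slips past; a non-Salesforce file
    with a matching name is flagged anyway."""
    return bool(DEFAULT_REPORT_NAME.match(ev["file"]["name"]))


def evaluate_rules(events):
    """Return, per filename, which of the two rules would alert."""
    return {
        ev["file"]["name"]: {
            "destination": destination_rule(ev),
            "filename": filename_rule(ev),
        }
        for ev in events
    }


if __name__ == "__main__":
    for label, mode in (("all", None), ("trusted only", "Include"), ("unmonitored only", "Exclude")):
        names = [ev["file"]["name"] for ev in forensic_search(SAMPLE_EVENTS, mode)]
        print(f"Forensic Search, Salesforce, {label}: {names}")
    for name, fired in evaluate_rules(SAMPLE_EVENTS).items():
        print(f"{name:28} destination={fired['destination']!s:5} filename={fired['filename']}")
```

Running it shows the trade-off the article describes: the renamed export q3-pipeline.csv is caught only by the destination rule, the download to a monitored device is caught only by the filename rule, and the endpoint file with a default-looking name is a filename-rule hit that has nothing to do with Salesforce. Combining both settings in one rule covers the gaps in each.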
Event details in Forensic Search
For any result listed in the Forensic Search table, click View details to view the file event metadata collected about that activity. Details about Salesforce report downloads appear in the Risk, Event, File, and Report sections of the event details. The most important details that you'll use during your investigations of these events are described below.
Filenames for Salesforce report downloads are predicted
When Code42 detects that a report has been exported from Salesforce, it predicts a filename for the downloaded report based on Salesforce defaults. This predicted filename appears under the File section in the event details. Because it is predicted rather than observed, it may not match the name actually saved on the device if the user renamed the file on export.
Salesforce report details in Forensic Search
Code42 lists information about an exported report under the Salesforce reports section of the event details. You can use these details to directly identify and view a saved report or recreate an ad hoc report to see the data it may have contained. The fields in this section vary depending on whether the report is a saved or an ad hoc report; the example below shows the fields listed for a saved report.
Saved reports
For saved reports, pay close attention to these fields in the Salesforce reports section:
- Report name: The name selected when the report was originally saved.
- Report description: The description entered when the report was originally saved (if any), which can provide context regarding the data the report contains.
- Report ID: The ID that Salesforce assigned to the report when it was saved. You can search Salesforce using this ID to locate and view the exact report that was generated and downloaded.
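Salesforce record IDs come in a case-sensitive 15-character form and a case-insensitive 18-character form, and Report records share a fixed key prefix, so an ID copied out of the event details sometimes needs normalizing before a search or URL lookup will hit. The helper below is an added example, not Code42 or Salesforce code; the 15-to-18 suffix algorithm and the `00O` Report prefix are standard Salesforce behaviour, while the Lightning record URL shape and the sample ID `00O5e000001AbCd` and My Domain host are assumptions for illustration.

```python
# Salesforce appends three checksum characters to a 15-char ID to make it
# case-insensitive: each 5-char chunk is read as a bitmask of uppercase
# positions and mapped through this alphabet.
CHECK_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
REPORT_KEY_PREFIX = "00O"  # key prefix shared by all Report records


def is_report_id(sf_id):
    """Cheap sanity check before pasting an ID into Salesforce search."""
    return (
        isinstance(sf_id, str)
        and len(sf_id) in (15, 18)
        and sf_id.isalnum()
        and sf_id.startswith(REPORT_KEY_PREFIX)
    )


def to_18_char_id(sf_id):
    """Return the 18-char form of a Salesforce ID (18-char input is passed through)."""
    if len(sf_id) == 18:
        return sf_id
    if len(sf_id) != 15 or not sf_id.isalnum():
        raise ValueError(f"not a 15- or 18-character Salesforce ID: {sf_id!r}")
    suffix = ""
    for start in (0, 5, 10):
        bits = 0
        for i, ch in enumerate(sf_id[start:start + 5]):
            if ch.isupper():
                bits |= 1 << i
        suffix += CHECK_ALPHABET[bits]
    return sf_id + suffix


def report_url(my_domain_host, sf_id):
    """Build a Lightning record URL for the report (URL shape is an assumption).
    my_domain_host is the org's My Domain hostname, e.g. acme.my.salesforce.com."""
    if not is_report_id(sf_id):
        raise ValueError(f"{sf_id!r} does not look like a Report ID")
    return f"https://{my_domain_host}/lightning/r/Report/{to_18_char_id(sf_id)}/view"


if __name__ == "__main__":
    sample_id = "00O5e000001AbCd"  # constructed sample, not a real report
    print(to_18_char_id(sample_id))
    print(report_url("acme.my.salesforce.com", sample_id))
```

The check for the `00O` prefix is worth keeping in an investigation runbook: an ID that starts with anything else was copied from the wrong field and will never resolve to a report.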
Ad hoc reports
Due to their temporary nature, ad hoc reports do not include a report description or ID. Instead, you can use these fields to recreate the report and view the data it may have contained.
- Report name: The Report Type the user selected in Salesforce when choosing what report to generate. To recreate the report in Salesforce, open the Report Builder and select this same report type.
- Report column headers: The columns that the user selected in Salesforce when building the report. Select these same columns in Salesforce to view the data that the report contained.
- Number of rows: Use this total to determine whether the report you recreate contains the same amount of data as the report the user generated and exported. Remember that Salesforce restricts data access by user permissions, so you may need to log in as a user with similar permissions to accurately identify the information included in the exported ad hoc report.