
Salesforce API Anomaly Detection (RET Passthrough)

Severity
medium
Group by
SESSION_KEY, TIMESTAMP, USER_ID
Entities
actor_ids, ip_addresses, trace_ids, usernames
Log types
Salesforce.RealtimeEvent
Tags
Salesforce, API Security, Real-Time Event Monitoring, Anomaly Detection
Reference
https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/sforce_api_objects_apianomalyevent.htm
Source
github.com/panther-labs/panther-analysis

Salesforce Real-Time Event Monitoring has detected anomalous API activity. This could indicate compromised credentials, automated abuse, data exfiltration attempts, or other suspicious API usage patterns.

MITRE ATT&CK coverage

Tactic              Technique
Initial Access      T1078 Valid Accounts
Credential Access   T1110 Brute Force
Collection          T1530 Data from Cloud Storage
Exfiltration        T1567 Exfiltration Over Web Service

Rule body (yaml)

AnalysisType: rule
Description: "Salesforce Real-Time Event Monitoring has detected anomalous API activity. This could indicate compromised credentials, automated abuse, data exfiltration attempts, or other suspicious API usage patterns."
DisplayName: "Salesforce API Anomaly Detection (RET Passthrough)"
Enabled: true
Filename: salesforce_api_anomaly_passthrough.py
Runbook: |
  1. Review the anomaly score and summary to understand what triggered the alert
  2. Investigate the user's recent API activity in Salesforce EventLogFile
  3. Check if the source IP is expected for this user
  4. Review session details and authentication method
  5. Look for other anomalous activity from the same user or session
  6. If confirmed malicious, reset user credentials and review data access
  7. Consider enabling additional API monitoring or rate limiting
Reference: https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/sforce_api_objects_apianomalyevent.htm
Severity: Medium
Tests:
  - ExpectedResult: true
    Log:
      EVENT_TYPE: ApiAnomalyEventStore
      TIMESTAMP: "2024-01-15 14:23:45.123"
      TIMESTAMP_DERIVED: "2024-01-15 14:23:45.123"
      EVENT_DATE: "2024-01-15"
      ORGANIZATION_ID: 00D5f000005uVo7
      USER_ID: 0055f00000CyENt
      USER_ID_DERIVED: 0055f00000CyENtAAN
      USERNAME: suspicious.user@company.com
      USER_TYPE: Standard
      SESSION_KEY: fJ8kL2drc73p8/Wk
      SOURCE_IP: 45.67.89.123
      REQUEST_ID: 5tlEQPuEcPPzVPH-nPNWK-
      SCORE: 85.5
      SUMMARY: "Unusual API query volume and pattern detected"
      SECURITY_EVENT_DATA: '{"anomaly_type":"volume","threshold_exceeded":true,"queries_per_hour":1250}'
      p_event_time: "2024-01-15 14:23:45.123"
      p_parse_time: "2024-01-15 14:24:12.456"
      p_log_type: Salesforce.ApiAnomalyEventStore
      p_row_id: a8f3d45e7bc9f2e1a3d6f8b4c7e9a1b2
      p_source_id: f7e3c18d-837b-461f-9c2e-7f2g4ffa2c17
      p_source_label: Salesforce - Production
      p_any_ip_addresses:
        - 45.67.89.123
      p_any_usernames:
        - suspicious.user@company.com
      p_any_actor_ids:
        - 0055f00000CyENt
      p_any_trace_ids:
        - 5tlEQPuEcPPzVPH-nPNWK-
    Name: High Score API Anomaly Detected
  - ExpectedResult: true
    Log:
      EVENT_TYPE: ApiAnomalyEventStore
      TIMESTAMP: "2024-01-16 09:15:22.789"
      TIMESTAMP_DERIVED: "2024-01-16 09:15:22.789"
      EVENT_DATE: "2024-01-16"
      ORGANIZATION_ID: 00D5f000005uVo7
      USER_ID: 0055f00000DzFPu
      USER_ID_DERIVED: 0055f00000DzFPuBBP
      USERNAME: api.service@company.com
      USER_TYPE: Standard
      SESSION_KEY: gK9mM3esc84q9/Xl
      SOURCE_IP: 203.45.67.89
      REQUEST_ID: 6umFRQvFdQQ0WQI-oQOXL-
      SCORE: 42.3
      SUMMARY: "Atypical API access time and geolocation"
      SECURITY_EVENT_DATA: '{"anomaly_type":"geolocation","expected_country":"US","actual_country":"RU"}'
      p_event_time: "2024-01-16 09:15:22.789"
      p_parse_time: "2024-01-16 09:16:05.123"
      p_log_type: Salesforce.ApiAnomalyEventStore
      p_row_id: b9g4e56f8cd0g3f2b4e7g9c5d8f0b2c3
      p_source_id: f7e3c18d-837b-461f-9c2e-7f2g4ffa2c17
      p_source_label: Salesforce - Production
      p_any_ip_addresses:
        - 203.45.67.89
      p_any_usernames:
        - api.service@company.com
      p_any_actor_ids:
        - 0055f00000DzFPu
      p_any_trace_ids:
        - 6umFRQvFdQQ0WQI-oQOXL-
    Name: Medium Score Geolocation Anomaly
  - ExpectedResult: true
    Log:
      EVENT_TYPE: ApiAnomalyEventStore
      TIMESTAMP: "2024-01-17 16:45:33.456"
      TIMESTAMP_DERIVED: "2024-01-17 16:45:33.456"
      EVENT_DATE: "2024-01-17"
      ORGANIZATION_ID: 00D5f000005uVo7
      USER_ID: 0055f00000EzGQv
      USER_ID_DERIVED: 0055f00000EzGQvCCP
      USERNAME: data.export@company.com
      USER_TYPE: Standard
      SESSION_KEY: hL0nN4ftd95r0/Ym
      SOURCE_IP: 192.168.1.100
      REQUEST_ID: 7vnGSRwGeRR1XRJ-pRPYM-
      SCORE: 95.8
      SUMMARY: "Large data extraction detected"
      SECURITY_EVENT_DATA: '{"anomaly_type":"data_exfiltration","records_accessed":50000,"threshold":5000}'
      p_event_time: "2024-01-17 16:45:33.456"
      p_parse_time: "2024-01-17 16:46:18.789"
      p_log_type: Salesforce.ApiAnomalyEventStore
      p_row_id: c0h5f67g9de1h4g3c5f8h0d6e9g1c3d4
      p_source_id: f7e3c18d-837b-461f-9c2e-7f2g4ffa2c17
      p_source_label: Salesforce - Production
      p_any_ip_addresses:
        - 192.168.1.100
      p_any_usernames:
        - data.export@company.com
      p_any_actor_ids:
        - 0055f00000EzGQv
      p_any_trace_ids:
        - 7vnGSRwGeRR1XRJ-pRPYM-
    Name: Critical Data Exfiltration Anomaly
  - ExpectedResult: false
    Log:
      API_TYPE: ""
      API_VERSION: "59.0"
      AUTHENTICATION_METHOD_REFERENCE: ""
      BROWSER_TYPE: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
      CIPHER_SUITE: ECDHE-RSA-AES256-GCM-SHA384
      CLIENT_IP: 10.10.10.10
      CPU_TIME: 15
      DB_TOTAL_TIME: 1.8e+07
      EVENT_TYPE: Login
      LOGIN_KEY: IMwYW6cv9ydaPrRm
      LOGIN_STATUS: LOGIN_NO_ERROR
      ORGANIZATION_ID: 00D5f000005uVo7
      REQUEST_ID: 8woHTSxHfSS2YSK-qSQZN-
      REQUEST_STATUS: Success
      RUN_TIME: 38
      SESSION_KEY: jM2oO5gue06s2/Zo
      SOURCE_IP: 10.10.10.10
      TIMESTAMP: "2024-01-18 10:30:15.789"
      TIMESTAMP_DERIVED: "2024-01-18 10:30:15.789"
      TLS_PROTOCOL: TLSv1.3
      URI: /home.jsp
      USER_ID: 0055f00000FzHRw
      USER_ID_DERIVED: 0055f00000FzHRwDDP
      USER_NAME: normal.user@company.com
      USER_TYPE: Standard
      p_event_time: "2024-01-18 10:30:15.789"
      p_parse_time: "2024-01-18 10:31:02.123"
      p_log_type: Salesforce.Login
      p_row_id: d1i6g78h0ef2i5h4d6g9i1e7f0h2d4e5
      p_source_id: f7e3c18d-837b-461f-9c2e-7f2g4ffa2c17
      p_source_label: Salesforce - Production
      p_any_ip_addresses:
        - 10.10.10.10
      p_any_usernames:
        - normal.user@company.com
      p_any_actor_ids:
        - 0055f00000FzHRw
      p_any_trace_ids:
        - 8woHTSxHfSS2YSK-qSQZN-
    Name: Normal Login Event - Not Anomaly
DedupPeriodMinutes: 60
LogTypes:
  - Salesforce.RealtimeEvent
RuleID: "Salesforce.API.Anomaly.Passthrough"
Threshold: 1
Tags:
  - Salesforce
  - API Security
  - Real-Time Event Monitoring
  - Anomaly Detection
Reports:
  MITRE ATT&CK:
    - TA0001:T1078  # Initial Access: Valid Accounts
    - TA0006:T1110  # Credential Access: Brute Force
    - TA0009:T1530  # Collection: Data from Cloud Storage Object
    - TA0010:T1567  # Exfiltration: Exfiltration Over Web Service

Detection logic

Condition

EVENT_TYPE eq "ApiAnomalyEventStore"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field        Kind    Values
EVENT_TYPE   eq      ApiAnomalyEventStore

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field             Source
User ID           USER_ID
Username          USERNAME
Session Key       SESSION_KEY
Source IP         SOURCE_IP
User Type         USER_TYPE
Anomaly Score     SCORE
Summary           SUMMARY
Request ID        REQUEST_ID
Organization ID   ORGANIZATION_ID
Event Date        EVENT_DATE
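The condition, the group-by keys and the output-field mapping above, written out as a self-contained Panther-style rule module. This is an added example, not the salesforce_api_anomaly_passthrough.py that ships in panther-analysis: it works on plain dicts rather than Panther's event object, the dedup() and alert_context() helpers are assumptions about how a rule would surface these fields, and the two sample events are constructed from the test cases in the rule body.

```python
import json

# The passthrough condition from the page: EVENT_TYPE eq "ApiAnomalyEventStore"
ANOMALY_EVENT_TYPE = "ApiAnomalyEventStore"

# Group-by keys listed in the rule metadata (assumed to drive deduplication)
GROUP_BY_KEYS = ("SESSION_KEY", "TIMESTAMP", "USER_ID")

# Output fields from the page's table: alert field name -> source log field
OUTPUT_FIELDS = {
    "User ID": "USER_ID",
    "Username": "USERNAME",
    "Session Key": "SESSION_KEY",
    "Source IP": "SOURCE_IP",
    "User Type": "USER_TYPE",
    "Anomaly Score": "SCORE",
    "Summary": "SUMMARY",
    "Request ID": "REQUEST_ID",
    "Organization ID": "ORGANIZATION_ID",
    "Event Date": "EVENT_DATE",
}


def rule(event: dict) -> bool:
    """Passthrough: alert on every ApiAnomalyEventStore row, nothing else."""
    return event.get("EVENT_TYPE") == ANOMALY_EVENT_TYPE


def title(event: dict) -> str:
    """Human-readable alert title built from the emitted fields."""
    return (
        f"Salesforce API anomaly for {event.get('USERNAME', '<unknown>')} "
        f"from {event.get('SOURCE_IP', '<unknown>')} (score {event.get('SCORE')})"
    )


def dedup(event: dict) -> str:
    """Dedup string from the rule's group-by keys (assumed layout)."""
    return ":".join(str(event.get(key, "")) for key in GROUP_BY_KEYS)


def alert_context(event: dict) -> dict:
    """Map the raw log row onto the output fields the page lists.

    SECURITY_EVENT_DATA is a JSON string in the Salesforce row; it is parsed
    when well-formed and passed through untouched otherwise.
    """
    context = {name: event.get(source) for name, source in OUTPUT_FIELDS.items()}
    raw = event.get("SECURITY_EVENT_DATA")
    if raw:
        try:
            context["Security Event Data"] = json.loads(raw)
        except (TypeError, ValueError):
            context["Security Event Data"] = raw
    return context


def evaluate(events: list) -> list:
    """Run the rule over a batch of rows and return one alert per match."""
    return [
        {"title": title(e), "dedup": dedup(e), "context": alert_context(e)}
        for e in events
        if rule(e)
    ]


# Constructed sample rows, trimmed from the test cases in the rule body.
SAMPLE_ANOMALY = {
    "EVENT_TYPE": "ApiAnomalyEventStore",
    "TIMESTAMP": "2024-01-15 14:23:45.123",
    "EVENT_DATE": "2024-01-15",
    "ORGANIZATION_ID": "00D5f000005uVo7",
    "USER_ID": "0055f00000CyENt",
    "USERNAME": "suspicious.user@company.com",
    "USER_TYPE": "Standard",
    "SESSION_KEY": "fJ8kL2drc73p8/Wk",
    "SOURCE_IP": "45.67.89.123",
    "REQUEST_ID": "5tlEQPuEcPPzVPH-nPNWK-",
    "SCORE": 85.5,
    "SUMMARY": "Unusual API query volume and pattern detected",
    "SECURITY_EVENT_DATA": '{"anomaly_type":"volume","threshold_exceeded":true,"queries_per_hour":1250}',
}
SAMPLE_LOGIN = {
    "EVENT_TYPE": "Login",
    "TIMESTAMP": "2024-01-18 10:30:15.789",
    "USER_ID": "0055f00000FzHRw",
    "USER_NAME": "normal.user@company.com",
    "SOURCE_IP": "10.10.10.10",
    "SESSION_KEY": "jM2oO5gue06s2/Zo",
    "LOGIN_STATUS": "LOGIN_NO_ERROR",
}

if __name__ == "__main__":
    for alert in evaluate([SAMPLE_ANOMALY, SAMPLE_LOGIN]):
        print(alert["title"])
        print(json.dumps(alert["context"], indent=2))
```

Running the module prints one alert for the anomaly row and none for the login row. The rule deliberately does no scoring of its own: the Salesforce SCORE and SUMMARY are carried into the alert context so the analyst following the runbook sees them without a second query.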