Rules: Salesforce User Role Changed
Detects role changes. While this is a routine activity, role changes could be used by an adversary for persistence and privilege escalation. Salesforce admin match lists are exclude in this rule in an attempt to reduce the false positives due to expected admin activity. These match lists should be created and populated with Salesforce admin usernames and IPs.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Persistence |
| Apply Risk to Entities | srcDevice_ip, user_username |
| Signal Name | Salesforce User Role Changed |
| Summary Expression | {{description}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1098 |
| Origin | Field |
|---|---|
| Normalized Schema | listMatches |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |