In this blog post, we introduce the Salesforce Plugin for Falco, which ingests Salesforce Real-Time Event Monitoring Objects and transforms them into actionable Falco fields.
As many in the CNCF community know, Falco’s flexibility can be extended through Plugins, allowing users to build custom integrations to meet their unique security needs. Plugins extend the core functionalities of Falco, enabling new event sources and detection capabilities. This flexibility is especially powerful when it comes to monitoring SaaS services like Salesforce, Okta, and Box.
This plugin empowers organizations to detect and respond to Salesforce security threats in real-time, giving them the same level of visibility seen in containers, cloud platforms, and Kubernetes.
What the Salesforce Plugin Does
The Salesforce Plugin ingests critical event data from Salesforce’s Real-Time Event Monitoring, making it available for threat detection using Falco rules. This allows security teams to define custom rules that detect suspicious activities such as failed logins, unauthorized access, permission changes, and more—bringing a new level of real-time visibility into Salesforce.
With the plugin, you can monitor successful and failed logins, track logins from unusual geographies, and detect when administrators log in as other users. Beyond login activity, the plugin helps identify permission changes, spot API anomalies, and detect more advanced threats like session hijacking or credential stuffing attempts. A full list of the exported fields is available here.
By correlating Salesforce events with other data sources in Falco, you can detect lateral movement and other sophisticated attacks as they unfold across your cloud and SaaS.
Why Integrate Salesforce Events with Falco?
The value of ingesting Salesforce events into Falco lies in its ability to monitor multiple cloud platforms in parallel. With the Salesforce plugin, you can detect security incidents across your cloud infrastructure and SaaS services simultaneously. This capability is crucial for identifying active lateral movement across platforms in real-time, allowing security teams to respond quickly and mitigate damage.
Falco users can now unify their cloud-native threat detection efforts, extending coverage beyond Kubernetes and containers to include critical SaaS services like Salesforce.
Setting Up the Salesforce Plugin
To get started with the Salesforce plugin for Falco, you’ll need a few prerequisites:
- Salesforce Event Monitoring: The plugin requires access to Salesforce’s Real-Time Event Monitoring, which may require a Salesforce Shield or Event Monitoring subscription.
- Go 1.20 or higher: The plugin requires Go 1.20+ for compilation.
- Salesforce Connected App: The plugin uses the Client Credentials Flow to authenticate with Salesforce. You’ll need a Consumer Key, Consumer Secret, and Salesforce Login URL.
Once you have these credentials, configuring the plugin is rather straightforward within the Falco Configuration File:
plugins:
- name: salesforce
library_path: libsalesforce.so
init_config:
sfdcclientid: (your consumer key)
sfdcclientsecret: (your consumer secret)
sfdcloginurl: (your sfdc login url)
Debug: FalseCode language: YAML (yaml)After adding your credentials, simply enable the plugin in your falco.yaml config by setting:
load_plugins: [salesforce]Code language: YAML (yaml)Example Rules for Salesforce Threat Detection
With the Salesforce plugin, you can write rules to detect security incidents in real-time.
For example, detecting failed login attempts is simple using the following rule:
- rule: Failed Login
desc: User failed login
condition: salesforce.eventtype=LoginEvent and salesforce.loginstatus!="Success"
output: >
User %salesforce.username failed login (status=%salesforce.loginstatus, IP=%salesforce.sourceip, platform=%salesforce.platform, event ID=%salesforce.eventidentifier)
priority: ALERT
source: salesforce
tags: [salesforce, T1110, T1110.001, mitre_brute_force, mitre_password_guessing]Code language: YAML (yaml)To detect failed logins, we can use the existing Exported Fields that are handled by the plugin. Any event type where it’s a login event, and the login status is not equal to “Success” will naturally result in an unsuccessful or failed login attempt.
More often than not, Salesforce already has a specific event type related to the attack vector. So, if you’re looking to detect a credential stuffing attack, all you need to do is specify the condition of salesforce.eventtype=CredentialStuffingEvent.
- rule: Detected Credential Stuffing
desc: Detected Credential Stuffing
condition: salesforce.eventtype=CredentialStuffingEvent
output: >
Credential stuffing detected (User=%salesforce.username, IP=%salesforce.sourceip, User Agent=%salesforce.useragent, Event ID=%salesforce.eventidentifier)
priority: EMERGENCY
source: salesforce
tags: [salesforce, T1110, T1110.004, mitre_brute_force, mitre_credential_stuffing]Code language: YAML (yaml)Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service like Salesforce is compromised and the user account credentials accessed.
In this case, the rules can be tagged with the appropriate MITRE ATT&CK context for potential brute force attacks. These out-of-the-box rules also help users quickly identify potential threats in Salesforce, providing security teams with the foundation needed to respond effectively.
Why This Matters
The Salesforce plugin represents an important step toward securing SaaS services within a broader cloud-native environment. By leveraging Falco’s open-source ecosystem, users can monitor Salesforce alongside other platforms like Kubernetes, cloud providers, and more. This holistic view enhances security by allowing organizations to correlate events across platforms, improving detection capabilities and reducing blind spots.
As more businesses rely on SaaS platforms for critical functions, extending security to those platforms becomes increasingly important. With the Salesforce plugin for Falco, your organization gains the ability to detect and respond to threats in real-time—helping you stay ahead of attackers who may target these increasingly vital services.
Looking Ahead
As we’ve seen with plugins like Okta, which began as an open-source Falco plugin and later became a supported source in the Sysdig CNAPP platform, the Salesforce plugin could pave the way for deeper integration into enterprise security platforms. With open-source at its foundation, Falco allows users to address emerging threats with flexibility and speed, ensuring that your security evolves alongside the growing complexity of cloud-native environments.
We anticipate the Salesforce plugin, along with others like Box and GitLab, will become essential tools for organizations looking to secure their SaaS and cloud ecosystems. Stay ahead of the next high-profile breach by integrating and extending Falco with plugins.
By combining the power of Falco’s open-source detection capabilities with the flexibility to build custom integrations, your organization can achieve unparalleled visibility and protection across the cloud, containers, Kubernetes, and SaaS platforms like Salesforce.