Event Monitoring and offline forensics
Vulkro reads exported EventLogFile data offline and scores it for the
behavioural signatures of an active or recent compromise. You export the
logs once (through your own sf CLI or the Event Monitoring API) and
Vulkro analyses them on your machine: no live streaming, no agent
sitting in the org, no log data leaving the laptop. The rule set is the
SF-EVENT-MON-001 through SF-EVENT-MON-024 family, plus the
device-fingerprint session-anomaly rule SF-SESSION-FP-001.
Each rule carries a MITRE ATT&CK mapping so a finding lands directly in the same taxonomy your SOC already triages against. ATT&CK reference: https://attack.mitre.org/.
Authentication and session signatures
- SF-EVENT-MON-001 failed-login burst: a cluster of failedLogin events against one account or from one source above the burst threshold in a short window. Maps to ATT&CK T1110 (Brute Force).
- SF-EVENT-MON-002 impossible travel: two successful logins for the same user from geographies too far apart to be physically plausible in the elapsed time. Maps to T1078 (Valid Accounts).
- SF-EVENT-MON-003 session-token reuse: the same session identifier seen from two distinct source IPs or client fingerprints, the on-platform signature of a replayed or stolen session cookie. Maps to T1550 (Use Alternate Authentication Material).
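An added example of how the failed-login burst and session-token reuse signatures can be scored over an exported log, written for this page and not taken from Vulkro. It assumes a Login-style CSV whose column names (TIMESTAMP_DERIVED, USER_NAME, SOURCE_IP, LOGIN_STATUS, SESSION_KEY) are modelled on the Salesforce Login event type but should be treated as assumptions, and the burst window, the threshold and the sample rows are all constructed for the example.

```python
"""Constructed example: scoring exported login rows offline for
SF-EVENT-MON-001 (failed-login burst) and SF-EVENT-MON-003 (session-token
reuse). Not Vulkro's code; column names, thresholds and rows are assumed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not a real org's data).
SAMPLE_CSV = """TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS,SESSION_KEY
2024-01-10T08:00:00.000Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR,sk-aaa
2024-01-10T08:01:00.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,
2024-01-10T08:01:20.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,
2024-01-10T08:01:40.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,
2024-01-10T08:02:00.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,
2024-01-10T08:02:30.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,
2024-01-10T08:30:00.000Z,alice@example.com,192.0.2.55,LOGIN_NO_ERROR,sk-aaa
2024-01-10T09:00:00.000Z,carol@example.com,203.0.113.20,LOGIN_NO_ERROR,sk-ccc
"""

WINDOW = timedelta(minutes=5)  # assumed burst window
BURST_THRESHOLD = 5            # assumed: failures inside WINDOW that trigger the rule


def parse_rows(text):
    """Read the CSV and attach a parsed timestamp to every row."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows.append(r)
    return rows


def failed_login_bursts(rows, threshold=BURST_THRESHOLD, window=WINDOW):
    """SF-EVENT-MON-001: per user, slide a window over failure timestamps."""
    failures = defaultdict(list)
    for r in rows:
        if r["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            failures[r["USER_NAME"]].append(r["ts"])
    findings = []
    for user, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "SF-EVENT-MON-001", "attack": "T1110",
                                 "user": user, "count": end - start + 1,
                                 "window_start": stamps[start].isoformat()})
                break  # one finding per user is enough for triage
    return findings


def session_reuse(rows):
    """SF-EVENT-MON-003: the same SESSION_KEY observed from more than one source IP."""
    ips = defaultdict(set)
    for r in rows:
        if r["SESSION_KEY"]:
            ips[r["SESSION_KEY"]].add(r["SOURCE_IP"])
    return [{"rule": "SF-EVENT-MON-003", "attack": "T1550",
             "session": key, "source_ips": sorted(seen)}
            for key, seen in ips.items() if len(seen) > 1]


def scan(text):
    """Run both signatures over one exported file and return the findings."""
    rows = parse_rows(text)
    return failed_login_bursts(rows) + session_reuse(rows)


if __name__ == "__main__":
    for finding in scan(SAMPLE_CSV):
        print(finding)
```

In the sample, bob's five failures inside ninety seconds trip the burst rule and alice's session key appearing from two addresses trips the reuse rule; carol's single clean login produces nothing. The sliding-window loop is the part worth keeping: it counts failures within any window of the configured length, not just within fixed clock buckets, so a burst straddling a boundary is not missed.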
Reporting, dashboard, and export abuse
- SF-EVENT-MON-004 report abuse: a single user running reports at a volume or breadth far above their own baseline, the classic "scrape the CRM through the report engine" pattern. Maps to T1213 (Data from Information Repositories).
- SF-EVENT-MON-005 dashboard abuse: anomalous dashboard refresh or view volume used to page through data the user would not otherwise query directly.
- SF-EVENT-MON-006 bulk export / extract: large ApiTotalUsage or bulk-API extract volume tied to one principal. Maps to T1567 (Exfiltration Over Web Service).
Advanced exfiltration scoring
- SF-EVENT-MON-007 advanced exfiltration: a composite score that combines SOQL-query complexity (rows returned, objects joined, fields projected) with a per-user field-access baseline. A query that is both unusually complex AND touches fields the user has never read before scores higher than either signal alone, which is what separates a real exfiltration sweep from a one-off broad report. Maps to T1213 and T1567.
- SF-EVENT-MON-008 sensitive-field tracking: access to a curated set of sensitive fields (credentials, tokens, government identifiers, financial fields) is tracked per principal regardless of query volume, so a low-and-slow read of a few high-value fields still surfaces. Maps to T1530 (Data from Cloud Storage).
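An added example of the composite idea described for the two rules above: complexity and baseline novelty multiplied together, with sensitive-field hits tracked independently of volume. This is illustrative code written for this page, not Vulkro's scoring; the normalisation caps, the weights, the firing threshold, the sensitive-field list and the three sample queries are all assumptions.

```python
"""Constructed example of the composite scoring behind SF-EVENT-MON-007
(query complexity combined with a per-user field-access baseline) and
SF-EVENT-MON-008 (sensitive-field tracking). Not Vulkro's code: the
caps, weights, threshold and sensitive-field list are assumptions."""
from dataclasses import dataclass


@dataclass
class Query:
    user: str
    rows_returned: int
    objects_joined: int
    fields: tuple  # fully qualified field names projected by the query


# Assumed curated set of high-value fields (constructed names).
SENSITIVE_FIELDS = {"Contact.SSN__c", "Account.TaxId__c",
                    "User.AuthToken__c", "Opportunity.BankAccount__c"}
# Assumed normalisation caps: at or beyond these a query is maximal on that axis.
ROW_CAP, OBJECT_CAP, FIELD_CAP = 10_000, 5, 40
THRESHOLD = 50.0  # assumed score at or above which SF-EVENT-MON-007 fires


def complexity(q):
    """Mean of three axes, each clipped to [0, 1]."""
    axes = (min(q.rows_returned / ROW_CAP, 1.0),
            min(q.objects_joined / OBJECT_CAP, 1.0),
            min(len(q.fields) / FIELD_CAP, 1.0))
    return sum(axes) / len(axes)


def novelty(q, baseline):
    """Fraction of projected fields this user has never read before."""
    if not q.fields:
        return 0.0
    seen = baseline.get(q.user, set())
    return sum(1 for f in q.fields if f not in seen) / len(q.fields)


def exfil_score(q, baseline):
    """0..100; the c*n interaction term is what lifts 'complex AND novel'
    well above 'complex' or 'novel' on its own."""
    c, n = complexity(q), novelty(q, baseline)
    return round(100 * (0.25 * c + 0.25 * n + 0.5 * c * n), 1)


def sensitive_hits(q):
    """SF-EVENT-MON-008: volume-independent; any touch of a sensitive field counts."""
    return sorted(set(q.fields) & SENSITIVE_FIELDS)


def score_queries(queries, baseline):
    """Score in timeline order, folding each query's fields into the baseline afterwards."""
    findings = []
    for q in queries:
        score = exfil_score(q, baseline)
        if score >= THRESHOLD:
            findings.append(("SF-EVENT-MON-007", q.user, score))
        hits = sensitive_hits(q)
        if hits:
            findings.append(("SF-EVENT-MON-008", q.user, hits))
        baseline.setdefault(q.user, set()).update(q.fields)
    return findings


def demo():
    """Constructed timeline: a normal broad report, a sweep, and a low-and-slow read."""
    baseline = {"alice@example.com": {"Account.Name", "Account.Industry", "Contact.Email"}}
    sweep_fields = tuple(f"Obj{i}.Field{i}__c" for i in range(39)) + ("Contact.SSN__c",)
    queries = [
        Query("alice@example.com", 9_000, 2, ("Account.Name", "Account.Industry", "Contact.Email")),
        Query("alice@example.com", 10_000, 5, sweep_fields),
        Query("bob@example.com", 3, 1, ("User.AuthToken__c",)),
    ]
    return score_queries(queries, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The first query is large but entirely inside alice's baseline, so it scores low; the sweep is both maximal in complexity and wholly novel, so it scores 100 and also trips the sensitive-field rule; bob's three-row read never reaches the 007 threshold yet still surfaces through 008 because it touches a token field.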
Lateral movement and policy ingestion
- SF-EVENT-MON-009 grant-velocity lateral movement: a spike in permission grants (permission-set assignments, role changes) in a short window, the signature of an attacker spreading access after an initial foothold. Maps to T1098 (Account Manipulation) and T1078.
- SF-EVENT-MON-010 Transaction Security Policy ingestion: Vulkro ingests TransactionSecurity policy events so policy-blocked actions are correlated against the rest of the timeline rather than read in isolation.
Full API-abuse scoring (SF-EVENT-MON-011 through -018)
SF-EVENT-MON-011 through SF-EVENT-MON-018: the full API-abuse scoring band. These rules profile each API principal across request volume, endpoint diversity, error-to-success ratio, off-hours activity, and method mix, then score the principal against its own history and against org-wide norms. The band exists to catch a compromised integration user whose individual requests each look ordinary but whose aggregate behaviour does not. Maps to T1071 (Application Layer Protocol) and T1567.
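An added example of per-principal profiling along the five dimensions the band describes, scored against both the principal's own history and org-wide norms. It is written for this page and is not Vulkro's implementation: the row shape, the feature definitions, the 0.6/0.4 weighting, the z-score cap and the two sample principals are assumptions.

```python
"""Constructed example of per-principal API profiling in the spirit of the
SF-EVENT-MON-011 through -018 band: a daily feature vector per API user,
scored against that principal's own history and against org-wide norms.
Not Vulkro's code; the row shape, features, weights and cap are assumed."""
import statistics
from collections import defaultdict

FEATURES = ("volume", "endpoints", "error_ratio", "off_hours", "write_mix")


def features(rows):
    """rows: (day, principal, endpoint, method, status, hour) -> {(principal, day): features}."""
    by_key = defaultdict(list)
    for day, principal, endpoint, method, status, hour in rows:
        by_key[(principal, day)].append((endpoint, method, status, hour))
    out = {}
    for key, reqs in by_key.items():
        n = len(reqs)
        out[key] = {
            "volume": n,
            "endpoints": len({r[0] for r in reqs}),
            "error_ratio": sum(1 for r in reqs if r[2] >= 400) / n,
            "off_hours": sum(1 for r in reqs if r[3] < 7 or r[3] >= 20) / n,
            "write_mix": sum(1 for r in reqs if r[1] != "GET") / n,
        }
    return out


def zscore(value, history, cap=5.0):
    """Capped z-score; a flat history treats any deviation from it as maximal."""
    if len(history) < 2:
        return 0.0
    mu, sd = statistics.mean(history), statistics.pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else (cap if value > mu else -cap)
    return max(-cap, min(cap, (value - mu) / sd))


def score_day(feats, principal, day, history_days):
    """Per feature: 0.6 * own-history z + 0.4 * org-wide z; only upward excursions count."""
    today = feats[(principal, day)]
    total = 0.0
    for k in FEATURES:
        own = [feats[(principal, d)][k] for d in history_days if (principal, d) in feats]
        org = [v[k] for (_, d), v in feats.items() if d in history_days]
        part = 0.6 * zscore(today[k], own) + 0.4 * zscore(today[k], org)
        total += max(0.0, part)
    return round(total, 2)


def rank_principals(rows, history_days, day):
    """Score every principal active on `day` and return them highest first."""
    feats = features(rows)
    scores = [(p, score_day(feats, p, day, history_days)) for (p, d) in feats if d == day]
    return sorted(scores, key=lambda ps: ps[1], reverse=True)


def make_day(day, principal, count, n_endpoints, errors=0, off_hours=0, writes=0):
    """Sample-row generator (constructed, not real log data)."""
    return [(day, principal,
             f"/services/data/v58.0/sobjects/Obj{i % n_endpoints}",
             "PATCH" if i < writes else "GET",
             404 if i < errors else 200,
             2 if i < off_hours else 10)
            for i in range(count)]


def build_sample():
    """Three quiet days of history, then a day where every svc-int request looks
    ordinary on its own but the aggregate does not."""
    rows = []
    for day, n in ((1, 95), (2, 100), (3, 110)):
        rows += make_day(day, "svc-int", n, 3, errors=1)
        rows += make_day(day, "svc-report", 50, 2)
    rows += make_day(4, "svc-int", 105, 30, errors=10, off_hours=40, writes=20)
    rows += make_day(4, "svc-report", 50, 2)
    return rows


if __name__ == "__main__":
    for principal, score in rank_principals(build_sample(), (1, 2, 3), 4):
        print(f"{principal:12s} {score}")
```

The volume of svc-int on day 4 is barely above its own history, so that feature contributes almost nothing; endpoint diversity, error ratio, off-hours share and write mix each jump from a flat baseline and together push the principal well clear of svc-report, whose day 4 is indistinguishable from its past.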
Wave 9 EventTypes (SF-EVENT-MON-019 through -024)
These rules extend offline forensics to event types added in the Wave 9 detector set. Each correlates the new event stream into the same scoring model as the core rules above.
- SF-EVENT-MON-019 VisualforceRequest: anomalous Visualforce page request patterns (enumeration, forced browsing, parameter sweeping).
- SF-EVENT-MON-020 ContentDistribution: public content-distribution link creation and access, an exfiltration channel that bypasses the record-level UI. Maps to T1567.
- SF-EVENT-MON-021 WaveDownload: CRM Analytics (Wave) dataset downloads, a bulk-extract channel distinct from report and bulk-API export.
- SF-EVENT-MON-022 QueuedExecution / AsyncReportRun: queued and asynchronous report execution used to run heavy extracts out of band where synchronous limits would otherwise throttle them.
- SF-EVENT-MON-023 Search: global-search volume and breadth used to enumerate records across objects without issuing a flagged report or query.
- SF-EVENT-MON-024 ExternalCrossOrgCallout: cross-org callouts that move data to an external or attacker-controlled org. Maps to T1567 and T1071.
Device-fingerprint session anomaly: SF-SESSION-FP-001
Beyond the core event rules, Vulkro fingerprints the device and client seen on each session and flags a user whose session count from distinct device fingerprints exceeds the configured ceiling inside a rolling window. A burst of sessions from many never-before-seen fingerprints is the signature of a shared or stolen credential being used across an attacker's infrastructure. Maps to T1078 and T1550.
Two environment variables tune this rule:
- VULKRO_SF_EVENT_MON_DEVICE_FP_WINDOW_MINUTES: the rolling window, in minutes, over which distinct fingerprints are counted.
- VULKRO_SF_EVENT_MON_DEVICE_FP_COUNT: the number of distinct device fingerprints within that window above which the rule fires.
Widen the window or raise the count for orgs with large roaming or BYOD populations; tighten both for a fixed-workstation environment where any fingerprint churn is suspicious.
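An added example of the rolling-window check the rule describes, reading the two environment variables named above. It is written for this page, not taken from Vulkro: the session record shape, the way a fingerprint is derived from client attributes, the fallback values used when the variables are unset, and the sample sessions are all assumptions.

```python
"""Constructed example of the rolling-window distinct-fingerprint check
described for SF-SESSION-FP-001, tuned by the two environment variables
the page names. Not Vulkro's code: the session record shape, the
fingerprint derivation and the fallback values are assumptions."""
import hashlib
import os
from collections import defaultdict
from datetime import datetime, timedelta


def settings():
    """Read the tuning knobs; the fallback values are assumed for this example."""
    window_minutes = int(os.environ.get("VULKRO_SF_EVENT_MON_DEVICE_FP_WINDOW_MINUTES", "60"))
    ceiling = int(os.environ.get("VULKRO_SF_EVENT_MON_DEVICE_FP_COUNT", "3"))
    return window_minutes, ceiling


def fingerprint(browser, platform, cipher_suite):
    """Assumed fingerprint: a hash over client attributes an export carries."""
    raw = "|".join((browser, platform, cipher_suite)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def session(ts, user, browser, platform, cipher_suite):
    """Build one constructed session record."""
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "fp": fingerprint(browser, platform, cipher_suite)}


def flag_fingerprint_churn(sessions, window_minutes=None, ceiling=None):
    """Per user, slide the window over session start times and fire once when
    the distinct fingerprints inside it exceed the ceiling."""
    default_window, default_ceiling = settings()
    window = timedelta(minutes=default_window if window_minutes is None else window_minutes)
    ceiling = default_ceiling if ceiling is None else ceiling
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s["user"]].append((s["ts"], s["fp"]))
    findings = []
    for user, items in per_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {fp for _, fp in items[start:end + 1]}
            if len(distinct) > ceiling:
                findings.append({"rule": "SF-SESSION-FP-001", "attack": ["T1078", "T1550"],
                                 "user": user, "distinct_fingerprints": len(distinct),
                                 "window_start": items[start][0].isoformat()})
                break  # one finding per user per run
    return findings


# Constructed sample: alice's credential shows up on four different clients
# inside half an hour; bob alternates between two machines over a working day.
SAMPLE_SESSIONS = [
    session("2024-01-10T08:00:00", "alice@example.com", "Chrome/120", "Windows", "TLS_AES_128_GCM_SHA256"),
    session("2024-01-10T08:05:00", "alice@example.com", "Firefox/121", "Linux", "TLS_AES_256_GCM_SHA384"),
    session("2024-01-10T08:12:00", "alice@example.com", "Safari/17", "macOS", "TLS_AES_256_GCM_SHA384"),
    session("2024-01-10T08:25:00", "alice@example.com", "curl/8.4", "Linux", "TLS_CHACHA20_POLY1305_SHA256"),
    session("2024-01-10T07:30:00", "bob@example.com", "Chrome/120", "Windows", "TLS_AES_128_GCM_SHA256"),
    session("2024-01-10T12:00:00", "bob@example.com", "Chrome/120", "macOS", "TLS_AES_128_GCM_SHA256"),
    session("2024-01-10T18:00:00", "bob@example.com", "Chrome/120", "Windows", "TLS_AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    for finding in flag_fingerprint_churn(SAMPLE_SESSIONS):
        print(finding)
```

With a 60-minute window and a ceiling of 3, alice fires (four distinct fingerprints inside 25 minutes) and bob does not (two fingerprints, revisited). The tuning advice above maps directly onto the two parameters: shrinking the window to 10 minutes or raising the ceiling to 5 silences the alice finding, which is the trade-off a BYOD-heavy org makes when it loosens the rule.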
What this does not catch
Offline log analysis sees only what the org logged. An attacker who acts inside a single session that the org's Event Monitoring tier does not capture, or who operates entirely within a user's own established baseline, leaves no anomalous signature for these rules to score. The rules raise the cost of bulk and cross-session abuse; they are not a substitute for the configuration-level controls that prevent the access in the first place.
Where to go next
- Least privilege and privilege escalation: the configuration controls that reduce what a compromised account can reach.
- The vulkro-sf logs command reference: how to run this analysis and export findings to your SIEM.
- MITRE ATT&CK Enterprise matrix: https://attack.mitre.org/matrices/enterprise/