Most security monitoring is reactive: a rule fires, an alert lands, someone investigates. Threat hunting flips that around. Instead of waiting for an alert, you form a hypothesis about how an attacker might operate in your environment, then go looking for evidence — whether or not anything has tripped an alarm.
Salesforce is a high-value target because it holds customer data, pipeline, and often integrations into the rest of the business. The good news: it also produces rich telemetry you can hunt through.
Depending on your edition and licensing, useful sources include:
ApiAnomalyEvent and ReportAnomalyEvent when Threat Detection is enabled.

If you ship these to a SIEM, you can correlate Salesforce activity with the rest of your environment. If not, you can still hunt directly against the log files.
A good hunt begins with a question framed around attacker behavior. A few that map naturally to Salesforce:
"If an account were compromised, what would bulk data theft look like in our export and API logs?"
That single hypothesis points you at concrete signals to investigate.
Look at report-export and bulk-API events. Flag users exporting far more records than their baseline, exports at unusual hours, or a normally low-volume account suddenly pulling large datasets. Event Monitoring's ReportAnomalyEvent can seed this, but manual review catches what the model misses.
Cross-reference Login History IP addresses and timestamps. Two successful logins from geographically distant locations within a window too short for any real travel are a classic indicator of credential compromise. Also watch for logins from new countries, hosting/VPN ranges, or a spike in failed attempts before a success.
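The two signals above (exports far above a user's own baseline or at odd hours, and impossible-travel logins) can be scripted once you have the log files in hand. The following is an added example, not code from the original post or from any Salesforce product: it runs both checks over constructed sample records. The field layout (user, timestamp, row count; user, timestamp, status, latitude, longitude) and the thresholds (5x the user's median, 07:00-19:59 UTC as business hours, 900 km/h as the travel ceiling) are assumptions to tune for your org, not the exact EventLogFile or LoginHistory schema.

```python
"""Hunt helpers: export-volume baselines and impossible-travel logins.

Runs over constructed sample data; adapt the loaders to your exported
ReportExport / LoginHistory rows.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import median

# Constructed sample export events: (user, timestamp UTC, rows exported).
# Field names are an assumption, not the Salesforce EventLogFile schema.
EXPORT_EVENTS = [
    ("alice", "2024-03-01T10:05:00", 400),
    ("alice", "2024-03-02T11:20:00", 550),
    ("alice", "2024-03-03T09:45:00", 480),
    ("alice", "2024-03-04T03:10:00", 12000),   # off-hours and far above baseline
    ("bob",   "2024-03-01T14:00:00", 50),
    ("bob",   "2024-03-02T15:30:00", 60),
    ("bob",   "2024-03-03T13:15:00", 45),
    ("bob",   "2024-03-04T14:05:00", 70),
]

# Constructed login history: (user, timestamp UTC, status, latitude, longitude).
# Coordinates are illustrative city centres, not real session data.
LOGINS = [
    ("alice", "2024-03-04T02:00:00", "Success", 51.51, -0.13),    # London
    ("alice", "2024-03-04T02:40:00", "Success", 37.77, -122.42),  # San Francisco, 40 min later
    ("bob",   "2024-03-04T08:00:00", "Success", 40.71, -74.01),   # New York
    ("bob",   "2024-03-04T17:00:00", "Success", 34.05, -118.24),  # Los Angeles, 9 h later
]

BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 UTC; tune per org


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def hunt_exports(events, multiplier=5.0, min_history=2):
    """Flag exports that are off-hours or far above the user's own baseline.

    The baseline is the median of that user's *earlier* exports, so a single
    anomalous day is judged against history rather than contaminating it.
    Returns (user, timestamp, [reasons]) tuples.
    """
    by_user = defaultdict(list)
    for user, ts, rows in sorted(events, key=lambda e: e[1]):
        by_user[user].append((parse(ts), rows))
    findings = []
    for user, history in by_user.items():
        for i, (when, rows) in enumerate(history):
            reasons = []
            prior = [r for _, r in history[:i]]
            if len(prior) >= min_history and rows > multiplier * median(prior):
                reasons.append(f"{rows} rows vs baseline {median(prior):.0f}")
            if when.hour not in BUSINESS_HOURS:
                reasons.append(f"off-hours ({when:%H:%M} UTC)")
            if reasons:
                findings.append((user, when.isoformat(), reasons))
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def hunt_impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive successful logins whose implied speed exceeds max_kmh.

    Returns (user, timestamp of second login, distance_km, speed_kmh) tuples;
    two distant logins at the same instant yield an infinite speed.
    """
    by_user = defaultdict(list)
    for user, ts, status, lat, lon in sorted(logins, key=lambda l: l[1]):
        if status == "Success":
            by_user[user].append((parse(ts), lat, lon))
    findings = []
    for user, seq in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seq, seq[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours
            if km > 0 and speed > max_kmh:
                findings.append((user, t2.isoformat(), round(km), speed))
    return findings


if __name__ == "__main__":
    for f in hunt_exports(EXPORT_EVENTS) + hunt_impossible_travel(LOGINS):
        print(f)
```

Run as-is it reports one export finding (alice, 12,000 rows at 03:10 against a baseline of 480) and one travel finding (alice, London to San Francisco in 40 minutes); bob's New York to Los Angeles hop nine hours later stays quiet. The baseline deliberately uses only earlier events per user, which is also how you would run it over a rolling 30-day window in production.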
Use Setup Audit Trail to review who granted Modify All Data, created connected apps, changed sharing settings, or modified profiles and permission sets. Attackers who gain a foothold often expand access — and that expansion shows up here.
Profile your API traffic. A dormant integration user that suddenly issues unusual queries, or API calls from a new IP range, deserves a look. ApiAnomalyEvent helps, but knowing your integrations' normal behavior is what makes the anomaly obvious.
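The Setup Audit Trail review and the integration-user profiling above follow the same pattern: decide what "expected" looks like, then list everything outside it. As an added example (not the post's or Salesforce's own code), the block below triages constructed Setup Audit Trail rows for high-risk changes and compares recent API activity per integration user against a baseline window. The SetupAuditTrail field names (CreatedDate, CreatedBy, Section, Action, Display) mirror the real object, but every value, the approved-admin allow-list, the API event layout (user, timestamp, client IP, queried object) and the 30-day dormancy threshold are assumptions.

```python
"""Hunt helpers: privileged setup changes and integration-user API baselines.

Constructed sample data throughout; swap in your own exports.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed Setup Audit Trail rows. Field names mirror SetupAuditTrail;
# the values and actors are invented.
AUDIT_ROWS = [
    {"CreatedDate": "2024-03-02T10:00:00", "CreatedBy": "admin.jane", "Section": "Manage Users",
     "Action": "changedPermSet", "Display": "Changed permission set Sales Ops: Modify All Data enabled"},
    {"CreatedDate": "2024-03-03T09:30:00", "CreatedBy": "svc.marketing", "Section": "Connected Apps",
     "Action": "createdConnectedApp", "Display": "Created connected app DataSync"},
    {"CreatedDate": "2024-03-03T12:00:00", "CreatedBy": "admin.jane", "Section": "Email",
     "Action": "changedEmailTemplate", "Display": "Changed email template Welcome"},
    {"CreatedDate": "2024-03-04T18:45:00", "CreatedBy": "bob", "Section": "Sharing Settings",
     "Action": "changedOWD", "Display": "Changed organization-wide default sharing for Opportunity to Public Read/Write"},
]

# Terms drawn from the changes the post calls out; extend for your org.
HIGH_RISK_TERMS = ("modify all data", "view all data", "connected app",
                   "sharing", "permission set", "profile")
APPROVED_ADMINS = {"admin.jane"}  # assumed allow-list of expected change-makers

# Constructed API events: (integration user, timestamp UTC, client IP, object queried).
API_EVENTS = [
    ("int.billing", "2024-02-20T01:00:00", "203.0.113.10", "Invoice__c"),
    ("int.billing", "2024-02-21T01:00:00", "203.0.113.11", "Invoice__c"),
    ("int.billing", "2024-02-22T01:00:00", "203.0.113.10", "Account"),
    ("int.billing", "2024-03-04T15:30:00", "198.51.100.7", "Contact"),  # new network, new object
    ("int.hr",      "2024-01-10T02:00:00", "203.0.113.50", "User"),
    ("int.hr",      "2024-03-04T16:00:00", "203.0.113.50", "User"),     # silent for 54 days
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def hunt_audit_trail(rows, approved=APPROVED_ADMINS):
    """List high-risk setup changes in chronological order.

    Changes by an approved admin are marked 'review' (confirm they were
    planned); anything else is marked 'investigate'.
    Returns (actor, timestamp, severity, display text) tuples.
    """
    findings = []
    for row in sorted(rows, key=lambda r: r["CreatedDate"]):
        text = row["Display"].lower()
        if not any(term in text for term in HIGH_RISK_TERMS):
            continue
        severity = "review" if row["CreatedBy"] in approved else "investigate"
        findings.append((row["CreatedBy"], row["CreatedDate"], severity, row["Display"]))
    return findings


def hunt_api(events, baseline_end, dormant_days=30):
    """Compare API activity after baseline_end to each user's earlier behaviour.

    Baseline per user = set of source /24 networks and set of objects queried.
    Flags a new source network, a first-time object, or activity after a
    dormancy gap of at least dormant_days. Returns (user, timestamp, ip, [reasons]).
    """
    cutoff = parse(baseline_end)
    base = defaultdict(lambda: {"nets": set(), "objects": set()})
    last_seen = {}
    recent = []
    for user, ts, ip, obj in sorted(events, key=lambda e: e[1]):
        t = parse(ts)
        net = str(ip_network(f"{ip}/24", strict=False))
        if t < cutoff:
            base[user]["nets"].add(net)
            base[user]["objects"].add(obj)
            last_seen[user] = t
        else:
            recent.append((user, t, ip, net, obj))
    findings = []
    for user, t, ip, net, obj in recent:
        reasons = []
        if net not in base[user]["nets"]:
            reasons.append(f"new source network {net}")
        if obj not in base[user]["objects"]:
            reasons.append(f"first query against {obj}")
        gap = (t - last_seen[user]).days if user in last_seen else None
        if gap is not None and gap >= dormant_days:
            reasons.append(f"active again after {gap} dormant days")
        if reasons:
            findings.append((user, t.isoformat(), ip, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_audit_trail(AUDIT_ROWS) + hunt_api(API_EVENTS, "2024-03-01T00:00:00"):
        print(f)
```

On the sample data the audit hunt returns three rows (one 'review' for the approved admin, two 'investigate' for the connected app and the sharing change) and skips the email-template edit, while the API hunt flags int.billing for a new /24 and a first-ever Contact query and int.hr for waking up after 54 days. A user with no baseline at all (a brand-new integration) is flagged on every recent event, which is the behaviour you want when hunting.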
The output of a hunt isn't just "we found something" or "we found nothing." Every hunt should either surface an incident or produce a reusable detection. If you manually identified anomalous exports this week, codify that into an alert so you don't have to hunt for the same thing by hand next month. Over time, your hunts steadily raise your automated coverage.
You don't need a mature SOC to begin. Pick one hypothesis, pull the relevant logs for the last 30 days, establish what "normal" looks like, and investigate the outliers. That first cycle almost always teaches you something about your org.
Echo runs structured threat hunts against Salesforce and broader environments, then hands back both findings and the detections to keep watching. Get in touch if you'd like to talk through a hunt for your org.