Overview
Echo is a Salesforce AppExchange solution that safeguards Salesforce Orgs against account takeover (ATO), social engineering, phishing, malware, session hijacking, bot activity, and other cyberattacks in real time with the help of JA4+ fingerprinting and AI.
To learn more about the JA4+ fingerprinting methods, read the JA4+ announcement blog post.
Echo fingerprints Users any time they access a Lightning App that's monitored by Echo. These fingerprints act as identifiers that represent the unique combination of software that Users access their Org(s) with. As a result, each fingerprint is a unique identifier for the User that produced it, and bad actors will leave behind noticeably different fingerprints from the Users whom they attempt to impersonate in a phishing, session hijacking, or other credential-based cyberattack.
However, because the software system that each User accesses their Org(s) changes over time (e.g., a User updates their operating system, a User logs in to their Salesforce account on a new laptop while on vacation), their fingerprints change slightly over time. To accurately differentiate legitimate Users from bad actors amid these natural fingerprint mutations, we've developed a proprietary, AI- and JA4+ Database-powered risk assessment algorithm that generates a risk score for each fingerprint.
The risk score associated with each fingerprint is what enables Echo to classify Org traffic as legitimate or malicious with a high degree of confidence.
Salesforce Admins can prevent bad actors from accessing their Org's data by creating Triggers and Flows that revoke sessions, send messages, email response team(s), and take other thwarting actions when malicious fingerprints are detected by Echo.
How It Works
The solution is centralized around a Lightning Background Utility Component named DarkSailFingerprinter
. Adding this Background Utility Component to a Lightning App enables Echo to fingerprint all traffic that accesses that Lightning App by hitting the DarkSail API at https://darksail.ai/api/v1/fingerprint. The subsequent response from our endpoint contains the fingerprint data that are used to populate a Salesforce Custom Object named Fingerprint
:
Key | Value Type | Value Description |
---|---|---|
User |
| The User's Salesforce ID |
Fingerprint JA4 |
| The User's JA4 (TLS client) fingerprint |
Fingerprint JA4H |
| The User's JA4H (HTTP client) fingerprint |
Fingerprint JA4L |
| The User's JA4L (light distance) fingerprint |
Risk Score |
| The perceived risk of the Fingerprint, as assessed by DarkSail Takes on a value between 0 (no risk) and 100 (maximum risk) |
Count Seen |
| The number of observations of this exact Fingerprint |
First Seen |
| When this Fingerprint was first generated |
Last Seen |
| When this Fingerprint was last generated |
Created By |
| The Salesforce ID of the creator of the Fingerprint |
Last Modified By |
| The Salesforce ID of the last User who altered the Fingerprint |
Owner |
| The Salesforce ID of the owner of the Fingerprint |
Fingerprint Name |
| The unique identifier for the Fingerprint |
In addition to Fingerprint
, fingerprint data is surfaced as a Custom Platform Event and in the Real-Time Event Monitoring (RTEM) service:
Custom Object
A Custom Object is a simple way to store data unique to your Salesforce Org. Data stored in Custom Objects can be read via SOQL, displayed on Dashboards or Reports, and accessed through several other Salesforce services.
Custom Platform Event
Platform Events are secure and scalable messages that contain data. This is a great method for storing and processing fingerprints outside of Salesforce in destinations like security information and event management applications (SIEMS). Platform Events employ a pub/sub model, allowing external applications to subscribe to data streams and consume them in real time.
Real-Time Event Monitoring (RTEM)
RTEM is a product within Salesforce Shield that generates several standard events that can be acted on in real time through Transaction Security Policies. These Policies execute code that acts on Event Objects (like fingerprint data from Echo), enabling actions like triggering a multi-factor authentication process, triggering a password change request, or logging a User out.
Echo injects generated fingerprints and their associated risk scores into the AdditionalInfo
field of the ApiEvent
Object.
Last updated