Overview

Echo is a Salesforce AppExchange solution that safeguards Salesforce Orgs against account takeover (ATO), social engineering, phishing, malware, session hijacking, bot activity, and other cyberattacks in real time with the help of JA4+ fingerprinting and AI.

To learn more about the JA4+ fingerprinting methods, read the JA4+ announcement blog post.

Echo fingerprints Users any time they access a Lightning App that's monitored by Echo. These fingerprints act as identifiers that represent the unique combination of software that Users access their Org(s) with. As a result, each fingerprint is a unique identifier for the User that produced it, and bad actors will leave behind noticeably different fingerprints from the Users whom they attempt to impersonate in a phishing, session hijacking, or other credential-based cyberattack.

However, because the software system with which each User accesses their Org(s) changes over time (e.g., a User updates their operating system, or a User logs in to their Salesforce account on a new laptop while on vacation), their fingerprints change slightly over time. To accurately differentiate legitimate Users from bad actors amid these natural fingerprint mutations, we've developed a proprietary, AI- and JA4+ Database-powered risk assessment algorithm that generates a risk score for each fingerprint.

The risk score associated with each fingerprint is what enables Echo to classify Org traffic as legitimate or malicious with a high degree of confidence.

Salesforce Admins can prevent bad actors from accessing their Org's data by creating Triggers and Flows that revoke sessions, send messages, email response team(s), and take other thwarting actions when malicious fingerprints are detected by Echo.

How It Works

The solution is centralized around a Lightning Background Utility Component named DarkSailFingerprinter. Adding this Background Utility Component to a Lightning App enables Echo to fingerprint all traffic that accesses that Lightning App by hitting the DarkSail API at https://darksail.ai/api/v1/fingerprint. The subsequent response from our endpoint contains the fingerprint data that are used to populate a Salesforce Custom Object named Fingerprint:

| Key | Value Type | Value Description |
| --- | --- | --- |
| User | string | The User's Salesforce ID |
| Fingerprint JA4 | string | The User's JA4 (TLS client) fingerprint |
| Fingerprint JA4H | string | The User's JA4H (HTTP client) fingerprint |
| Fingerprint JA4L | string | The User's JA4L (light distance) fingerprint |
| Risk Score | number | The perceived risk of the Fingerprint, as assessed by DarkSail. Takes on a value between 0 (no risk) and 100 (maximum risk) |
| Count Seen | number | The number of observations of this exact Fingerprint |
| First Seen | datetime | When this Fingerprint was first generated |
| Last Seen | datetime | When this Fingerprint was last generated |
| Created By | User | The Salesforce ID of the creator of the Fingerprint |
| Last Modified By | User | The Salesforce ID of the last User who altered the Fingerprint |
| Owner | User | The Salesforce ID of the owner of the Fingerprint |
| Fingerprint Name | string | The unique identifier for the Fingerprint |

In addition to Fingerprint, fingerprint data is surfaced as a Custom Platform Event and in the Real-Time Event Monitoring (RTEM) service:

Custom Object

A Custom Object is a simple way to store data unique to your Salesforce Org. Data stored in Custom Objects can be read via SOQL, displayed on Dashboards or Reports, and accessed through several other Salesforce services.

Custom Platform Event

Platform Events are secure and scalable messages that contain data. This is a great method for storing and processing fingerprints outside of Salesforce in destinations like security information and event management applications (SIEMs). Platform Events employ a pub/sub model, allowing external applications to subscribe to data streams and consume them in real time.
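As an added example (not DarkSail's code), the sketch below shows how a SIEM-side consumer could triage fingerprint events from the Platform Event stream by combining the Risk Score with each User's previously accepted fingerprints. The JSON key names, the two thresholds, and the action labels are assumptions, since the event schema is not shown on this page.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line. The key names are
# assumptions modelled on the Fingerprint fields; fingerprint values are made up.
SAMPLE_EVENTS = """\
{"user": "005A", "ja4": "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb", "ja4h": "ge11cn20enus_111111111111", "risk_score": 5}
{"user": "005A", "ja4": "t13d1312h2_cccccccccccc_dddddddddddd", "ja4h": "ge11cn18enus_222222222222", "risk_score": 55}
{"user": "005A", "ja4": "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb", "ja4h": "ge11cn20enus_111111111111", "risk_score": 55}
{"user": "005B", "ja4": "t12i0907h1_eeeeeeeeeeee_ffffffffffff", "ja4h": "po11nn05enus_333333333333", "risk_score": 92}
{"user": "005A", "ja4": "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb", "ja4h": "ge11cn20enus_111111111111", "risk_score": 140}
not-json
"""

REVOKE_AT = 80  # assumed threshold on the 0-100 Risk Score
REVIEW_AT = 50  # assumed threshold for scores that need per-User context


def triage(lines, revoke_at=REVOKE_AT, review_at=REVIEW_AT):
    """Return one (user, action) tuple per non-empty input line."""
    baseline = defaultdict(set)  # user -> (ja4, ja4h) pairs accepted before
    decisions = []
    for raw in filter(str.strip, lines):
        try:
            ev = json.loads(raw)
            user, score = ev["user"], float(ev["risk_score"])
            # JA4L is left out: it reflects distance, so it varies with location.
            pair = (ev["ja4"], ev["ja4h"])
        except (ValueError, KeyError, TypeError):
            decisions.append((None, "invalid"))
            continue
        if not 0 <= score <= 100:
            decisions.append((user, "invalid"))  # outside the documented range
        elif score >= revoke_at:
            decisions.append((user, "revoke_session"))
        elif score >= review_at and pair not in baseline[user]:
            decisions.append((user, "review"))
        else:
            decisions.append((user, "allow"))
            baseline[user].add(pair)
    return decisions


if __name__ == "__main__":
    for user, action in triage(SAMPLE_EVENTS.splitlines()):
        print(user, action)
```

A mid-range score on a fingerprint the User has already been allowed with is accepted, while the same score on an unfamiliar fingerprint is queued for review, which is one way to absorb the natural fingerprint drift described in the Overview.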

Real-Time Event Monitoring (RTEM)

RTEM is a product within Salesforce Shield that generates several standard events that can be acted on in real time through Transaction Security Policies. These Policies execute code that acts on Event Objects (like fingerprint data from Echo), enabling actions like triggering a multi-factor authentication process, triggering a password change request, or logging a User out.

Echo injects generated fingerprints and their associated risk scores into the AdditionalInfo field of the ApiEvent Object.
