Overview
Echo is a Salesforce AppExchange solution that safeguards Salesforce Orgs against account takeover (ATO), social engineering, phishing, malware, session hijacking, bot activity, and other cyberattacks in real time with the help of JA4+ fingerprinting and AI.
To learn more about the JA4+ fingerprinting methods, read the JA4+ announcement blog post.
Echo fingerprints Users any time they access a Lightning App that's monitored by Echo. These fingerprints act as identifiers that represent the unique combination of software that Users access their Org(s) with. As a result, each fingerprint is a unique identifier for the User that produced it, and bad actors will leave behind noticeably different fingerprints from the Users whom they attempt to impersonate in a phishing, session hijacking, or other credential-based cyberattack.
However, because the software system that each User accesses their Org(s) with changes over time (e.g., a User updates their operating system, or logs in to their Salesforce account on a new laptop while on vacation), their fingerprints change slightly over time. To accurately differentiate legitimate Users from bad actors amid these natural fingerprint mutations, we've developed a proprietary, AI- and JA4+ Database-powered risk assessment algorithm that generates a risk score for each fingerprint.
The risk score associated with each fingerprint is what enables Echo to classify Org traffic as legitimate or malicious with a high degree of confidence.
Salesforce Admins can prevent bad actors from accessing their Org's data by creating Triggers and Flows that revoke sessions, send messages, email response team(s), and take other thwarting actions when malicious fingerprints are detected by Echo.
The solution is centralized around a Lightning Background Utility Component named `DarkSailFingerprinter`. Adding this Background Utility Component to a Lightning App enables Echo to fingerprint all traffic that accesses that Lightning App by hitting the DarkSail API at https://darksail.ai/api/v1/fingerprint. The subsequent response from our endpoint contains the fingerprint data that are used to populate a Salesforce Custom Object named `Fingerprint`:
Key | Value Type | Value Description |
---|---|---|
User | string | The User's Salesforce ID |
Fingerprint JA4 | string | The User's JA4 (TLS client) fingerprint |
Fingerprint JA4H | string | The User's JA4H (HTTP client) fingerprint |
Fingerprint JA4L | string | The User's JA4L (light distance) fingerprint |
Risk Score | number | The perceived risk of the Fingerprint, as assessed by DarkSail. Takes on a value between 0 (no risk) and 100 (maximum risk) |
Count Seen | number | The number of observations of this exact Fingerprint |
First Seen | datetime | When this Fingerprint was first generated |
Last Seen | datetime | When this Fingerprint was last generated |
Created By | User | The Salesforce ID of the creator of the Fingerprint |
Last Modified By | User | The Salesforce ID of the last User who altered the Fingerprint |
Owner | User | The Salesforce ID of the owner of the Fingerprint |
Fingerprint Name | string | The unique identifier for the Fingerprint |

In addition to `Fingerprint`, fingerprint data is surfaced as a Custom Platform Event and in the Real-Time Event Monitoring (RTEM) service:

A Custom Object is a simple way to store data unique to your Salesforce Org. Data stored in Custom Objects can be read via SOQL, displayed on Dashboards or Reports, and accessed through several other Salesforce services.

Platform Events are secure and scalable messages that contain data. This is a great method for storing and processing fingerprints outside of Salesforce in destinations like security information and event management applications (SIEMs). Platform Events employ a pub/sub model, allowing external applications to subscribe to data streams and consume them in real time.

RTEM is a product within Salesforce Shield that generates several standard events that can be acted on in real time through Transaction Security Policies. These Policies execute code that acts on Event Objects (like fingerprint data from Echo), enabling actions like triggering a multi-factor authentication process, triggering a password change request, or logging a User out.

Echo injects generated fingerprints and their associated risk scores into the `AdditionalInfo` field of the `ApiEvent` Object.
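
A SIEM-side triage of fingerprint events like those described above, added here as an illustration; it is not DarkSail's or Echo's own code. The JSON key names, the sample values, the action names and the 80/50 cut-offs are assumptions; only the 0 to 100 Risk Score range comes from this page.

```python
import json
from collections import defaultdict

# Assumed cut-offs on the page's 0-100 Risk Score scale; tune per Org.
BLOCK_AT, REVIEW_AT = 80, 50

# Constructed sample events, one JSON object per line. Key names and
# fingerprint values are hypothetical, not Echo's real payload.
SAMPLE = """
{"user": "005A", "ja4": "t13d1516h2_aaaa_bbbb", "ja4h": "ge11nn05enus_cccc", "risk_score": 3}
{"user": "005A", "ja4": "t13d1516h2_aaaa_bbbb", "ja4h": "ge11nn05enus_cccc", "risk_score": 55}
{"user": "005A", "ja4": "t13d1517h2_aaaa_dddd", "ja4h": "ge11nn05enus_cccc", "risk_score": 55}
{"user": "005A", "ja4": "t12d0906h1_eeee_ffff", "ja4h": "po11nn03enus_gggg", "risk_score": 97}
{"user": "005B", "ja4": "t13d1516h2_aaaa_bbbb", "risk_score": 10}
not json
"""

def triage(lines, block_at=BLOCK_AT, review_at=REVIEW_AT):
    """Return one (user, action) pair per non-blank input line."""
    baseline = defaultdict(set)  # user -> fingerprints previously allowed
    out = []
    for line in filter(None, map(str.strip, lines.splitlines())):
        try:
            ev = json.loads(line)
            user, score = str(ev["user"]), float(ev["risk_score"])
            fp = (ev["ja4"], ev["ja4h"])
        except (ValueError, KeyError, TypeError):
            out.append((None, "malformed"))  # never fail open on bad input
            continue
        if not 0 <= score <= 100:
            action = "malformed"           # outside the documented range
        elif score >= block_at:
            action = "revoke_session"      # high risk: cut the session
        elif score >= review_at and fp not in baseline[user]:
            action = "step_up_mfa"         # medium risk on an unseen fingerprint
        else:
            action = "allow"               # low risk, or medium on a known one
            baseline[user].add(fp)
        out.append((user, action))
    return out

if __name__ == "__main__":
    for user, action in triage(SAMPLE):
        print(user, action)
```

Records that fail to parse or carry an out-of-range score are routed to `malformed` rather than silently allowed, so a broken feed shows up as an alert instead of a gap in coverage.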