sf-agent-framework
AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction
# Salesforce Security Audit - SOQL Data Extraction Queries
## For Dashboard and Analytical Reports Generation
### Query Execution Instructions
1. Execute each query in Developer Console or Workbench
2. Export results to CSV for processing
3. Use the results to populate the dashboard templates below
---
## 🔴 CRITICAL SECURITY METRICS - EXECUTIVE DASHBOARD
### 1. System Administrator Access Analysis
```sql
-- Paste one SELECT at a time: SOQL has no comment syntax, so the '--' label
-- lines are not part of the query. SOQL also has no CASE, conditional COUNT
-- or string concatenation, so derived columns are computed in the CSV step.
-- Query 1A: System Administrator Count and Activity (one count per bucket)
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator'
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator' AND IsActive = true
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator' AND LastLoginDate = LAST_N_DAYS:30
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator' AND TwoFactorEnabled = false
-- Query 1B: System Administrator Details
-- Full_Name (FirstName + LastName) and Activity_Status (LastLoginDate older than
-- 90 days: 'Inactive >90 days'; older than 30 days: 'Inactive 30-90 days'; else
-- 'Active') are derived in the CSV step. NULLS LAST keeps admins who never logged
-- in visible at the end instead of mixed in with the most recent logins.
SELECT Username, Email, FirstName, LastName, IsActive, TwoFactorEnabled, LastLoginDate, CreatedDate
FROM User
WHERE Profile.Name = 'System Administrator'
ORDER BY IsActive DESC, LastLoginDate DESC NULLS LAST
```
### 2. Critical Permissions Distribution
```sql
-- Query 2A: View All Data Permission Summary
-- SOQL has no UNION: run the profile half and the permission-set half separately.
-- Aggregate aliases take no AS keyword. Assignee.IsActive is filtered so that both
-- halves count active users only.
SELECT Profile.Name sourceName, COUNT(Id) userCount
FROM User
WHERE Profile.PermissionsViewAllData = true
AND IsActive = true
GROUP BY Profile.Name
SELECT PermissionSet.Name sourceName, COUNT(AssigneeId) userCount
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsViewAllData = true
AND PermissionSet.IsOwnedByProfile = false
AND Assignee.IsActive = true
GROUP BY PermissionSet.Name
-- Query 2B: Modify All Data Permission Summary
SELECT Profile.Name sourceName, COUNT(Id) userCount
FROM User
WHERE Profile.PermissionsModifyAllData = true
AND IsActive = true
GROUP BY Profile.Name
SELECT PermissionSet.Name sourceName, COUNT(AssigneeId) userCount
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsModifyAllData = true
AND PermissionSet.IsOwnedByProfile = false
AND Assignee.IsActive = true
GROUP BY PermissionSet.Name
```
### 3. MFA Enforcement Status
```sql
-- Query 3: MFA Coverage Analysis
-- One row per profile and MFA flag; MFA_Coverage_Percent is
-- enabled / (enabled + disabled) * 100, computed in the CSV step.
SELECT Profile.Name profileName, TwoFactorEnabled mfaEnabled, COUNT(Id) userCount
FROM User
WHERE IsActive = true
AND Profile.PermissionsModifyAllData = true
GROUP BY Profile.Name, TwoFactorEnabled
ORDER BY Profile.Name
```
---
## 📊 LAYER-BASED SECURITY ASSESSMENT DASHBOARD
### FOUNDATION LAYER (30% Weight)
#### 4. Password Policy Assessment
```sql
-- Query 4: Password Policy Configuration
-- PasswordComplexity legend: 0 No Policy, 1 Alpha Only, 2 Alphanumeric,
-- 3 Alphanumeric + Special, 4 Alphanumeric + Special + No Common.
-- Security_Rating is derived in the CSV step: STRONG when MinPasswordLength >= 12
-- and complexity >= 3, MODERATE when length >= 8 and complexity >= 2, else WEAK.
SELECT Name, PasswordComplexity, MinPasswordLength, PasswordExpiration, PasswordHistory, MaxLoginAttempts
FROM PasswordPolicy
```
#### 5. Login Security Analysis
```sql
-- Query 5A: IP Restriction Coverage (number of login IP ranges configured)
SELECT COUNT() FROM LoginIpRange
-- Query 5B: Login-As Activity Monitoring
-- LoginHistory is keyed on LoginTime (it has no CreatedDate), and it has no
-- LoginHistoryId field, so the acting administrator cannot be counted from it;
-- only the users being logged in as are counted here.
SELECT CALENDAR_MONTH(LoginTime) loginMonth, COUNT(Id) loginAsEvents, COUNT_DISTINCT(UserId) uniqueUsersTargeted
FROM LoginHistory
WHERE LoginType = 'Login As'
AND LoginTime = LAST_N_DAYS:90
GROUP BY CALENDAR_MONTH(LoginTime)
```
#### 6. Guest User Security Status
```sql
-- Query 6: Guest User Analysis (one row per guest profile and active flag)
SELECT Profile.Name guestProfile, IsActive, COUNT(Id) guestUserCount
FROM User
WHERE UserType = 'Guest'
GROUP BY Profile.Name, IsActive
```
### USER EXPERIENCE LAYER (15% Weight)
#### 7. PII Field Exposure Analysis
```sql
-- Query 7: PII Field Access Summary
-- FieldPermissions.Field is a plain 'Object.Field' string, not a relationship, so
-- data type and encryption status cannot be read through it; list the org's PII
-- fields explicitly (the three below are placeholders) and join the encryption
-- status per field in the CSV step. Each row is one profile or permission set
-- with read access; count distinct Parent.Name per field in the CSV step.
SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name
FROM FieldPermissions
WHERE PermissionsRead = true
AND Field IN ('Contact.Email', 'Contact.Phone', 'Contact.Birthdate')
ORDER BY SobjectType, Field
```
#### 8. Session Security Configuration
```sql
-- Query 8: Session Settings Assessment
-- Timeout_Compliance is derived in the CSV step: SessionTimeout <= 120 COMPLIANT,
-- <= 240 WARNING, otherwise NON-COMPLIANT.
SELECT SessionTimeout, ForceLogoutOnSessionTimeout, EnableCSRFOnGet, EnableCSRFOnPost, EnableClickjackProtectionForNonSetupPages
FROM SecuritySettings
```
### APPLICATION LOGIC LAYER (20% Weight)
#### 9. Apex Security Analysis
```sql
-- Query 9A/9B: Apex Sharing Model Compliance and Dynamic SOQL Risk Assessment
-- ApexClass.Body is not filterable, so LIKE on it is rejected. Export Body and
-- classify in the CSV step: 'with sharing' / 'without sharing' / no sharing
-- keyword (Risk_Percentage = without sharing / total * 100), and flag classes
-- containing 'Database.query' as HIGH / 'Dynamic SOQL Detected'. Managed-package
-- classes are excluded because their Body is hidden.
SELECT Id, Name, ApiVersion, Status, CreatedBy.Name, LastModifiedDate, Body
FROM ApexClass
WHERE Status = 'Active'
AND NamespacePrefix = null
ORDER BY LastModifiedDate DESC
```
#### 10. Flow Security Analysis
```sql
-- Query 10: Flow Execution Mode Analysis
-- RunInMode is a field of FlowVersionView, not FlowDefinitionView; an active
-- definition is represented by its version with Status = 'Active'.
-- Security_Context labels (DefaultMode: User Context, SystemModeWithSharing:
-- System Mode WITH Sharing, SystemModeWithoutSharing: System Mode WITHOUT
-- Sharing) and Risk_Level (SystemModeWithoutSharing HIGH, SystemModeWithSharing
-- MEDIUM, else LOW) are derived in the CSV step.
SELECT FlowDefinitionViewId, Label, ProcessType, RunInMode, VersionNumber
FROM FlowVersionView
WHERE Status = 'Active'
ORDER BY RunInMode, ProcessType
```
### DATA LAYER (25% Weight)
#### 11. Data Access Permissions Matrix
```sql
-- Query 11A: Organization-Wide Critical Permissions Summary
-- SOQL has no UNION or scalar subqueries in SELECT: run two counts per
-- permission (profiles granting it, active users holding it through a profile).
-- View All Data
SELECT COUNT() FROM Profile WHERE PermissionsViewAllData = true
SELECT COUNT() FROM User WHERE IsActive = true AND Profile.PermissionsViewAllData = true
-- Modify All Data
SELECT COUNT() FROM Profile WHERE PermissionsModifyAllData = true
SELECT COUNT() FROM User WHERE IsActive = true AND Profile.PermissionsModifyAllData = true
-- Data Export
SELECT COUNT() FROM Profile WHERE PermissionsDataExport = true
SELECT COUNT() FROM User WHERE IsActive = true AND Profile.PermissionsDataExport = true
```
#### 12. Object-Level Access Analysis
```sql
-- Query 12: Object Permission Risk Matrix
-- One row per object and View All / Modify All combination; the count is the
-- number of profiles and permission sets (ParentId) granting it. Risk_Level is
-- derived in the CSV step: Modify All grants > 5 CRITICAL, > 2 HIGH,
-- View All grants > 5 MEDIUM, otherwise LOW.
SELECT SobjectType, PermissionsViewAllRecords, PermissionsModifyAllRecords, COUNT_DISTINCT(ParentId) grantCount
FROM ObjectPermissions
WHERE PermissionsViewAllRecords = true OR PermissionsModifyAllRecords = true
GROUP BY SobjectType, PermissionsViewAllRecords, PermissionsModifyAllRecords
ORDER BY SobjectType
```
#### 13. Sharing Model Assessment
```sql
-- Query 13A: OWD Settings Analysis
-- Org-wide defaults are exposed on EntityDefinition as InternalSharingModel and
-- ExternalSharingModel (Private, Read, ReadWrite, ReadWriteTransfer, FullAccess,
-- ControlledByParent). Security_Assessment is derived in the CSV step:
-- ReadWrite / ReadWriteTransfer / FullAccess HIGH RISK, Read MEDIUM RISK, else SECURE.
SELECT QualifiedApiName, InternalSharingModel, ExternalSharingModel
FROM EntityDefinition
WHERE IsCustomizable = true
-- Query 13B: Manual Sharing Analysis
-- AccountShare references the record as AccountId (ParentId is the name used on
-- custom-object share tables).
SELECT COUNT(Id) manualShareCount, COUNT_DISTINCT(AccountId) recordsAffected, COUNT_DISTINCT(UserOrGroupId) usersGroupsGranted
FROM AccountShare
WHERE RowCause = 'Manual'
```
### INTEGRATION LAYER (10% Weight)
#### 14. API Security Analysis
```sql
-- Query 14A: API User Assessment
-- One row per API-only profile and active flag; a second query gives the
-- recently active users per profile.
SELECT Profile.Name apiProfile, IsActive, COUNT(Id) userCount
FROM User
WHERE ProfileId IN (SELECT Id FROM Profile WHERE PermissionsApiUserOnly = true)
GROUP BY Profile.Name, IsActive
SELECT Profile.Name apiProfile, COUNT(Id) recentlyActive
FROM User
WHERE ProfileId IN (SELECT Id FROM Profile WHERE PermissionsApiUserOnly = true)
AND LastLoginDate = LAST_N_DAYS:30
GROUP BY Profile.Name
-- Query 14B: API Permission Set Usage
SELECT PermissionSet.Name apiPermSet, COUNT_DISTINCT(AssigneeId) assignedUsers
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsApiUserOnly = true
AND PermissionSet.IsOwnedByProfile = false
GROUP BY PermissionSet.Name
```
#### 15. Connected App Security
```sql
-- Query 15A: Connected App Risk Assessment
-- Approval status is OptionsAllowAdminApprovedUsersOnly and the refresh-token
-- policy is RefreshTokenValidityPeriod; IP relaxation is not available on this
-- object, so record it from Setup > Manage Connected Apps. Risk_Level is derived
-- in the CSV step: not admin-approved or IP relaxed HIGH, unlimited refresh
-- token MEDIUM, otherwise LOW.
SELECT Name, OptionsAllowAdminApprovedUsersOnly, RefreshTokenValidityPeriod, CreatedDate
FROM ConnectedApplication
ORDER BY OptionsAllowAdminApprovedUsersOnly ASC, CreatedDate DESC
-- Query 15B: OAuth Token Analysis
-- SOQL has no BETWEEN; the 30-90 day band is bounded with two date literals.
-- Active tokens (used in the last 30 days)
SELECT COUNT() FROM OAuthToken WHERE LastUsedDate = LAST_N_DAYS:30
-- Stale tokens (30-90 days)
SELECT COUNT() FROM OAuthToken WHERE LastUsedDate = LAST_N_DAYS:90 AND LastUsedDate < LAST_N_DAYS:30
-- Unused tokens (>90 days)
SELECT COUNT() FROM OAuthToken WHERE LastUsedDate < LAST_N_DAYS:90
```
---
## 📈 TREND ANALYSIS QUERIES
### 16. Security Posture Trends
```sql
-- Query 16A: User Growth vs Security Controls
-- Grouped by year and month (180 days can span a year boundary) and MFA flag;
-- the second query restricts the same breakdown to Modify All Data profiles.
-- Sort by year and month in the CSV step.
SELECT CALENDAR_YEAR(CreatedDate) createdYear, CALENDAR_MONTH(CreatedDate) createdMonth, TwoFactorEnabled mfaEnabled, COUNT(Id) newUsers
FROM User
WHERE CreatedDate = LAST_N_DAYS:180
GROUP BY CALENDAR_YEAR(CreatedDate), CALENDAR_MONTH(CreatedDate), TwoFactorEnabled
SELECT CALENDAR_YEAR(CreatedDate) createdYear, CALENDAR_MONTH(CreatedDate) createdMonth, COUNT(Id) newAdminUsers
FROM User
WHERE CreatedDate = LAST_N_DAYS:180
AND Profile.PermissionsModifyAllData = true
GROUP BY CALENDAR_YEAR(CreatedDate), CALENDAR_MONTH(CreatedDate)
-- Query 16B: Login Activity Patterns
-- WEEK_IN_YEAR is the SOQL week function (there is no CALENDAR_WEEK). Rows with
-- Status other than 'Success' are the failed logins.
SELECT WEEK_IN_YEAR(LoginTime) loginWeek, Status, COUNT(Id) logins, COUNT_DISTINCT(UserId) uniqueUsers
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:30
GROUP BY WEEK_IN_YEAR(LoginTime), Status
SELECT WEEK_IN_YEAR(LoginTime) loginWeek, COUNT(Id) loginAsEvents
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:30
AND LoginType = 'Login As'
GROUP BY WEEK_IN_YEAR(LoginTime)
```
### 17. Compliance Readiness Score
```sql
-- Query 17: Compliance Control Assessment
-- Each Compliance_Score is numerator * 100 / denominator, computed in the CSV step.
-- MFA Coverage (GDPR Art. 32): active users with MFA / active users
SELECT COUNT() FROM User WHERE IsActive = true AND TwoFactorEnabled = true
SELECT COUNT() FROM User WHERE IsActive = true
-- Password Policy Strength (ISO 27001 A.9): minimum length >= 12 scores 100, >= 8 scores 75, else 50
SELECT MIN(MinPasswordLength) minLength FROM PasswordPolicy
-- Data Encryption (GDPR Art. 25): encrypted Email/Phone fields / all Email/Phone fields.
-- FieldDefinition must be queried one object at a time; filter DataType in the CSV step.
SELECT QualifiedApiName, DataType, IsEncrypted
FROM FieldDefinition
WHERE EntityDefinition.QualifiedApiName = 'Contact'
```
---
## 🚨 CRITICAL FINDINGS SUMMARY QUERY
### 18. Executive Risk Dashboard Data
```sql
-- Query 18: Aggregate Risk Summary
-- SOQL has no UNION or arithmetic across queries; run the counts below and sum
-- each group in the CSV step to get Finding_Count per Risk_Level.
-- Critical: Immediate Action Required
SELECT COUNT() FROM User WHERE Profile.Name = 'System Administrator' AND TwoFactorEnabled = false
SELECT COUNT() FROM Profile WHERE PermissionsModifyAllData = true
SELECT COUNT() FROM User WHERE UserType = 'Guest' AND IsActive = true
-- High: Fix within 7 days
-- (Apex 'without sharing' classes: ApexClass.Body is not filterable; take the
-- count from the Query 9 Body export.)
SELECT COUNT() FROM Profile WHERE PermissionsViewAllData = true
SELECT COUNT() FROM ConnectedApplication WHERE OptionsAllowAdminApprovedUsersOnly = false
-- Medium: Fix within 30 days
SELECT COUNT() FROM FlowVersionView WHERE RunInMode = 'SystemModeWithSharing' AND Status = 'Active'
SELECT COUNT() FROM Profile WHERE PermissionsDataExport = true
```
---
## 📝 DATA EXTRACTION INSTRUCTIONS
### Step 1: Execute Queries
1. Open Developer Console or Workbench
2. Execute each query section
3. Export results to CSV
### Step 2: Generate Reports
1. Use the Dashboard Template (security-audit-dashboard.md)
2. Populate metrics from query results
3. Calculate risk scores using the scoring matrix
### Step 3: Create Visualizations
1. Use the data to create charts in Excel/Google Sheets
2. Generate heat maps for risk areas
3. Create trend lines for monitoring
### Step 4: Document Findings
1. Compile results into the Audit Report Template
2. Add screenshots of critical findings
3. Include remediation recommendations
---
## 🎯 KEY PERFORMANCE INDICATORS (KPIs)
Based on query results, calculate:
1. **Overall Security Score**: Weighted average across all layers
2. **MFA Coverage Rate**: % of privileged users with MFA
3. **Permission Hygiene Score**: Based on View/Modify All usage
4. **API Security Score**: Based on connected apps and API users
5. **Compliance Readiness**: % of controls meeting requirements
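The derived columns and KPIs above (the activity buckets of Query 1B, the MFA coverage rate of Query 3, and the weighted overall score from the layer weights 30/15/20/25/10) are computed outside Salesforce from the exported CSVs. This added example is not part of the sf-agent-framework; the CSV column names `Profile`, `MFA` and `Count` and the layer keys are assumptions, and it also handles an admin who has never logged in (empty `LastLoginDate`), which a plain date comparison would misreport as active.

```python
"""Post-processing for the exported query CSVs (added example, not part of the
sf-agent-framework): the rating logic SOQL cannot express (CASE buckets,
percentages, the weighted overall score) is computed here from exported rows."""
import csv
import io
from datetime import datetime, timedelta

# Layer weights as given in the dashboard section headings (they sum to 100).
LAYER_WEIGHTS = {"foundation": 30, "user_experience": 15,
                 "application_logic": 20, "data": 25, "integration": 10}

def overall_security_score(layer_scores):
    """KPI 1: weighted average of per-layer scores (each 0-100) by LAYER_WEIGHTS."""
    weight_sum = sum(LAYER_WEIGHTS[layer] for layer in layer_scores)
    total = sum(LAYER_WEIGHTS[layer] * score for layer, score in layer_scores.items())
    return round(total / weight_sum, 2)

def activity_status(last_login_iso, now_iso):
    """Query 1B bucket from exported datetimes ('2024-05-01T10:00:00.000Z').
    An empty LastLoginDate (never logged in) gets its own bucket instead of
    falling through to 'Active' as a NULL date comparison would."""
    if not last_login_iso:
        return "Never logged in"
    parse = datetime.fromisoformat
    age = parse(now_iso.replace("Z", "+00:00")) - parse(last_login_iso.replace("Z", "+00:00"))
    if age > timedelta(days=90):
        return "Inactive >90 days"
    if age > timedelta(days=30):
        return "Inactive 30-90 days"
    return "Active"

def mfa_coverage(csv_text):
    """Query 3 / KPI 2: % of privileged users with MFA per profile, plus 'ALL'.
    Input is the CSV export of Query 3 grouped by Profile and MFA flag (assumed column names)."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        enabled, total = totals.get(row["Profile"], (0, 0))
        n = int(row["Count"])
        totals[row["Profile"]] = (enabled + (n if row["MFA"] == "true" else 0), total + n)
    totals["ALL"] = (sum(e for e, _ in totals.values()), sum(t for _, t in totals.values()))
    return {p: round(e * 100.0 / t, 2) if t else 0.0 for p, (e, t) in totals.items()}

# Constructed sample export in the shape of the grouped Query 3 result.
SAMPLE_MFA_CSV = ("Profile,MFA,Count\nSystem Administrator,true,8\n"
                  "System Administrator,false,2\nIntegration Admin,false,1\n")

if __name__ == "__main__":
    print(mfa_coverage(SAMPLE_MFA_CSV))
    print(overall_security_score({"foundation": 80, "user_experience": 60,
                                  "application_logic": 70, "data": 50, "integration": 90}))
```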
---
## 📅 RECOMMENDED QUERY EXECUTION SCHEDULE
- **Daily**: Queries 1A, 3, 5B (Critical access monitoring)
- **Weekly**: Queries 2A, 2B, 11A, 15A (Permission analysis)
- **Monthly**: All queries for comprehensive assessment
- **Quarterly**: Full audit with trend analysis