Just because you don't have any value from the logs doesn't mean someone else can't figure out a way to get value from them ;-)
So even though I couldn't tell the -specific content- accessed, I could tell that the pattern of access was such that he couldn't have gotten to the parts where the sensitive thing I was concerned about were located.
And that's why metadata is important, and that's why "but it's worthless" is bogus ;-)
Because while the URIs themselves were, essentially, all the same - because salesforce's application workflow apparently works through a single URI - the pattern of fetches indicated a specific sequence of events:
Front page load
Nothing more [thankfully] - which is good, because had he gone one more page in it'd have been a problem
So, handling an event that came up, I needed logs from salesforce [ugh].
The guy who could give me the logs kept saying that they were useless - that they didn't tell you anything. But since this was my only source of truth for what happened -on- said event, I kept asking, and eventually got 'em.
And yes, the URIs accessed do not, of themselves, tell you -squat-
The -metadata-, however, was very instructive.
Memorial Info for d3vnull
Some folks may have heard already, but d3vnull passed away over the weekend.
Obit and memorial info here - https://www.cressfuneralservice.com/obituary/282690/Nolan-Berry/#obituary
The family is asking for donations to an epilepsy research fund in lieu of flowers.
Oh good, now I have some IOCs.
I have just tongue-in-cheek recommended that the DFIR/monitoring section of infosec where I work be called the "Security Monitoring and Event Response SHop" - so the acronym can be SMERSH.
Wait I -had- one of these?
A Mastodon instance for info/cyber security-minded people.