Salesforce Threat Detection

Salesforce Threat Detection uses machine learning to detect threats within a Salesforce organization. Detections occur when:

  • A user session is hijacked
  • A user successfully logs in during an identified credential-stuffing attack
  • There are anomalies in a user's report views or exports
  • There are anomalies in how users make API calls

Salesforce detections can be ingested into InsightIDR by querying the Salesforce Event Monitoring REST API for Salesforce detection objects. InsightIDR can then use these detection objects to determine the severity of the detections and trigger Third Party Alerts, if warranted.
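The polling and ranking just described, as an added example (not code from Rapid7 InsightIDR or Salesforce): it builds an incremental SOQL query per Threat Detection storage object, runs it through the REST query endpoint, and normalizes the returned records into detections with a severity and an alert decision. The four object names and their fields are my reading of Salesforce's Real-Time Event Monitoring documentation, the score thresholds are a constructed heuristic rather than InsightIDR's actual severity rules, and the sample payloads are constructed.

```python
"""Poll Salesforce Threat Detection records over the REST API and rank them.

Added example, not code from Rapid7 InsightIDR or Salesforce. Assumptions
(none appear on the page): the four storage-object names and field names are
my reading of Salesforce's Real-Time Event Monitoring docs; the score
thresholds are a constructed heuristic, not InsightIDR's severity logic;
fetch_records() expects an OAuth access token that was obtained elsewhere.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

API_VERSION = "v58.0"  # assumption: any reasonably current API version

# Storage object -> field holding the detection's confidence score. None means
# the object has no score: a successful login during a credential-stuffing
# attack is reported as a confirmed event, not a scored anomaly. (Assumed names.)
DETECTION_OBJECTS: Dict[str, Optional[str]] = {
    "SessionHijackingEventStore": "Score",
    "CredentialStuffingEventStore": None,
    "ReportAnomalyEventStore": "Score",
    "ApiAnomalyEventStore": "Score",
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def build_query(sobject: str, since_iso: str) -> str:
    """SOQL pulling detections newer than a watermark, oldest first, so a
    poller can resume from the last EventDate it processed."""
    fields = ["Id", "EventDate", "UserId", "SourceIp"]
    score_field = DETECTION_OBJECTS[sobject]
    if score_field:
        fields.append(score_field)
    return (f"SELECT {', '.join(fields)} FROM {sobject} "
            f"WHERE EventDate > {since_iso} ORDER BY EventDate ASC")


def fetch_records(instance_url: str, access_token: str, soql: str) -> List[Dict[str, Any]]:
    """Run a SOQL query via the REST query endpoint (network call; the offline
    sample below does not exercise it)."""
    url = f"{instance_url}/services/data/{API_VERSION}/query?q=" + urllib.parse.quote(soql)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["records"]


@dataclass(frozen=True)
class Detection:
    source: str
    record_id: str
    user_id: str
    source_ip: str
    event_date: str
    score: Optional[float]
    severity: str


def severity_for(sobject: str, score: Optional[float]) -> str:
    """Constructed score-to-severity mapping (not InsightIDR's rules)."""
    if DETECTION_OBJECTS[sobject] is None:
        return "high"  # confirmed login during an identified credential-stuffing attack
    if score is None:
        return "low"   # scored object with no score: keep the record, do not alert on it
    if score >= 90.0:
        return "high"
    if score >= 70.0:
        return "medium"
    return "low"


def normalize(sobject: str, records: List[Dict[str, Any]]) -> List[Detection]:
    """Turn raw query records into Detection objects carrying a severity."""
    score_field = DETECTION_OBJECTS[sobject]
    out = []
    for rec in records:
        raw = rec.get(score_field) if score_field else None
        score = float(raw) if raw is not None else None
        out.append(Detection(sobject, rec["Id"], rec.get("UserId", ""), rec.get("SourceIp", ""),
                             rec["EventDate"], score, severity_for(sobject, score)))
    return out


def should_alert(det: Detection, threshold: str = "medium") -> bool:
    """True when the detection is at or above the alerting threshold."""
    return SEVERITY_RANK[det.severity] >= SEVERITY_RANK[threshold]


# Constructed samples shaped like REST query responses (IDs and IPs are made up).
SAMPLE_SESSION_HIJACKING = {"totalSize": 2, "done": True, "records": [
    {"attributes": {"type": "SessionHijackingEventStore"}, "Id": "0sh000000000001",
     "EventDate": "2024-05-01T10:02:11.000+0000", "UserId": "005000000000001",
     "SourceIp": "198.51.100.7", "Score": 95.2},
    {"attributes": {"type": "SessionHijackingEventStore"}, "Id": "0sh000000000002",
     "EventDate": "2024-05-01T10:05:40.000+0000", "UserId": "005000000000002",
     "SourceIp": "203.0.113.9", "Score": 41.0},
]}
SAMPLE_CREDENTIAL_STUFFING = {"totalSize": 1, "done": True, "records": [
    {"attributes": {"type": "CredentialStuffingEventStore"}, "Id": "0cs000000000001",
     "EventDate": "2024-05-01T10:07:03.000+0000", "UserId": "005000000000003",
     "SourceIp": "192.0.2.44"},
]}

if __name__ == "__main__":
    for name, payload in [("SessionHijackingEventStore", SAMPLE_SESSION_HIJACKING),
                          ("CredentialStuffingEventStore", SAMPLE_CREDENTIAL_STUFFING)]:
        print(build_query(name, "2024-05-01T00:00:00Z"))
        for det in normalize(name, payload["records"]):
            print(det.source, det.record_id, det.severity, "ALERT" if should_alert(det) else "log only")
```

Keeping the last processed EventDate as the watermark is what makes the poll incremental; without it every run re-reads (and re-alerts on) the same records.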

To set up Salesforce Threat Detection, you'll need to:

  1. Review the requirements.
  2. Configure Salesforce Threat Detection to send data to InsightIDR.
  3. Configure InsightIDR to receive data from the event source.
  4. Test the configuration.
  5. Troubleshoot common issues.

Requirements

To complete the tasks outlined in this topic, you must:

Configure Salesforce Threat Detection to send data to InsightIDR

To configure the Salesforce Threat Detection event source in InsightIDR, you must first configure Salesforce API permissions and create a Salesforce security token.

Configure Salesforce API permissions

You must provide a user that has API access, granted through the API Enabled permission. You can grant this permission in two ways:

  1. Edit the User Profile permissions.
  2. Create a Permission Set to apply to the integration user.

Edit the User Profile permissions

When you assign a certain profile to a user, that user inherits the permissions of the profile.

To add the API Enabled permission to a user in their profile:

  1. Sign in to your Salesforce instance.
  2. Navigate to Setup > Administration > Users > Users and find the user you want to use for this integration. Alternatively, you can search for the integration user.
  3. Click the Profile link.
  4. On the Profile page, click the Edit button.
  5. Under the Administrative Permissions section, ensure that API Enabled is selected. If not, select it and click the Save button.

For more information on user permissions, view the Salesforce documentation: https://help.salesforce.com/s/articleView?id=sf.admin_userperms.htm&type=5

Create a Permission Set

The second way to grant a user the necessary API permissions is to create a Permission Set and assign the Permission Set to the user. Permission Sets are additive, which means that, unlike profiles, users can have zero, one, or multiple Permission Sets.

To create a Permission Set for the API Enabled permission:

  1. Sign in to your Salesforce instance.
  2. Follow the Salesforce documentation to create a Permission Set and grant API Enabled access: https://help.salesforce.com/s/articleView?id=sf.branded_apps_commun_api_permset.htm&type=5

Create a Salesforce Security Token

After the user has the proper API permissions, you must provide them with a security token.

To create a security token for this user:

  1. Sign in to Salesforce as the integration user.
  2. Follow the Salesforce documentation to reset the security token: https://help.salesforce.com/s/articleView?id=sf.user_security_token.htm&type=5
  3. The token is sent to the email address for the integration user. Copy the token for later use in InsightIDR.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Salesforce.com Threat Detection in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Salesforce.com Threat Detections event source tile.
  4. Name the event source. This name will be used to name the log that contains the event data in Log Search.
  5. Select a Collector.
  6. Optionally, choose whether to send unparsed data.
  7. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  8. In the Login URL field, enter the Login URL to your Salesforce account. You can find this information in Salesforce by viewing your Profile and looking for the Login URL underneath your account name. For example, if your URL value is example-org.my.salesforce.com, enter https://example-org.my.salesforce.com.
  9. Select your Salesforce Credentials or create a new credential.
  10. In the Security Token field, enter the security token that you generated from your Salesforce account.
  11. Click Save.
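The two Account Attribution options in step 7, modelled as an added example (not Rapid7's implementation) so the difference is visible on a concrete case. The lookup order is the one the options describe; everything else is a constructed assumption: the user directory, the idea that an event carries a Salesforce username plus a display name, that the short name is the local part of the username, and that an ambiguous match (several directory users sharing a short name) counts as unsuccessful. The directory deliberately contains a short-name collision so that short-name attribution picks the wrong person and fully qualified domain name attribution does not.

```python
"""Account attribution in the two modes the event-source options describe.

Added example, not Rapid7's implementation. The directory, the event fields
(Salesforce username plus display name), the local-part rule for the short
name and the ambiguity rule are constructed assumptions; only the lookup
order comes from the option descriptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    email: str
    short_name: str
    first_name: str
    last_name: str

    @property
    def full_name(self) -> str:
        return f"{self.first_name} {self.last_name}"


# Constructed directory. Jane's Salesforce username (jsmith@contractors...) is
# not her directory email, and its local part collides with John's short name.
DIRECTORY: List[Account] = [
    Account("jsmith@myorg.example.com", "jsmith", "John", "Smith"),
    Account("jane.smith@contractors.example.com", "jane.smith", "Jane", "Smith"),
    Account("alee@myorg.example.com", "alee", "Ana", "Lee"),
]

Matcher = Callable[[Dict[str, str], List[Account]], Optional[Account]]


def _unique(matches: List[Account]) -> Optional[Account]:
    """Exactly one hit attributes; zero or several (ambiguous) is unsuccessful."""
    return matches[0] if len(matches) == 1 else None


def match_email(event: Dict[str, str], directory: List[Account]) -> Optional[Account]:
    username = event.get("username", "").lower()
    return _unique([a for a in directory if a.email.lower() == username]) if username else None


def match_short_name(event: Dict[str, str], directory: List[Account]) -> Optional[Account]:
    short = event.get("username", "").split("@")[0].lower()
    return _unique([a for a in directory if a.short_name.lower() == short]) if short else None


def match_full_name(event: Dict[str, str], directory: List[Account]) -> Optional[Account]:
    name = event.get("display_name", "").strip().lower()
    return _unique([a for a in directory if a.full_name.lower() == name]) if name else None


# Lookup chains exactly as the two options describe them.
MODES: Dict[str, List[Tuple[str, Matcher]]] = {
    "short_name": [("email", match_email), ("short name", match_short_name),
                   ("full name", match_full_name)],
    "fqdn": [("email", match_email), ("full name", match_full_name)],
}


def attribute(event: Dict[str, str], directory: List[Account],
              mode: str = "short_name") -> Tuple[Optional[Account], Optional[str]]:
    """Try each matcher of the chosen mode in order; return (account, method used)."""
    for method, matcher in MODES[mode]:
        account = matcher(event, directory)
        if account is not None:
            return account, method
    return None, None


# Constructed events, as a Salesforce log might present the acting user.
EVENTS = {
    "ana": {"username": "alee@myorg.example.com", "display_name": "Ana Lee"},
    "jane": {"username": "jsmith@contractors.example.com", "display_name": "Jane Smith"},
    "svc": {"username": "svc.integration@myorg.example.com", "display_name": "Integration User"},
}

if __name__ == "__main__":
    for label, event in EVENTS.items():
        for mode in MODES:
            account, method = attribute(event, DIRECTORY, mode)
            who = account.email if account else "unattributed"
            print(f"{label:5} {mode:10} -> {who} (via {method})")
```

Running it shows the "jane" event landing on John Smith under short-name attribution but on Jane Smith under fully qualified domain name attribution, which is the collision case the second option is recommended for. Misattribution matters for detection quality: a hijacked-session alert pinned to the wrong person sends the investigation down the wrong path.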

Test the configuration

To test that event data is flowing into InsightIDR through the Collector:

  1. From the Data Collection Management page, click the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. After approximately 7 minutes, log entries start to appear in Log Search. From the left menu, go to Log Search.
  4. In the Log Sources panel, filter for the Third Party Alerts log set.
  5. Select the Salesforce Threat Detection log.
  6. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Troubleshoot common issues

If you experience issues with the Salesforce Threat Detection event source, try the solutions provided in this section.

Security token and password issues

If you see this error code, then you must reset the Salesforce security token or password:

  [LoginFault [ApiFault exceptionCode='INVALID_LOGIN' exceptionMessage='Invalid username, password, security token; or user locked out.' ] ]
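A small check that turns a Collector error string like the one above into the fix it calls for, added here as an example (not Rapid7's or Salesforce's code). It extracts the key='value' pairs from the bracketed ApiFault text and maps the exceptionCode to a remediation phrased in terms of the setup steps on this page. Only INVALID_LOGIN appears above; LOGIN_MUST_USE_SECURITY_TOKEN and API_DISABLED_FOR_ORG are Salesforce API fault codes I know exist, and the remediation wording is my own.

```python
"""Classify a Salesforce login fault and map it to the fix for this event source.

Added example, not Rapid7's or Salesforce's code. Only INVALID_LOGIN is quoted
on the page; the other two exception codes are Salesforce API fault codes I
know exist, and the remediation text is mine, written against the setup steps.
"""
import re
from typing import Dict, Optional, Tuple

# exceptionCode -> what to do, in terms of this page's setup steps.
REMEDIATION: Dict[str, str] = {
    "INVALID_LOGIN": (
        "Reset the integration user's security token or password, then update the "
        "credential and the Security Token field on the event source."),
    "LOGIN_MUST_USE_SECURITY_TOKEN": (
        "The Collector is connecting from outside the user's trusted IP ranges: "
        "enter a current security token on the event source."),
    "API_DISABLED_FOR_ORG": (
        "API access is disabled for the org or the integration user lacks API Enabled: "
        "grant the permission through the profile or a Permission Set."),
}

# key='value' pairs as they appear inside the bracketed ApiFault text.
_FAULT_FIELD = re.compile(r"(\w+)='([^']*)'")


def parse_login_fault(text: str) -> Dict[str, str]:
    """Extract exceptionCode, exceptionMessage and any other key='value' pairs."""
    return {key: value for key, value in _FAULT_FIELD.findall(text)}


def diagnose(text: str) -> Tuple[Optional[str], str]:
    """Return (exceptionCode, remediation) for a Collector error string."""
    fields = parse_login_fault(text)
    code = fields.get("exceptionCode")
    if code is None:
        return None, "Not a Salesforce login fault; check the raw log for the Collector error."
    return code, REMEDIATION.get(code, f"Unrecognised exception code {code}; see Salesforce API docs.")


# The error text quoted on the page, reproduced here as the sample input.
SAMPLE_ERROR = ("[LoginFault [ApiFault exceptionCode='INVALID_LOGIN' "
                "exceptionMessage='Invalid username, password, security token; or user locked out.' ] ]")

if __name__ == "__main__":
    code, fix = diagnose(SAMPLE_ERROR)
    print(code, "->", fix)
```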