Salesforce.com 2.0
You can connect your Salesforce account to SIEM (InsightIDR) to monitor your Salesforce user accounts and authentication events. This integration relies on configuring access to the Salesforce API.
The Salesforce event source polls the Salesforce API for user records so that subsequent login events can be attributed to those users.
After this event source is configured, Salesforce login events, such as ingress activity and disabled account incidents, appear in the Ingress Authentication log set in Log Search.
Data can be sent from your Salesforce account to SIEM (InsightIDR) by event collection through the Cloud.
To set up the Salesforce event source, complete these steps:
- Read the requirements and complete the prerequisite steps.
- Configure Salesforce to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to receive data from the event source.
- Test the configuration.
You can also:
- Troubleshoot common issues.
Requirements
Before you start the configuration:
- Ensure that you have a license for the Salesforce Enterprise Edition.
- You must have a production instance of Salesforce. The integration will not work with a trial or developer instance.
- Ensure that you have Salesforce System Administrator privileges.
- To configure this integration, you must create a dedicated read-only user that has the API Enabled permission turned on. This user must have at least read-only access to the User and LoginHistory objects.
- This must be a non-SSO user. If SSO is enabled for this user, authentication to the Salesforce API will fail.
- Salesforce uses OAuth, an open authorization standard, to integrate with other applications. For more information, visit the documentation at: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm
Configure Salesforce to send data to SIEM (InsightIDR)
To allow SIEM (InsightIDR) to receive data from Salesforce, you must set up a connected app in Salesforce and configure specific permissions in your Salesforce account.
To receive logs from Salesforce in SIEM (InsightIDR), you must obtain these credentials:
- My Domain URL
- Consumer ID
- Consumer Secret
Step 1: Find your My Domain URL
To find your My Domain URL:
- Log in to your Salesforce account.
- Go to Setup.
- In the Quick Find search bar, find and select My Domain.
- Go to My Domain Details on the top of the page.
- Record your Current My Domain URL:
https://<yourcompany>.my.salesforce.com.
You must use your My Domain URL. The https://login.salesforce.com and https://test.salesforce.com URLs are not supported.
Step 2: Configure Salesforce API Permissions
You must provide the user with access to the API with a setting called API Enabled.
To grant a user the necessary API permissions, create a Permission Set and assign the Permission Set to the user. Permission Sets are additive, which means that unlike profiles, users can have zero, one, or multiple Permission Sets.
To create a Permission Set for the API Enabled setting:
- In your Salesforce account, go to Setup > Quick Find > Users > Permission Sets.
- Search for an existing Permission Set.
- To create a new Permission Set, see Salesforce’s documentation.
- Search for ‘API Enabled’ in the search bar, or find it under the System Permissions section.
- Under the System Permissions section, check the API Enabled box.
- At the top of the page, click Manage Assignments and find the designated user for this integration.
- Select the user’s name to assign this Permission Set.
Step 3: Create the External Client App
To create the External Client App:
- In your Salesforce account, go to Setup.
- In the Quick Find search bar, find and select App Manager.
- Click New External Client App.
- Enter a name for your External Client App. We recommend using the same name for the event source when you configure the event source in SIEM.
- In the Contact Email field, enter your admin email address.
- Set the Distribution State to Local.
- Under API (Enable OAuth Settings), select Enable OAuth.
- Under App Settings, enter https://localhost/callback into the Callback URL field.
- This is a required field and is not used for client credentials.
- Under OAuth Scopes, select Manage user data via APIs (api).
- Under Flow Enablement, select the box for Enable Client Credentials Flow.
- Accept the security warning when prompted.
- Click Create.
Step 4: Configure Policies (Integration User and Permissions)
After you’ve created the External Client App, you’re taken to the External Client App Manager.
To configure policies:
- Find the External Client App you created in step 3 and click Edit.
- Go to the Policies tab.
- Under OAuth Policies, set the Permitted Users setting to Admin approved users are pre-authorized.
- Click OK.
- Under App Policies, select the Permission Set you created in step 2.
- Under the Enable Client Credentials Flow setting, enter the user you assigned the Permission Set to in step 2.
- Click Save.
Step 5: Get Consumer Key and Consumer Secret
- In the External Client App Manager, find and select the External Client App you created in step 3.
- Expand the OAuth Settings section.
- Click Consumer Key and Secret.
- Enter the verification code that Salesforce sends to your admin email account.
- Securely record the Consumer Key and Consumer Secret. You need to provide these values when you configure the event source in SIEM.
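The procedure above (Steps 1 to 5) produces a My Domain URL, a Consumer Key and a Consumer Secret for an External Client App with the client credentials flow enabled. The script below is an added example, not code from Rapid7 or Salesforce, that lets you verify those credentials independently of SIEM and shows what the event source does with them: it builds the client credentials token request against your My Domain URL (rejecting the unsupported login.salesforce.com and test.salesforce.com hosts), builds the REST query that polls the LoginHistory object, and normalises returned rows into the fields an ingress-authentication detection needs. The token and query endpoints follow Salesforce's published OAuth and REST API paths; the function names, the host acme.my.salesforce.com, the credential placeholders, and the sample records (shaped like the Ingress Authentication sample log shown later on this page, using RFC 5737 test addresses) are all constructed for this example. Only the standard library is used.

```python
"""Added example (not Rapid7's or Salesforce's code): client credentials token
request, LoginHistory poll, and record normalisation for the Salesforce
integration. All credentials, hosts and records below are constructed."""
import json
import urllib.request
from collections import Counter
from urllib.parse import urlencode, urlparse

API_VERSION = "v58.0"  # same version as the "url" attribute in the sample log
UNSUPPORTED_HOSTS = {"login.salesforce.com", "test.salesforce.com"}


def validate_my_domain_url(url: str) -> str:
    """Return the https base URL, rejecting the generic login hosts that
    the integration does not support."""
    parsed = urlparse(url.strip())
    host = parsed.netloc.lower()
    if parsed.scheme != "https" or not host:
        raise ValueError(f"expected https://<yourcompany>.my.salesforce.com, got {url!r}")
    if host in UNSUPPORTED_HOSTS:
        raise ValueError(f"{host} is not supported; use your My Domain URL")
    return f"https://{host}"


def build_token_request(my_domain_url: str, consumer_key: str, consumer_secret: str):
    """Return (endpoint, form body) for the client credentials grant.
    No network call is made here, so the shape can be checked offline."""
    base = validate_my_domain_url(my_domain_url)
    body = {
        "grant_type": "client_credentials",
        "client_id": consumer_key,         # Consumer Key of the External Client App
        "client_secret": consumer_secret,  # Consumer Secret of the same app
    }
    return f"{base}/services/oauth2/token", body


def fetch_access_token(my_domain_url: str, consumer_key: str, consumer_secret: str) -> dict:
    """POST the token request; Salesforce replies with JSON that includes
    access_token and instance_url. Only this function touches the network."""
    endpoint, body = build_token_request(my_domain_url, consumer_key, consumer_secret)
    req = urllib.request.Request(endpoint, data=urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_login_history_query(instance_url: str, since_iso: str) -> str:
    """REST query URL for LoginHistory rows newer than since_iso, an
    unquoted SOQL datetime literal such as 2023-07-23T16:00:00Z."""
    soql = (
        "SELECT Id, UserId, LoginTime, LoginType, LoginUrl, SourceIp, Status, "
        "Application, Browser FROM LoginHistory "
        f"WHERE LoginTime > {since_iso} ORDER BY LoginTime ASC"
    )
    return f"{instance_url}/services/data/{API_VERSION}/query?{urlencode({'q': soql})}"


def normalise_login_record(record: dict) -> dict:
    """Reduce one LoginHistory row (REST field names or the camel-cased names
    of the Ingress Authentication sample log) to the fields a detection needs."""
    def pick(*names):
        return next((record[n] for n in names if n in record), None)
    status = pick("status", "Status")
    return {
        "time": pick("loginTime", "LoginTime"),
        "user": pick("userId", "UserId"),
        "source_ip": pick("sourceIp", "SourceIp"),
        "login_type": pick("loginType", "LoginType"),
        "application": pick("application", "Application"),
        "status": status,
        "success": status == "Success",
    }


def failed_logins_by_source(records) -> Counter:
    """Count rows whose status is anything other than Success, per source IP."""
    counts = Counter()
    for raw in records:
        event = normalise_login_record(raw)
        if not event["success"]:
            counts[event["source_ip"]] += 1
    return counts


# Constructed records shaped like the page's sample log (RFC 5737 test addresses).
SAMPLE_RECORDS = [
    {"loginTime": "2023-07-23T16:18:23.000+0000", "userId": "005Hn00000H35JtIAJ",
     "loginType": "Remote Access 2.0", "loginUrl": "login.salesforce.com",
     "sourceIp": "203.0.113.10", "status": "Success", "application": "New Connected App",
     "browser": "Unknown", "dataType": "User Login"},
    {"loginTime": "2023-07-23T16:20:01.000+0000", "userId": "005Hn00000H35JtIAJ",
     "loginType": "Application", "loginUrl": "acme.my.salesforce.com",
     "sourceIp": "198.51.100.7", "status": "Invalid Password", "application": "Browser",
     "browser": "Chrome 115", "dataType": "User Login"},
    {"loginTime": "2023-07-23T16:20:40.000+0000", "userId": "005Hn00000H35JtIAJ",
     "loginType": "Application", "loginUrl": "acme.my.salesforce.com",
     "sourceIp": "198.51.100.7", "status": "Invalid Password", "application": "Browser",
     "browser": "Chrome 115", "dataType": "User Login"},
]

if __name__ == "__main__":
    print("token endpoint:", build_token_request("https://acme.my.salesforce.com", "KEY", "SECRET")[0])
    print("poll URL:", build_login_history_query("https://acme.my.salesforce.com", "2023-07-23T16:00:00Z"))
    print("failed logins by source:", dict(failed_logins_by_source(SAMPLE_RECORDS)))
```

To check real credentials, call fetch_access_token with your My Domain URL, Consumer Key and Consumer Secret, then pass the returned instance_url to build_login_history_query and GET it with the bearer token; a 400 from the token endpoint is the client-credentials equivalent of the Invalid credentials error described in the troubleshooting section, and an empty query result usually means the integration user lacks read access to LoginHistory. The normaliser accepts both REST field names and the camel-cased keys of the sample log, so the same detection logic can run over a direct poll or over exported log entries.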
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
Task 1: Select Salesforce.com 2.0
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Salesforce.com 2.0 in the event sources search bar.
- In the Product Type filter, select Cloud Service.
- Select the Salesforce.com 2.0 event source tile.
Task 2: Set up your collection method
- Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Salesforce.com 2.0.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the Client ID field, enter the Salesforce Consumer ID that you obtained in step 5 of Configuring Salesforce to send data to SIEM (InsightIDR).
- In the Consumer Secret field, add a new credential:
- Name your credential.
- Describe your credential.
- Select the credential type.
- In the Secret Key field, enter the Salesforce Consumer Secret that you obtained in step 5 of Configuring Salesforce to send data to SIEM (InsightIDR).
- Specify the product access for this credential.
- Click Save & Test Connection.
- Optionally, select the option to send unparsed data.
- Select your Account Attribution preference:
- Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
- Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
- Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
- Click Save.
Test the configuration
The event type that SIEM (InsightIDR) parses for this event source is Ingress Authentication.
To test that event data is flowing into SIEM (InsightIDR) through the Cloud Connection:
- View the raw logs.
- From the Data Collection Management page, click the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to SIEM (InsightIDR).
- Use Log Search to find the log entries.
- From the left menu, go to Log Search.
- In the Log Search filter, search for the new event source you created.
- Select the log sets and the log names under each log set. Salesforce logs flow into these log sets:
- Ingress Authentication
- Set the time range to Last 10 minutes and click Run.
The Results table displays all log entries that flowed into SIEM (InsightIDR) in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.
Sample logs
In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Ingress Authentication log set.
To give you an impression of the event logs that this event source generates, here are some sample logs:
Sample Ingress Authentication log
{
  "attributes": {
    "type": "LoginHistory",
    "url": "/services/data/v58.0/sobjects/LoginHistory/0YaHn0000EUyGdHKQV"
  },
  "loginTime": "2023-07-23T16:18:23.000+0000",
  "userId": "005Hn00000H35JtIAJ",
  "loginType": "Remote Access 2.0",
  "loginUrl": "login.salesforce.com",
  "sourceIp": "123.51.123.1",
  "status": "Success",
  "application": "New Connected App",
  "browser": "Unknown",
  "dataType": "User Login"
}
Troubleshoot common issues
Invalid credentials
If you receive this error message [LoginFault [ApiFault exceptionCode='INVALID_LOGIN' exceptionMessage='Invalid username, password, security token; or user locked out.' ] ], it means that the user has either inserted incorrect credentials or their security token has expired.
To resolve this issue, you need to reset the Security Token using the instructions at: https://help.salesforce.com/s/articleView?id=sf.user_security_token.htm&type=5
Salesforce events are not being ingested
If you notice that Salesforce events have stopped, you may have forgotten to update your credentials (both the password and the token) after changing your Salesforce password.