Salesforce Threat Detection
Salesforce Threat Detection uses machine learning to detect threats within a Salesforce organization. Detections occur when:
- A user session is hijacked
- A user successfully logs in during an identified credential-stuffing attack
- There are anomalies in a user's report views or exports
- There are anomalies in how users make API calls
Salesforce detections can be ingested into InsightIDR by querying the Salesforce Event Monitoring REST API for Salesforce detection objects. InsightIDR can then use these detection objects to determine the severity of the detections and trigger Third Party Alerts, if warranted.
To set up Salesforce Threat Detection, you'll need to:
- Review the requirements.
- Configure Salesforce Threat Detection to send data to InsightIDR.
- Configure InsightIDR to receive data from the event source.
- Test the configuration.
- Troubleshoot common issues.
To complete the tasks outlined in this topic, you must:
- Ensure your Salesforce subscription includes Salesforce Shield or the Event Monitoring add-on.
- Ensure the URL "https://login.salesforce.com" is open and available for the InsightIDR Collector.
- Ensure you have a production instance of Salesforce. The InsightIDR Collector isn't compatible with trial instances.
- Ensure you have set up the Salesforce Threat Detection app within your Salesforce UI. To configure the Threat Detection app, follow the Salesforce documentation: https://help.salesforce.com/s/articleView?id=sf.real_time_em_td_ui_enable_app.htm&type=5
Configure Salesforce Threat Detection to send data to InsightIDR
To configure the Salesforce Threat Detection event source in InsightIDR, you must first configure Salesforce API permissions and create a Salesforce security token.
Configure Salesforce API permissions
You must provide an integration user that has the API Enabled permission. You can grant this permission in two ways:
Edit the User Profile permissions
When you assign a certain profile to a user, that user inherits the permissions of the profile.
To add the API Enabled permission to a user in their profile:
- Sign in to your Salesforce instance.
- Navigate to Setup > Administration > Users > Users and find the user you want to use for this integration. Alternatively, you can search for the integration user.
- Click the Profile link.
- On the Profile page, click the Edit button.
- Under the Administrative Permissions section, ensure that API Enabled is selected. If not, select it and click the Save button.
For more information on user permissions, view the Salesforce documentation: https://help.salesforce.com/s/articleView?id=sf.admin_userperms.htm&type=5
Create a Permission Set
The second way to grant a user the necessary API permissions is to create a Permission Set and assign it to the user. Permission Sets are additive: unlike profiles, a user can have zero, one, or multiple Permission Sets.
To create a Permission Set for the API Enabled permission:
- Sign in to your Salesforce instance.
- Follow the Salesforce documentation to create a Permission Set and grant API Enabled access: https://help.salesforce.com/s/articleView?id=sf.branded_apps_commun_api_permset.htm&type=5
Create a Salesforce Security Token
After the user has the proper API permissions, you must provide them with a security token.
To create a security token for this user:
- Sign in to Salesforce as the integration user.
- Follow the Salesforce documentation to reset the security token: https://help.salesforce.com/s/articleView?id=sf.user_security_token.htm&type=5
- The token is sent to the email address for the integration user. Copy the token for later use in InsightIDR.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Salesforce.com Threat Detection in the event sources search bar.
  - In the Product Type filter, select Third Party Alerts.
- Select the Salesforce.com Threat Detections event source tile.
- Name the event source. This name will be used to name the log that contains the event data in Log Search.
- Select a Collector.
- Optionally, choose whether to send unparsed data.
- Select your LDAP account attribution preference.
- In the Login URL field, enter the Login URL to your Salesforce account. You can find this information in Salesforce by viewing your Profile and looking for the Login URL underneath your account name. For example, if your URL value is
- Select your Salesforce Credentials or create a new credential.
- In the Security Token field, enter the security token that you generated from your Salesforce account.
- Click Save.
Test the configuration
To test that event data is flowing into InsightIDR through the Collector:
- From the Data Collection Management page, click the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
- After approximately 7 minutes, log entries start to appear in Log Search. From the left menu, go to Log Search.
- In the Log Sources panel, filter for the Third Party Alerts log set.
- Select the Salesforce Threat Detection log.
- Set the time range to Last 10 minutes and click Run.
The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.
Troubleshoot common issues
If you experience issues with the Salesforce Threat Detection event source, try the solutions provided in this section.
Security token and password issues
If you see this error, you must reset the Salesforce security token or the integration user's password:
[LoginFault [ApiFault exceptionCode='INVALID_LOGIN' exceptionMessage='Invalid username, password, security token; or user locked out.' ] ]
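The following is an added example, not InsightIDR's or Salesforce's code, showing how a collector like the one described above obtains a session and polls the detection objects over the Event Monitoring REST API, and how the INVALID_LOGIN fault quoted above surfaces in that exchange. It assumes the SOAP partner login endpoint under the Login URL, Salesforce's standard *EventStore object names for the four detection types listed on this page, the Score and UserId fields on those objects, and an API version; none of these are taken from the page. The severity thresholds in triage() are illustrative, not InsightIDR's.

```python
"""Poll Salesforce Threat Detection objects over the Event Monitoring REST API.

Added example (not Rapid7's or Salesforce's code). Assumptions not on the page:
  - SOAP partner login at {login_url}/services/Soap/u/{API_VERSION}/
  - detection object and field names below (Salesforce's *EventStore objects)
  - REST query endpoint /services/data/v{API_VERSION}/query
"""
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

API_VERSION = "58.0"  # assumed; any version exposing the objects below works
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"

# Assumed Salesforce object names for the four detection types on this page.
DETECTION_OBJECTS = {
    "session_hijacking": "SessionHijackingEventStore",
    "credential_stuffing": "CredentialStuffingEventStore",
    "report_anomaly": "ReportAnomalyEventStore",
    "api_anomaly": "ApiAnomalyEventStore",
}


def build_login_envelope(username: str, password: str, security_token: str) -> str:
    """SOAP login body. Salesforce requires the security token appended to the
    password when the caller is outside the org's trusted IP ranges, which is why
    a reset token (or password) fixes INVALID_LOGIN."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{PARTNER_NS}">'
        "<soapenv:Body><urn:login>"
        f"<urn:username>{escape(username)}</urn:username>"
        f"<urn:password>{escape(password + security_token)}</urn:password>"
        "</urn:login></soapenv:Body></soapenv:Envelope>"
    )


def parse_login_response(xml_text: str) -> dict:
    """Return {'session_id', 'server_url'} on success, or {'fault_code',
    'fault_string'} when Salesforce answers with a SOAP fault."""
    root = ET.fromstring(xml_text)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        return {
            "fault_code": (fault.findtext("faultcode") or "").split(":")[-1],
            "fault_string": fault.findtext("faultstring") or "",
        }
    result = root.find(f".//{{{PARTNER_NS}}}result")
    return {
        "session_id": result.findtext(f"{{{PARTNER_NS}}}sessionId"),
        "server_url": result.findtext(f"{{{PARTNER_NS}}}serverUrl"),
    }


def login(login_url: str, username: str, password: str, security_token: str) -> dict:
    """POST the login envelope; Salesforce returns HTTP 500 carrying the fault."""
    req = urllib.request.Request(
        f"{login_url.rstrip('/')}/services/Soap/u/{API_VERSION}/",
        data=build_login_envelope(username, password, security_token).encode(),
        headers={"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": "login"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        body = err.read().decode()
    return parse_login_response(body)


def detection_query(object_name: str, since_iso: str) -> str:
    """SOQL for detections created after a checkpoint (assumed field names)."""
    return (f"SELECT Id, CreatedDate, UserId, Score FROM {object_name} "
            f"WHERE CreatedDate > {since_iso} ORDER BY CreatedDate")


def fetch_detections(session: dict, object_name: str, since_iso: str) -> list:
    """Run the SOQL query with the session ID as a bearer token."""
    base = session["server_url"].split("/services/")[0]
    url = (f"{base}/services/data/v{API_VERSION}/query?"
           + urllib.parse.urlencode({"q": detection_query(object_name, since_iso)}))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {session['session_id']}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["records"]


def triage(record: dict) -> str:
    """Illustrative severity bucket from the Score field (assumed 0-100)."""
    score = float(record.get("Score") or 0)
    return "high" if score >= 80 else "medium" if score >= 40 else "low"


# Constructed sample of the fault behind the INVALID_LOGIN message quoted above.
SAMPLE_FAULT = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:sf="urn:fault.partner.soap.sforce.com">'
    "<soapenv:Body><soapenv:Fault><faultcode>sf:INVALID_LOGIN</faultcode>"
    "<faultstring>INVALID_LOGIN: Invalid username, password, security token; "
    "or user locked out.</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    import os
    session = login(os.environ["SF_LOGIN_URL"], os.environ["SF_USER"],
                    os.environ["SF_PASSWORD"], os.environ["SF_TOKEN"])
    if "fault_code" in session:
        raise SystemExit(f"login failed: {session['fault_code']}: {session['fault_string']}")
    for kind, obj in DETECTION_OBJECTS.items():
        for rec in fetch_detections(session, obj, "2024-01-01T00:00:00Z"):
            print(kind, rec["Id"], rec.get("UserId"), triage(rec))
```

A fault_code of INVALID_LOGIN from parse_login_response() is the programmatic form of the message in the troubleshooting section: the credential pair is wrong, the token is stale, or the user is locked out, and none of those is distinguishable from the response alone, so the collector should surface the fault and stop rather than retry in a tight loop and lock the integration user out.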