Ingest and run Salesforce automation and remediation - Learn more about the Salesforce data source wizard in Cortex XSIAM. - Administrator Guide - Cortex XSIAM - Cortex

Ingest and run Salesforce automation and remediation - Learn more about the Salesforce data source wizard in Cortex XSIAM. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Capability	Functionality	Use Cases	Underlying Integrations Used
Automation and Remediation	Execute automations and commands across Salesforce and its Identity Access Management (IAM) services.	Real-time investigations Automated playbook workflows Employee lifecycle management	Salesforce (CRM services) Salesforce IAM (Identity operations)
Security Posture	Detect, monitor, and alert on your cloud application settings.	Identifying misconfigurations Security health monitoring Compliance and risk visibility	N/A

Prerequisite

Cortex XSIAM

RBAC permissions: Requires View/Edit permissions for Log Collections, Data Sources, and Integrations (under Configurations & Data Collections).
Content packs: Ensure the Salesforce and Base content packs are installed or updated to the latest version.
Gateway permissions: Requires Account Admin or Instance Administrator permissions for configuring egress settings in the Cortex Gateway to allow communication with your Salesforce Domain URL.

Salesforce

Salesforce requirements depend on the capabilities you use:

Perform the following procedures in the order that they appear, below.

Salesforce is deprecating "Connected Apps"; it is recommended to use an External Client App.

In Salesforce, on the Setup page, search for App Manager and click New External Client App.
Provide a name (such as panw_cortex_integration), and your email address (used to retrieve the Consumer Key and Consumer Secret).
Under API (enable OAuth settings), select Enable OAuth.
Enter the following Callback URLs on separate lines (replacing {tenant external URL} with your tenant name):
- https://login.salesforce.com/services/oauth2/callback
- https://{tenant external URL}.paloaltonetworks.com/configuration/data-sources
Select these OAuth Scopes:
- Access and manage your Chatter data (chatter_api)
- Manage user data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
Enable only these checkboxes after OAuth Scopes: Require Secret for Web Server Flow, Require Secret for Refresh Token Flow, and Enable Client Credentials Flow. For more information, see Salesforce Client Credentials Flow.
Click Save, then Continue.

Consumer Key will be used for client_id, and Consumer Secret will be used for client_secret in OAuth 2.0.

On the Setup page, search for External Client App Manager.
Find your application (the one that you defined for Cortex XSIAM), click the arrow button in the last column, and select Edit Settings.
In the OAuth Settings area, click Consumer Key and Secret.
Go back to the Salesforce Verify Your Identity page, paste the code received via email in the Verification Code box, and click Verify. One of the following will happen:
- The Consumer Key and Consumer Secret will be sent to the email address that you configured earlier for the Cortex XSIAM External Client App.
- On the Salesforce External Client App Name page, the Consumer Details area will display the Consumer Key and Consumer Secret, and you will be able to copy them from here when required in the following procedures.

On the Setup page, search for External Client App Manager.
Find your application (the one that you defined for Cortex XSIAM), click the arrow button in the last column, and select Edit Policies.
In the OAuth Policies area:
- Under Plugin Policies - Permitted Users, select All users can self-authorize.
- Set the refresh token policy to Expire refresh token if not used for specific time (recommended). For example, select this option and set it for 7 days.

An Account Admin or Instance Administrator must configure egress settings in the Cortex Gateway to allow communication with your Salesforce Domain URL. For more information, see Egress Configurations.

Log in to the Cortex Gateway with Account Admin or Instance Administrator permissions and click Permission Management.
From the side menu, select Egress Configurations.
In the TENANT dropdown, select the tenant where you are configuring the Salesforce integration.
Click +Path to initiate a new path request.
In the New Path dialog box, configure the following:
- Requester: In the dropdown, select the requester from the list of users.
- Flow: In the dropdown, select the appropriate data service option for a generic webhook/host out (or Salesforce if it is explicitly listed).
- Path: Enter the domain name or host of your Salesforce instance (for example, your-company.my.salesforce.com).
  Note
  Do not include https:// or trailing slashes.
Click Add to create the path.
Once the status of the path shows as Approved in the Egress Configuration table, Cortex XSIAM can successfully authenticate and execute commands against your Salesforce environment.

In Cortex XSIAM, navigate to Settings → Data Sources & Integrations .
Click + Add new.
In the Add Data Source page, search for Salesforce.
Under Recommended, hover over the new Salesforce integration and click Add Instance to launch the Salesforce wizard.
Note
The new Salesforce integration has the description: Salesforce CRM services for identity management, automation, remediation and SaaS Posture Security.
Set up your Salesforce instance by following the wizard steps in the various tabs.
Capabilities tab
Configure the following.
Instance name: Enter a unique name for your instance.
Select capabilities: Choose the specific instance functionality:
Automation and Remediation: Enables executing commands, running automated workflows, managing cases, updating Chatter, or executing access control and CRUD (create, read, update, delete) operations across Salesforce and its IAM services. This capability includes commands for automation and remediation.
Automation and remediation commands
Once the wizard configuration is complete and the connection is established, you can use the following commands in your playbooks or the War Room:
General Salesforce and record operations
salesforce-search-records: Search for specific Salesforce records.
salesforce-get-object / salesforce-create-object: Read or create Salesforce objects.
salesforce-get-org: Returns organization details based on a case number.
Case management
salesforce-create-case: Create a new case using a subject and status.
salesforce-get-case / salesforce-get-case-information: Retrieve detailed information about a specific case.
salesforce-post-casecomment / salesforce-get-casecomment: Post or return comments on a specific case.
Chatter operations
salesforce-add-comment-to-chatter: Add a comment or link to a Chatter subject.
salesforce-push-comment-threads: Add a comment directly to a specific Chatter thread.
Identity and Access Management (IAM) operations
iam-create-user: Create a new active user profile.
iam-update-user: Update existing user profile data.
iam-get-user: Retrieve a single user resource via identifier or case number.
iam-disable-user: Disable an active employee user profile
Security Posture: (Cloud Posture license only) Enables detecting, monitoring, and alerting on your cloud application settings.
Click Next.
Connection tab
Enter credentials to securely authorize the connection.
Domain URL: Copy the URL from your browser's address bar while logged into Salesforce and paste it into this field. This must be identical to the domain URL defined in the Cortex Gateway egress configuration in the Path field as explained in Task 5. If you did not configure egress in Cortex Gateway, you will get an error during verification. You can continue with instance configuration without verifying and set up egress at a later point.
Click Apply.
Important
You cannot proceed with the authentication configuration until you provide a domain URL and click Apply.When you click Apply, the instance is connected to a unique URL in Salesforce, and it cannot be changed. To change it, you need to exit the wizard and start over.
Select Recommended or Advanced.
Recommended applies he suggested authentication method for all capabilities.
Advanced enables configuring unique credentials for each capability individually.
Authenticate using the OAuth 2.0 Web Server Flow or OAuth 2.0 Client Credentials.
For more information about the web server flow, see OAuth 2.0 Web Server Flow.
For more information about the client credentials flow, see Configure an External Client App OAuth 2.0 Client Credentials Flow.
Click Done for each authentication method.
Configuration tab
Configure the following.
Under Automation and remediation:
Allow creating users, Allow updating users, Allow enabling users, and Allow disabling users: Toggle these specific user permissions on or off. You can also choose to automatically create a user if they are not found during an update command.
Default Locale SID Key: Choose how dates, times, numbers, and currency are displayed throughout the application based on your geographic region. The default is en_US.
Default Email Encoding Key: Sets the standard used to display characters in your outgoing emails. This ensures that special characters, symbols, and different languages appear correctly for your recipients. The default is ISO-8859-1.
Integration Log Level: Possible values are Off (default), Debug, and Verbose.
Under Security Posture:
Sync Interval: Defines how often the system checks your cloud environment for security risks, misconfigurations, and compliance updates. More frequent syncs may impact API rate limits. The default is every 15 minutes.
Application Tag: Assigns a category to your cloud resources based on their operational purpose. This helps you filter security alerts and apply different compliance policies to specific environments. The default is None.
Summary tab
A confirmation is displayed that your Salesforce instance is successfully connected and a real-time status of the security capabilities activated (if relevant).
You can edit and test an existing instance after a successful initial connection between Salesforce and Cortex XSIAM by clicking Test.
Once you confirm the summary details, click Create instance.

Prerequisite

Note

Note

Note

Important

Important