Ingest logs and data from Salesforce - Learn more about configuring the Cortex XSIAM Salesforce data source. - Administrator Guide - Cortex XSIAM - Cortex

Ingest logs and data from Salesforce - Learn more about configuring the Cortex XSIAM Salesforce data source. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Note

Both methods collect the Setup Audit Trail from Salesforce.

Important

Existing customers keep in mind: Changing your collection method updates the log schema, which will impact existing correlation rules. While it is strongly recommended to use NRT security logs for improved detection, you can keep both methods enabled in parallel during a transition period to ensure continuous protection while you update your rules.

Cortex XSIAM collects various data types from Salesforce. Use the table below to understand what is collected and where to find more information.

Data Category	Included Objects / Description	More Information
Real-time events	High-speed security events (such as `ApiEvent`, `ReportAnomalyEvent`).	For more information, see Real-Time Event Monitoring Objects.
Setup Audit Trail	Tracks recent configuration changes made by administrators.	For more information, see SetupAuditTrail.
Event log files	Legacy batch logs generated hourly or daily.	For more information, see EventLogFile.
Content metadata	`"Document"`, `"ContentFolder"`, `"Attachment"`, `"ContentDistribution"`	For more information, see Salesforce Objects.
Accounts	`Account` objects	For more information, see Salesforce Objects.
Snapshots	`ConnectedApplication`, `PermissionSet`, `Profile`, `Group`, `GroupMember`, `User`, `UserRole`, `TenantSecurityLogin`, `TenantSecurityUserPerm`, `UserAccountTeamMember`	For more information, see Salesforce Objects.

Prerequisite

Cortex XSIAM:
- To manage collection integration in Cortex XSIAM, requires View/Edit RBAC permissions for Log Collections and Data Sources (under Configurations → Data Collection).
Salesforce:
- Edition: Professional (with API access), Enterprise, or higher.
- License: A Salesforce Shield license is required to avoid limited data fetching and errors. For more information, see Salesforce Shield.
- To use the client credentials flow required for Salesforce–Cortex XSIAM integration, you must create a connected app for Cortex XSIAM in Salesforce, and configure its OAuth settings and access policies, as described in this procedure. The connected app must be created by a Full System Admin.
- Ensure your organization has a Salesforce Shield license.
  For more information, see Salesforce Shield.
  For more information, see Event Monitoring Introduction.
  Note
  Ensure that you have the required licenses. If these prerequisites are not met, fetching of security and NRT event data will be severely limited, and errors will be generated.
- In Setup → Event Monitoring Settings, ensure that Generate event log files is enabled.
  - In Setup, verify that there are event log files in the Event Log File Browser.
  - In Setup → Permissions Sets, verify that there is a permission set called Event Monitoring.
- Near-real-time event settings: You must manually toggle each desired event, such as ApiEvent and ReportAnomalyEvent, to Enabled under Setup → Event Monitoring Settings.
- Legacy Batch access: If collecting EventLogFiles, ensure Generate event log files is enabled under Setup → Event Monitoring Settings; in Setup, verify that files exist in the Event Log File Browser, and in Setup → Permissions Sets verify a permission set named Event Monitoring exists.
- Administrative access: To use the client credentials flow required for the Salesforce and Cortex XSIAM integration, a Full System Admin must create an External Client App in Salesforce and configure its OAuth settings and access policies as described in the configuration tasks below.
  Note
  For more detailed reference information, see the following:
  Create an External Client App
  Configure an External Client App for the OAuth 2.0 Client Credentials Flow
  Unlike other data collector setups, in this case, the setup includes obtaining an OAuth 2.0 code from Salesforce, and this code is only valid for 15 minutes. Therefore, make sure that you enable the data collector within 15 minutes of obtaining the authorization code.

Perform the following procedures in the order that they appear, below.

Salesforce is deprecating "Connected Apps"; it is recommended to use an External Client App.

In Salesforce on the Setup page, search for App Manager and click New External Client App.
Provide a name (such as panw_cortex_integration), and your email address (used to retrieve the Consumer Key and Consumer Secret).
Under API (enable OAuth settings), select Enable OAuth.
Enter the following Callback URLs on separate lines (replacing {tenant external URL} with your tenant name):
- https://login.salesforce.com/services/oauth2/callback
- https://{tenant external URL}.paloaltonetworks.com/configuration/data-sources
Select these OAuth Scopes: Manage user data via APIs (api) and Perform requests at any time (refresh_token, offline_access).
Enable only these checkboxes after OAuth Scopes: Require Secret for Web Server Flow, Require Secret for Refresh Token Flow, and Enable Client Credentials Flow. For more information, see Salesforce Client Credentials Flow.
Click Save, then Continue.

Consumer Key will be used for client_id, and Consumer Secret will be used for client_secret in OAuth 2.0.

On the Setup page, search for External Client App Manager.
Find your application (the one that you defined for Cortex XSIAM), click the arrow button in the last column, and select Edit Settings.
In the OAuth Settings area, click Consumer Key and Secret.
Go back to the Salesforce Verify Your Identity page, paste the code received via email in the Verification Code box, and click Verify. One of the following will happen:
- The Consumer Key and Consumer Secret will be sent to the email address that you configured earlier for the Cortex XSIAM External Client App.
- On the Salesforce External Client App Name page, the Consumer Details area will display the Consumer Key and Consumer Secret, and you will be able to copy them from here when required in the following procedures.

On the Setup page, search for External Client App Manager.
Find your application (the one that you defined for Cortex XSIAM), click the arrow button in the last column, and select Edit Policies.
In the OAuth Policies area:
- Under Plugin Policies - Permitted Users, select All users can self-authorize.
- Set the refresh token policy to Expire refresh token if not used for specific time (recommended). For example, select this option and set it for 7 days.

In Cortex XSIAM, create a Salesforce.com data collector instance:
1. Select Settings → Data Sources & Integrations.
2. On the Data Sources & Integrations page, click Add Data Source, search for and select Salesforce.com, and click Connect.
Enter a unique Name for the instance, the Salesforce Domain Name, and the Consumer Key (client_id) and the Consumer Secret (client_secret) credentials obtained earlier in this workflow. For example, the domain could be the API URL from which logs are received, such as https://MyDomainName.my.salesforce.com/services/data/vXX.X/resource/.
(Optional) Clear unwanted data types (Content metadata (default), Accounts, and Event Log Files). When these options are cleared, only these data types will be omitted from collection. All other data will be collected as usual.
Note
Selecting Event Log Files enables Batch mode instead of near-real-time.
Click Enable.
A popup which redirects you to your Salesforce instance appears, to get OAuth 2.0 authorization credentials and access.
Click OK.
In Salesforce, a new tab appears.
Enter your username and password, and Log In.
When you are asked to allow access, select Allow.
A Salesforce data collection instance is created, and an authorization token is created and returned to Cortex XSIAM. Data collection begins.

You can edit and test an existing collector instance after a successful initial connection between Salesforce and Cortex XSIAM. Do this by clicking Edit (pencil icon) for the collector instance. The log collection window will be displayed, where you can make changes or test, by clicking Test.

Important

If a “connected application” for Cortex XSIAM data collection already exists, there is no obligation to migrate to an “External Client App” - but as Connected Applications are deprecated by Salesforce, it is recommended to migrate.

Troubleshooting

If for any reason the authorization token is not created and sent to Cortex XSIAM after the 15-minute timeout period, an authorization failure error will be returned. To retry:

Click Edit (pencil icon) for the collector instance in Cortex XSIAM.
The log collection window will display again, allowing you to edit settings and retry getting the authorization code.