Use the Cortex XSIAM data collector to collect Audit Trail and Security Monitoring event logs from Salesforce.com.
The Cortex XSIAM data collector collects Audit Trail and Security Monitoring event logs from Salesforce.com. During setup of this data collector, you can accept the default collection settings, or exclude the collection of content metadata and accounts.
The Salesforce.com data collector fetches events, objects, and metadata, including:
Login history
Setup audit trail
Flow Execution events
Transaction Security events
Content Distribution events
Package Install events
You can create multiple Salesforce.com data collector instances in Cortex XSIAM, for different parts of your organization.
Data is intentionally collected with a delay, so that logs Salesforce.com makes available late are still picked up (this mitigates the effect of lags on the Salesforce.com side).
When Cortex XSIAM begins receiving logs, it creates new datasets for them, named salesforce_<object>_raw. Examples of <object> include:
connectedapplication
permissionset
profile
groupmember
group
user
userrole
document
contentfolder
attachment
contentdistribution
tenantsecuritylogin
useraccountteammember
tenantsecurityuserperm
account
audit
login
eventlogfile
You can use these datasets to perform XQL search queries. For example queries, refer to the in-app XQL Library.
Prerequisites
To manage collection integration in Cortex XSIAM, ensure that you have the privilege to View/Edit Log Collections (for example, the Instance Administrator role).
To avoid API errors, your Salesforce.com organization must be at least Professional Edition with API access enabled, or Enterprise Edition or higher.
How to
To use the client credentials flow required for the Salesforce.com–Cortex XSIAM integration, you must create a connected app for Cortex XSIAM in Salesforce.com and configure its OAuth settings and access policies. After that, configure the data collector in Cortex XSIAM.
Note
For more detailed reference information, see Configure a Connected App for the OAuth 2.0 Client Credentials Flow.
Unlike other data collector setups, this setup includes obtaining an OAuth 2.0 authorization code from Salesforce.com, and that code is valid for only 15 minutes. Make sure that you enable the data collector within 15 minutes of obtaining the authorization code.
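As an added example (not Cortex XSIAM code, and not the procedure the page describes), the following script shows what the connected app ultimately grants the collector: a bearer token obtained with the connected app's consumer key and secret through the client credentials flow, then a SOQL query over LoginHistory for a window that deliberately ends in the past, which is the collection delay described earlier on this page. The token endpoint, form fields and response fields are Salesforce's documented ones for the client credentials flow, which needs no browser step or authorization code. The My Domain host, the API version, the 30-minute lag and the injectable `transport` callable (used so the exchange can be exercised offline) are assumptions made for this example.

```python
"""Salesforce client credentials token exchange and a lagged LoginHistory poll.

Added example, not Cortex XSIAM code. Endpoint, form fields and response
fields are Salesforce's documented ones; the My Domain host, API version,
lag value and the `transport` hook are assumptions for this example.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SOQL_TIME = "%Y-%m-%dT%H:%M:%SZ"  # SOQL datetime literals are unquoted UTC


def token_request(my_domain, consumer_key, consumer_secret):
    """Build the POST to /services/oauth2/token for grant_type=client_credentials."""
    url = f"https://{my_domain}/services/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def parse_token_response(raw):
    """Return (access_token, instance_url); raise on Salesforce's error JSON."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], data["instance_url"]


def poll_window(now, lag=timedelta(minutes=30), span=timedelta(minutes=5)):
    """Window for the next poll. It ends `lag` in the past on purpose, so
    events that Salesforce surfaces late still land inside a window we fetch."""
    until = now - lag
    return until - span, until


def login_history_soql(since, until):
    """Half-open window (since, until] so consecutive polls never overlap."""
    return ("SELECT Id, LoginTime, UserId, SourceIp, Status, LoginType, Application "
            f"FROM LoginHistory WHERE LoginTime > {since.strftime(SOQL_TIME)} "
            f"AND LoginTime <= {until.strftime(SOQL_TIME)} ORDER BY LoginTime")


def query_url(instance_url, soql, api_version="59.0"):
    return f"{instance_url}/services/data/v{api_version}/query?q={urllib.parse.quote(soql)}"


def urllib_transport(url, body, headers):
    """Real HTTP: POST when a body is given, GET otherwise; returns raw bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def collect_logins(my_domain, consumer_key, consumer_secret, now=None, transport=urllib_transport):
    """Token exchange, then one LoginHistory page for the lagged window.
    `transport(url, body, headers) -> bytes` is injectable for offline tests."""
    url, body, headers = token_request(my_domain, consumer_key, consumer_secret)
    token, instance_url = parse_token_response(transport(url, body, headers))
    since, until = poll_window(now or datetime.now(timezone.utc))
    page = json.loads(transport(query_url(instance_url, login_history_soql(since, until)),
                                None, {"Authorization": f"Bearer {token}"}))
    return page["records"]


if __name__ == "__main__":
    import os
    # A real run needs a connected app with the client credentials flow enabled
    # and a run-as user permitted to read LoginHistory.
    print(collect_logins(os.environ["SF_MY_DOMAIN"], os.environ["SF_CONSUMER_KEY"],
                         os.environ["SF_CONSUMER_SECRET"]))
```

The consumer secret is the only credential in this flow, so treat it as you would a service-account password: keep it in a secret store, scope the connected app's run-as user to the minimum permissions needed to read the objects listed above, and rotate it if the app's access policies are ever loosened.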
Perform the following procedures in the order that they appear, below.
Troubleshooting
If for any reason the token is not created and sent to Cortex XSIAM, an authorization failure error is returned for the collector instance after a timeout period. In this case, retry by clicking Edit (the pencil icon) for the collector instance. The log collection window is displayed again, where you can edit the settings and retry obtaining the authorization code.