Configure Salesforce cloud for Arctic Wolf monitoring

You can configure Salesforce® cloud to send the necessary logs to Arctic Wolf for security monitoring.

Limitations of this configuration include:

• Salesforce imposes a strict limit on the number of API calls that all users and applications sharing a Salesforce tenant can perform in a 24-hour period. If this API request limit is exceeded, further API calls are denied until the number of API calls in the last 24 hours falls below the limit. The Arctic Wolf Sensor typically makes fewer than 250 API calls per hour or 6,000 per day. Sometimes, the number of API calls is higher than this average, but it should never exceed 10,000 API calls per day.

  Caution: Before proceeding with this configuration process, confirm with your Salesforce administrator that Arctic Wolf API usage rates will not exceed your API request limit for your organization. For more information, see API Request Limits and Allocations.

• Arctic Wolf does not support monitoring for the Group Edition of Salesforce.

• Arctic Wolf supports Salesforce monitoring when SSO and MFA are enabled at the organization level for Salesforce logins. SSO and MFA enforcement at the permission set or profile levels are not supported. For examples, these methods of enforcement are not supported:

  • MFA enforced through the Multi-Factor Authentication for API Logins permission.
  • MFA enforced by setting the Session Security Level Required at Login for a profile to High Assurance.
  • SSO enforced through the Is Single Sign-On Enabled permission.

  See Salesforce MFA FAQ for more information about these features.

Requirements

• System administrator permissions for the Salesforce organization you want Arctic Wolf to monitor.
• Integration API access. If your organization uses the Professional Edition of Salesforce, you can purchase the required API access from Salesforce for an additional fee. Contact your Salesforce account executive to enable this functionality.

  Note: The required integration APIs are enabled automatically in the Enterprise, Unlimited, and Performance editions of Salesforce.

Steps

1. Create a new user for log collection.
2. Create a security token for the user.
3. Assign permissions to the profile.
4. Provide credentials to Arctic Wolf.

Step 1: Create a new user for log collection

Arctic Wolf strongly recommends that you create a new Salesforce administrative user for log collection and forwarding to the Arctic Wolf Sensor. Having a dedicated user limits access to the permissions that the Arctic Wolf Sensor requires and allows for better visibility over Arctic Wolf Sensor activities.

1. Sign in to Salesforce as a system administrator.
2. From the Salesforce portal, click Setup > Manage Users > Users.
3. Click New User, and then complete these steps:
   1. Enter the required user details, including the email address.
   2. In the User License field, select Salesforce.
   3. In the Profile field, select System Administrator.
   4. Select Generate new password and notify user immediately.
   5. Click Save.
4. Sign out of Salesforce.
5. Complete the steps in the email sent to the email address for the new user.
6. Click Verify.

Step 2: Create a security token for the user

Based on your action in Create a new user for log collection, you can either create a new security token for a user or reuse a token for an existing user.

1. Sign in to Salesforce as the user.
2. Click Settings > My Personal Information > Reset My Security Token.
3. Select Reset Security Token. This sends the new security token to the email address of the user.
4. Retrieve the token from the email, and then save the email in a secure place for possible future use.

Step 3: Assign permissions to the profile

You need to assign the required permissions to the profile associated with the new system administrator. Arctic Wolf strongly recommends creating a new profile to provide greater isolation and visibility for the additional permissions, and to make sure that SSO or MFA enforcement for other users will not affect the log collection user. For all limitations, see Configure Salesforce cloud for Arctic Wolf monitoring.

1. Click Settings > My Personal Information > Advanced User Details.

2. Click the Profile name, such as System Administrator.

   

3. Do one of these actions:

   • To update the existing profile, click Edit.
   • To create a new profile, click Clone.

   

4. Under Administrative Permissions, select:

   • API Enabled

   • View All Data

   • View Setup and Configuration

   • Manage Users

     Arctic Wolf can retrieve LoginHistory events for all Salesforce users.

   • Password Never Expires

     Note: If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your Concierge Security® Team (CST) with the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until new values are received.

   Note: Selecting these options automatically includes relevant subcategories of permissions. For example, enabling Manage Users automatically applies permissions to reset user credentials and lock accounts.

Step 4: Provide credentials to Arctic Wolf

1. Sign in to the Arctic Wolf Unified Portal.

2. In the menu bar, click Telemetry Management > Connected Accounts.

3. Click Add Account +.

4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

5. From the list of cloud services, select Salesforce.

6. On the Add Account page, configure these fields:

   • Account Name — Enter a unique and descriptive name for the account.
   • Username — Enter the sign-in credentials for your organization.
   • Password — Enter the sign-in credentials for your organization.
   • Security Token — Enter the security token from the previous email.
   • Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.

7. Click Test and Submit Credentials.

   After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

See also

• API Request Limits and Allocations
• Salesforce MFA FAQ