Salesforce Monitoring

Updated Sep 27, 2023

Configure Salesforce cloud for Arctic Wolf monitoring

You can configure Salesforce® cloud to send the necessary logs to Arctic Wolf for security monitoring.

Limitations of this configuration include:



  1. Create a new user for log collection.
  2. Create a security token for the user.
  3. Assign permissions to the profile.
  4. Provide credentials to Arctic Wolf.

Step 1: Create a new user for log collection

Arctic Wolf strongly recommends that you create a new Salesforce administrative user for log collection and forwarding to the Arctic Wolf Sensor. Having a dedicated user limits access to the permissions that the Arctic Wolf Sensor requires and allows for better visibility over Arctic Wolf Sensor activities.

Note: If you choose to use an existing Salesforce user instead of creating a new one, confirm that you have access to both the username and password of the user and proceed to Create a security token for the user.

  1. Sign in to Salesforce as a system administrator.
  2. From the Salesforce portal, click Setup > Manage Users > Users.
  3. Click New User, and then complete these steps:
    1. Enter the required user details, including the email address.
    2. In the User License field, select Salesforce.
    3. In the Profile field, select System Administrator.
    4. Select Generate new password and notify user immediately.
    5. Click Save.
  4. Sign out of Salesforce.
  5. Complete the steps in the email sent to the email address for the new user.
  6. Click Verify.

Step 2: Create a security token for the user

Based on your action in Create a new user for log collection, you can either create a new security token for a user or reuse a token for an existing user.

Note: If you do not have access to the existing security token, you must create a new one. Creating a new security token invalidates any previous token. Therefore, if you need to create a new security token, verify that nothing is using the existing token.

  1. Sign in to Salesforce as the user.
  2. Click Settings > My Personal Information > Reset My Security Token.
  3. Select Reset Security Token. This sends the new security token to the email address of the user.
  4. Retrieve the token from the email, and then save the email in a secure place for possible future use.

Step 3: Assign permissions to the profile

You need to assign the required permissions to the profile associated with the new system administrator. Arctic Wolf strongly recommends creating a new profile to provide greater isolation and visibility for the additional permissions, and to make sure that SSO or MFA enforcement for other users will not affect the log collection user. For all limitations, see Configure Salesforce cloud for Arctic Wolf monitoring.

Note: If you choose to update an existing profile instead if creating a new one, be aware of how the additional permissions granted could affect other users sharing that profile.

  1. Click Settings > My Personal Information > Advanced User Details.

  2. Click the Profile name, such as System Administrator.

    Profile name selected

  3. Do one of these actions:

    • To update the existing profile, click Edit.
    • To create a new profile, click Clone.

    Edit and Clone buttons

  4. Under Administrative Permissions, select:

    • API Enabled

    • View All Data

    • View Setup and Configuration

    • Manage Users

      Arctic Wolf can retrieve LoginHistory events for all Salesforce users.

    • Password Never Expires

      Note: If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your Concierge Security® Team (CST) with the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until new values are received.

    Note: Selecting these options automatically includes relevant subcategories of permissions. For example, enabling Manage Users automatically applies permissions to reset user credentials and lock accounts.

Step 4: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. In the menu bar, click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, from the Account Type list, select Cloud Detection and Response.

  5. From the list of cloud services, select Salesforce.

  6. On the Add Account page, configure these fields:

    • Account Name — Enter a unique and descriptive name for the account.
    • Username — Enter the sign-in credentials for your organization.
    • Password — Enter the sign-in credentials for your organization.
    • Security Token — Enter the security token from the previous email.
    • Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
  7. Click Test and Submit Credentials.

    After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.

See also