Salesforce cloud monitoring
- Salesforce cloud monitoring limitations
Requirements
Configure Salesforce monitoring

Salesforce cloud monitoring Direct link to this section

Arctic Wolf® can use the Salesforce API to monitor Salesforce audit logs and alert you about suspicious or malicious activity.

To implement this monitoring, you must provide the following information about the SalesForce API to Arctic Wolf:

The username used to access the Salesforce API, such as user@example.com
The password associated with that username
The security token associated with that username

Salesforce cloud monitoring limitations Direct link to this section

Salesforce imposes a strict limit on the number of API calls that can be performed in a 24 hour period by all users and applications that share a Salesforce tenant. If this API request limit is exceeded, further API calls are denied until the number of API calls in the last 24 hours falls below the limit. The Arctic Wolf Sensor typically makes fewer than 250 API calls per hour or 6000 per day. Sometimes, the number of API calls is higher than this average, but it should never exceed 10,000 API calls per day.

Caution: Before proceeding with this configuration process, confirm with your Salesforce administrator that Arctic Wolf API usage rates will not cause your API request limit for your organization to be exceeded. For more information see API Request Limits and Allocations in the Salesforce documentation.
Arctic Wolf does not support monitoring for the Group Edition of Salesforce at this time.
Arctic Wolf does not support monitoring for Salesforce organizations that have implemented single sign-on (SSO), even if SSO is disabled.

Requirements Direct link to this section

System administrator access for the Salesforce organization you want Arctic Wolf to monitor.
Integration API access. If your organization uses the Professional Edition of Salesforce, you can purchase the required API access from Salesforce for an additional fee. Contact your Salesforce account executive to enable this functionality.

The required integration APIs are enabled automatically in the Enterprise, Unlimited, and Performance editions of Salesforce.

Configure Salesforce monitoring Direct link to this section

Create a new user for log collection.
Create a security token for the user.
Assign permissions to the profile.
Provide credentials to Arctic Wolf.

1. Create a new user for log collection Direct link to this section

Arctic Wolf strongly recommends that you create a new Salesforce administrative user for log collection and forwarding to the Arctic Wolf Sensor. Having a dedicated user limits access to the permissions that the Arctic Wolf Sensor requires, and allows for better visibility over Arctic Wolf Sensor activities.

Note: If you choose to use an existing Salesforce user instead of creating a new one, confirm that you have access to both the username and password of the user and proceed to Create a security token for the user.

To create a new Salesforce administrative user:

Sign in to Salesforce as a system administrator.
From the Salesforce portal, navigate to Setup > Manage Users > Users.
Click New User and complete the following fields:
1. Enter the required user details, including email address.
2. In the User License field, select Salesforce.
3. In the Profile field, select System Administrator.
4. Select Generate new password and notify user immediately.
5. Click Save.
Sign out of Salesforce.
Follow the steps in the email sent to the email address entered for your new user. Make sure to click Verify.

2. Create a security token for the user Direct link to this section

Based on your action in Create a new user for log collection, you can either create a new security token for a user or reuse a token for an existing user.

Note: If you do not have access to the existing security token, you must create a new one. Creating a new security token invalidates any previous token. Therefore, if you need to create a new security token, verify that nothing is using the existing token.

To create a new security token for the user:

Sign in to Salesforce as the user.
Navigate to Settings > My Personal Information > Reset My Security Token.
Select Reset Security Token. This sends the new security token to the email address of the user.
Retrieve the token from the email, and save the email in a secure place for possible future use.

3. Assign permissions to the profile Direct link to this section

You need to assign the required permissions to the profile associated with the new system adminstrator. Arctic Wolf recommends creating a new profile to provide greater isolation and visibility for the additional permissions.

Note: If you choose to update an existing profile instead if creating a new one, be aware of how the additional permissions granted could affect other users sharing that profile.

To add the required permissions to the profile:

Select Settings > My Personal Information > Advanced User Details.
Click the Profile name, such as System Administrator.
Edit or clone the profile:
- To update the existing profile, select Edit.
- To create a new profile, select Clone.
Under Administrative Permissions, select:
- API Enabled
- View All Data
- View Setup and Configuration
- Manage Users
  
  Tip: This lets Arctic Wolf retrieve LoginHistory events for all Salesforce users.
- Password Never Expires
  
  Tip: If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your Concierge Security® Team (CST) with the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until new values are received.
Note: Selecting these options automatically includes relevant subcategories of permissions. For example, enabling Manage Users automatically applies permissions to reset user credentials and lock accounts.

4. Provide credentials to Arctic Wolf Direct link to this section

To provide the Salesforce username, and the associated password and security token to Arctic Wolf:

Sign in to the Arctic Wolf Portal.
Select Connected Accounts in the banner menu to open the Connected Accounts page.
Select +Add Account to open the Add Account form.
Select Cloud Detection and Response as the Account Type.
Select Salesforce from the list of cloud services, and fill in the form:
1. In the Account Name field, specify a descriptive name for the credentials.
2. Enter the sign-in credentials for your organization in the Username and Password fields.
3. Copy the security token from the previous email into the Security Token field.
Select Submit to CST.
When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.
Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team provisions security monitoring for your account, the status of your credentials changes to Connected.

Salesforce Monitoring

Configuration Guide