Providing Salesforce Credentials to Arctic Wolf

Configuration Guide

Overview

This document describes how to configure credentials with the necessary permissions for Arctic Wolf® to monitor Salesforce audit logs through the Salesforce administration Web UI.

After you complete this process, you need to provide the following information about the Salesforce API to Arctic Wolf on the Arctic Wolf Portal:

Before you begin

These notes apply to this process:

Creating a new Salesforce user for log collection

Arctic Wolf recommends that you create a new Salesforce user for the purposes of log collection and forwarding to the Arctic Wolf sensor. Having a separate user limits access to the permissions that the Arctic Wolf sensor requires, and allows for better visibility over Arctic Wolf sensor activities. However, you could instead assign the required permissions to an existing Salesforce user.

Confirm that you have access to both the username and password of the Salesforce user that you are using for this process.

Creating a security token for the user

Based on your action in Creating a new Salesforce user for log collection, you can either create a security token for a new user or reuse a token for an existing user.

Note: If you do not have access to the existing security token, you must create a new one. Creating a new security token invalidates any previous token. Therefore, if you need to create the security token, verify that nothing is using the existing token.

To create a new security token for the user:

  1. Sign in as the user.

  2. Select Settings > My Personal Information > Reset My Security Token.

  3. Select Reset Security Token. This emails the new security token to the email address of the user.

  4. Retrieve the token from the email, and save the email in a secure place for possible future use.

Assigning the required permissions to the profile associated with the user

You need to assign permissions to the profile associated with the user that you configured. You can either update the existing profile for the user, or create a new profile for the user.

Arctic Wolf recommends creating a new profile as it provides greater isolation and visibility for the additional permissions.

Note: If you choose to update an existing profile, be aware of how the additional permissions granted could affect other users sharing that profile.

Add the following permissions to the associated profile:

  1. Select Settings > My Personal Information > Advanced User Details.

  2. Click Profile name, such as System Administrator.

  3. Edit or clone the profile:

    • To update the profile of an existing user - Select Edit.
    • To create a new profile for an existing user - Select Clone.

  4. Under Administrative Permissions, select:

    • API Enabled

    • View All Data

    • View Setup and Configuration

    • Manage Users

      Tip: This lets Arctic Wolf retrieve LoginHistory events for all Salesforce users.

    • Password Never Expires

      Tip: If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your Concierge Security® Team (CST) with the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until new values are received.
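
To confirm the result of the steps above, this added example (not Arctic Wolf or Salesforce code) checks a Profile record exported as JSON against the five permissions listed. It also lists any other enabled permissions, which matters when the profile was cloned from a broad one such as System Administrator. The mapping from UI labels to Profile API field names and the sample records are assumptions of this example.

```python
import json

# Permissions required by the guide, mapped to Profile object field names.
# The mapping is an assumption of this example, not part of the guide.
REQUIRED = {
    "API Enabled": "PermissionsApiEnabled",
    "View All Data": "PermissionsViewAllData",
    "View Setup and Configuration": "PermissionsViewSetup",
    "Manage Users": "PermissionsManageUsers",
    "Password Never Expires": "PermissionsPasswordNeverExpires",
}

def _is_true(value):
    # JSON exports give booleans; CSV exports give the strings "true"/"false".
    return value is True or (isinstance(value, str) and value.lower() == "true")

def audit_profile(record):
    """Return (missing_labels, extra_fields) for one Profile record (a dict)."""
    granted = {key for key, value in record.items()
               if key.startswith("Permissions") and _is_true(value)}
    # A required field that is absent from the export counts as missing.
    missing = sorted(label for label, field in REQUIRED.items()
                     if field not in granted)
    # Anything enabled beyond the required set is wider than the guide needs.
    extra = sorted(granted - set(REQUIRED.values()))
    return missing, extra

# Constructed sample records (not real data): a dedicated profile and a
# clone of an administrator profile that was never trimmed.
SAMPLE_JSON = """
[
 {"Name": "AW Log Collection", "PermissionsApiEnabled": true,
  "PermissionsViewAllData": true, "PermissionsViewSetup": true,
  "PermissionsManageUsers": true, "PermissionsPasswordNeverExpires": true,
  "PermissionsModifyAllData": false},
 {"Name": "Admin Clone", "PermissionsApiEnabled": true,
  "PermissionsViewAllData": true, "PermissionsViewSetup": true,
  "PermissionsManageUsers": true, "PermissionsPasswordNeverExpires": false,
  "PermissionsModifyAllData": true, "PermissionsCustomizeApplication": true}
]
"""

if __name__ == "__main__":
    for profile in json.loads(SAMPLE_JSON):
        missing, extra = audit_profile(profile)
        print(profile["Name"], "missing:", missing, "extra:", extra)
```
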

Providing credentials to Arctic Wolf

To provide the Salesforce username, and the associated password and security token to Arctic Wolf:

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

  3. Select + Add Account to open the Add Account form.

  4. Select Cloud Threat Detection as the Account Type.

  5. Select Salesforce from the list of cloud services, and fill in the form:

    1. Specify a descriptive name for the credentials.

    2. Enter the Username and Password of your organization.

    3. Copy the security token from the previous email into the Security Token field.

  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission and then click Done. This returns you to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your CST provisions security monitoring for your Salesforce application, the status of your Salesforce credentials changes to Connected.