Configure Salesforce for Arctic Wolf monitoring

You can configure Salesforce® to send the necessary logs to Arctic Wolf® for security monitoring.

Arctic Wolf only supports Salesforce monitoring when SSO and MFA are enabled at the organization level for Salesforce sign-ins.

If you have the Group Edition of Salesforce or enable SSO and MFA enforcement at the permission set or profile levels, Arctic Wolf cannot monitor the integration. For example, these enforcement methods are not supported:

  • MFA enforced through the Multi-Factor Authentication for API Logins permission.
  • MFA enforced by setting the Session Security Level Required at Login for a profile to High Assurance.
  • SSO enforced through the Is Single Sign-On Enabled permission.

    For more information about these features, see Salesforce MFA FAQ.

Note:

Salesforce limits the number of API calls that all users and applications sharing a Salesforce tenant can perform in a 24-hour period. If this API request limit is exceeded, new API calls are denied until the number of API calls in the last 24 hours falls below the limit. The Arctic Wolf Sensor typically makes fewer than 250 API calls each hour or 6,000 each day. Sometimes, the number of API calls is higher than this average, but it should never exceed 10,000 API calls each day.

These resources are required:

  • System administrator permissions for the Salesforce organization that you want Arctic Wolf to monitor.
  • A Salesforce Sales Cloud license.
  • Integration API access. If your organization uses the Professional Edition of Salesforce, you can purchase the required API access from Salesforce for an additional fee. Contact your Salesforce account executive to enable this functionality.
    Note:

    The required integration APIs are enabled automatically in the Enterprise, Unlimited, and Performance editions of Salesforce.

These actions are required:

  • Verify with your Salesforce administrator that Arctic Wolf API usage rates will not exceed your API request limit for your organization.

    For more information about Salesforce API request limits, see API Request Limits and Allocations.
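One way to run the headroom check above is shown here as an added example that is not part of the original Arctic Wolf or Salesforce documentation. It assumes that you have saved the JSON returned by the Salesforce REST limits resource and that it contains a DailyApiRequests entry with Max and Remaining values. The sample response and the api_headroom function name are constructed for illustration.

```python
import json

# Sensor call volumes as stated on this page.
SENSOR_TYPICAL_PER_DAY = 6_000
SENSOR_PEAK_PER_DAY = 10_000

# Constructed sample of a limits response; the numbers are made up.
SAMPLE_LIMITS = json.loads("""
{
  "DailyApiRequests": {"Max": 100000, "Remaining": 12500},
  "DataStorageMB": {"Max": 1024, "Remaining": 900}
}
""")


def api_headroom(limits):
    """Classify a snapshot taken before the sensor is connected.

    Take the snapshot at the org's busiest time: the limit is a rolling
    24-hour window, so a quiet-hour reading overstates the headroom.
    """
    try:
        daily = limits["DailyApiRequests"]
        maximum, remaining = int(daily["Max"]), int(daily["Remaining"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("no usable DailyApiRequests entry in response") from exc
    if remaining >= SENSOR_PEAK_PER_DAY:
        verdict = "ok"            # even a peak day fits
    elif remaining >= SENSOR_TYPICAL_PER_DAY:
        verdict = "tight"         # a typical day fits, a peak day does not
    else:
        verdict = "insufficient"  # calls would be denied on a typical day
    return {
        "used_by_others": maximum - remaining,
        "remaining": remaining,
        "left_after_typical_day": remaining - SENSOR_TYPICAL_PER_DAY,
        "left_after_peak_day": remaining - SENSOR_PEAK_PER_DAY,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(api_headroom(SAMPLE_LIMITS))
```
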

Create or select a Salesforce profile

You can either create a Salesforce profile or select an existing profile.

Note:

Arctic Wolf strongly recommends that you create a new Salesforce profile and user for log collection and forwarding to the Arctic Wolf Sensor. Having a dedicated user limits the permissions that the Arctic Wolf Sensor requires and allows for better visibility over Arctic Wolf Sensor activities.

Create a Salesforce profile

  1. Sign in to Salesforce with system administrator permissions using this URL format: MyDomain.my.salesforce.com.
  2. In the navigation menu, click Setup > Manage Users > Profiles.
    Tip: If you are using Salesforce Lightning, in the navigation menu, click > Setup, and then navigate to Users > Profiles.
  3. Click New Profile, and then complete these steps:
    1. In the Existing Profile list, select Minimum Access - Salesforce.
    2. In the Profile Name field, enter a name for the profile.
    3. Click Save.
  4. On the new profile page, click Edit.
  5. In the Administrative Permissions section, select these permissions:
    • API Enabled

    • Manage Data Integrations

    • Manage Users

    • Password Never Expires
      Note: If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your Concierge Security® Team (CST) and include the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until we receive the new values.
    • View Setup and Configuration

    Note: Selecting these permissions automatically enables the relevant subcategories. For example, selecting Manage Users automatically enables permissions to manage internal users and manage roles.
  6. Click Save.
  7. Proceed to Create a new user for log collection.

Select a Salesforce profile

  1. Sign in to Salesforce with system administrator permissions using this URL format: MyDomain.my.salesforce.com.
  2. In the navigation menu, click Setup > Manage Users > Profiles.
    Tip: If you are using Salesforce Lightning, in the navigation menu, click > Setup, and then navigate to Users > Profiles.
  3. Click Edit for the profile that you want to use for configuration.
  4. In the Administrative Permissions section, select these permissions:
    • API Enabled

    • Manage Data Integrations

    • Manage Users

    • Password Never Expires
      Note:

      If the password on the account changes, the security token is invalidated and needs to be reset. If this happens, contact your CST and include the updated password and security token. Arctic Wolf is unable to monitor logs in your Salesforce account until we receive the new values.

    • View Setup and Configuration

  5. Click Save.
  6. Proceed to Create a security token for the user.
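The following added example, which is not part of the original documentation, audits a profile record against the permission list used in both profile procedures above. It reports required permissions that are missing and broad permissions that the procedures do not ask for, which matters most when an existing profile is reused. The Profile field names are assumed API names for the listed permissions, the short list of broad permissions is chosen for illustration, and the profile names and sample records are constructed.

```python
# Permissions this page tells you to select, keyed by the assumed Profile
# object field names (confirm them in your org's object reference).
REQUIRED = {
    "PermissionsApiEnabled": "API Enabled",
    "PermissionsManageDataIntegrations": "Manage Data Integrations",
    "PermissionsManageUsers": "Manage Users",
    "PermissionsPasswordNeverExpires": "Password Never Expires",
    "PermissionsViewSetup": "View Setup and Configuration",
}

# Broad permissions that are not on the page's list (illustrative selection).
BROAD_NOT_REQUIRED = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
    "PermissionsAuthorApex": "Author Apex",
}


def soql_for(profile_name):
    """Build the SOQL query that fetches the audited flags for one profile."""
    fields = ", ".join(["Name", *REQUIRED, *BROAD_NOT_REQUIRED])
    escaped = profile_name.replace("\\", "\\\\").replace("'", "\\'")
    return f"SELECT {fields} FROM Profile WHERE Name = '{escaped}'"


def audit_profile(record):
    """Compare one query result row with the page's permission list."""
    missing = [label for field, label in REQUIRED.items()
               if record.get(field) is not True]
    excess = [label for field, label in BROAD_NOT_REQUIRED.items()
              if record.get(field) is True]
    return {"profile": record.get("Name"), "missing": missing,
            "excess": excess, "ok": not missing and not excess}


# Constructed rows: a dedicated profile, and a reused profile with drift.
DEDICATED = {"Name": "Arctic Wolf Log Collection",
             **{f: True for f in REQUIRED},
             **{f: False for f in BROAD_NOT_REQUIRED}}
REUSED = {**DEDICATED, "Name": "Integration Users",
          "PermissionsPasswordNeverExpires": False,
          "PermissionsModifyAllData": True}

if __name__ == "__main__":
    print(soql_for(DEDICATED["Name"]))
    for row in (DEDICATED, REUSED):
        print(audit_profile(row))
```
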

Create a new user for log collection

Note:

Arctic Wolf strongly recommends that you create a new Salesforce profile and user for log collection and forwarding to the Arctic Wolf Sensor. Having a dedicated user limits access to the permissions that the Arctic Wolf Sensor requires and allows for better visibility over Arctic Wolf Sensor activities.

If you want to create a new user for log collection:

  1. Sign in to Salesforce with system administrator permissions using this URL format: MyDomain.my.salesforce.com.
  2. Click Setup > Manage Users > Users.
    Tip: If you are using Salesforce Lightning, in the navigation menu, click > Setup, and then navigate to Users > Users.
  3. Click New User, and then configure these settings:
    • First Name and Last Name — Enter a name for the user.

      The Alias field automatically populates.

    • Email — Enter the email associated with the user.
    • Nickname — Enter a nickname for the user. For example, Arctic Wolf log collection.
    • Role — If you want to assign a specific role, select that role. If not, select Not Specified.
    • User License — Select Salesforce.
    • Profile — Select the profile created in Create or select a Salesforce profile.
    • Complete the remaining required fields.
    • Generate new password and notify user immediately — Select the checkbox.

      A verification email is sent to the address of the new user with this subject: Welcome to Salesforce: Verify your account.

  4. Click Save.
  5. Sign out of Salesforce.
  6. Complete the steps in the verification email sent to the new user.
  7. Click Verify.

Create a security token for the user

Note:

Make sure that no other services use the existing security token for an existing user because creating a new security token invalidates previous tokens.

If you created a new user or profile or you do not have access to the existing security token for the existing user, create a new security token:

  1. Sign in to Salesforce as the user that you want to use for log collection, using this URL format: My_Domain.my.salesforce.com.
  2. Click Settings > Personal > Reset My Security Token.
    Tip: If you are using Salesforce Lightning, in the navigation menu, click View profile > Settings, and then click Reset My Security Token.
  3. Click Reset Security Token.

    The new security token is sent to the email address of the user.

  4. Copy the token from the email, and then save it in a safe, encrypted location.
    You will provide it to Arctic Wolf later.

Provide Salesforce credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Salesforce.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Username — Enter the username for your user.
    • Password — Enter the password for your user.
    • Security Token — Enter the security token from Create a security token for the user.
    • Salesforce Authentication Domain — If your credentials are for a Salesforce Sandbox environment, select test. Otherwise, select login.

      For more information about Salesforce Sandboxes, see Salesforce documentation.

    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

  6. Click Test and submit credentials.