Salesforce Security Monitoring

The JSA DSM for Salesforce Security Monitoring can collect event logs from your Salesforce console by using a RESTful API in the cloud.

The following table identifies the specifications for the Salesforce Security Monitoring DSM:

Table 1: Salesforce Security Monitoring DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Salesforce |
| DSM | Salesforce Security Monitoring |
| RPM file name | DSM-SalesforceSecurityMonitoring-JSA_Version-Build_Number.noarch.rpm |
| Protocol | Salesforce REST API Protocol |
| JSA recorded events | Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History |
| Automatically discovered | No |
| Includes identity | Yes |
| More information | Salesforce website (http://www.salesforce.com/) |

Salesforce Security Monitoring DSM Integration Process

To integrate Salesforce Security Monitoring DSM with JSA, use the following procedures:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console.

    • DSMCommon RPM

    • SalesforceRESTAPI Protocol RPM

    • Salesforce Security Monitoring RPM

  2. Configure the Salesforce Security Monitoring server to communicate with JSA.

  3. Obtain and install a certificate to enable communication between Salesforce Security Monitoring and JSA. The certificate must be in the /opt/qradar/conf/trusted_certificates/ folder and be in .DER format.

  4. For each instance of Salesforce Security Monitoring, create a log source on the JSA Console.

Configuring the Salesforce Security Monitoring Server to Communicate with JSA

To allow JSA communication, you need to configure a Connected App on the Salesforce console and collect the information that the Connected App generates. This information is required when you configure the JSA log source.

If the RESTful API is not enabled on your Salesforce server, contact Salesforce support.

  1. Configure and collect information that is generated by the Connected App.
    1. Log in to your Salesforce Security Monitoring server.

    2. Click the Setup button.

    3. In the navigation pane, click Create > Apps > New.

    4. Type the name of your application.

    5. Type the contact email information.

    6. Select Enable OAuth Settings.

    7. From the Selected OAuth Scopes list, select Access and manage your data (api).

    8. In the Info URL field, type a URL where the user can go for more information about your application.

    9. Configure the remaining optional parameters.

    10. Click Save.

  2. Turn on Entitlement History.
    1. Click the Setup button.

    2. In the navigation pane, select Build > Customize > Entitlement Management > Enablement Settings.

    3. From the Entitlement Management Settings window, select the Enable Entitlement Management check box.

    4. Click Save.

The Connected App generates the information that is required when you configure a log source on JSA. Record the following information:

  • Consumer Key: Use the Consumer Key value to configure the Client ID parameter for the JSA log source.

  • Consumer Secret: You can click the link to reveal the consumer secret. Use the Consumer Secret value to configure the Secret ID parameter for the JSA log source.

    Note: The Consumer Secret value is confidential. Do not store the consumer secret as plain text.

  • Security token: A security token is sent by email to the email address that you configured as the contact email.

Configuring a Salesforce Security Monitoring Log Source in JSA

To collect Salesforce Security Monitoring events, configure a log source in JSA.

When you configured a Connected App on the Salesforce Security Monitoring server, the following information was generated:

  • Consumer Key

  • Consumer Secret

  • Security token

This information is required to configure a Salesforce Security Monitoring log source in JSA.

Ensure that the trusted certificate from the Salesforce Security Monitoring instance is copied to the /opt/qradar/conf/trusted_certificates/ folder in .DER format on the JSA system.
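
One way to stage the certificate that step 3 of the integration process and the paragraph above require, as an added example that is not part of the JSA documentation: it converts a PEM or DER certificate to DER in the trust folder and prints its SHA-256 fingerprint. The function names, the file name passed as the second argument and the host passed to fetch_server_cert are assumptions; only the folder path comes from this page.

```shell
# Added example, not from the JSA documentation.
# TRUST_DIR defaults to the folder named on this page; override it for a dry run.
TRUST_DIR="${TRUST_DIR:-/opt/qradar/conf/trusted_certificates}"

# True when file $1 is a DER-encoded X.509 certificate (binary, no PEM armor).
is_der_cert() {
    ! grep -q -- '-----BEGIN' "$1" &&
        openssl x509 -inform der -in "$1" -noout 2>/dev/null
}

# Write certificate $1 into TRUST_DIR as $2.der, converting from PEM if needed.
# Prints the SHA-256 fingerprint of the installed file. $2 is a hypothetical name.
install_der_cert() {
    local src="$1" dest="$TRUST_DIR/$2.der"
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        openssl x509 -inform pem -in "$src" -outform der -out "$dest" ||
            { rm -f "$dest"; return 1; }
    elif is_der_cert "$src"; then
        cp "$src" "$dest" || return 1
    else
        echo "not an X.509 certificate: $src" >&2
        return 2
    fi
    openssl x509 -inform der -in "$dest" -noout -fingerprint -sha256
}

# Save the leaf certificate presented by host $1 on port 443 to PEM file $2.
# $1 is assumed to be the host name of the Login URL used for the log source.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform pem -out "$2"
}
```

Compare the printed fingerprint with one obtained through a separate channel before relying on the file, because fetch_server_cert accepts whatever certificate the network path presents.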

  1. Log in to JSA.
  2. Click the Admin tab.
  3. In the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. From the Log Source Type list, select Salesforce Security Monitoring.
  7. From the Protocol Configuration list, select Salesforce Rest API.
  8. Configure the following values:

    | Parameter | Description |
    | --- | --- |
    | Login URL | The URL of the Salesforce security console. |
    | Username | The user name of the Salesforce security console. |
    | Security Token | The security token that was sent to the email address configured as the contact email for the Connected App on the Salesforce security console. |
    | Client ID | The Consumer Key that was generated when you configured the Connected App on the Salesforce security console. |
    | Secret ID | The Consumer Secret that was generated when you configured the Connected App on the Salesforce security console. |
    | Use Proxy | When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access the Salesforce Security buckets. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank. |

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.
