The JSA DSM for Salesforce Security can collect Salesforce Security Auditing audit trail logs and Salesforce Security Monitoring event logs from your Salesforce console by using a RESTful API in the cloud.
The following table identifies the specifications for the Salesforce Security DSM:
Table 1: Salesforce Security DSM Specifications
RPM file name
Salesforce REST API Protocol
JSA recorded events
Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History, Salesforce Security Auditing audit trail
Salesforce website (http://www.salesforce.com/)
Salesforce Security DSM Integration Process
To integrate Salesforce Security DSM with JSA, use the following procedures:
If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console.
Protocol Common RPM
SalesforceRESTAPI Protocol RPM
Salesforce Security Auditing RPM
Salesforce Security RPM
Configure the Salesforce Security server to communicate with JSA.
Obtain and install a certificate to enable communication between Salesforce Security and JSA. The certificate must be in the
/opt/qradar/conf/trusted_certificates/folder and be in
For each instance of Salesforce Security , create a log source on the JSA Console.
Configuring the Salesforce Security Monitoring Server to Communicate with JSA
To allow JSA communication, you need to configure Connected App on the Salesforce console and collect information that the Connected App generates. This information is required for when you configure the JSA log source.
If the RESTful API is not enabled on your Salesforce server, contact Salesforce support.
- Configure and collect information that is generated by the Connected
Log in to your Salesforce Security Monitoring server.
Click the Setup button
In the navigation pane, click Create > Apps > New.
Type the name of your application.
Type the contact email information.
Select Enable OAuth Settings.
From the Selected OAuth Scopes list, select Access and manage your data (api).
In the Info URL field, type a URL where the user can go for more information about your application.
Configure the remaining optional parameters.
- Turn on Entitlement History.
Click the Setup button.
In the navigation pane, select Build > Customize > Entitlement Management > Enablement Settings.
From the Entitlement Management Settings window, select the Enable Entitlement Management check box.
The Connected App generates the information that is required for when you to configure a log source on JSA. Record the following information:
The Consumer Secret value is confidential. Do not store the consumer secret as plain text.
Configuring a Salesforce Security Log Source in JSA
To collect Salesforce Security events, configure a log source in JSA.
When you configured a Connected App on the Salesforce Security server, the following information was generated:
This information is required to configure a Salesforce Security log source in JSA.
Ensure that the trusted certificate from the Salesforce Security
instance is copied to the
/opt/qradar/conf/trusted_certificates/ folder in .DER format on JSA system.
- Log in toJSA.
- Click the Admin tab.
- In the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- From the Log Source Type list, select Salesforce Security Monitoring.
- From the Protocol Configuration list, select Salesforce Rest API.
- Configure the following values:
The URL of the Salesforce security console.
The user name of the Salesforce security console.
The security token that was sent to the email address configured as the contact email for the Connected App on the Salesforce security console.
The Consumer Key that was generated when you configured the Connected App on the Salesforce security console.
The Consumer Secret that was generated when you configured the Connected App on the Salesforce security console.
When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access the Salesforce Security buckets.
Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.
By default the Salesforce Rest API collects Audit Trail and Security Monitoring events. Configure available options as required.
- Click Save.
- On the Admin tab, click Deploy Changes.