Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Salesforce Security

The JSA DSM for Salesforce Security can collect Salesforce Security Auditing audit trail logs and Salesforce Security Monitoring event logs from your Salesforce console by using a RESTful API in the cloud.

The following table identifies the specifications for the Salesforce Security DSM:

Table 1: Salesforce Security DSM Specifications






Salesforce Security

RPM file name



Salesforce REST API Protocol

JSA recorded events

Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History, Salesforce Security Auditing audit trail

Automatically discovered


Includes identity


More information

Salesforce website (

Salesforce Security DSM Integration Process

To integrate Salesforce Security DSM with JSA, use the following procedures:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console.

    • Protocol Common RPM

    • SalesforceRESTAPI Protocol RPM

    • DSMCommon RPM

    • Salesforce Security Auditing RPM

    • Salesforce Security RPM

  2. Configure the Salesforce Security server to communicate with JSA.

  3. Obtain and install a certificate to enable communication between Salesforce Security and JSA. The certificate must be in the /opt/qradar/conf/trusted_certificates/ folder and be in .DER format.

  4. For each instance of Salesforce Security , create a log source on the JSA Console.

Configuring the Salesforce Security Monitoring Server to Communicate with JSA

To allow JSA communication, you need to configure Connected App on the Salesforce console and collect information that the Connected App generates. This information is required for when you configure the JSA log source.

If the RESTful API is not enabled on your Salesforce server, contact Salesforce support.

  1. Configure and collect information that is generated by the Connected App.

    1. Log in to your Salesforce Security Monitoring server.

    2. Click the Setup button

    3. In the navigation pane, click Create > Apps > New.

    4. Type the name of your application.

    5. Type the contact email information.

    6. Select Enable OAuth Settings.

    7. From the Selected OAuth Scopes list, select Access and manage your data (api).

    8. In the Info URL field, type a URL where the user can go for more information about your application.

    9. Configure the remaining optional parameters.

    10. Click Save.

  2. Turn on Entitlement History.

    1. Click the Setup button.

    2. In the navigation pane, select Build > Customize > Entitlement Management > Enablement Settings.

    3. From the Entitlement Management Settings window, select the Enable Entitlement Management check box.

    4. Click Save.

The Connected App generates the information that is required for when you to configure a log source on JSA. Record the following information:

Consumer Key

Use the Consumer Key value to configure the Client ID parameter for the JSA log source.

Consumer Secret

You can click the link to reveal the consumer secret. Use the Consumer Secret value to configure the Secret ID parameter for the JSA log source.


The Consumer Secret value is confidential. Do not store the consumer secret as plain text.

Security token

A security token is sent by email to the email address that you configured as the contact email.

Salesforce Rest API Log Source Parameters for Salesforce Security

If JSA does not automatically detect the log source, add a Salesforce Security log source on the JSA Console by using the Salesforce Rest API protocol.

When using the Salesforce Rest API protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Salesforce Rest API events from Salesforce Security:

Table 2: Salesforce Rest API Log Source Parameters for the Salesforce Security DSM



Log Source type

Salesforce Security

Protocol Configuration

Salesforce Rest API

Login URL

The URL of the Salesforce security console.


The user name of the Salesforce security console.

Security Token

The security token that was sent to the email address configured as the contact email for the Connected App on the Salesforce security console.

Client ID

The Consumer Key that was generated when you configured the Connected App on the Salesforce security console.

Secret ID

The Consumer Secret that was generated when you configured the Connected App on the Salesforce security console.

Use Proxy

When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access the Salesforce Security buckets.

Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Advanced Options

By default the Salesforce Rest API collects Audit Trail and Security Monitoring events. Configure available options as required.