Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Salesforce Event Logs | ✅ | ✅ | salesforce_event_logs | NDJSON | API |
Overview
Salesforce is a cloud-based Customer Relationship Management (CRM) platform that enables businesses to manage customer data, sales operations, and marketing campaigns.
Integrating Salesforce into Hunters allows collection and ingestion of event logs into the data lake. Furthermore, the logs are mapped to Hunters Detection & Investigation capabilities.
Supported data types
Salesforce Event Logs
Table name: salesforce_event_logs
The event log files offer a detailed record of user activities, system processes, and security-related events occurring within the Salesforce environment. These logs are invaluable for understanding how Salesforce is being used, monitoring for malicious activity, assessing system performance, and complying with regulatory requirements.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from Salesforce via its API. Follow the steps below (based on this Salesforce guide) to complete the process.
📘Note
Turning on Event Monitoring for Salesforce requires purchasing it as an additional add-on. See more details here.
To connect Salesforce logs:
Allocate a new or existing Salesforce user for the periodic API collection.
Follow this guide to create a new permission set for the API collection, including the permissions below:
View Event Log Files
API Enabled
Password Never Expires
(alternatively, this can be set only at the user level)
Follow this guide to assign the permission set to the user.
Create a new connected app, following this guide (the JWT part is not needed).
📘Note
When entering the OAuth Scopes, the ones in the guide are not enough, and you should enable the following:
Manage user data via APIs (api)
Access Connect REST API resources (chatter_api)
Perform requests at any time (refresh_token, offline_access)
Access unique user identifiers (openid)
After the setup, you will get the following keys for the new app:
Consumer Key
Consumer Secret
Create an access token using the Authorization Code grant type:
Browse to the URL below, replacing <DOMAIN_NAME> and <CONSUMER_KEY> with your values.
https://<DOMAIN_NAME>.my.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<CONSUMER_KEY>&redirect_uri=https://login.salesforce.com/
After you authorize the app, the browser is redirected to a URL whose code query parameter is the authorization code. Copy it; it should look like this (the value is URL-encoded, so the trailing %3D%3D stands for ==):
https://login.salesforce.com/?code=aPrxYXyxzkuBzbDGdwv67qekAQredtrsWqty38LsdhfREyTRbvdjvTqdbvxPVC__4Cb9xGKDGErtOw%3D%3D
Retrieve a refresh_token by exchanging the code at the token endpoint. Make sure to replace <DOMAIN_NAME>, <CONSUMER_KEY>, <CONSUMER_SECRET>, and <CODE>.
curl --location 'https://<DOMAIN_NAME>.my.salesforce.com/services/oauth2/token' \
  --header 'Content-Type: application/json' \
  --data '{
    "grant_type": "authorization_code",
    "code": "<CODE>",
    "client_id": "<CONSUMER_KEY>",
    "client_secret": "<CONSUMER_SECRET>",
    "redirect_uri": "https://login.salesforce.com/"
  }'
Complete the process on the Hunters platform, following this guide.
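The three OAuth steps above (authorize URL, authorization code in the redirect, token exchange) as a small Python helper. This is an added example, not part of the Hunters documentation or any Salesforce SDK: the authorize/token endpoint paths and the redirect_uri are those on the page, while the function names are this example's own and the token request body is form-encoded (the standard OAuth 2.0 token request encoding, which Salesforce's own curl examples use) rather than the JSON body shown above. The refresh_token grant is the renewal a collector performs later with the token this flow returns.

```python
"""Helpers for the Salesforce OAuth 2.0 authorization-code flow (added example)."""
import json
import urllib.parse
import urllib.request

# Redirect URI registered for the connected app, as used in the steps above.
REDIRECT_URI = "https://login.salesforce.com/"


def build_authorize_url(domain_name: str, consumer_key: str) -> str:
    """Step 1: the URL a browser opens to obtain an authorization code."""
    params = {
        "response_type": "code",
        "client_id": consumer_key,
        "redirect_uri": REDIRECT_URI,
    }
    return (f"https://{domain_name}.my.salesforce.com/services/oauth2/authorize?"
            + urllib.parse.urlencode(params))


def extract_code(redirect_url: str) -> str:
    """Step 2: pull the authorization code out of the URL the browser lands on.

    The value in the address bar is percent-encoded (a trailing %3D%3D is "==");
    parse_qs decodes it, so the returned string is the raw code to send to the
    token endpoint. A redirect without a code means authorization was denied.
    """
    query = urllib.parse.urlparse(redirect_url).query
    codes = urllib.parse.parse_qs(query).get("code")
    if not codes:
        raise ValueError("redirect URL carries no code parameter")
    return codes[0]


def token_request(domain_name: str, consumer_key: str, consumer_secret: str,
                  code: str = None, refresh_token: str = None):
    """Step 3: build the token-endpoint request (URL, form-encoded body).

    With `code` this is the one-time authorization_code exchange, which returns a
    refresh_token because the refresh_token/offline_access scope was granted.
    With `refresh_token` it is the renewal the collector performs afterwards.
    """
    url = f"https://{domain_name}.my.salesforce.com/services/oauth2/token"
    if code:
        params = {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": consumer_key,
            "client_secret": consumer_secret,
            "redirect_uri": REDIRECT_URI,
        }
    elif refresh_token:
        params = {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": consumer_key,
            "client_secret": consumer_secret,
        }
    else:
        raise ValueError("either code or refresh_token is required")
    return url, urllib.parse.urlencode(params).encode()


def exchange(url: str, body: bytes) -> dict:
    """POST the token request and return the parsed JSON reply (network call)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline walk-through with constructed placeholder values.
    print(build_authorize_url("<DOMAIN_NAME>", "<CONSUMER_KEY>"))
    code = extract_code("https://login.salesforce.com/?code=EXAMPLE__CODE%3D%3D")
    url, body = token_request("<DOMAIN_NAME>", "<CONSUMER_KEY>", "<CONSUMER_SECRET>", code=code)
    print(url, body.decode())
```

Treat the consumer secret and the refresh token like any other long-lived credential: store them in a secrets manager rather than in the collector's configuration file, and revoke the connected app's tokens if the collection user is decommissioned.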
Expected format
Logs are expected in JSON format.
Salesforce Event Logs
{"EVENT_TYPE": "Login", "TIMESTAMP": "20230531130021.623", "REQUEST_ID": "ID123", "ORGANIZATION_ID": "JOJO1234", "USER_ID": "ID321", "RUN_TIME": "113", "CPU_TIME": "42", "URI": "/services/oauth2/token", "SESSION_KEY": "", "LOGIN_KEY": "KEY876332", "USER_TYPE": "Standard", "REQUEST_STATUS": "", "DB_TOTAL_TIME": "71644565", "LOGIN_TYPE": "i", "BROWSER_TYPE": "python-requests/2.28.2", "API_TYPE": "", "API_VERSION": "9998.0", "USER_NAME": "", "TLS_PROTOCOL": "TLSv1.2", "CIPHER_SUITE": "ECDHE-RSA-AES256-GCM-SHA384", "AUTHENTICATION_METHOD_REFERENCE": "", "LOGIN_SUB_TYPE": "", "TIMESTAMP_DERIVED": "2023-05-31T13:00:21.623Z", "USER_ID_DERIVED": "ID9182312", "CLIENT_IP": "Salesforce.com IP", "URI_ID_DERIVED": "", "LOGIN_STATUS": "LOGIN_NO_ERROR", "SOURCE_IP": "4.3.2.1"}
{"EVENT_TYPE": "URI", "TIMESTAMP": "20230531130000.197", "REQUEST_ID": "ID456", "ORGANIZATION_ID": "KOKO1234", "USER_ID": "ID654", "RUN_TIME": "33", "CPU_TIME": "28", "URI": "/uri/uri2", "SESSION_KEY": "KEY9990", "LOGIN_KEY": "KEY8765", "USER_TYPE": "Standard", "REQUEST_STATUS": "", "DB_TOTAL_TIME": "1012443", "DB_BLOCKS": "", "DB_CPU_TIME": "", "REFERRER_URI": "some/uri/", "TIMESTAMP_DERIVED": "2023-05-31T13:00:00.197Z", "USER_ID_DERIVED": "ID32432", "CLIENT_IP": "1.2.3.4", "URI_ID_DERIVED": ""}
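To show what a consumer of this format has to handle, here is an added Python example (not Hunters' own detection logic) that parses the NDJSON lines above, converts the raw TIMESTAMP (yyyyMMddHHmmss.SSS, UTC) into the ISO form used by TIMESTAMP_DERIVED, and runs three defender-side checks on Login events: a LOGIN_STATUS other than LOGIN_NO_ERROR, a scripted client in BROWSER_TYPE, and a TLS version below 1.2. The two sample records are copied from this page; the client-name patterns in SCRIPTED_CLIENTS and the MIN_TLS floor are this example's own choices.

```python
"""Parse Salesforce event-log NDJSON and run simple login checks (added example)."""
import json
from datetime import datetime, timezone

# The two sample records from the page, one JSON object per line.
SAMPLE_NDJSON = r'''
{"EVENT_TYPE": "Login", "TIMESTAMP": "20230531130021.623", "REQUEST_ID": "ID123", "ORGANIZATION_ID": "JOJO1234", "USER_ID": "ID321", "RUN_TIME": "113", "CPU_TIME": "42", "URI": "/services/oauth2/token", "SESSION_KEY": "", "LOGIN_KEY": "KEY876332", "USER_TYPE": "Standard", "REQUEST_STATUS": "", "DB_TOTAL_TIME": "71644565", "LOGIN_TYPE": "i", "BROWSER_TYPE": "python-requests/2.28.2", "API_TYPE": "", "API_VERSION": "9998.0", "USER_NAME": "", "TLS_PROTOCOL": "TLSv1.2", "CIPHER_SUITE": "ECDHE-RSA-AES256-GCM-SHA384", "AUTHENTICATION_METHOD_REFERENCE": "", "LOGIN_SUB_TYPE": "", "TIMESTAMP_DERIVED": "2023-05-31T13:00:21.623Z", "USER_ID_DERIVED": "ID9182312", "CLIENT_IP": "Salesforce.com IP", "URI_ID_DERIVED": "", "LOGIN_STATUS": "LOGIN_NO_ERROR", "SOURCE_IP": "4.3.2.1"}
{"EVENT_TYPE": "URI", "TIMESTAMP": "20230531130000.197", "REQUEST_ID": "ID456", "ORGANIZATION_ID": "KOKO1234", "USER_ID": "ID654", "RUN_TIME": "33", "CPU_TIME": "28", "URI": "/uri/uri2", "SESSION_KEY": "KEY9990", "LOGIN_KEY": "KEY8765", "USER_TYPE": "Standard", "REQUEST_STATUS": "", "DB_TOTAL_TIME": "1012443", "DB_BLOCKS": "", "DB_CPU_TIME": "", "REFERRER_URI": "some/uri/", "TIMESTAMP_DERIVED": "2023-05-31T13:00:00.197Z", "USER_ID_DERIVED": "ID32432", "CLIENT_IP": "1.2.3.4", "URI_ID_DERIVED": ""}
'''

# User-agent prefixes that indicate a script rather than a browser (example's choice).
SCRIPTED_CLIENTS = ("python-requests", "curl/", "go-http-client", "java/")
MIN_TLS = "TLSv1.2"  # lowest protocol version accepted without a finding


def parse_ndjson(text: str) -> list:
    """One JSON object per non-empty line; every field arrives as a string."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_timestamp(raw: str) -> datetime:
    """TIMESTAMP is yyyyMMddHHmmss.SSS in UTC; return an aware datetime."""
    return datetime.strptime(raw, "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)


def derived_iso(raw: str) -> str:
    """Render TIMESTAMP the way TIMESTAMP_DERIVED presents it (millisecond Z form)."""
    dt = parse_timestamp(raw)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def tls_too_old(proto: str) -> bool:
    """True for TLSv1.0/TLSv1.1 style values below MIN_TLS; unknown strings pass."""
    prefix = "TLSv"
    if not proto.startswith(prefix):
        return False
    try:
        return float(proto[len(prefix):]) < float(MIN_TLS[len(prefix):])
    except ValueError:
        return False


def check_login(event: dict) -> list:
    """Findings for a single Login event."""
    findings = []
    status = event.get("LOGIN_STATUS", "")
    if status != "LOGIN_NO_ERROR":
        findings.append(f"login failed: {status or 'unknown status'}")
    agent = event.get("BROWSER_TYPE", "")
    if agent.lower().startswith(SCRIPTED_CLIENTS):
        findings.append(f"scripted client on login: {agent}")
    proto = event.get("TLS_PROTOCOL", "")
    if tls_too_old(proto):
        findings.append(f"legacy TLS on login: {proto}")
    return findings


def analyze(text: str) -> dict:
    """Map REQUEST_ID -> findings for every record that produced at least one."""
    results = {}
    for event in parse_ndjson(text):
        req = event["REQUEST_ID"]
        # Sanity-check the two timestamp representations against each other.
        if derived_iso(event["TIMESTAMP"]) != event.get("TIMESTAMP_DERIVED"):
            results.setdefault(req, []).append("TIMESTAMP and TIMESTAMP_DERIVED disagree")
        if event.get("EVENT_TYPE") == "Login":
            for finding in check_login(event):
                results.setdefault(req, []).append(finding)
    return results


if __name__ == "__main__":
    for request_id, findings in analyze(SAMPLE_NDJSON).items():
        print(request_id, findings)
```

On the sample data only the Login record is flagged, for its python-requests user agent. Note that the collection user set up in the steps above logs in exactly this way (a scripted client calling /services/oauth2/token), so in production the scripted-client rule should exclude that user's USER_ID or it will fire on every collection run.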