Collect Salesforce Security Logs

Salesforce Security is a part of the Salesforce ecommerce, which has an API for Security Logs. This requires a Basic Token to be generated every five minutes in order to generate a new bearer token. This request will pull down and append to a flat file without re-ingesting older data.

Objective

Our objective is to get the security logs from the Salesforce system into a flat file so that those logs can be processed in the SIEM along with its dedicated log source type (LST) and base rules in order to achieve the parsing capabilities for the logs.

Prerequisites

• The following scripts/files to pull the Salesforce Security logs, saved to the machine which will be collecting logs:

  • credentials.ini

  • README.md

  • main.ps1

The credentials file must be configured with the Salesforce API credentials for the basic and bearer token.

• Powershell version of 7 or above.

Implementation

Step 1: Run Script

The following steps outline the process to execute the script required to collect Salesforce Security logs.

The scripts shown in step 2’s screenshot can be found in the links listed as Prerequisites above. Save the scripts found there into the script folder as shown below.

To execute the required scripts:

1. Open the script folder in your machine as shown below:

   

2. In the folder TAP-Salesforce_SecurityLogs, you can see the main.ps1 script for the PowerShell:

   

As a reminder, PowerShell version 7 or above is required to execute this script.

3. Execute the PowerShell script using the following command:

   CODE

   .\main.ps1

   

   Once the command has executed and completes its operation, data is pulled from the Salesforce system as shown below:

   

4. Verify that the collected Salesforce Security logs are now present, saved as a flat file, in the same folder where the script has been stored, as shown below:

   

Step 2: Configure the Log Source Type

The next step is to configure the settings for the flat file log source type, i.e. Flat File - Salesforce Security Logs, in order to send the data from the flat file to the SIEM.

1. Open the LogRhythm console and go to the Deployment Manager, and then to System Monitors.

   

2. Select and double-click on the desired System Monitor agent for which to configure the Salesforce Security log source type.
   The System Monitor Agent Properties window opens.

3. Right-click in the highlighted area shown in the screenshot below, and then click on New.

   

   The Log Message Source Properties window opens.

4. In the Log Message Source Type drop-down, select Flat File - Salesforce Security Logs.

5. In the Log Message Processing Engine (MPE) Policy drop-down, select LogRhythm Default.

   

6. Click Apply.

7. Click the Flat File Settings tab at the top of the window.

8. Enter the file path containing the Salesforce Security logs obtained in Step 1.

9. In the Date Parsing Format field, select Flat File - LogRhythm System Monitor Log File (<d>/<M>/<yy>\s<h>:<m>:<s>).

10. Check the Is Directory box.

11. Set the Recursion Depth to 3.

12. In the Inclusions field, type *.log, and in the Exclusions field, type error_logs.log.

    

13. Click Apply.

14. Click the Additional Settings tab.

15. Check Start collection from the beginning of the log.

    

16. Click Apply, and then click OK.

17. Navigate to the log source to verify the newly configured log source type for the flat file:

    

18. In the Log Information window, you can verify that logs are coming in to the log source type and are processed to parse the metadata, as shown below: