Saket Bajoria

Salesforce and RSA NetWitness Integration

Blog Post created by Saket Bajoria Employee on Feb 20, 2018

The Salesforce event monitoring product gathers information about an organization's Salesforce operational events. This information can be used to analyze usage trends and user behavior. Event monitoring allows querying fields on the EventLogFile object (such as Event Type and LogDate). The Event Type of a record determines the schema of its log data. For more information, see EventLogFile Supported Event Types on the Salesforce Developers Website.


RSA NetWitness uses the OAuth username-password flow to authenticate between a Connected App and the Salesforce API. Creating a read-only custom profile restricts users to read-only access to the Salesforce API logs.


RSA provides steps to configure the Salesforce event source using either the Classic View or the Lightning Experience View.





This plugin supports all 45 Event Types provided by Salesforce, such as Login, LoginAS, and Logout. All the types are explained here:


Also, the raw events in Salesforce expose only User IDs and not the actual user names. Salesforce maintains a separate mapping of UserID to username. This integration polls the UserID-to-username mapping on a configurable time interval so that it can provide the actual user name for every UserID given in the events.
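The enrichment step described above can be sketched as follows. This is an added example, not code from the RSA plugin: the `UserMap` class, the `fetch_users` stand-in and the sample rows are hypothetical and constructed. It assumes log rows carry 15-character user IDs while the user lookup returns 18-character IDs, so both are compared on the 15-character prefix.

```python
import csv
import io
import time

# Constructed sample in the shape of an EventLogFile CSV; IDs and names are made up.
SAMPLE_LOG = (
    '"EVENT_TYPE","TIMESTAMP","USER_ID","URI"\n'
    '"API","20180220101500.000","005A0000001AbCd","/services/data"\n'
    '"URI","20180220101612.000","005A0000009ZzZz","/home/home.jsp"\n'
)

def fetch_users():
    """Hypothetical stand-in for the user query; returns 18-character Id -> Username."""
    return {"005A0000001AbCdIAK": "analyst@example.com"}

def norm(user_id):
    # Compare on the 15-character, case-sensitive form of the ID (assumption).
    return user_id[:15]

class UserMap:
    """ID-to-username cache that is re-fetched once the polling interval has elapsed."""
    def __init__(self, fetch, interval_s, clock=time.monotonic):
        self.fetch, self.interval_s, self.clock = fetch, interval_s, clock
        self.names, self.loaded_at, self.refreshes = {}, None, 0

    def lookup(self, user_id):
        now = self.clock()
        if self.loaded_at is None or now - self.loaded_at >= self.interval_s:
            self.names = {norm(k): v for k, v in self.fetch().items()}
            self.loaded_at = now
            self.refreshes += 1
        return self.names.get(norm(user_id))

def enrich(csv_text, user_map):
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = user_map.lookup(row["USER_ID"])
        # Keep the raw ID and flag unresolved users instead of dropping the event.
        row["USER_NAME"] = name if name is not None else "unresolved:" + row["USER_ID"]
        events.append(row)
    return events

if __name__ == "__main__":
    for e in enrich(SAMPLE_LOG, UserMap(fetch_users, interval_s=3600)):
        print(e["EVENT_TYPE"], e["USER_ID"], e["USER_NAME"])
```

A user created after the last poll stays unresolved until the next refresh, so a shorter interval trades extra API calls for fewer events that reach the analyst with only an ID.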


Configuration Guide: Salesforce Event Source Configuration Guide

Collector Package on RSA Live: "Salesforce Log Collector Configuration"

Parser on RSA Live: CEF (Parsed as device.type=salesforce)