Collect Salesforce logs

Supported in:

Overview

This parser handles Salesforce logs in LEEF, CSV, and JSON formats. It extracts fields, performs format-specific processing (handling LEEF key-value pairs, CSV columns, and JSON structures), maps them to the UDM, and enriches the data with metadata and derived fields. The parser also handles various Salesforce event types, applying specific logic for logins, logouts, and other actions, categorizing events, and setting appropriate UDM event types.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to AWS IAM, S3 and AppFlow.

Configure Amazon S3 bucket

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for future reference.
  3. Create a User following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download .csv file. (Save Access Key and Secret Access Key for future reference).
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.

Configure Amazon AppFlow

  1. Create an Amazon AppFlow flow:
    • Flow name: Add a flow name and click Next.
    • Data source: Choose Salesforce as the data source.
    • Create a new connection.
    • A Salesforce sign-in window appears. Sign in with your Salesforce credentials.
    • Select the object name (choose the data you want to transfer from Salesforce to the S3 bucket).
    • Select Amazon S3 as the data destination.
    • Select Schedule as the flow trigger.
    • In Choose Source Fields, you can either Map all fields directly or you can specify which fields to map.
  2. Validate the configuration:
    • In Amazon AppFlow, select the flow you created, and click Run flow to fetch data from Salesforce.
    • The logs should now be in your S3 bucket.

Configure a feed in Google SecOps to ingest Salesforce logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Salesforce Logs).
  4. Select Amazon S3 as the Source type.
  5. Select Salesforce as the Log type.
  6. Click Next.

  7. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI. s3:/BUCKET_NAME Replace the following:
      • BUCKET_NAME: the name of the bucket.
    • URI is a: select URI TYPE according to S3 stream configuration: Single file | Directory | Directory which includes subdirectories.
    • Source deletion options: select deletion option according to your preference.
    • Access Key ID: the User access key with access to the s3 bucket.
    • Secret Access Key: the User secret key with access to the s3 bucket.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field UDM Mapping Logic
Account.Name target.resource.name The value of Account.Name from the raw log.
AccountId target.resource.id The value of AccountId from the raw log.
Action security_result.description The value of Action from the raw log.
AdditionalInfo - Not mapped to the IDM object.
ApiType target.application The value of ApiType from the raw log.
ApiVersion - Not mapped to the IDM object.
Application principal.application The value of Application from the raw log, or "Browser" for LoginAsEvent, or "Integration JWT Token" for LoginEvent, or "SfdcSiqActivityPlatform" for LoginHistory with objecttype LoginHistory, or "N/A" for ApiEvent, or "Browser" for LoginAsEventStream.
attributes.url target.url The value of attributes.url from the raw log, or specific URLs for various event types from the raw log.
attributes.type metadata.product_event_type The value of attributes.type from the raw log.
AuthSessionId network.session_id The value of AuthSessionId from the raw log.
Browser principal.resource.name The value of Browser from the raw log, or "Unknown" if Browser is not available in raw log and Application is "Insights", or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner", or "Unknown" for LoginHistory with Application as "SfdcSiqActivityPlatform", or from data.properties.Browser.str for LoginAsEventStream.
Case.Subject target.resource.name The value of Case.Subject from the raw log.
CaseId target.resource.id The value of CaseId from the raw log.
cat metadata.product_event_type The value of cat from the raw log.
City principal.location.city The value of City from the raw log, or from LoginGeo.City for LoginHistory.
Client principal.labels The value of Client from the raw log, formatted as a label.
CLIENT_IP principal.ip, principal.asset.ip The value of CLIENT_IP from the raw log.
ClientVersion - Not mapped to the IDM object.
CipherSuite network.tls.cipher The value of CipherSuite from the raw log.
ColumnHeaders principal.labels The value of ColumnHeaders from the raw log, formatted as a label.
ConnectedAppId principal.labels The value of ConnectedAppId from the raw log, formatted as a label.
Contact.Name target.resource.name The value of Contact.Name from the raw log.
ContactId target.resource.id The value of ContactId from the raw log.
Country principal.location.country_or_region The value of Country from the raw log, or LoginGeo.Country for LoginHistory.
CreatedByContext principal.user.userid The value of CreatedByContext from the raw log.
CreatedById principal.resource.attribute.labels The value of CreatedById from the raw log, formatted as a label.
CreatedDate metadata.collected_timestamp The value of CreatedDate from the raw log, or the current timestamp if not available.
CPU_TIME target.resource.attribute.labels The value of CPU_TIME from the raw log, formatted as a label.
data - Contains various fields that are extracted and mapped individually.
DATASET_IDS target.resource.name The value of DATASET_IDS from the raw log.
DelegatedOrganizationId target.administrative_domain The value of DelegatedOrganizationId from the raw log.
DelegatedUsername observer.user.userid The value of DelegatedUsername from the raw log.
Description metadata.description The value of Description from the raw log.
DevicePlatform principal.resource.type The value of DevicePlatform from the raw log, parsed to extract the resource type.
Display metadata.description The value of Display from the raw log.
DOWNLOAD_FORMAT target.resource.attribute.labels The value of DOWNLOAD_FORMAT from the raw log, formatted as a label.
Duration target.resource.attribute.labels The value of Duration from the raw log, formatted as a label.
ENTITY_NAME target.resource.attribute.labels The value of ENTITY_NAME from the raw log, formatted as a label.
ErrorCode security_result.action The value of ErrorCode from the raw log, transformed to ALLOW or BLOCK.
EventDate timestamp The value of EventDate from the raw log, or data.properties.TIMESTAMP_DERIVED.str if available, or data.properties.TIMESTAMP_DERIVED_FIRST.str if available, or @timestamp if available, or created_date if available, or timestamp if available, or LoginTime for LoginHistory.
EventIdentifier metadata.product_log_id The value of EventIdentifier from the raw log.
EventType metadata.product_event_type The value of EventType from the raw log.
Id principal.user.userid The value of Id from the raw log, or metadata.product_log_id for SetupAuditTrail and other events.
IdentityUsed principal.user.email_addresses The value of IdentityUsed from the raw log.
Lead.Name target.resource.name The value of Lead.Name from the raw log.
LeadId target.resource.id The value of LeadId from the raw log.
LoginAsCategory - Not mapped to the IDM object.
LoginGeo.Country principal.location.country_or_region The value of LoginGeo.Country from the raw log.
LoginHistoryId - Not mapped to the IDM object.
LoginKey principal.user.userid, network.session_id The value of LoginKey from the raw log, or CreatedByContext for SetupAuditTrail.
LoginTime timestamp The value of LoginTime from the raw log.
LoginType security_result.description The value of LoginType from the raw log, or "Other Apex API" for LoginHistory with ApiType as "SOAP Partner", or "Remote Access 2.0" for LoginHistory with Application as "SfdcSiqActivityPlatform".
LoginUrl target.url, principal.url The value of LoginUrl from the raw log.
LogFile principal.resource.attribute.labels The value of LogFile from the raw log, formatted as a label.
LogFileContentType principal.resource.attribute.labels The value of LogFileContentType from the raw log, formatted as a label.
LogFileLength principal.resource.attribute.labels The value of LogFileLength from the raw log, formatted as a label.
Message - Not mapped to the IDM object.
METHOD network.http.method The value of METHOD from the raw log.
Name target.application The value of Name from the raw log.
NewValue - Used in conjunction with OldValue to generate security_result.summary.
NUMBER_FIELDS target.resource.attribute.labels The value of NUMBER_FIELDS from the raw log, formatted as a label.
OldValue - Used in conjunction with NewValue to generate security_result.summary.
Operation security_result.description, target.resource.attribute.labels The value of Operation from the raw log, or Display for SetupAuditTrail.
OperationStatus security_result.action The value of OperationStatus from the raw log, transformed to ALLOW or BLOCK.
ORGANIZATION_ID target.administrative_domain The value of ORGANIZATION_ID from the raw log.
OsName principal.platform The value of OsName from the raw log.
OsVersion principal.platform_version The value of OsVersion from the raw log.
Platform principal.platform The value of Platform from the raw log, or from data.properties.OsName.str for LightningUriEventStream, or from data.properties.OsName.str for LoginEventStream.
QueriedEntities target.resource.name, principal.labels The value of QueriedEntities from the raw log, or component_name for UriEvent and ApiEvent.
Query target.process.command_line, principal.labels The value of Query from the raw log.
RecordId target.resource.id The value of RecordId from the raw log.
Records principal.labels The value of Records from the raw log, formatted as a label.
REQUEST_ID metadata.product_log_id, target.resource.product_object_id The value of REQUEST_ID from the raw log.
REQUEST_SIZE network.sent_bytes The value of REQUEST_SIZE from the raw log.
REQUEST_STATUS security_result.summary The value of REQUEST_STATUS from the raw log.
RESPONSE_SIZE network.received_bytes The value of RESPONSE_SIZE from the raw log.
RowsProcessed target.resource.attribute.labels The value of RowsProcessed from the raw log, formatted as a label.
RUN_TIME target.resource.attribute.labels The value of RUN_TIME from the raw log, formatted as a label.
SamlEntityUrl - Not mapped to the IDM object.
SdkAppType - Not mapped to the IDM object.
SdkAppVersion - Not mapped to the IDM object.
SdkVersion - Not mapped to the IDM object.
Section security_result.summary The value of Section from the raw log.
SessionKey network.session_id The value of SessionKey from the raw log.
SessionLevel target.resource.attribute.labels The value of SessionLevel from the raw log, formatted as a label.
SourceIp principal.ip, principal.asset.ip The value of SourceIp from the raw log.
src principal.ip, principal.asset.ip The value of src from the raw log.
SsoType target.resource.attribute.labels The value of SsoType from the raw log, formatted as a label.
STATUS_CODE network.http.response_code The value of STATUS_CODE from the raw log.
Status security_result.action, security_result.action_details The value of Status from the raw log, transformed to ALLOW or BLOCK, or used as action details for LoginEventStream.
Subject target.resource.name The value of Subject from the raw log.
TargetUrl - Not mapped to the IDM object.
TIMESTAMP metadata.collected_timestamp The value of TIMESTAMP from the raw log.
TIMESTAMP_DERIVED timestamp The value of TIMESTAMP_DERIVED from the raw log.
TlsProtocol network.tls.version_protocol The value of TlsProtocol from the raw log.
URI target.url The value of URI from the raw log.
USER_AGENT network.http.user_agent The value of USER_AGENT from the raw log.
USER_ID principal.user.userid The value of USER_ID from the raw log.
USER_ID_DERIVED principal.user.product_object_id, target.resource.attribute.labels The value of USER_ID_DERIVED from the raw log.
UserId principal.user.userid The value of UserId from the raw log.
USER_TYPE target.resource.attribute.labels The value of USER_TYPE from the raw log, formatted as a label.
Username principal.user.userid, principal.user.email_addresses, target.user.email_addresses The value of Username from the raw log, or src_email for various events, or IdentityUsed for IdentityProviderEventStore, or data.properties.Email.str for Search and SearchAlert, or data.properties.Username.str for LoginAsEventStream and LoginEventStream.
UserType target.resource.attribute.labels The value of UserType from the raw log, formatted as a label.
usrName principal.user.userid, principal.user.email_addresses, target.user.email_addresses The value of usrName from the raw log.
VerificationMethod target.resource.attribute.labels The value of VerificationMethod from the raw log, formatted as a label.
Parser Logic metadata.event_type Derived based on the event_id and operation fields, or set to "USER_LOGIN" for LoginEventStream, "USER_LOGOUT" for Logout and LogoutEvent, "USER_RESOURCE_UPDATE_CONTENT" for various events, "USER_RESOURCE_UPDATE_PERMISSIONS" for PlatformEncryption, "RESOURCE_READ" for QueuedExecution, ApexExecution, LightningInteraction, LightningPerformance, LightningPageView, URI, RestApi, API, AuraRequest, ApexCallout, OneCommerceUsage, Sites, MetadataApiOperation, OneCommerceUsage, VisualforceRequest, Dashboard, Search, ListViewEvent, "RESOURCE_CREATION" for UriEvent and TimeBasedWorkflow with Operation as "Create" or "INSERT", "RESOURCE_WRITTEN" for UriEvent and LightningUriEvent with Operation as "Update", "RESOURCE_DELETION" for UriEvent with Operation as "Delete" or "ROLLBACK", "USER_UNCATEGORIZED" for SetupAuditTrail and AuditTrail, "USER_CHANGE_PASSWORD" for SetupAuditTrail with operation as "namedCredentialEncryptedFieldChange", "GENERIC_EVENT" for ApiEventStream and LightningUriEventStream, or based on network and principal presence.
Parser Logic metadata.ingestion_labels Labels indicating the source of the event, either "Event Log File" or "Real-Time Event Monitoring" or "SetupAuditTrail".
Parser Logic metadata.log_type Always set to "SALESFORCE".
Parser Logic metadata.product_name Always set to "SALESFORCE".
Parser Logic metadata.vendor_name Always set to "SALESFORCE".
Parser Logic metadata.url_back_to_product Constructed from various fields like LoginUrl, attributes.url, data.properties.PageUrl.str, data.properties.LoginUrl.str.
Parser Logic network.application_protocol Set to "HTTPS" if the uri field starts with "http".
Parser Logic network.http.referral_url Extracted from the user_agent field if it contains "Referer=".
Parser Logic network.http.response_code Derived from request_status for various events.
Parser Logic network.http.user_agent The value of user_agent from the raw log, or from data.properties.UserAgent.str for ApiEventStream and LoginEventStream, or from Sites events, or "User-Agent" from Sites events.
Parser Logic network.session_id The value of session_key or SESSION_KEY from the raw log, or constructed from other fields like LoginKey or AuthSessionId.
Parser Logic network.tls.version The value of tls_protocol from the raw log, or from data.properties.TlsProtocol.str for LoginEventStream.
Parser Logic principal.application The value of application from the raw log, or "Salesforce for Outlook" for Login: Success events, or "Insights" for Login: Success events with no Application, or extracted from device_platform for Lightning events.
Parser Logic principal.asset.hostname The value of client_ip if it is a hostname.
Parser Logic principal.asset.ip The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address.
Parser Logic principal.hostname The value of client_ip if it is a hostname.
Parser Logic principal.ip The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address.
Parser Logic principal.labels Labels constructed from various fields like FederationIdentifier, ApiType, OrgId, channel.
Parser Logic principal.location.city The value of geoip_src.city_name or City or LoginGeo.City from the raw log.
Parser Logic principal.location.country_or_region The value of geoip_src.country_name or Country or LoginGeo.Country or client_geo from the raw log.
Parser Logic principal.location.region_latitude The value of data.properties.LoginLatitude.number from the raw log.
Parser Logic principal.location.region_longitude The value of data.properties.LoginLongitude.number from the raw log.
Parser Logic principal.location.state The value of geoip_src.region_name from the raw log.
Parser Logic principal.platform The value of Platform or OsName or os_name from the raw log, or "WINDOWS" for LoginEventStream with Platform containing "Windows".
Parser Logic principal.platform_version The value of OsVersion or os_version from the raw log, or extracted from Platform for LoginEventStream with Platform containing "Windows".
Parser Logic principal.resource.attribute.labels Labels constructed from various fields like CreatedById, ApiVersion, LogFile, LogFileContentType, LogFileLength.
Parser Logic principal.resource.name The value of Browser or browser_name from the raw log, or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner".
Parser Logic principal.resource.type Extracted from device_platform for Lightning events, or "Browser" for LoginAsEvent and LoginAsEventStream.
Parser Logic principal.url The value of LoginUrl from the raw log.
Parser Logic principal.user.email_addresses The value of usrName or Username or src_email or IdentityUsed or data.properties.Username.str or data.properties.Email.str from the raw log.
Parser Logic principal.user.product_object_id The value of attrs.USER_ID_DERIVED or data.properties.USER_ID_DERIVED.str from the raw log.
Parser Logic principal.user.userid The value of usrName or Username or user_id or UserId or USER_ID or Id or LoginKey or CreatedByContext or data.properties.Username.str or data.properties.USER_ID.str or data.properties.LoginKey.str from the raw log.
Parser Logic security_result.action Derived from Status or OperationStatus or ErrorCode or action or operation_status from the raw log, transformed to ALLOW or BLOCK.
Parser Logic security_result.action_details The value of Status from the raw log for LoginEventStream.
Parser Logic security_result.description The value of LoginType or logintype or Operation or Action or Display from the raw log.
Parser Logic security_result.rule_name The value of Policy or rule_name from the raw log.
Parser Logic security_result.summary Constructed from NewValue and OldValue or REQUEST_STATUS or Section or forecastcategory from the raw log.
Parser Logic target.administrative_domain The value of ORGANIZATION_ID or DelegatedOrganizationId or organization_id or data.properties.OrgName.str from the raw log.
Parser Logic target.application The value of Application or app_name or ApiType or Name or data.properties.Application.str from the raw log.
Parser Logic target.asset.hostname The value of target_hostname extracted from the uri field.
Parser Logic target.asset.ip The value of data.properties.CLIENT_IP.str from the raw log.
Parser Logic target.asset_id Constructed from device_id or REQUEST_ID.
Parser Logic target.file.mime_type The value of file_type from the raw log.
Parser Logic target.file.size The value of size_bytes from the raw log.
Parser Logic target.hostname The value of target_hostname extracted from the uri field.
Parser Logic target.process.command_line The value of query_exec or Query or data.properties.Query.str from the raw log.
Parser Logic target.process.pid The value of job_id from the raw log.
Parser Logic target.resource.attribute.labels Labels constructed from various fields like CPU_TIME, RUN_TIME, USER_TYPE, DB_TOTAL_TIME, MEDIA_TYPE, ROWS_PROCESSED, NUMBER_FIELDS, DB_BLOCKS, DB_CPU_TIME, ENTITY_NAME, EXCEPTION_MESSAGE, USER_ID_DERIVED, DOWNLOAD_FORMAT, USER_TYPE, CPU_TIME, RUN_TIME, WAVE_SESSION_ID, SessionLevel, verification_method, cpu_time, run_time, db_total_time, db_cpu_time, exec_time, callout_time, number_soql_queries, duration, user_type, entry_point, operation, session_level, rows_processed, sso_type, dashboard_type, Operation, SessionLevel.
Parser Logic target.resource.id The value of REQUEST_ID or RecordId or caseid or leadid or contactid or opportunityid or accountid from the raw log.
Parser Logic target.resource.name The value of QueriedEntities or resource_name or component_name or DATASET_IDS or field or StageName or Subject from the raw log.
Parser Logic target.resource.product_object_id The value of REQUEST_ID from the raw log.
Parser Logic target.resource.resource_type Set to "ACCESS_POLICY" for ApexCallout and PlatformEncryption, or "DATABASE" for ApexTrigger, or "FILE" for ContentTransfer, or "TABLE" for ApiEvent.
Parser Logic target.resource.type Set to "BATCH" for QueuedExecution and ApexExecution, or "FILE" for ContentTransfer, or "DATABASE_TRIGGER" for ApexTrigger, or "Case", "Lead", "Contact", "Opportunity", "Account" based on the presence of corresponding ID fields.
Parser Logic target.url The value of LoginUrl or URI or attributes.url or login_url or uri from the raw log.
Parser Logic target.user.email_addresses The value of Username or attrs.usrName or email_address from the raw log.
Parser Logic target.user.user_display_name The value of target_user_display_name or user_name or username from the raw log.
Parser Logic target.user.userid The value of target_user_name or data.properties.UserId.str or data.properties.CreatedById.str from the raw log.
Parser Logic extensions.auth.auth_details Set to "ACTIVE" if Status is not "Success", otherwise set to "UNKNOWN_AUTHENTICATION_STATUS".
Parser Logic extensions.auth.mechanism Set to "REMOTE" for Login: Success and Login events with logintype containing "Remote", or "USERNAME_PASSWORD" for LoginEventStream, or "MECHANISM_OTHER" for events with login_url present, or "AUTHTYPE_UNSPECIFIED" for Login: Success and Logout events.
Parser Logic extensions.auth.type Set to "SSO" for Login, Logout, LogoutEvent, LoginAs, IdentityProviderEventStore, LoginHistory, LoginAsEvent with LoginType as "SAML Sfdc Initiated SSO", or "AUTHTYPE_UNSPECIFIED" for Login: Success, Logout, LoginAsEvent with LoginType as "Application".

Changes

2024-06-04

  • Added support for newly ingested logs.

2024-03-06

  • Changed mapping of the field "Id" from "metadata.product_log_id" to "principal.user.userid".
  • Changed mapping of the field "CreatedById" from "principal.user.userid" to "principal.resource.attribute.labels".
  • Mapped "IsDeleted" to "principal.resource.attribute.labels".
  • Mapped "LogFileLength" to "principal.resource.attribute.labels".
  • Mapped "LogFileContentType" to "principal.resource.attribute.labels".
  • Mapped "ApiVersion" to "principal.resource.attribute.labels".
  • Mapped "LogFile" to "principal.resource.attribute.labels".

2023-02-24

  • Enhancement-
  • "security_result.action" mapped to ALLOW instead of BLOCK if the action is "LOGIN_NO_ERROR".
  • For "Login" events :
  • "action" mapped to "security_result.action".
  • "target_user_name" mapped to "target.user.userid".
  • "tls_protocol" mapped to "network.tls.version_protocol".
  • "cipher_suite" mapped to "network.tls.cipher".
  • Added "on_error" check for "OsVersion" and "date" block.

2022-12-13

  • Enhancement-
  • Mapped "LoginType" to "security_result.description".
  • Mapped "LoginUrl" to "principal.url".
  • Added empty check for "ApiType" and "LoginGeo.City".

2022-09-02

  • Enhancement-
  • Migrated the custom parsers into default parser.

2022-07-04

  • Enhancement-
  • Enhanced the parser to parse the logs having event_type 'LoginHistory'.
  • Added condition to parse different formats of timestamp.
  • Added condition for event_type 'USER_UNCATEGORIZED' where 'user_id' or 'UserId' or 'target_user_name' is not null.
  • Added validation for parsing src_ip.

2022-04-18

  • Enhancement-Modified mapping for DOWNLOAD_FORMAT from 'metadata.ingestion_labels' to 'target.resource.attribute.labels'.

2022-03-30

  • Enhancement-Changed event_type for 'LoginEventStream' to USER_LOGIN.
  • Corrected mapping for the fields DOWNLOAD_FORMAT and ConnectedAppId.
  • Added mappings for certain fields when log is of type LoginEventStream, WaveDownload, ApiEventStream.