Skip to content

Salesforce Real-Time Event Monitoring Integration GuideπŸ”—

The following instructions are for configuring the Salesforce Real-Time Event Monitoring integration to facilitate log ingestion into Secureworks® Taegis™ XDR. XDR consumes logs from the Salesforce Real-Time Event Monitoring feature.

Note

Real-Time Event Monitoring is available in the Enterprise, Unlimited, and Developer Editions and requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

Data Provided from IntegrationπŸ”—

Log Types Normalized by XDRπŸ”—

Normalized Data Out-of-the-Box Detections Vendor-Specific Detections
Salesforce Real-Time Event Monitoring Auth, CloudAudit, HTTP, Thirdparty Thirdparty

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure Real-Time Event MonitoringπŸ”—

Information Required to Complete IntegrationπŸ”—

  • Domain URL — Domain URL of org (e.g., https://mycompany.my.salesforce.com)
  • Consumer Key — Connected App’s key
  • Consumer Secret — Connected App’s secret

Create a Connected AppπŸ”—

  1. Reference the vendor’s documentation to create an External Client App.
  2. Select New External Client App.

  3. Fill in the Basic Information:

    • External Client App Name: Enter any descriptive string.
    • Enter the Contact Email.
    • The remaining fields can be left at their default values.

  4. Reference the vendor's documentation to configure the External Client App OAuth Settings.

  5. Fill in the OAuth Settings:

    • Callback URL: Enter your domain URL.
    • OAuth Scopes: Select Manage user data via APIs (api).

  6. Select Enable Client Credentials Flow in Flow Enablement.

  7. Accept the default Security settings.
  8. Save changes to create the app.

Enable Client Credentials UserπŸ”—

Note

Refer to the vendor's documentation for details on how the user being created is leveraged by the integration.

  1. Navigate to the External Client App created in the preceding steps. Configure the External Client App Policy.

  2. Edit the policy for the External Client App:

  3. Save the policy.

Collect the External Client App CredentialsπŸ”—

  1. Navigate to the External Client App created in the preceding steps.
  2. Navigate to the Settings tab.
  3. Scroll down to Oauth Settings and click on the Consumer Key and Secret buttons.
  4. Note these values, as they are required for the integration in XDR.

Enable Streaming of All EventsπŸ”—

To enable streaming in the Event Manager, follow these steps:

Important

XDR can only receive the events for which streaming is enabled.

  1. From Setup, in the Quick Find box, enter Event Manager, then select it.
  2. Next to the event for which you want to enable streaming, click the dropdown menu.
  3. Select Enable streaming.

Add Integration in XDRπŸ”—

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select Add an Integration from the top of the page.

  3. From the Optimized tab, select Salesforce.

    Create a New Salesforce integration

  4. Enter the following values:

    • Name — This serves as a unique name for your integration, which can include any valid values up to 100 characters.
    • Domain URL
    • Consumer Key
    • Consumer Secret

  5. Select Done. The Cloud API Integrations page displays with the successfully added Salesforce integration.