Salesforce Service Event Tracking

As more and more services to move to the cloud, security professionals must become more vigilant at monitoring usage and tracking access.  SecurityCenter Continuous View (CV) users have a new tool in their arsenal: the LCE Web Query Client. The new LCE Web Query Client can monitor Salesforce cloud services, and this dashboard assembles the data in a fashion that is easy to read and understand.

The LCE Web Query Client is used to request event data from RESTful web services. The logs returned from queries are stored and normalized in LCE, allowing the information to be searchable in SecurityCenter CV. The process to configure the LCE Web Query Client begins with supplying API configuration details to the agent for the Salesforce services.  The agent is then directed to send logs to LCE.  The resulting events have the prefix of “Salesforce.”

The Salesforce events are mostly around user access and account changes.  The organization can track the user, IP address where the user connected from, and whether the credentials were valid or not.  This information allows the organization to understand the usage of Salesforce and monitor for unauthorized access attempts.

The dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring. The dashboard requirements are:

• SecurityCenter 5.2.0
• LCE 4.6.1
• LCE Web Query Client

Tenable covers all types of users and services, regardless of location, providing continuous monitoring for the new IT landscape. SecurityCenter Continuous View (CV) allows for the most comprehensive and integrated view of network health. Log Correlation Engine (LCE) provides tight integration with SIEMs, log management tools, malware defenses, the PVS network sensor, NetFlow, BYOD, firewalls, web, authentication systems and cloud services. LCE also provides deep event inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.

Components

Salesforce Events - Events Detected over 7 Days: This matrix provides indicators for each of the Salesforce events monitored.  The LCE Web Query Client has the ability to detect three events using the RESTful API.  Each cell in the indicator uses a saved query for each event.  If the indicator turns purple, then matching logs are detected.

Salesforce Events – Event Vulnerability Summary: This chart provides a summary of the event-based vulnerabilities discovered from event correlation.  The component will display the top ten vulnerabilities, with the plugin IDs in the description matrix to the left of the chart.

Salesforce Events - Accessed From: This table provides the source IP address extracted from the Salesforce events.  The table is sorted based on event count and displays the source IP address, LCE reporting the event, and number of events detected.  The IP addresses on the list should remain relatively the same; when new or uncommon IP addresses appear on the list, their events should be reviewed to determine whether or not they are authorized.

Salesforce Events - User Summary: This table provides a list of user accounts that have logged into Salesforce.  LCE has the ability to extract usernames and provide a brief history of events for each.  The table shows the user, event count, and trend chart.  If the users are marked as unknown, there could be an issue parsing the username from the logs.  Check the “Valid Username Characters” setting in the LCE configuration and increase the value if needed.