Salesforce Service Cloud logs into Microsoft Sentinel

Brass Contributor

Hi,

 

has anyone managed to successfully ingest SF logs into Microsoft Sentinel using the data connector. The connector uses Azure functions to connect to the SF lightening platform REST API to pull data into Sentinel. The function app for SF shows connected but we are getting the following error looking at the Function > Monitor > Invocations :

 

Result: Failure Exception: TypeError: 'NoneType' object is not iterable Stack: File "/azure-functions-host/workers/python/3.6/LINUX/X64/azure_functions_worker/dispatcher.py", line 405, in _handle__invocation_request invocation_id, fi_context, fi.func, args) File "/usr/local/lib/python3.6/concurrent/futures/thread.py", line 56, in run result = self.fn(*self.args, **self.kwargs) File "/azure-functions-host/workers/python/3.6/LINUX/X64/azure_functions_worker/dispatcher.py", line 612, in _run_sync_func func)(params) File "/azure-functions-host/workers/python/3.6/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper result = function(**args) File "/home/site/wwwroot/SalesforceSentinelConnector/__init__.py", line 216, in main for line in pull_log_files():

 

any ideas?

 

Thanks

2 Replies
Hi BcyberS,

were you able to fix this error? I am facing the same while connecting salesforce instance.
Hi avelamb,

yes we did manage to fix it. See below:

So we saw the API was successfully connected; if you go to your Azure portal - search for Function App - you should see the Salesforce function - if it has successfully deployed from where you have followed the instructions and configuration on the Salesforce connector page.

If you click on this Function you should see it the status: Running then on the left pane under Functions click Functions and select the Function for Salesforce > click Monitor and here you will see any Errors.

So the error we got was about the API not being able to pull from a certain Salesforce operator.

this is the query the API uses:
/services/data/v44.0/query?q=SELECT+Id+,+EventType+,+Interval+,+LogDate+,+LogFile+,+LogFileLength+FROM+EventLogFile

We worked with MS Support to confirm that our Salesforce required the EventLogFile Operator which contains the Interval field which is required for MS Sentinel to log events.

https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_...

Salesforce Event Monitoring License (part of Salesforce Shield) is required for this.

Hope this helps.