Salesforce to Sentinel Integration


Hello Tech community,

 

With one of our customers, we are working on an integration of Salesforce with Sentinel and everything seems to work well but there are a few doubts. 

 

Has anyone worked on such an integration? Is it worth ingesting Salesforce logs into Sentinel (asking because currently, we see only Login and Logout logs)?

Do you know if we need to configure anything on the Salesforce or Sentinel (Azure) side to get more logs?

8 Replies
Have you seen the Salesforce Service Cloud solution in the Content Hub? Not sure if your Salesforce is on-prem or in the cloud.

Hello GBushey,
Yes, we have. This is the connector we are using.

For those who will be looking for information about Salesforce logs in the future.
Login, Logout, and API usage logs are seen for the following Salesforce licenses: Enterprise, Unlimited, and Performance Edition.
An additional 50 types of logs can be gathered with a Developer license.
If you don't want to change the license, the Shield Event Monitoring feature should be purchased.

https://trailhead.salesforce.com/content/learn/modules/event_monitoring/event_monitoring_intro

Hi @mikhailf,

Can you please help me with the documentation which you followed?

I followed the Microsoft documentation for Salesforce integration and the connector status is still disconnected. I tried with the ARM template but no luck. Can someone please guide me on how to get this done?

Appreciate your help.

Hello @Prasanthdas545 ,

 

The fastest way is to deploy the Function App offered by Sentinel (in the Salesforce connector menu).

Before that, you need to create an application on the Salesforce side (we did it with their support).

And lastly, the events that you receive from Salesforce depend on the type of license you have.

@mikhailf 

 

Can you please elaborate on your explanation? I tried with the ARM template and it created the Function App. When I went to the Function App invocations, I found only failed counts and got the error below.

 

Result: Failure
Exception: TypeError: 'NoneType' object is not iterable
Stack:
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 604, in _handle__invocation_request
    call_result = await self._loop.run_in_executor(
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 933, in _run_sync_func
    return ExtensionManager.get_sync_invocation_wrapper(context,
  File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/extension.py", line 215, in _raw_invocation_wrapper
    result = function(**args)
  File "/home/site/wwwroot/SalesforceSentinelConnector/__init__.py", line 220, in main
    for line in pull_log_files():

 

Can you please send me the documentation or video link to [email address removed for privacy reasons]? It would be highly appreciated.

Hello @Prasanthdas545,

 

Yes, first, you need to deploy the Function App.

Second, you need to configure environment variables in that Function App (check here what it looks like: Configure function app settings in Azure Functions | Microsoft Learn).

These variables should contain info about the connection to Salesforce (URLs, API keys, etc.).

To obtain those variables from Salesforce, you need to create an application on Salesforce. This part is the trickiest and we did it with the Salesforce team.

 

Unfortunately, I don't have any videos of the process.

@mikhailf 

 

When using the Sentinel Salesforce connector out of the box, the ingested logs have little security value.

I recommend ingesting the Salesforce audit trail and login history logs.

Obtaining those logs would require modifications to the Azure function Python code.
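
The audit trail and login history pull recommended in the last reply can be done by querying the standard SetupAuditTrail and LoginHistory objects through the Salesforce REST query endpoint, as in the example below. It is an added example, not the connector's code and not something posted in the thread. Assumptions: the names `pull_records`, `http_get_json`, `QUERIES` and `SourceTable`, the API version, and an instance URL and OAuth access token already obtained from the application created on the Salesforce side.

```python
import json
from datetime import timezone
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_VERSION = "v58.0"  # assumption: use an API version your org supports

# SOQL for the two sources recommended above (standard Salesforce objects).
QUERIES = {
    "SetupAuditTrail": "SELECT Id, Action, Section, Display, DelegateUser, "
                       "CreatedById, CreatedDate FROM SetupAuditTrail "
                       "WHERE CreatedDate > {since} ORDER BY CreatedDate",
    "LoginHistory": "SELECT Id, UserId, LoginTime, SourceIp, LoginType, Status, "
                    "Application, Browser, Platform FROM LoginHistory "
                    "WHERE LoginTime > {since} ORDER BY LoginTime",
}

def http_get_json(url, token):
    """Default transport: authenticated GET against the Salesforce REST API."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def pull_records(instance_url, token, source, since, fetch=http_get_json):
    """Yield every `source` record newer than `since` (timezone-aware datetime)."""
    # Format the timestamp ourselves so no caller-supplied string reaches the SOQL.
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    soql = QUERIES[source].format(since=stamp)
    url = f"{instance_url}/services/data/{API_VERSION}/query?" + urlencode({"q": soql})
    while url:
        page = fetch(url, token)
        # Fail loudly on a bad response instead of handing None to the caller's loop.
        if not isinstance(page, dict) or "records" not in page:
            raise RuntimeError(f"{source}: unexpected response {page!r}")
        for rec in page["records"]:
            rec.pop("attributes", None)   # REST metadata, not log content
            rec["SourceTable"] = source   # hypothetical field to tell sources apart
            yield rec
        # Large result sets are paged: follow nextRecordsUrl until done is true.
        nxt = None if page.get("done", True) else page.get("nextRecordsUrl")
        url = f"{instance_url}{nxt}" if nxt else None
```

Because `pull_records` is a generator, a failed or empty response surfaces as a `RuntimeError` in the function log rather than as the `'NoneType' object is not iterable` failure shown earlier in the thread.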