Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.8 External Systems Configuration Guide
    6.7.8
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Salesforce CRM Audit

    Salesforce CRM Audit

    What is Discovered and Monitored

    Protocol Logs Collected Used For
    Salesforce API Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Salesforce Audit" in the Search field to see the event types associated with this device.

    Reports

    There are many reports defined in RESOURCES > Reports > Device > Application > CRM

    • Salesforce Failed Logon Activity
    • Salesforce Successful Logon Activity
    • Top Browsers By Failed Login Count
    • Top Browsers By Successful Login Count
    • Top Salesforce Users By Failed Login Count
    • Top Salesforce Users By Successful Login Count
    • Top Successful Salesforce REST API Queries By Count, Run Time
    • Top Failed Salesforce Failed REST API Queries By Count, Run Time
    • Top Salesforce API Queries By Count, Run Time
    • Top Salesforce Apex Executions By Count, Run Time
    • Top Salesforce Dashboards Views By Count
    • Top Salesforce Document Downloads By Count
    • Top Salesforce Opportunity Reports By Count
    • Top Salesforce Report Exports By Count
    • Top Salesforce Reports By Count, Run Time
    • Top Salesforce Events

    Configuration

    Salesforce Configuration

    Salesforce saves events in a SQL Database, where FortiSIEM will pull the following events from tables: EventLogFile, LoginHistory,User, Dashboard, Opportunity, Report through SQL commands.

    If you get an error about missing columns, please make sure your administrator has enabled Set History Tracking for the missing columns in the tables.

    For more information on how to enable Set History Tracking, please refer to https://help.salesforce.com/articleView?id=sf.updating_picklists.htm&type=5

    The required columns are listed in this table.

    Event Required Columns
    EventLogFile Id, EventType, LogFile, LogDate, LogFileLength, LastModifiedDate, LastModifiedDate
    LoginHistory Id, UserId, LoginTime, Browser, Platform, Status, SourceIp, LoginTime , LoginTime
    Dashboard Id, Description, DeveloperName, FolderName, Title, LastModifiedDate, LastModifiedDate LastModifiedDate
    Opportunity Id, Amount, CloseDate, Name, OwnerId, Type, LastModifiedDate, LastModifiedDate, LastModifiedDate
    Report Id, Name

    User

    Id, Username

    For example, if Type in Opportunity is not enabled in Set History Tracking, FortiSIEM will fail to get events in Opportunity.

    Define Salesforce Audit Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials:
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential
      Device Type Salesforce Salesforce Audit
      Access Protocol Salesforce API
      Pull Interval 5 minutes
      Timeout 30 seconds

      Password config

      See Password Configuration

      User Name

      User name for device access

      Password

      Password for device access
      Security Token Security token
      Description Description of the device.
    • Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (From ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New.
      1. Enter "login.salesforce.com" in the IP/Host Name field.
      2. Select the name of the credential created in the "Define Salesforce Audit Credential in FortiSIEM" from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Salesforce Audit Log Collection.

    Sample Events for Salesforce Audit 

    [Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info,[srcIpAddr]=23.23.13.166,[user]=user1.my@example.com,[deviceTime]=1458112097,[isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api
    Previous
    Next

    Salesforce CRM Audit

    Salesforce CRM Audit

    What is Discovered and Monitored

    Protocol Logs Collected Used For
    Salesforce API Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Salesforce Audit" in the Search field to see the event types associated with this device.

    Reports

    There are many reports defined in RESOURCES > Reports > Device > Application > CRM

    • Salesforce Failed Logon Activity
    • Salesforce Successful Logon Activity
    • Top Browsers By Failed Login Count
    • Top Browsers By Successful Login Count
    • Top Salesforce Users By Failed Login Count
    • Top Salesforce Users By Successful Login Count
    • Top Successful Salesforce REST API Queries By Count, Run Time
    • Top Failed Salesforce Failed REST API Queries By Count, Run Time
    • Top Salesforce API Queries By Count, Run Time
    • Top Salesforce Apex Executions By Count, Run Time
    • Top Salesforce Dashboards Views By Count
    • Top Salesforce Document Downloads By Count
    • Top Salesforce Opportunity Reports By Count
    • Top Salesforce Report Exports By Count
    • Top Salesforce Reports By Count, Run Time
    • Top Salesforce Events

    Configuration

    Salesforce Configuration

    Salesforce saves events in a SQL Database, where FortiSIEM will pull the following events from tables: EventLogFile, LoginHistory,User, Dashboard, Opportunity, Report through SQL commands.

    If you get an error about missing columns, please make sure your administrator has enabled Set History Tracking for the missing columns in the tables.

    For more information on how to enable Set History Tracking, please refer to https://help.salesforce.com/articleView?id=sf.updating_picklists.htm&type=5

    The required columns are listed in this table.

    Event Required Columns
    EventLogFile Id, EventType, LogFile, LogDate, LogFileLength, LastModifiedDate, LastModifiedDate
    LoginHistory Id, UserId, LoginTime, Browser, Platform, Status, SourceIp, LoginTime , LoginTime
    Dashboard Id, Description, DeveloperName, FolderName, Title, LastModifiedDate, LastModifiedDate LastModifiedDate
    Opportunity Id, Amount, CloseDate, Name, OwnerId, Type, LastModifiedDate, LastModifiedDate, LastModifiedDate
    Report Id, Name

    User

    Id, Username

    For example, if Type in Opportunity is not enabled in Set History Tracking, FortiSIEM will fail to get events in Opportunity.

    Define Salesforce Audit Credential in FortiSIEM

    Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials:
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:

    1. Settings Description
      Name Enter a name for the credential
      Device Type Salesforce Salesforce Audit
      Access Protocol Salesforce API
      Pull Interval 5 minutes
      Timeout 30 seconds

      Password config

      See Password Configuration

      User Name

      User name for device access

      Password

      Password for device access
      Security Token Security token
      Description Description of the device.
    • Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps (From ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New.
      1. Enter "login.salesforce.com" in the IP/Host Name field.
      2. Select the name of the credential created in the "Define Salesforce Audit Credential in FortiSIEM" from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Salesforce Audit Log Collection.

    Sample Events for Salesforce Audit 

    [Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info,[srcIpAddr]=23.23.13.166,[user]=user1.my@example.com,[deviceTime]=1458112097,[isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api
    Previous
    Next