Data Source

Ingests audit events from Salesforce orgs via REST API, targeting two critical log types:

  • Setup Audit Trail: Administrative changes, configuration modifications, and permission updates
  • Login History: User authentication events, failed login attempts, and access patterns

Ingestion Mechanism

CCF-based connector using Data Collection Rules with OAuth2 authentication (client credentials or username-password flows). Populates two custom tables:

  • SalesforceAuditTrail (Setup Audit Trail events)
  • SalesforceLoginHistory (Login History events)

Detection Surface Unlocked

Administrative oversight blind spots are addressed with visibility into:

  • Privilege escalation through permission changes and role modifications
  • Unauthorized configuration changes to security controls
  • Suspicious authentication patterns and credential compromise indicators
  • Cross-domain administrative activity for multi-org environments

The connector supports both production and sandbox environments with multi-domain configurations, enabling SOC teams to monitor Salesforce administrative security across complex deployments.

Affected Files

Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DCR.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DataConnectorDefinition.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_PollingConfig.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DataConnectorDefinition.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_PollingConfig.json
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_TSalesforceCloudtemplateSpec.json, createUiDefinition.json, mainTemplate.json)