Data Source
Ingests audit events from Salesforce orgs via REST API, targeting two critical log types:
- Setup Audit Trail: Administrative changes, configuration modifications, and permission updates
- Login History: User authentication events, failed login attempts, and access patterns
Ingestion Mechanism
CCF-based connector using Data Collection Rules with OAuth2 authentication (client credentials or username-password flows). Populates two custom tables:
- SalesforceAuditTrail (Setup Audit Trail events)
- SalesforceLoginHistory (Login History events)
Detection Surface Unlocked
Administrative oversight blind spots are addressed with visibility into:
- Privilege escalation through permission changes and role modifications
- Unauthorized configuration changes to security controls
- Suspicious authentication patterns and credential compromise indicators
- Cross-domain administrative activity for multi-org environments
The connector supports both production and sandbox environments with multi-domain configurations, enabling SOC teams to monitor Salesforce administrative security across complex deployments.
Affected Files
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DCR.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_DataConnectorDefinition.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_PollingConfig.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_DataConnectorDefinition.json
Solutions/Salesforce Service Cloud/Data Connectors/SalesforceSentinelConnector_CCP/SalesforceServiceCloud_PollingConfig.json
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_TSalesforceCloudtemplateSpec.json, createUiDefinition.json, mainTemplate.json)