Salesforce Service Cloud: New ASIM WebSession Parser Enables Normalized API/Web Request Monitoring

What Changed

New ASIM WebSession parser for Salesforce Service Cloud V2, providing normalized monitoring of Salesforce API requests and web session activity through the SalesforceServiceCloudV2_CL table.

Parser Impact

Schema: Normalizes to ASIM WebSession v0.2.7 schema from SalesforceServiceCloudV2_CL table
Event Coverage: Maps 15 Salesforce event types including API calls (RestApi, BulkApi2, ApexCallout, MetadataApiOperation) and web sessions (URI, AuraRequest, LightningPageView, LightningInteraction)
Field Mapping: Extracts user identity (UserId, UserEmail), source IP, HTTP details, response codes, and device information
Entity Types: Maps Account (SrcUsername), IP (SrcIpAddr), URL (Url), Host (DstHostname) entities

Detection Surface Unlocked

Enables monitoring of:

API Abuse: Unusual API call patterns, failed authentication attempts, excessive data access via REST/Bulk APIs
Session Anomalies: Abnormal geographic access, device changes, concurrent sessions
Privilege Escalation: Admin user type changes, unexpected metadata operations
Data Exfiltration: Large response sizes, bulk API usage patterns
Application Security: CSP violations, Lightning framework security events

Parser includes comprehensive filtering parameters for starttime, endtime, source IP prefixes, URLs, user agents, and event results — enabling efficient threat hunting across Salesforce activity.

Affected Files

Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json
Parsers/ASimWebSession/ARM/ASimWebSessionSalesforceServiceCloudV2/ASimWebSessionSalesforceServiceCloudV2.json
Parsers/ASimWebSession/ARM/ASimWebSessionSalesforceServiceCloudV2/README.md
Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json
Parsers/ASimWebSession/ARM/vimWebSessionSalesforceServiceCloudV2/README.md
Parsers/ASimWebSession/ARM/vimWebSessionSalesforceServiceCloudV2/vimWebSessionSalesforceServiceCloudV2.json
Parsers/ASimWebSession/CHANGELOG/ASimWebSession.md
Parsers/ASimWebSession/CHANGELOG/ASimWebSessionSalesforceServiceCloudV2.md
Parsers/ASimWebSession/CHANGELOG/imWebSession.md
Parsers/ASimWebSession/CHANGELOG/vimWebSessionSalesforceServiceCloudV2.md
Parsers/ASimWebSession/Parsers/ASimWebSession.yaml
Parsers/ASimWebSession/Parsers/ASimWebSessionSalesforceServiceCloudV2.yaml
Parsers/ASimWebSession/Parsers/imWebSession.yaml
Parsers/ASimWebSession/Parsers/vimWebSessionSalesforceServiceCloudV2.yaml
Sample Data/ASIM/Salesforce_Salesforce Service Cloud_WebSession_IngestedLogs.csv

What Changed#

Parser Impact#

Detection Surface Unlocked#

Affected Files#

What Changed

Parser Impact

Detection Surface Unlocked

Affected Files