Splunk Enterprise Security

Splunk Add-on for SalesForce - Can't find events

guarisma
Contributor

Hello,

We got the Splunk Add-on for SalesForce and configured the API User but it's only pulling Authentication logs (Login/Logout), we are able to see other Audit trail logs in the SalesForce console, but it seems the Add-on is not pulling those logs.
Basically we need logs that will capture:

Password policy was changed
A user account has been granted API access
A user account has been granted privileged access
Verify invalid & valid logical access attempts is logged
Verify changes, additions, deletions to root or administrative accounts is logged
Verify initialization stopping or pausing of audit logs is logged
Verify creation and deletion of system level objects is logged
Verify affected system component, resource or data is including in log entries

Would anyone know how to pull this from SalesForce? Should the Add-on be getting these events?

0 Karma
1 Solution

guarisma
Contributor

To answer my own question, all this information can be found in the Setup Audit Trail which is not a default input for the Add-on, you will need to add it by creating a New Input.

alt text

View solution in original post

ADRIANODL
Explorer

Hi guarisma, did you find an answer to you question? I'm still going through the same issue.

0 Karma

guarisma
Contributor

I've answer my own question but I'm having another issue

Object Fields should be = Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix
Orther By field should be = CreatedDate

But it pulls the initial 90 days of logs and then it never pulls again.

0 Karma

guarisma
Contributor

To answer my own question, all this information can be found in the Setup Audit Trail which is not a default input for the Add-on, you will need to add it by creating a New Input.

alt text

guarisma
Contributor

This actually pulled the first 90 days of events as expected by default but after that it stopped pulling data
The logs in _internal are not showing any errors, but the API call seems to have gotten stuck in the last checkpoint forever.

0 Karma

guarisma
Contributor
0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...