HomeDocumentation and Guides


For prerequisites and installation steps see Salesforce Quick Start Setup Guide.

Table of Contents


Cisco Cloudlock monitors Salesforce in the following policies:

Data Loss Prevention (DLP)

User Events and Behavior Analytics (UEBA)

  • Build Your Own: Event Analysis

See UEBA for more information and a complete list of Salesforce Events

Salesforce also has its own unique policy:

Salesforce Report Export Activity

This policy triggers incidents for Salesforce Report Export events.

Frequency—The range for which reports are expected to be exported within a certain number of days. Any frequency beyond this range will trigger an incident.
Location—Choose the countries where exporting reports is acceptable. Any countries not listed will trigger an incident a user exports a report.
Profile—List any users that do not need to be flagged for exporting reports.
*Business Hours —Define the range of time reports can be exported. Any reports exported outside of this range will trigger an incident.


Report Export Activity Prerequisites

The Salesforce Report Export Activity Policy requires Salesforce Shield Even Monitoring and must be enabled. Contact [email protected] for more information.

Response Actions

In addition to the Global Response Actions available in all platforms, Salesforce also has three unique Response Actions:

Transaction Security

Blocks the export for 24 hours including accounts, contacts, cases, leads, and opportunities.

Flag For Community Moderator

Flags chatter or files for the Salesforce community moderator.

Selective Encryption

Encrypts fields on objects


Salesforce Response Actions

Please Note:

  • Flag for Community Moderator and Selective Encryption can only be used in a policy where Salesforce is the only platform selected for monitoring
  • These two response actions cannot be used together but can be used with Transaction Security

##Incident Examples


Custom Regex Policy Incident


Events Analysis Policy Incident


Events Analysis Policy Incident

View an Object

For DLP incident you can click View Object in the uppermost right corner to view the file that violated the policy.


When viewing an object with Salesforce you will be redirected to log into Salesforce to view the object. Only Salesforce users with permissions to view SObjects can view the incident object. Permissions for SObjects may vary, but in general system administrators in Salesforce can view all objects.