Salesforce
For prerequisites and installation steps see Salesforce Quick Start Setup Guide.
Table of Contents
Policies
Cisco Cloudlock monitors Salesforce in the following policies:
Data Loss Prevention (DLP)
- Predefined
- Build Your Own: Context Only
- Build Your Own: Custom Regex
User Events and Behavior Analytics (UEBA)
- Build Your Own: Event Analysis
See UEBA for more information and a complete list of Salesforce Events
Salesforce also has its own unique policy:
Salesforce Report Export Activity
This policy triggers incidents for Salesforce Report Export events.
Frequency—The range for which reports are expected to be exported within a certain number of days. Any frequency beyond this range will trigger an incident.
Location—Choose the countries where exporting reports is acceptable. Any countries not listed will trigger an incident a user exports a report.
Profile—List any users that do not need to be flagged for exporting reports.
*Business Hours —Define the range of time reports can be exported. Any reports exported outside of this range will trigger an incident.
Report Export Activity Prerequisites
The Salesforce Report Export Activity Policy requires Salesforce Shield Even Monitoring and must be enabled. Contact [email protected] for more information.
Response Actions
In addition to the Global Response Actions available in all platforms, Salesforce also has three unique Response Actions:
Transaction Security
Blocks the export for 24 hours including accounts, contacts, cases, leads, and opportunities.
Flag For Community Moderator
Flags chatter or files for the Salesforce community moderator.
Selective Encryption
Encrypts fields on objects
Salesforce Response Actions
Please Note:
- Flag for Community Moderator and Selective Encryption can only be used in a policy where Salesforce is the only platform selected for monitoring
- These two response actions cannot be used together but can be used with Transaction Security
View an Object
For DLP incident you can click View Object in the uppermost right corner to view the file that violated the policy.
When viewing an object with Salesforce you will be redirected to log into Salesforce to view the object. Only Salesforce users with permissions to view SObjects can view the incident object. Permissions for SObjects may vary, but in general system administrators in Salesforce can view all objects.
Updated over 1 year ago