Salesforce
This feature will be made available in version 1.17
Panther has the ability to fetch Salesforce Event Monitoring logs for the following event types:
Salesforce customers must enable Event Monitoring first. An additional license may be required for this Salesforce add-on.

Create an API User

Panther requires a user account with API and Event Log File permissions in order to retrieve Event Monitoring logs.
We recommend creating a new, dedicated user with the minimum permissions required by Panther. Salesforce requires each user to have a unique username, but the same email address can be used by multiple users. Thus, you can create a Panther-only account without having to manage an additional email address in your organization.
In order to create and add permissions to the new user, the 'Manage Users' permission is required.
Follow the instructions in the Salesforce documentation to add a new user. For the User License and Profile fields, make sure "Salesforce" and "Read Only" are selected, respectively (see below).
User License and Profile
Complete the user registration process by setting a new password.

Retrieve Security Token

Salesforce API access requires, in addition to the username and password, a credential named Security Token.
In order to request a security token for the new Salesforce user account, you can follow the instructions here. The security token will be sent via email to the account email address.

Create and assign a new Permission Set

In order to assign permissions to the new user we need to create a new Permission Set. Follow the instructions in the Salesforce documentation to add a new permission set that will grant Panther access to the Event Monitoring data via the SOAP/REST API.
After creating the permission set, go to System Permissions by clicking on the link:
System Permissions Link
Click on the Edit button and select the following permissions:
API Enabled
Event Log Files
After the System Permissions have been updated, you can assign the Permission Set to the designated user by following the instructions here.
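A least-privilege check for the dedicated user set up above, as an added example (not Panther's or Salesforce's own code): it takes rows shaped like records from a query on the Salesforce PermissionSet object and reports required permissions that are missing and extra ones that are granted, with the set that grants them. The field names PermissionsApiEnabled and PermissionsViewEventLogFiles are assumed to correspond to the "API Enabled" and "Event Log Files" checkboxes; the sample rows and permission set names are constructed.

```python
# Added example: least-privilege audit for the dedicated Panther API user.
# Rows mimic records from a query on the Salesforce PermissionSet object,
# where each system permission is a boolean field named Permissions<Name>.

# Assumption: these API field names correspond to the "API Enabled" and
# "Event Log Files" checkboxes selected in the steps above.
REQUIRED = {"PermissionsApiEnabled", "PermissionsViewEventLogFiles"}


def granted(row):
    """System permissions switched on in one PermissionSet row."""
    return {k for k, v in row.items() if k.startswith("Permissions") and v is True}


def audit_user(rows, required=REQUIRED):
    """Audit the union of all permission sets assigned to one user.

    Effective access is the union of every assigned set, so a leftover
    assignment can widen the account even if the Panther set is minimal.
    """
    sources = {}  # permission -> names of the sets that grant it
    for row in rows:
        for perm in granted(row):
            sources.setdefault(perm, []).append(row["Name"])
    missing = sorted(required - set(sources))
    excess = {p: sorted(n) for p, n in sorted(sources.items()) if p not in required}
    return {"missing": missing, "excess": excess, "ok": not missing and not excess}


# Constructed sample rows (hypothetical permission set names, not real org data).
PANTHER_SET = {"Name": "Panther_Event_Monitoring", "PermissionsApiEnabled": True,
               "PermissionsViewEventLogFiles": True, "PermissionsViewAllData": False}
LEFTOVER_SET = {"Name": "Sales_Ops", "PermissionsApiEnabled": True,
                "PermissionsViewEventLogFiles": False, "PermissionsViewAllData": True}
INCOMPLETE_SET = {"Name": "Panther_Draft", "PermissionsApiEnabled": True,
                  "PermissionsViewEventLogFiles": False, "PermissionsViewAllData": False}

if __name__ == "__main__":
    for label, rows in [("minimal", [PANTHER_SET]),
                        ("extra assignment", [PANTHER_SET, LEFTOVER_SET]),
                        ("missing permission", [INCOMPLETE_SET])]:
        print(label, audit_user(rows))
```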

Create a new Salesforce Source in Panther

1. Log in to your Panther deployment
2. Go to Integrations > Log Sources
3. Click the "plus" icon at the top right of the page to add a new log source
4. Select Salesforce from the list of available sources
5. Click Start Source Setup
6. Enter a friendly name for the source, e.g. Salesforce Logs
7. Select which log types you would like to monitor
8. Next, fill in the credentials of the account that Panther will use to connect to the Salesforce API:
     Account Username: e.g. [email protected]
     Account Password: the account password
     Security Token: the Security Token (see here for instructions)
9. Click Continue Setup. At this step the credentials are also verified.
You are done! You can now start writing detections and exploring your Salesforce data.
New Salesforce Log Source