Salesforce customers must enable Event Monitoring first. An additional license may be required for this Salesforce add-on.
Create an API User
Panther requires a user account with API and Event Log File permissions in order to retrieve Event Monitoring logs.
We recommend creating a new, dedicated user with the minimum permissions required by Panther. Salesforce requires each user to have a unique username, but the same email address can be included in multiple users. Thus, you can create a Panther-only account without having to manage an additional email address in your organization.
Follow the instructions in the Salesforce documentation to add a new user. For the User License and Profile fields, make sure "Salesforce" and Read Only" are selected, respectively. (see below)
User License and Profile
Complete the user registration process by setting a new password.
Retrieve Security Token
Salesforce API access requires, in addition to the username and password, a credential named Security Token.
In order to request a security token for new Salesforce user account, you can follow the instructions here. The security token will be sent via email to the account email address.
Create and assign a new Permission Set
In order to assign permissions to the new user we need to create a new Permission Set. Follow the instructions in the Salesforce documentation to add a new permission set that will grant Panther access to the Event Monitoring data via the SOAP/REST API.
After creating the permission set, go to System Permissions by clicking on the link:
System Permissions Link
Click on the Edit button and select the following permissions:
Event Log Files
After the System Permissions have been updated, you can assign the Permission Set to the designated user by following the instructions here.
Create a new Salesforce Source in Panther
Login to your Panther deployment
Go to Integrations > Log Sources
Click the "plus" icon at the top right of the page to add a new log source
Select Salesforce from the list of available sources
Click Start Source Setup
Enter a friendly name for the source, e.g. Salesforce Logs
Select which log types you would like to monitor
Next, fill in the credentials of the account that Panther will use to connect to the Salesforce API: