Salesforce Plugin for Falco

Introduction

The Salesforce Plugin for Falco ingests Real-Time Event Monitoring Objects from Salesforce and makes them available as fields in Falco. You can find out more about these real-time objects here.

With the Salesforce fields available in Falco, you can create Falco rules to detect Salesforce threats in real-time, and alert on them through your configured notification channels. You will find some sample Falco rules in the rules directory.

What's the value in ingesting Salesforce events into Falco?

Because Falco can perform threat detection across a number of cloud platforms in parallel, it allows you to correlate security events across multiple sources in real time and detect active lateral movement as it occurs.

Prerequisites

The plugin requires Go 1.20 or later to compile.

Accessing Real-Time Event Monitoring Objects requires either the Salesforce Shield or the Salesforce Event Monitoring add-on subscription. There may be additional costs associated with streaming these objects; please contact your Salesforce representative to confirm.

The plugin is configured to ingest a fixed set of Real-Time Event Monitoring event streams; the event types it handles are listed under salesforce.eventtype in the Exported Fields section below.

These streams must be enabled by clicking Enable Streaming next to each of them in the Event Manager, so check that every stream you intend to alert on is enabled. You can find information on enabling them in the Enabling real-time events section of this document here.

Configuring the Falco Salesforce plugin as a Salesforce Connected App

The plugin is integrated into Salesforce as a Connected App using the OAuth 2.0 Client Credentials Flow. This flow requires you to provide a Consumer Key, a Consumer Secret and the SFDC Login URL to the plugin, which it uses to authenticate. You can find out more about using the Client Credentials Flow for API authentication here: Using the Client Credentials Flow for Easier API Authentication

Creating a Connected App

The first step to getting the plugin integrated is to create a Salesforce Connected App.

NOTE: the user account that you configure the Connected App to Run As must have the View Real-Time Event Monitoring Data permission. Use a dedicated integration user that holds this permission and nothing more: in the Client Credentials Flow, anyone who obtains the Consumer Key and Consumer Secret can act as the Run As user.

  1. Follow the steps in this document to create a Salesforce Connected App with the OAuth Client Credentials Flow: Configure a Connected App for the OAuth 2.0 Client Credentials Flow
  2. If you followed the steps correctly, you should now have your Consumer Key and Consumer Secret. If you missed where they are shown, you can find their location, and how to rotate the secret, here: Rotating Client Secret

Locating your Salesforce Login URL

You will also need to locate your SFDC login URL (My Domain), which typically uses the format https://mydomain.my.salesforce.com. You can find out more about your My Domain here: What Is My Domain?

Finding more info

You can find out more about Connected App and OAuth terminology here: Connected App and OAuth Terminology

Building the Salesforce plugin

  1. Download the plugin from GitHub using git
  2. Change directory to falco-plugin-salesforce
  3. Compile the plugin using make
  4. Copy libsalesforce.so to /usr/share/falco/plugins
  5. Copy the rules to /etc/falco/rules.d/

git clone https://github.com/an1245/falco-plugin-salesforce
cd falco-plugin-salesforce
make
cp libsalesforce.so /usr/share/falco/plugins/
cp rules/* /etc/falco/rules.d/

Configuring the plugin in Falco.yaml

Now that you have collected your Consumer Key, Consumer Secret and SFDC Login URL, provide them as values in the falco.yaml file. Because falco.yaml now holds the Consumer Secret, restrict its permissions so that only the user Falco runs as can read it, and if the secret is ever exposed, rotate it using the Rotating Client Secret procedure above.

plugins:
  - name: salesforce
    library_path: libsalesforce.so
    init_config:
      sfdcclientid: (your consumer key)
      sfdcclientsecret: (your consumer secret)
      sfdcloginurl: (your sfdc login url)
      Debug: False

We recommend leaving Debug set to False unless you are trying to troubleshoot the plugin.

Now that you've got the plugin configuration done, you can enable it by adding the plugin name to the load_plugins configuration setting.

load_plugins: [salesforce]

Exported Fields

There are a number of fields exported by the plugin.

NOTE: Not all fields are populated for every event type; please refer to the Salesforce Real-Time Event Monitoring Object documentation here for which fields each object carries.

| Field Name | Type | Description |
| --- | --- | --- |
| salesforce.eventtype | string | The type of SFDC event. Possible values: LoginEvent, LogoutEvent, LoginAsEvent, SessionHijackingEvent, CredentialStuffingEvent, PermissionSetEvent, ApiAnomalyEvent |
| salesforce.acceptlanguage | string | List of HTTP Accept-Language header values specifying the natural languages, such as English, that the client understands |
| salesforce.apitype | string | The API that was used (SOAP Enterprise, SOAP Partner, None) |
| salesforce.apiversion | string | The version number of the API |
| salesforce.application | string | The application used to access the org |
| salesforce.authmethodreference | string | The authentication method that was used |
| salesforce.authserviceid | string | The authentication method used by a third-party identity provider for an OpenID Connect single sign-on protocol |
| salesforce.browser | string | The browser name and version, if known |
| salesforce.ciphersuite | string | The TLS cipher suite used for the login |
| salesforce.city | string | The city where the user's IP address is physically located |
| salesforce.clientversion | string | The version number of the login client |
| salesforce.country | string | The country where the user's IP address is physically located |
| salesforce.countryiso | string | The ISO 3166 code for the country where the user's IP address is physically located |
| salesforce.createdbyid | string | The ID of the user who created the event record |
| salesforce.createddate | string | The date and time the event record was created |
| salesforce.currentip | string | The IP address of the newly observed session fingerprint that deviates from the previous fingerprint. A difference between the current and previous values is one indicator that a session hijacking attack has occurred |
| salesforce.currentplatform | string | The platform of the newly observed fingerprint that deviates from the previous fingerprint |
| salesforce.currentscreen | string | The screen of the newly observed fingerprint that deviates from the previous fingerprint |
| salesforce.currentuseragent | string | The user agent of the newly observed fingerprint that deviates from the previous fingerprint |
| salesforce.currentwindow | string | The browser window of the newly observed fingerprint that deviates from the previous fingerprint |
| salesforce.delegatedusername | string | Username of the admin who is logging in as another user |
| salesforce.delegatedorganizationid | string | Organization ID of the admin who is logging in as another user |
| salesforce.evaluationtime | string | The time it took to evaluate the transaction policy, in milliseconds |
| salesforce.eventdate | string | The time when the event occurred |
| salesforce.eventidentifier | string | The unique ID of the event |
| salesforce.eventuuid | string | A universally unique identifier (UUID) that identifies a platform event message |
| salesforce.eventsource | string | The source of the event (API, Classic, etc.) |
| salesforce.hasexternalusers | string | When true, external users are affected by the operation that triggered the permission change |
| salesforce.httpmethod | string | The HTTP method of the request |
| salesforce.impacteduserids | string | A comma-separated list of IDs of the users affected by the event |
| salesforce.loginascategory | string | How the admin logged in as another user |
| salesforce.logingeoid | string | The Salesforce ID of the LoginGeo object associated with the login user's IP address |
| salesforce.loginhistoryid | string | Tracks a user session so you can correlate user activity with a particular series of API events |
| salesforce.loginlatitude | string | The latitude where the user's IP address is physically located |
| salesforce.loginlongitude | string | The longitude where the user's IP address is physically located |
| salesforce.loginkey | string | The string that ties together all events in a given user's login session |
| salesforce.logintype | string | The type of login used to access the session |
| salesforce.loginsubtype | string | The type of login flow used. See the LoginSubType field of LoginHistory in the Object Reference guide |
| salesforce.loginurl | string | The URL of the login page |
| salesforce.operation | string | The type of operation that generated the event, for example Query |
| salesforce.parentidlist | string | The IDs of the permission sets or permission set groups affected by the permission change |
| salesforce.parentnamelist | string | The names of the affected permission sets or permission set groups |
| salesforce.permissionexpirationlist | string | A comma-separated list of expiration timestamps from the PermissionSetAssignment |
| salesforce.permissionlist | string | The list of permissions involved in the event |
| salesforce.permissiontype | string | The type of permission that is updated in the event |
| salesforce.platform | string | The operating system on the login machine |
| salesforce.postalcode | string | The postal code where the user's IP address is physically located |
| salesforce.policyid | string | The ID of the transaction policy associated with this event |
| salesforce.policyoutcome | string | The result of the transaction policy |
| salesforce.previousip | string | The IP address of the previously observed session fingerprint, before the deviation |
| salesforce.previousscreen | string | The screen of the previously observed fingerprint |
| salesforce.previousplatform | string | The platform of the previously observed fingerprint |
| salesforce.previoususeragent | string | The user agent of the previously observed fingerprint |
| salesforce.previouswindow | string | The browser window of the previously observed fingerprint |
| salesforce.queriedentities | string | The entities in the SOQL query |
| salesforce.relatedeventidentifier | string | The EventIdentifier of the related event |
| salesforce.requestidentifier | string | The unique ID of a single transaction |
| salesforce.rowsprocessed | string | Total row count for the current operation |
| salesforce.score | string | The score of the event. See the Salesforce developer docs for how the score is derived |
| salesforce.securityeventdata | string | Additional details about the security event |
| salesforce.sessionlevel | string | Session-level security, which controls user access to features that support it |
| salesforce.sessionkey | string | The user's unique session ID |
| salesforce.sourceip | string | The source IP address of the client that logged in |
| salesforce.summary | string | A text summary of the threat that caused this event to be created |
| salesforce.loginstatus | string | The status of the login attempt (for example, success) |
| salesforce.subdivision | string | The name of the subdivision where the user's IP address is physically located |
| salesforce.targeturl | string | The URL redirected to after logging in as another user succeeds |
| salesforce.tlsprotocol | string | The TLS protocol version used for the login |
| salesforce.useragent | string | The User-Agent header of the request |
| salesforce.usercount | string | The number of users affected by the event |
| salesforce.userid | string | The origin user's unique ID |
| salesforce.usertype | string | The category of user license of the user |
| salesforce.username | string | The origin username, in the format user@company.com |
| salesforce.uri | string | The URI of the page that is receiving the request |
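The Introduction says you can write Falco rules against these fields; the rules below are an added example written for this page, not the rules shipped in the plugin's rules directory. They use only the fields in the table above. Assumptions: the plugin's event source is named `salesforce`, the same as its plugin name (plugin rules are matched on `source:`); the country codes and permission names in the list and macro are placeholders to adapt to your org; and `contains` on salesforce.permissionlist is a plain substring match over the comma-separated list, which is why the permission names are not prefixed.

```yaml
# Added example rules for the Falco Salesforce plugin (not the project's own rules).
# Assumed: the plugin's event source is named "salesforce"; the ISO country codes
# and permission names below are placeholders for your org.

- list: salesforce_expected_countries
  # Placeholder ISO 3166 codes where your users normally log in from.
  items: ["AU", "US"]

- macro: salesforce_privileged_permission
  # Placeholder permission names; substring match over the comma-separated list.
  condition: >-
    salesforce.permissionlist contains "ModifyAllData"
    or salesforce.permissionlist contains "ViewAllData"
    or salesforce.permissionlist contains "ManageUsers"
    or salesforce.permissionlist contains "AuthorApex"

- rule: Salesforce Session Threat Detected
  desc: Salesforce raised a SessionHijackingEvent or CredentialStuffingEvent for a user.
  condition: salesforce.eventtype in ("SessionHijackingEvent", "CredentialStuffingEvent")
  output: >-
    Salesforce %salesforce.eventtype user=%salesforce.username score=%salesforce.score
    previous_ip=%salesforce.previousip current_ip=%salesforce.currentip
    previous_ua=%salesforce.previoususeragent current_ua=%salesforce.currentuseragent
    summary=%salesforce.summary
  priority: CRITICAL
  source: salesforce
  tags: [salesforce, identity, session]

- rule: Salesforce Login From Unexpected Country
  desc: A LoginEvent whose geolocated source country is not in the expected list.
  condition: >-
    salesforce.eventtype = "LoginEvent"
    and not salesforce.countryiso in (salesforce_expected_countries)
  output: >-
    Salesforce login from unexpected country user=%salesforce.username
    ip=%salesforce.sourceip country=%salesforce.countryiso city=%salesforce.city
    status=%salesforce.loginstatus login_type=%salesforce.logintype
    application=%salesforce.application ua=%salesforce.useragent
  priority: WARNING
  source: salesforce
  tags: [salesforce, identity, geo]

- rule: Salesforce Privileged Permission Granted
  desc: A PermissionSetEvent whose permission list includes a highly privileged permission.
  condition: salesforce.eventtype = "PermissionSetEvent" and salesforce_privileged_permission
  output: >-
    Salesforce privileged permission change by=%salesforce.username
    permission_type=%salesforce.permissiontype permissions=%salesforce.permissionlist
    permission_sets=%salesforce.parentnamelist impacted_users=%salesforce.impacteduserids
    user_count=%salesforce.usercount external_users=%salesforce.hasexternalusers
  priority: WARNING
  source: salesforce
  tags: [salesforce, identity, privilege]

- rule: Salesforce Admin Logged In As Another User
  desc: An administrator used Login As to act as another user; routine for support, worth reviewing otherwise.
  condition: salesforce.eventtype = "LoginAsEvent"
  output: >-
    Salesforce Login As admin=%salesforce.delegatedusername acting_as=%salesforce.username
    category=%salesforce.loginascategory ip=%salesforce.sourceip target=%salesforce.targeturl
  priority: NOTICE
  source: salesforce
  tags: [salesforce, identity, privilege]
```

Save the file under /etc/falco/rules.d/ alongside the plugin's own rules, and validate it with `falco -V <file>` before restarting Falco. If the plugin reports its event source under a different name than `salesforce` (see `falco --list-plugins`), change the `source:` values to match, or the rules are never evaluated. The session-threat rule is the one to wire to a paging channel: Salesforce has already correlated the fingerprint change, so the previous/current IP and user-agent pairs in the output are enough to start a session revocation.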