Acknowledgements: Many thanks to Tomás García Hidalgo and Roberto Moreda for their creation and contribution of this collector!

Salesforce provides an API endpoint to execute a SOQL query to get records of the requested object.

Salesforce defines standard objects, such as LoginHistory or SetupAuditTrail, whose records are useful in a SIEM pipeline. EventLogFile is a special case because its records contain data about event log files ready to be downloaded from a different endpoint.

This Cribl REST Collector enables a compact way to get:

• Salesforce records using the Query endpoint
• Salesforce event monitoring content from EventLogFile records using the sObject Blob Get endpoint

Find the collector here.

Usage Instructions

1. Import the Event Breaker Ruleset:
   1. Go to Processing -> Knowledge -> Event Breaker Rules -> Add Ruleset.
   2. Click on Manage as JSON and paste the content of breaker.json.
2. Import the REST Collector:
   1. Go to Data -> Sources -> Collectors -> REST -> Add Collector.
   2. Go to Configure as JSON tab and click on Import.
   3. Import the collector.json file.
   4. Provide the required values: domain of the customer, API version, user name, password, client ID and client secret.
3. (Optional) Edit the queries on object records in the format discovery result code of the collector to suit your needs.
4. Commit and Deploy.

How it Works

The basic steps follow the usual workflow in Cribl collectors:

1. Discover the event log files to be downloaded using a HTTP request to get EventLogFile records.
2. Add a static list of discover results for records of other objects that don't require subsequent downloads using format discover result.
3. Collect event log files and records using the appropriate URL and event breaker rules.

All files included are meant to be adapted for your specific case. Depending on your needs you can decide to create a collector just for records and just for event log files. They are based on an actual deployment and they were developed by the teams of Repsol and Allenta.

Get Started

Find the latest instructions and information on the official Cribl GitHub page for the collector.