diff --git a/packages/salesforce/_dev/build/docs/README.md b/packages/salesforce/_dev/build/docs/README.md index d7bfca510c2..38a72ad7c5d 100644 --- a/packages/salesforce/_dev/build/docs/README.md +++ b/packages/salesforce/_dev/build/docs/README.md @@ -16,10 +16,11 @@ As an example, you can use the data from this integration to understand the acti The Salesforce integration collects log events using the REST API of Salesforce. **Logs** help you keep a record of events happening in Salesforce. -Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm). +Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm), and [Logout](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm). Data streams: - `login_rest`: Tracks login activity of users who log in to Salesforce. +- `logout_rest`: Tracks logout activity of users who logout from Salesforce. ## Compatibility @@ -31,7 +32,7 @@ In order to find out the Salesforce version of your Instance, see below: 2. An alternative way to find out the version of Salesforce is by hitting the following URL: - Format: (Salesforce Instance URL)/services/data - - Example: https://elastic1234-dev-ed.my.salesforce.com/services/data + - Example: `https://na9.salesforce.com/services/data` Example response: ```xml 
@@ -78,11 +79,11 @@ You need the following information from your Salesforce instance to configure th The instance your Salesforce Organization uses is indicated in the URL of your browser's address bar in Salesforce Classic. The value before 'salesforce.com' is your Salesforce Instance. -Example URL: https://na9.salesforce.com/home/home.jsp +Example URL: `https://na9.salesforce.com/home/home.jsp` In the above example, the value before 'salesforce.com' is your Salesforce Instance. In this example, the Salesforce Organization is located on NA9. -The Salesforce Instance URL is: https://na9.salesforce.com +The Salesforce Instance URL is: `https://na9.salesforce.com` In Salesforce Lightning, it is available under the user name in the “View Profile” tab. @@ -167,3 +168,11 @@ This is the `login_rest` data stream. It represents events containing details ab {{event "login_rest"}} {{fields "login_rest"}} + +### Logout Rest + +This is the `logout_rest` data stream. It represents events containing details about your organization's user logout history. + +{{event "logout_rest"}} + +{{fields "logout_rest"}} diff --git a/packages/salesforce/_dev/deploy/docker/files/config.yml b/packages/salesforce/_dev/deploy/docker/files/config.yml index cd5b3ca88e8..354a307bc76 100644 --- a/packages/salesforce/_dev/deploy/docker/files/config.yml +++ b/packages/salesforce/_dev/deploy/docker/files/config.yml 
@@ -68,4 +68,4 @@ rules: content-type: ["text/csv"] body: |- "EVENT_TYPE","TIMESTAMP","REQUEST_ID","ORGANIZATION_ID","USER_ID","RUN_TIME","CPU_TIME","URI","SESSION_KEY","LOGIN_KEY","TYPE","METHOD","SUCCESS","TIME","REQUEST_SIZE","RESPONSE_SIZE","URL","TIMESTAMP_DERIVED","USER_ID_DERIVED","CLIENT_IP","URI_ID_DERIVED" - "ApexCallout","20221122044615.591","ABCDE","00D5j000000VABC","0055j000000ABCD","1305","10","CALLOUT-LOG","ABCDEF","ABCDEFGH","OData","GET","1","1293","10","256","https://temp.sh/odata/Accounts","2022-11-22T04:46:15.591Z","0055j012345utlPAAQ","127.0.0.1","0055j000000utlPABCD" + "ApexCallout","20221122044615.591","4exLFFQZ1234xFl1cJNwOV","00D5j000000001V","0055j0000000001","1305","10","CALLOUT-LOG","WvtsJ1235oW24EbH","Obv9123BzbaxqCo1","OData","GET","1","1293","10","256","https://temp.sh/odata/Accounts","2022-11-22T04:46:15.591Z","0055j012345utlPAAQ","81.2.69.142","0055j000000utlPAQZB" diff --git a/packages/salesforce/changelog.yml b/packages/salesforce/changelog.yml index ec74a94dd89..7ae28f607c5 100644 --- a/packages/salesforce/changelog.yml +++ b/packages/salesforce/changelog.yml @@ -1,5 +1,10 @@ # newer versions go on top +- version: 0.2.0 + changes: + - description: Salesforce integration package with "logout_rest" data stream. + link: https://github.com/elastic/integrations/pull/4323 + type: enhancement - version: 0.1.0 changes: - description: Salesforce integration package with "login_rest" data stream. diff --git a/packages/salesforce/data_stream/login_rest/_dev/test/pipeline/test-login-rest.log-expected.json b/packages/salesforce/data_stream/login_rest/_dev/test/pipeline/test-login-rest.log-expected.json index af62ddb50f1..7662038f200 100644 --- a/packages/salesforce/data_stream/login_rest/_dev/test/pipeline/test-login-rest.log-expected.json +++ b/packages/salesforce/data_stream/login_rest/_dev/test/pipeline/test-login-rest.log-expected.json 
@@ -3,7 +3,7 @@ { "@timestamp": "2022-09-13T05:22:43.429Z", "ecs": { - "version": "8.4.0" + "version": "8.5.0" }, "event": { "action": "login-attempt", @@ -27,7 +27,7 @@ }, "salesforce": { "login": { - "access_mode": "rest", + "access_mode": "REST", "api": { "type": "Feed", "version": "9998.0" diff --git a/packages/salesforce/data_stream/login_rest/elasticsearch/ingest_pipeline/default.yml b/packages/salesforce/data_stream/login_rest/elasticsearch/ingest_pipeline/default.yml index 12e54c0d480..e5dd7edffdf 100644 --- a/packages/salesforce/data_stream/login_rest/elasticsearch/ingest_pipeline/default.yml +++ b/packages/salesforce/data_stream/login_rest/elasticsearch/ingest_pipeline/default.yml @@ -20,12 +20,12 @@ processors: ignore_missing: true - set: field: salesforce.login.access_mode - value: "rest" + value: "REST" ignore_failure: true ignore_empty_value: true - set: field: ecs.version - value: "8.4.0" + value: "8.5.0" ignore_failure: true ignore_empty_value: true - date: diff --git a/packages/salesforce/data_stream/login_rest/sample_event.json b/packages/salesforce/data_stream/login_rest/sample_event.json index ad0fb388df4..0f7e874adf3 100644 --- a/packages/salesforce/data_stream/login_rest/sample_event.json +++ b/packages/salesforce/data_stream/login_rest/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2022-11-22T04:46:15.591Z", "agent": { - "ephemeral_id": "ce504617-c797-4257-845c-f1d8f57cc9bd", - "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0", + "ephemeral_id": "7091b66c-e647-42f9-9c3e-d0753552a291", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.1" @@ -13,10 +13,10 @@ "type": "logs" }, "ecs": { - "version": "8.4.0" + "version": "8.5.0" }, "elastic_agent": { - "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", "snapshot": false, "version": "8.4.1" }, 
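Review bot: `salesforce.login.access_mode` changes from `rest` to `REST` on the existing login_rest stream, so documents indexed before and after the upgrade carry different values and any saved search, dashboard filter or detection rule that matches the lowercase value silently stops matching new events; the 0.2.0 changelog entry in this PR only mentions the new logout_rest stream. If the uppercase spelling is the intent (it is what the new logout pipeline sets), record it next to that entry, e.g. `- description: Change the value of salesforce.login.access_mode from "rest" to "REST".` with `type: breaking-change`, so users know to update their queries. The same value change is repeated in the login_rest expected-output and sample-event files in this diff, which is consistent with it being deliberate.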
@@ -26,9 +26,9 @@ "category": [ "authentication" ], - "created": "2022-11-29T07:28:46.257Z", + "created": "2022-12-15T10:29:06.958Z", "dataset": "salesforce.login_rest", - "ingested": "2022-11-29T07:28:50Z", + "ingested": "2022-12-15T10:29:10Z", "kind": "event", "module": "salesforce", "original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"9998.0\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36\",\"CIPHER_SUITE\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"CLIENT_IP\":\"81.2.69.142\",\"CPU_TIME\":\"30\",\"DB_TOTAL_TIME\":\"52435102\",\"EVENT_TYPE\":\"Login\",\"LOGIN_KEY\":\"QfNecrLXSII6fsBq\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"REQUEST_ID\":\"4ehU_U-nbQyAPFl1cJILm-\",\"REQUEST_STATUS\":\"Success\",\"RUN_TIME\":\"83\",\"SESSION_KEY\":\"\",\"SOURCE_IP\":\"81.2.69.142\",\"TIMESTAMP\":\"20221122044615.591\",\"TIMESTAMP_DERIVED\":\"2022-11-22T04:46:15.591Z\",\"TLS_PROTOCOL\":\"TLSv1.2\",\"URI\":\"/index.jsp\",\"URI_ID_DERIVED\":\"s4heK3WbH-lcJIL3-n\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_NAME\":\"user@elastic.co\",\"USER_TYPE\":\"Standard\"}", @@ -49,7 +49,7 @@ "salesforce": { "instance_url": "http://elastic-package-service_salesforce_1:8010", "login": { - "access_mode": "rest", + "access_mode": "REST", "api": { "type": "Feed", "version": "9998.0" diff --git a/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-common-config.yml b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event 
diff --git a/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log new file mode 100644 index 00000000000..ac04091f554 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log @@ -0,0 +1 @@ +{"EVENT_TYPE":"Logout","TIMESTAMP":"20211019050707.13","REQUEST_ID":"4exLFFQZNa5xxFl1cJNwOV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","USER_TYPE":"X","SESSION_TYPE":"C","SESSION_LEVEL":"1","BROWSER_TYPE":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","PLATFORM_TYPE":"1015","RESOLUTION_TYPE":"9999","APP_TYPE":"1000","CLIENT_VERSION":"9998","API_TYPE":"fo","API_VERSION":"54.0","USER_INITIATED_LOGOUT":"1","SESSION_KEY":"/b1/C123g6WXplkT","LOGIN_KEY":"OK123uSUIZVr9YzF","TIMESTAMP_DERIVED":"2021-10-19T05:07:07.128Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"175.16.199.0"} \ No newline at end of file diff --git a/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log-expected.json b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log-expected.json new file mode 100644 index 00000000000..d673f79c5e5 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/_dev/test/pipeline/test-logout-rest.log-expected.json 
@@ -0,0 +1,74 @@ +{ + "expected": [ + { + "@timestamp": "2021-10-19T05:07:07.128Z", + "ecs": { + "version": "8.5.0" + }, + "event": { + "action": "logout", + "category": [ + "authentication" + ], + "code": "4exLFFQZNa5xxFl1cJNwOV", + "dataset": "salesforce.logout_rest", + "kind": "event", + "module": "salesforce", + "original": "{\"EVENT_TYPE\":\"Logout\",\"TIMESTAMP\":\"20211019050707.13\",\"REQUEST_ID\":\"4exLFFQZNa5xxFl1cJNwOV\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"USER_ID\":\"0055j000000utlP\",\"USER_TYPE\":\"X\",\"SESSION_TYPE\":\"C\",\"SESSION_LEVEL\":\"1\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"PLATFORM_TYPE\":\"1015\",\"RESOLUTION_TYPE\":\"9999\",\"APP_TYPE\":\"1000\",\"CLIENT_VERSION\":\"9998\",\"API_TYPE\":\"fo\",\"API_VERSION\":\"54.0\",\"USER_INITIATED_LOGOUT\":\"1\",\"SESSION_KEY\":\"/b1/C123g6WXplkT\",\"LOGIN_KEY\":\"OK123uSUIZVr9YzF\",\"TIMESTAMP_DERIVED\":\"2021-10-19T05:07:07.128Z\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"CLIENT_IP\":\"175.16.199.0\"}", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "175.16.199.0" + ] + }, + "salesforce": { + "logout": { + "access_mode": "REST", + "api": { + "type": "fo", + "version": "54.0" + }, + "app_type": "Application", + "browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", + "client_version": "9998", + "event_type": "Logout", + "login_key": "OK123uSUIZVr9YzF", + "organization_id": "00D5j000000VI3n", + "platform_type": "Windows 10", + "resolution_type": "9999", + "session": { + "level": "Standard Session", + "type": "Content" + }, + "user_id": "0055j000000utlP", + "user_initiated_logout": "1" + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": 
"CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "0055j000000utlPAAQ", + "roles": "Salesforce Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/salesforce/data_stream/logout_rest/_dev/test/system/test-default-config.yml b/packages/salesforce/data_stream/logout_rest/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..c6aa6813ff0 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: httpjson +service: salesforce +vars: + instance_url: http://{{Hostname}}:{{Port}} + client_id: temp_client_id + client_secret: forty_characters_long_secret_key + username: temp_user + password: temp_password + token_url: http://{{Hostname}}:{{Port}}/services/oauth2/token +data_stream: + vars: + preserve_original_event: true diff --git a/packages/salesforce/data_stream/logout_rest/agent/stream/httpjson.yml.hbs b/packages/salesforce/data_stream/logout_rest/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..1ae8292f040 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{period}}
+request.method: GET
+auth.oauth2:
+ enabled: true
+ client.id: {{client_id}}
+ client.secret: {{client_secret}}
+ token_url: {{token_url}}
+ user: {{username}}
+ password: {{password}}
+request.url: {{instance_url}}/services/data/v54.0/query?q=logout+rest
+request.transforms:
+ - set:
+ target: url.params.q
+ value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' AND LogDate > [[.cursor.last_published_logout]] ORDER BY CreatedDate ASC NULLS FIRST"
+ default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST"
+response.split:
+ target: body.records
+chain:
+ - step:
+ request.url: {{instance_url}}/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile
+ request.method: GET
+ replace: $.records[:].Id
+cursor:
+ last_published_logout:
+ value: '[[.last_event.LogDate]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_fields:
+ target: salesforce
+ fields:
+ instance_url: {{instance_url}}
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/salesforce/data_stream/logout_rest/elasticsearch/ingest_pipeline/default.yml b/packages/salesforce/data_stream/logout_rest/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8a9b779484c
--- /dev/null
+++ b/packages/salesforce/data_stream/logout_rest/elasticsearch/ingest_pipeline/default.yml
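Review bot: `client.secret: {{client_secret}}` and `password: {{password}}` substitute the credentials into the rendered YAML unquoted, so a secret that contains `#` or `: `, starts with `*`, `&`, `[` or `{`, or happens to parse as a number or boolean is silently retyped or breaks the generated input config; `client.id` and `user` have the same exposure. Quote the substitutions, e.g. `client.secret: "{{client_secret}}"` and `password: "{{password}}"`, or use Fleet's string-escaping template helper if the renderer provides one (I believe it does, but cannot confirm from this hunk), and keep the choice consistent with the login_rest template, which is not in this diff. The API version `v54.0` is pinned in both `request.url` values with nothing tying them together; a comment such as `# Salesforce REST API version used by the query and the LogFile fetch; bump both together` would make the next bump deliberate.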
@@ -0,0 +1,324 @@ +--- +description: Pipeline for parsing Salesforce Logout (REST) logs. +processors: +- json: + field: message + target_field: json + ignore_failure: true +- set: + field: event.original + value: '{{{message}}}' + ignore_failure: true + ignore_empty_value: true +- fingerprint: + fields: + - json.REQUEST_ID + - json.SESSION_KEY + - json.TIMESTAMP_DERIVED + - json.USER_ID + target_field: _id + ignore_missing: true +- set: + field: salesforce.logout.access_mode + value: "REST" + ignore_failure: true + ignore_empty_value: true +- set: + field: ecs.version + value: "8.5.0" + ignore_failure: true + ignore_empty_value: true +- date: + field: json.TIMESTAMP_DERIVED + target_field: "@timestamp" + formats: + - ISO8601 + ignore_failure: true +- rename: + field: json.SESSION_TYPE + target_field: salesforce.logout.session.type + ignore_failure: true + ignore_missing: true +- rename: + field: json.EVENT_TYPE + target_field: salesforce.logout.event_type + ignore_failure: true + ignore_missing: true +- rename: + field: json.SESSION_LEVEL + target_field: salesforce.logout.session.level + ignore_failure: true + ignore_missing: true +- rename: + field: json.BROWSER_TYPE + target_field: salesforce.logout.browser_type + ignore_failure: true + ignore_missing: true +- rename: + field: json.PLATFORM_TYPE + target_field: salesforce.logout.platform_type + ignore_failure: true + ignore_missing: true +- rename: + field: json.RESOLUTION_TYPE + target_field: salesforce.logout.resolution_type + ignore_failure: true + ignore_missing: true +- rename: + field: json.APP_TYPE + target_field: salesforce.logout.app_type + ignore_failure: true + ignore_missing: true +- rename: + field: json.CLIENT_VERSION + target_field: salesforce.logout.client_version + ignore_failure: true + ignore_missing: true +- rename: + field: json.API_TYPE + target_field: salesforce.logout.api.type + ignore_failure: true + ignore_missing: true +- rename: + field: json.API_VERSION + target_field: 
salesforce.logout.api.version + ignore_failure: true + ignore_missing: true +- rename: + field: json.USER_INITIATED_LOGOUT + target_field: salesforce.logout.user_initiated_logout + ignore_failure: true + ignore_missing: true +- rename: + field: json.LOGIN_KEY + target_field: salesforce.logout.login_key + ignore_failure: true + ignore_missing: true +- rename: + field: json.USER_ID + target_field: salesforce.logout.user_id + ignore_failure: true + ignore_missing: true +- rename: + field: json.ORGANIZATION_ID + target_field: salesforce.logout.organization_id + ignore_failure: true + ignore_missing: true +- set: + field: event.type + value: ["info"] + ignore_failure: true + ignore_empty_value: true +- set: + field: event.kind + value: "event" + ignore_failure: true + ignore_empty_value: true +- set: + field: event.action + value: "logout" + ignore_failure: true + ignore_empty_value: true +- set: + field: event.category + value: ["authentication"] + ignore_failure: true + ignore_empty_value: true +- set: + field: event.dataset + value: "salesforce.logout_rest" + ignore_failure: true + ignore_empty_value: true +- set: + field: event.module + value: "salesforce" + ignore_failure: true + ignore_empty_value: true +- rename: + field: json.REQUEST_ID + target_field: event.code + ignore_failure: true + ignore_missing: true +- rename: + field: json.USER_TYPE + target_field: user.roles + ignore_failure: true + ignore_missing: true +- rename: + field: json.USER_ID_DERIVED + target_field: user.id + ignore_failure: true + ignore_missing: true +- rename: + field: json.CLIENT_IP + target_field: source.ip + ignore_failure: true + ignore_missing: true + if: 'ctx.json?.CLIENT_IP != "Salesforce.com IP" && ctx.json?.CLIENT_IP != ""' +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null + allow_duplicates: false + ignore_failure: true +- script: + description: Set api type value 
from api type character. + lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("D", "Apex Class"); + map.put("E", "SOAP Enterprise"); + map.put("I", "SOAP Cross Instance"); + map.put("M", "SOAP Metadata"); + map.put("O", "Old SOAP"); + map.put("P", "SOAP Partner"); + map.put("S", "SOAP Apex"); + map.put("T", "SOAP Tooling"); + map.put("X", "XmlRPC"); + map.put("f", "Feed"); + map.put("l", "Live Agent"); + map.put("p", "SOAP ClientSync"); + String temp = map.get(ctx.salesforce?.logout?.api?.type); + if (temp != null) { + ctx.salesforce.logout.api.type = temp; + } +- script: + description: Set application type value from application type integers. + lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("1000", "Application"); + map.put("1007", "SFDC Application"); + map.put("1014", "Chat"); + map.put("2501", "CTI"); + map.put("2514", "OAuth"); + map.put("3475", "SFDC Partner Portal"); + String temp = map.get(ctx.salesforce?.logout?.app_type); + if (temp != null) { + ctx.salesforce.logout.app_type = temp; + } +- script: + description: Set platform type value from platform type integers. + lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("1000", "Windows"); + map.put("1008", "Windows 2003"); + map.put("1013", "Windows 8.1"); + map.put("1015", "Windows 10"); + map.put("2003", "Macintosh/Apple OSX"); + map.put("4000", "Linux"); + map.put("5005", "Android"); + map.put("5006", "iPhone"); + map.put("5007", "iPad"); + map.put("5200", "Android 10.0"); + String temp = map.get(ctx.salesforce?.logout?.platform_type); + if (temp != null) { + ctx.salesforce.logout.platform_type = temp; + } +- script: + description: Set session level value from session level integer. 
+ lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("1", "Standard Session"); + map.put("2", "High-Assurance Session"); + String temp = map.get(ctx.salesforce?.logout?.session?.level); + if (temp != null){ + ctx.salesforce.logout.session.level = temp; + } +- script: + description: Set session type value from session type character. + lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("A", "API"); + map.put("I", "APIOnlyUser"); + map.put("N", "ChatterNetworks"); + map.put("Z", "ChatterNetworksAPIOnly"); + map.put("C", "Content"); + map.put("P", "OauthApprovalUI"); + map.put("O", "Oauth2"); + map.put("T", "SiteStudio"); + map.put("R", "SitePreview"); + map.put("S", "SubstituteUser"); + map.put("B", "TempContentExchange"); + map.put("G", "TempOauthAccessTokenFrontdoor"); + map.put("Y", "TempVisualforceExchange"); + map.put("F", "TempUIFrontdoor"); + map.put("U", "UI"); + map.put("E", "UserSite"); + map.put("V", "Visualforce"); + map.put("W", "WDC_API"); + String temp = map.get(ctx.salesforce?.logout?.session?.type); + if (temp != null) { + ctx.salesforce.logout.session.type = temp; + } +- script: + description: Set user roles value from user roles character. 
+ lang: painless + ignore_failure: true + source: | + Map map = new HashMap(); + map.put("A", "Automated Process"); + map.put("b", "High Volume Portal"); + map.put("C", "Customer Portal User"); + map.put("D", "External Who"); + map.put("F", "Self-Service"); + map.put("G", "Guest"); + map.put("L", "Package License Manager"); + map.put("N", "Salesforce to Salesforce"); + map.put("n", "CSN Only"); + map.put("O", "Power Custom"); + map.put("o", "Custom"); + map.put("P", "Partner"); + map.put("p", "Customer Portal Manager"); + map.put("S", "Standard"); + map.put("X", "Salesforce Administrator"); + String temp = map.get(ctx.user?.roles); + if (temp != null) { + ctx.user.roles = temp; + } +- remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +- remove: + field: + - json + - message + ignore_failure: true + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + ignore_failure: true + ignore_empty_value: true diff --git a/packages/salesforce/data_stream/logout_rest/fields/base-fields.yml b/packages/salesforce/data_stream/logout_rest/fields/base-fields.yml new file mode 100644 index 00000000000..3500f7ce8c2 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/fields/base-fields.yml 
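Review bot: `event.type` is set to `["info"]` while `event.category` is `["authentication"]`; ECS's expected authentication types are `start`, `end` and `info`, and a logout closes a session, so `value: ["end"]` would let authentication detections that key on `event.type` see these events — confirm against what the login_rest pipeline emits so the pair stays symmetric. Separately, `json.CLIENT_IP` is renamed to `source.ip` and handed straight to `geoip` with only the literal `Salesforce.com IP` and the empty string excluded; any other non-address value makes `geoip` (or the `ip`-typed mapping at index time) reject the document, and the pipeline's `on_failure` only records `error.message`. A `convert` to `ip` between the rename and `geoip`, which moves an invalid value into `error.message` instead of dropping it silently, keeps the rest of the document indexable. This hunk is the whole new file.
```yaml
- rename:
    field: json.CLIENT_IP
    target_field: source.ip
    # … unchanged: ignore_failure / ignore_missing / if …
- convert:
    field: source.ip
    type: ip
    ignore_missing: true
    on_failure:
      - append:
          field: error.message
          value: 'source.ip is not a valid IP address: {{{source.ip}}}'
      - remove:
          field: source.ip
- geoip:
    field: source.ip
    # … unchanged: target_field / ignore_missing …
```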
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/salesforce/data_stream/logout_rest/fields/ecs.yml b/packages/salesforce/data_stream/logout_rest/fields/ecs.yml
new file mode 100644
index 00000000000..5db552222cc
--- /dev/null
+++ b/packages/salesforce/data_stream/logout_rest/fields/ecs.yml
@@ -0,0 +1,48 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.agent_id_status
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.dataset
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.module
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.type
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.roles
diff --git a/packages/salesforce/data_stream/logout_rest/fields/fields.yml b/packages/salesforce/data_stream/logout_rest/fields/fields.yml
new file mode 100644
index 00000000000..8b124e6aedd
--- /dev/null
+++ b/packages/salesforce/data_stream/logout_rest/fields/fields.yml
@@ -0,0 +1,60 @@
+- name: salesforce
+ type: group
+ fields:
+ - name: instance_url
+ type: keyword
+ description: The Instance URL of the Salesforce instance.
+ - name: logout
+ type: group
+ fields:
+ - name: access_mode
+ type: keyword
+ description: Mode of Salesforce API from which the event is collected.
+ - name: api
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: The type of Salesforce API request.
+ - name: version
+ type: keyword
+ description: The version of the Salesforce API that's being used.
+ - name: app_type
+ type: keyword
+ description: The application type that was in use upon logging out.
+ - name: browser_type
+ type: keyword
+ description: The identifier string returned by the browser used at login.
+ - name: client_version
+ type: keyword
+ description: The version of the client that was in use upon logging out.
+ - name: event_type
+ type: keyword
+ description: The type of event. The value is always Logout.
+ - name: login_key
+ type: keyword
+ description: The string that ties together all events in a given user's logout session. It starts with a login event and ends with either a logout event or the user session expiring.
+ - name: organization_id
+ type: keyword
+ description: The 15-character ID of the organization.
+ - name: platform_type
+ type: keyword
+ description: The code for the client platform. If a timeout caused the logout, this field is null.
+ - name: resolution_type
+ type: keyword
+ description: TThe screen resolution of the client. If a timeout caused the logout, this field is null.
+ - name: session
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ description: The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session).
+ - name: type
+ type: keyword
+ description: The session type that was used when logging out (e.g. API, Oauth2 or UI).
+ - name: user_id
+ type: keyword
+ description: The 15-character ID of the user who's using Salesforce services through the UI or the API.
+ - name: user_initiated_logout
+ type: keyword
+ description: The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. If the user's session timed out due to inactivity or another implicit logout action, the value is 0.
diff --git a/packages/salesforce/data_stream/logout_rest/manifest.yml b/packages/salesforce/data_stream/logout_rest/manifest.yml
new file mode 100644
index 00000000000..bbaa28038d8
--- /dev/null
+++ b/packages/salesforce/data_stream/logout_rest/manifest.yml
@@ -0,0 +1,40 @@
+type: logs
+title: Salesforce logout logs
+streams:
+ - input: httpjson
+ vars:
+ - name: period
+ type: text
+ title: Period
+ description: Period of fetching logs, i.e. 1s/1m/1h.
+ multi: false
+ required: true
+ show_user: false
+ default: 1h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - salesforce-logout_rest
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ template_path: httpjson.yml.hbs
+ title: Salesforce Logout logs
+ description: Collect Salesforce Logout logs.
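Review bot: The `resolution_type` description in this fields.yml reads `TThe screen resolution of the client.` — a doubled T that will be published into the generated field reference. The `browser_type` description says `used at login` although this is the logout stream's field; `The identifier string returned by the browser used at logout.` matches its siblings. `user_initiated_logout` is typed `keyword` while its description promises the values 1 and 0, which matches what the pipeline emits (`"1"` in the expected output), so either say so (`Stored as the string "1" or "0".`) or convert it to a boolean in the pipeline; the description's wording about a Logout button is Salesforce's, not something I can verify here. The hunk begins on the previous physical line.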
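Review bot: The stream `title` at the bottom of manifest.yml is `Salesforce Logout logs` while the top-level `title` is `Salesforce logout logs`; pick one capitalization for both, with the login_rest manifest (not in this diff) as the tie-breaker. In the `period` description, `i.e. 1s/1m/1h` introduces examples rather than a definition, so `e.g. 1s/1m/1h` is the wording that reads correctly.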
diff --git a/packages/salesforce/data_stream/logout_rest/sample_event.json b/packages/salesforce/data_stream/logout_rest/sample_event.json new file mode 100644 index 00000000000..a8b18db97a3 --- /dev/null +++ b/packages/salesforce/data_stream/logout_rest/sample_event.json 
@@ -0,0 +1,96 @@ +{ + "@timestamp": "2022-11-22T07:37:25.779Z", + "agent": { + "ephemeral_id": "49171880-184e-4712-bef1-97619368d729", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "data_stream": { + "dataset": "salesforce.logout_rest", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.5.0" + }, + "elastic_agent": { + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "logout", + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "code": "4exLFFQZ1234xFl1cJNwOV", + "created": "2022-12-15T10:29:49.953Z", + "dataset": "salesforce.logout_rest", + "ingested": "2022-12-15T10:29:53Z", + "kind": "event", + "module": "salesforce", + "original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"54.0\",\"APP_TYPE\":\"1000\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"CLIENT_IP\":\"81.2.69.142\",\"CLIENT_VERSION\":\"9998\",\"EVENT_TYPE\":\"Logout\",\"LOGIN_KEY\":\"Obv9123BzbaxqCo1\",\"ORGANIZATION_ID\":\"00D5j001234VI3n\",\"PLATFORM_TYPE\":\"1015\",\"REQUEST_ID\":\"4exLFFQZ1234xFl1cJNwOV\",\"RESOLUTION_TYPE\":\"9999\",\"SESSION_KEY\":\"WvtsJ1235oW24EbH\",\"SESSION_LEVEL\":\"1\",\"SESSION_TYPE\":\"O\",\"TIMESTAMP\":\"20221122073725.779\",\"TIMESTAMP_DERIVED\":\"2022-11-22T07:37:25.779Z\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_INITIATED_LOGOUT\":\"0\",\"USER_TYPE\":\"S\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "81.2.69.142" + ] + }, + "salesforce": { + "instance_url": "http://elastic-package-service_salesforce_1:8010", + "logout": { + "access_mode": "REST", + "api": { + "type": "Feed", + "version": "54.0" + }, + "app_type": "Application", + "browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", + "client_version": "9998", + "event_type": "Logout", + "login_key": "Obv9123BzbaxqCo1", + "organization_id": "00D5j001234VI3n", + "platform_type": "Windows 10", + "resolution_type": "9999", + "session": { + "level": "Standard Session", + "type": "Oauth2" + }, + "user_id": "0055j000000utlP", + "user_initiated_logout": "0" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "salesforce-logout_rest", + "forwarded" + ], + "user": { + "id": "0055j000000utlPAAQ", + "roles": "Standard" + } +} \ No newline at end of file diff --git a/packages/salesforce/docs/README.md b/packages/salesforce/docs/README.md index d719205417f..dc6e92ba823 100644 --- a/packages/salesforce/docs/README.md +++ b/packages/salesforce/docs/README.md 
@@ -16,10 +16,11 @@ As an example, you can use the data from this integration to understand the acti The Salesforce integration collects log events using the REST API of Salesforce. **Logs** help you keep a record of events happening in Salesforce. -Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm). +Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm), and [Logout](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm). Data streams: - `login_rest`: Tracks login activity of users who log in to Salesforce. +- `logout_rest`: Tracks logout activity of users who logout from Salesforce. ## Compatibility @@ -31,7 +32,7 @@ In order to find out the Salesforce version of your Instance, see below: 2. An alternative way to find out the version of Salesforce is by hitting the following URL: - Format: (Salesforce Instance URL)/services/data - - Example: https://elastic1234-dev-ed.my.salesforce.com/services/data + - Example: `https://na9.salesforce.com/services/data` Example response: ```xml 
@@ -78,11 +79,11 @@ You need the following information from your Salesforce instance to configure th The instance your Salesforce Organization uses is indicated in the URL of your browser's address bar in Salesforce Classic. The value before 'salesforce.com' is your Salesforce Instance. -Example URL: https://na9.salesforce.com/home/home.jsp +Example URL: `https://na9.salesforce.com/home/home.jsp` In the above example, the value before 'salesforce.com' is your Salesforce Instance. In this example, the Salesforce Organization is located on NA9. -The Salesforce Instance URL is: https://na9.salesforce.com +The Salesforce Instance URL is: `https://na9.salesforce.com` In Salesforce Lightning, it is available under the user name in the “View Profile” tab. @@ -170,8 +171,8 @@ An example event for `login_rest` looks as following: { "@timestamp": "2022-11-22T04:46:15.591Z", "agent": { - "ephemeral_id": "ce504617-c797-4257-845c-f1d8f57cc9bd", - "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0", + "ephemeral_id": "7091b66c-e647-42f9-9c3e-d0753552a291", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.4.1" @@ -182,10 +183,10 @@ An example event for `login_rest` looks as following: "type": "logs" }, "ecs": { - "version": "8.4.0" + "version": "8.5.0" }, "elastic_agent": { - "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", "snapshot": false, "version": "8.4.1" }, 
@@ -195,9 +196,9 @@ An example event for `login_rest` looks as following: "category": [ "authentication" ], - "created": "2022-11-29T07:28:46.257Z", + "created": "2022-12-15T10:29:06.958Z", "dataset": "salesforce.login_rest", - "ingested": "2022-11-29T07:28:50Z", + "ingested": "2022-12-15T10:29:10Z", "kind": "event", "module": "salesforce", "original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"9998.0\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36\",\"CIPHER_SUITE\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"CLIENT_IP\":\"81.2.69.142\",\"CPU_TIME\":\"30\",\"DB_TOTAL_TIME\":\"52435102\",\"EVENT_TYPE\":\"Login\",\"LOGIN_KEY\":\"QfNecrLXSII6fsBq\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"REQUEST_ID\":\"4ehU_U-nbQyAPFl1cJILm-\",\"REQUEST_STATUS\":\"Success\",\"RUN_TIME\":\"83\",\"SESSION_KEY\":\"\",\"SOURCE_IP\":\"81.2.69.142\",\"TIMESTAMP\":\"20221122044615.591\",\"TIMESTAMP_DERIVED\":\"2022-11-22T04:46:15.591Z\",\"TLS_PROTOCOL\":\"TLSv1.2\",\"URI\":\"/index.jsp\",\"URI_ID_DERIVED\":\"s4heK3WbH-lcJIL3-n\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_NAME\":\"user@elastic.co\",\"USER_TYPE\":\"Standard\"}", @@ -218,7 +219,7 @@ An example event for `login_rest` looks as following: "salesforce": { "instance_url": "http://elastic-package-service_salesforce_1:8010", "login": { - "access_mode": "rest", + "access_mode": "REST", "api": { "type": "Feed", "version": "9998.0" 
@@ -330,3 +331,159 @@ An example event for `login_rest` looks as following: | user.roles | Array of user roles at the time of the event. | keyword | | | | user_agent.name | Name of the user agent. | keyword | | | + +### Logout Rest + +This is the `logout_rest` data stream. It represents events containing details about your organization's user logout history. + +An example event for `logout_rest` looks as following: + +```json +{ + "@timestamp": "2022-11-22T07:37:25.779Z", + "agent": { + "ephemeral_id": "49171880-184e-4712-bef1-97619368d729", + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.4.1" + }, + "data_stream": { + "dataset": "salesforce.logout_rest", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.5.0" + }, + "elastic_agent": { + "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97", + "snapshot": false, + "version": "8.4.1" + }, + "event": { + "action": "logout", + "agent_id_status": "verified", + "category": [ + "authentication" + ], + "code": "4exLFFQZ1234xFl1cJNwOV", + "created": "2022-12-15T10:29:49.953Z", + "dataset": "salesforce.logout_rest", + "ingested": "2022-12-15T10:29:53Z", + "kind": "event", + "module": "salesforce", + "original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"54.0\",\"APP_TYPE\":\"1000\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 
Safari/537.36\",\"CLIENT_IP\":\"81.2.69.142\",\"CLIENT_VERSION\":\"9998\",\"EVENT_TYPE\":\"Logout\",\"LOGIN_KEY\":\"Obv9123BzbaxqCo1\",\"ORGANIZATION_ID\":\"00D5j001234VI3n\",\"PLATFORM_TYPE\":\"1015\",\"REQUEST_ID\":\"4exLFFQZ1234xFl1cJNwOV\",\"RESOLUTION_TYPE\":\"9999\",\"SESSION_KEY\":\"WvtsJ1235oW24EbH\",\"SESSION_LEVEL\":\"1\",\"SESSION_TYPE\":\"O\",\"TIMESTAMP\":\"20221122073725.779\",\"TIMESTAMP_DERIVED\":\"2022-11-22T07:37:25.779Z\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_INITIATED_LOGOUT\":\"0\",\"USER_TYPE\":\"S\"}", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "related": { + "ip": [ + "81.2.69.142" + ] + }, + "salesforce": { + "instance_url": "http://elastic-package-service_salesforce_1:8010", + "logout": { + "access_mode": "REST", + "api": { + "type": "Feed", + "version": "54.0" + }, + "app_type": "Application", + "browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36", + "client_version": "9998", + "event_type": "Logout", + "login_key": "Obv9123BzbaxqCo1", + "organization_id": "00D5j001234VI3n", + "platform_type": "Windows 10", + "resolution_type": "9999", + "session": { + "level": "Standard Session", + "type": "Oauth2" + }, + "user_id": "0055j000000utlP", + "user_initiated_logout": "0" + } + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "salesforce-logout_rest", + "forwarded" + ], + "user": { + "id": "0055j000000utlPAAQ", + "roles": "Standard" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| input.type | Input type. | keyword | +| related.ip | All of the IPs seen on your event. 
| ip | +| salesforce.instance_url | The Instance URL of the Salesforce instance. | keyword | +| salesforce.logout.access_mode | Mode of Salesforce API from which the event is collected. | keyword | +| salesforce.logout.api.type | The type of Salesforce API request. | keyword | +| salesforce.logout.api.version | The version of the Salesforce API that's being used. | keyword | +| salesforce.logout.app_type | The application type that was in use upon logging out. | keyword | +| salesforce.logout.browser_type | The identifier string returned by the browser used at login. | keyword | +| salesforce.logout.client_version | The version of the client that was in use upon logging out. | keyword | +| salesforce.logout.event_type | The type of event. The value is always Logout. | keyword | +| salesforce.logout.login_key | The string that ties together all events in a given user's logout session. It starts with a login event and ends with either a logout event or the user session expiring. | keyword | +| salesforce.logout.organization_id | The 15-character ID of the organization. | keyword | +| salesforce.logout.platform_type | The code for the client platform. If a timeout caused the logout, this field is null. | keyword | +| salesforce.logout.resolution_type | TThe screen resolution of the client. If a timeout caused the logout, this field is null. | keyword | +| salesforce.logout.session.level | The security level of the session that was used when logging out (e.g. Standard Session or High-Assurance Session). | keyword | +| salesforce.logout.session.type | The session type that was used when logging out (e.g. API, Oauth2 or UI). | keyword | +| salesforce.logout.user_id | The 15-character ID of the user who's using Salesforce services through the UI or the API. | keyword | +| salesforce.logout.user_initiated_logout | The value is 1 if the user intentionally logged out of the organization by clicking the Logout button. 
If the user's session timed out due to inactivity or another implicit logout action, the value is 0. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.roles | Array of user roles at the time of the event. | keyword | + diff --git a/packages/salesforce/img/salesforce-logout.png b/packages/salesforce/img/salesforce-logout.png new file mode 100644 index 00000000000..2f7b931ebf3 Binary files /dev/null and b/packages/salesforce/img/salesforce-logout.png differ diff --git a/packages/salesforce/kibana/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10-pkg.json b/packages/salesforce/kibana/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10-pkg.json new file mode 100644 index 00000000000..064190c7fb6 --- /dev/null +++ b/packages/salesforce/kibana/dashboard/salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10-pkg.json 
@@ -0,0 +1,717 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"e849ee36-e98b-4e7c-bb77-4e65eb6b5010\":{\"order\":0,\"width\":\"large\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Instance URL\",\"fieldName\":\"salesforce.instance_url\",\"id\":\"e849ee36-e98b-4e7c-bb77-4e65eb6b5010\",\"enhancements\":{}}}}" + }, + "description": "Logout EventLogFile Data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8a47b6d2-1dbb-4988-a641-8f88c4afa23e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8a47b6d2-1dbb-4988-a641-8f88c4afa23e": { + "columnOrder": [ + "3813595f-613d-448b-a776-c8c2a0030e79", + "3813595f-613d-448b-a776-c8c2a0030e79X0", + "3813595f-613d-448b-a776-c8c2a0030e79X1", + "3813595f-613d-448b-a776-c8c2a0030e79X2" + ], + "columns": { + "3813595f-613d-448b-a776-c8c2a0030e79": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "User initiated logout", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + }, + "formula": "count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "isFormulaBroken": false + }, + "references": [ + "3813595f-613d-448b-a776-c8c2a0030e79X2" + ], + "scale": "ratio" + }, + "3813595f-613d-448b-a776-c8c2a0030e79X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": 
"kuery", + "query": "salesforce.logout.user_initiated_logout : \"1\" " + }, + "isBucketed": false, + "label": "Part of User initiated logout", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3813595f-613d-448b-a776-c8c2a0030e79X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of User initiated logout", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3813595f-613d-448b-a776-c8c2a0030e79X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of User initiated logout", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "3813595f-613d-448b-a776-c8c2a0030e79X0", + "3813595f-613d-448b-a776-c8c2a0030e79X1" + ], + "location": { + "max": 67, + "min": 0 + }, + "name": "divide", + "text": "count(kql='salesforce.logout.user_initiated_logout : \"1\" ')/count()", + "type": "function" + } + }, + "references": [ + "3813595f-613d-448b-a776-c8c2a0030e79X0", + "3813595f-613d-448b-a776-c8c2a0030e79X1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset : salesforce.logout*" + }, + "visualization": { + "accessor": "3813595f-613d-448b-a776-c8c2a0030e79", + "colorMode": "None", + "layerId": "8a47b6d2-1dbb-4988-a641-8f88c4afa23e", + "layerType": "data", + "size": "l", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "ed7da063-bcce-4f03-a2f8-5f5e61679c94", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "ed7da063-bcce-4f03-a2f8-5f5e61679c94", + "title": "Percentage of user initiated logout [Logs Salesforce]", + "type": "lens", + "version": "8.4.1" + }, + { + 
"embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "emptyAsNull": false + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "excludeIsRegex": true, + "field": "salesforce.logout.session.level", + "includeIsRegex": true, + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset : salesforce.logout*" + } + } + }, + "description": "", + "params": { + "addTooltip": true, + "distinctColors": false, + "emptySizeRatio": 0.3, + "isDonut": false, + "labels": { + "last_level": false, + "percentDecimals": 2, + "position": "default", + "show": true, + "truncate": 100, + "values": true, + "valuesFormat": "value" + }, + "legendDisplay": "hide", + "legendPosition": "right", + "legendSize": "auto", + "maxLegendLines": 1, + "nestedLegend": false, + "palette": { + "name": "default", + "type": "palette" + }, + "truncateLegend": true, + "type": "pie" + }, + "type": "pie", + "uiState": { + "vis": { + "legendOpen": false + } + } + } + }, + "gridData": { + "h": 10, + "i": "c0f53cb0-650d-49ae-8b35-82dcf9dab321", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "c0f53cb0-650d-49ae-8b35-82dcf9dab321", + "title": "Session levels used while logging out [Logs Salesforce]", + "type": "visualization", + "version": "8.4.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9c3c8ad-43ed-4058-ad02-3ad64efc5e8f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + 
"c9c3c8ad-43ed-4058-ad02-3ad64efc5e8f": { + "columnOrder": [ + "1046a81f-b268-4875-99c0-4130514d6828", + "92cb6b38-00c1-4c8b-b59f-0dbf9a1f760e" + ], + "columns": { + "1046a81f-b268-4875-99c0-4130514d6828": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "92cb6b38-00c1-4c8b-b59f-0dbf9a1f760e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset: salesforce.logout*" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "92cb6b38-00c1-4c8b-b59f-0dbf9a1f760e" + ], + "layerId": "c9c3c8ad-43ed-4058-ad02-3ad64efc5e8f", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "1046a81f-b268-4875-99c0-4130514d6828", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "92cb6b38-00c1-4c8b-b59f-0dbf9a1f760e" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": 
true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "e0bbbc54-6b58-4290-bf0c-2197bacc9d57", + "w": 48, + "x": 0, + "y": 10 + }, + "panelIndex": "e0bbbc54-6b58-4290-bf0c-2197bacc9d57", + "title": "Logout over time [Logs Salesforce]", + "type": "lens", + "version": "8.4.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-53b4bc18-a6f2-4d8b-bf4b-24f553673f92", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "53b4bc18-a6f2-4d8b-bf4b-24f553673f92": { + "columnOrder": [ + "cccd83a1-7155-4483-a770-f84c41825e42", + "19b9fe7e-d3f1-40b7-a9b8-762233a8ba30" + ], + "columns": { + "19b9fe7e-d3f1-40b7-a9b8-762233a8ba30": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "cccd83a1-7155-4483-a770-f84c41825e42": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of salesforce.logout.session.type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "19b9fe7e-d3f1-40b7-a9b8-762233a8ba30", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "salesforce.logout.session.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset: salesforce.logout*" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "cccd83a1-7155-4483-a770-f84c41825e42" + ], + "layerId": 
"53b4bc18-a6f2-4d8b-bf4b-24f553673f92", + "layerType": "data", + "legendDisplay": "default", + "metric": "19b9fe7e-d3f1-40b7-a9b8-762233a8ba30", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b01bd690-ed72-4ca8-9b6f-9c81d338ccee", + "w": 24, + "x": 0, + "y": 23 + }, + "panelIndex": "b01bd690-ed72-4ca8-9b6f-9c81d338ccee", + "title": "Distribution of session types [Logs Salesforce]", + "type": "lens", + "version": "8.4.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6f7f9e3-33f9-40c4-8b8b-4196caa3e8db", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b6f7f9e3-33f9-40c4-8b8b-4196caa3e8db": { + "columnOrder": [ + "d114db82-acd6-425c-b1fb-de8156d1cfc7", + "770749c7-20ab-47fd-b783-0b8d41bcf2f1" + ], + "columns": { + "770749c7-20ab-47fd-b783-0b8d41bcf2f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Request count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d114db82-acd6-425c-b1fb-de8156d1cfc7": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP Addresses", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "770749c7-20ab-47fd-b783-0b8d41bcf2f1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset: salesforce.logout*" + }, + 
"visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "770749c7-20ab-47fd-b783-0b8d41bcf2f1"
+ ],
+ "layerId": "b6f7f9e3-33f9-40c4-8b8b-4196caa3e8db",
+ "layerType": "data",
+ "seriesType": "bar_horizontal",
+ "xAccessor": "d114db82-acd6-425c-b1fb-de8156d1cfc7"
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "position": "right"
+ },
+ "preferredSeriesType": "bar_horizontal",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "aa5b3dcc-cf05-47d1-9e8f-7619950d6de1",
+ "w": 24,
+ "x": 24,
+ "y": 23
+ },
+ "panelIndex": "aa5b3dcc-cf05-47d1-9e8f-7619950d6de1",
+ "title": "Top 10 IP addresses by Logout request count [Logs Salesforce]",
+ "type": "lens",
+ "version": "8.4.1"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "description": "",
+ "layerListJSON": "[{\"locale\":\"autoselect\",\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"3de98652-8d42-4415-91ca-d64b26bb6972\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"EMS_VECTOR_TILE\",\"color\":\"\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"source.geo.location\",\"scalingType\":\"MVT\",\"id\":\"6d0ed8a8-d5de-4d2e-9e05-0fd4b7dc2384\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"filterByMapBounds\":true,\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"546e11d2-db52-457b-8733-e1ee75c51fd8\",\"label\":\"Logout Activity\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelZoomRange\":{\"options\":{\"useLayerZoomRange\":true,\"minZoom\":0,\"maxZoom\":24}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"includeInFitToBounds\":true,\"type\":\"MVT_VECTOR\",\"joins\":[]}]",
+ "mapStateJSON": "{\"zoom\":0,\"center\":{\"lon\":-42.96266,\"lat\":2.46018},\"timeFilters\":{\"from\":\"now-7d/d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":900000},\"query\":{\"query\":\"event.dataset: salesforce.logout* \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}",
+ "title": "",
+ "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
+ },
+ "enhancements": {},
+ "hiddenLayers": [],
+ "hidePanelTitles": false,
+ "isLayerTOCOpen": true,
+ "mapBuffer": {
+ "maxLat": 89.99075,
+ "maxLon": 540,
+ "minLat": -85.05113,
+ "minLon": -540
+ },
+ "mapCenter": {
+ "lat": 40.44695,
+ "lon": -42.96266,
+ "zoom": 0
+ },
+ "openTOCDetails": []
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f6c9b613-b31a-4ba9-ad94-188afa349528",
+ "w": 48,
+ "x": 0,
+ "y": 38
+ },
+ "panelIndex": "f6c9b613-b31a-4ba9-ad94-188afa349528",
+ "title": "Logout activity by region [Logs Salesforce]",
+ "type": "map",
+ "version": "8.4.1"
+ }
+ ],
+ "refreshInterval": {
+ "pause": true,
+ "value": 0
+ },
+ "timeFrom": "now-7d/d",
+ "timeRestore": true,
+ "timeTo": "now",
+ "title": "[Logs Salesforce] Logout Dashboard",
+ "version": 1
+ },
+ "coreMigrationVersion": "8.4.1",
+ "id": "salesforce-6c750440-5749-11ec-8f0b-05e8b06e1b10-pkg",
+ "migrationVersion": {
+ "dashboard": "8.4.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "ed7da063-bcce-4f03-a2f8-5f5e61679c94:indexpattern-datasource-layer-8a47b6d2-1dbb-4988-a641-8f88c4afa23e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c0f53cb0-650d-49ae-8b35-82dcf9dab321:kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e0bbbc54-6b58-4290-bf0c-2197bacc9d57:indexpattern-datasource-layer-c9c3c8ad-43ed-4058-ad02-3ad64efc5e8f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b01bd690-ed72-4ca8-9b6f-9c81d338ccee:indexpattern-datasource-layer-53b4bc18-a6f2-4d8b-bf4b-24f553673f92",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "aa5b3dcc-cf05-47d1-9e8f-7619950d6de1:indexpattern-datasource-layer-b6f7f9e3-33f9-40c4-8b8b-4196caa3e8db",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f6c9b613-b31a-4ba9-ad94-188afa349528:layer_1_source_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_e849ee36-e98b-4e7c-bb77-4e65eb6b5010:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/salesforce/manifest.yml b/packages/salesforce/manifest.yml
index 0e1552012d4..93eeabc20f9 100644
--- a/packages/salesforce/manifest.yml
+++ b/packages/salesforce/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: salesforce
 title: Salesforce
-version: 0.1.0
+version: 0.2.0
 license: basic
 description: Collect logs from Salesforce with Elastic Agent.
 type: integration
@@ -14,6 +14,10 @@ screenshots: title: Salesforce Login Dashboard size: 1366x1912 type: image/png + - src: /img/salesforce-logout.png title: Salesforce Logout Dashboard size: 1366x1912 type: image/png icons: - src: /img/salesforce.svg title: Salesforce
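Review bot: The new screenshot entry in the second manifest.yml hunk carries `size: 1366x1912`, the same value as the existing login screenshot entry directly above it, which suggests the line was copied rather than taken from the new image. Please confirm the actual pixel dimensions of `/img/salesforce-logout.png` and, if they differ, change the line to `size: <actual width>x<actual height>`. This chunk also does not show the image file itself being added, so it is worth checking that the referenced path exists in the package before release.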
