elastic · kush-elastic · Apr 28, 2023 · Jan 5, 2023 · Jan 5, 2023 · Jan 11, 2023
@@ -13,13 +13,13 @@ As an example, users can use the data from this integration to understand the ac
 
 ## Data streams
 
-The Salesforce integration collects log events using the REST API of Salesforce.
+The Salesforce integration collects log events using the REST API and Streaming API of Salesforce.
 
 **Logs** help users to keep a record of events happening in Salesforce.
-Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm), [Logout](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm), [Apex](https://developer.salesforce.com/docs/atlas.en-us.238.0.object_reference.meta/object_reference/sforce_api_objects_apexclass.htm) and [SetupAuditTrail](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_setupaudittrail.htm).
+Log data streams collected by the Salesforce integration include [Login REST](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm), [Login Stream](https://developer.salesforce.com/docs/atlas.en-us.236.0.platform_events.meta/platform_events/sforce_api_objects_logineventstream.htm), [Logout REST](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm), [Apex](https://developer.salesforce.com/docs/atlas.en-us.238.0.object_reference.meta/object_reference/sforce_api_objects_apexclass.htm) and [SetupAuditTrail](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_setupaudittrail.htm).
 
 Data streams:
-- `login_rest`: Tracks login activity of users who log in to Salesforce.
+- `login_rest` and `login_stream`: Tracks login activity of users who log in to Salesforce.
 - `logout_rest`: Tracks logout activity of users who logout from Salesforce.
 - `apex`: Represents information about various Apex events like Callout, Execution, REST API, SOAP API, Trigger, etc.
 - `setupaudittrail`: Represents changes users made in the user's organization's Setup area for at least the last 180 days.
@@ -69,7 +69,20 @@ In the user's Salesforce instance, ensure that `API Enabled permission` is selec
 2. Click on the profile link associated with the `User Account` used for data collection.
 3. Search for `API Enabled` permission on the same page. In case it’s not present, search it under `System Permissions` and check if `API Enabled` privilege is selected. If not, enable it for data collection.
 
-## Set Up
+For collecting data using `Streaming API`:
+
+In the user's Salesforce instance, ensure that `View Real-Time Event Monitoring Data` is selected for the user profile. Follow the below steps to enable the same:
+
+1. Go to `Setup` > `Quick Find` > `Users`, and Click on `Users`.
+2. Click on the profile link associated with the `User Account` used for data collection.
+3. Search for `View Real-Time Event Monitoring Data` permission on the same page. In case it’s not present, search it under `System Permissions` and check if `View Real-Time Event Monitoring Data` privilege is selected. If not, enable it for data collection.
+
+Also ensure that `Event Streaming` is enabled for `Login Event` and `Logout Event`. Follow the below steps to enable the same: 
+
+1. Go to `Setup` > `Quick Find` > `Event Manager`, and Click on `Event Manager`.
+2. For `Login Event` and `Logout Event` click on the down arrow button on the left corner and select `Enable Streaming`.
+
+## Setup
 
 For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
 
@@ -179,6 +192,14 @@ This is the `login_rest` data stream. It represents events containing details ab
 
 {{fields "login_rest"}}
 
+### Login Stream
+
+This is the `login_stream` data stream. It represents events containing details about the user's organization's login history.
+
+{{event "login_stream"}}
+
+{{fields "login_stream"}}
+
 ### Logout Rest
 
 This is the `logout_rest` data stream. It represents events containing details about the user's organization's logout history.

@@ -5,7 +5,7 @@ rules:
       - status_code: 200
         headers:
           content-type: ['application/json']
-        body: '{"access_token":"access_token","instance_url":"https://temporary-intance-url","id":"https://login.salesforce.com/id/temp_id/temp_token","token_type":"Bearer","issued_at":"1633689089545","signature":"signature"}'
+        body: '{"access_token":"access_token","instance_url":"http://{{ hostname }}:{{ env "PORT" }}","id":"https://login.salesforce.com/id/temp_id/temp_token","token_type":"Bearer","issued_at":"1633689089545","signature":"signature"}'
   - path: /services/data/v54.0/query
     methods: ["GET"]
     query_params:
@@ -69,3 +69,43 @@ rules:
         body: |-
           "EVENT_TYPE","TIMESTAMP","REQUEST_ID","ORGANIZATION_ID","USER_ID","RUN_TIME","CPU_TIME","URI","SESSION_KEY","LOGIN_KEY","TYPE","METHOD","SUCCESS","TIME","REQUEST_SIZE","RESPONSE_SIZE","URL","TIMESTAMP_DERIVED","USER_ID_DERIVED","CLIENT_IP","URI_ID_DERIVED"
           "ApexCallout","20221122044615.591","4exLFFQZ1234xFl1cJNwOV","00D5j000000001V","0055j0000000001","1305","10","CALLOUT-LOG","WvtsJ1235oW24EbH","Obv9123BzbaxqCo1","OData","GET","1","1293","10","256","https://temp.sh/odata/Accounts","2022-11-22T04:46:15.591Z","0055j012345utlPAAQ","81.2.69.142","0055j000000utlPAQZB"
+  - path: /cometd/38.0
+    methods: ["POST"]
+    request_body: '{"channel": "/meta/handshake", "supportedConnectionTypes": ["long-polling"], "version": "1.0"}'
+    responses:
+      - status_code: 200
+        body: |
+          [{"ext":{"replay":true,"payload.format":true},"minimumVersion":"1.0","clientId":"temp_client_id","supportedConnectionTypes":["long-polling"],"channel":"/meta/handshake","version":"1.0","successful":true}]
+  - path: /cometd/38.0
+    methods: ["POST"]
+    request_body: '{"channel": "/meta/connect", "connectionType": "long-polling", "clientId": "temp_client_id"} '
+    responses:
+      - status_code: 200
+        body: |
+          [{"data": {"payload": { "EventDate": "2022-12-28T11:47:22Z", "AuthServiceId": "06af6d92deqFAwqDaS", "CountryIso": "IN", "Platform": "Unknown", "EvaluationTime": 0.0, "CipherSuite": "ECDHE-RSA-AES256-GCM-SHA384", "PostalCode": "395007", "ClientVersion": "N/A", "LoginGeoId": "04F5j00000FadrI", "LoginUrl": "login.salesforce.com", "LoginHistoryId": "0Ya5j00000GLxCdCAL", "CreatedById": "0055j000000q9s7AAA", "SessionKey": "vMASKIU6AxEr+Op5", "ApiType": "N/A", "AuthMethodReference": "RFC 8176", "LoginType": "Remote Access 2.0", "PolicyOutcome": "Notified", "Status": "Success", "AdditionalInfo": "{}", "ApiVersion": "N/A", "EventIdentifier": "06af6d92-1167-467d-a826-ee8583f7134d", "RelatedEventIdentifier": "bd76f3e7-9ee5-4400-9e7f-54de57ecd79c", "LoginLatitude": 21.1888, "City": "Surat", "Subdivision": "Gujarat", "SourceIp": "81.2.69.142", "Username": "user@elastic.co", "UserId": "0055j000000utlPAAQ", "CreatedDate": "2022-12-28T11:47:30Z", "Country": "India", "LoginLongitude": 72.8293, "TlsProtocol": "TLS 1.2", "LoginKey": "o3vhFaSRBb0OzpCl", "Application": "elastic integration", "UserType": "Standard", "PolicyId": "0NIB000000000KOOAY", "HttpMethod": "POST", "SessionLevel": "STANDARD", "Browser": "Unknown" }, "event": {"replayId":1234}}, "channel": "/event/LoginEventStream"}]
+  - path: /cometd/38.0
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        body: |
+          [{"clientId": "temp_client_id", "channel": "/meta/subscribe", "subscription": "/event/LoginEventStream", "successful":true}]
+  - path: /cometd/38.0
+    methods: ["POST"]
+    request_body: '{"channel": "/meta/handshake", "supportedConnectionTypes": ["long-polling"], "version": "1.0"}'
+    responses:
+      - status_code: 200
+        body: |
+          [{"ext":{"replay":true,"payload.format":true},"minimumVersion":"1.0","clientId":"temp_client_id_1","supportedConnectionTypes":["long-polling"],"channel":"/meta/handshake","version":"1.0","successful":true}]
+  - path: /cometd/38.0
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        body: |
+          [{"clientId": "temp_client_id_1", "channel": "/meta/subscribe", "subscription": "/event/LogoutEventStream", "successful":true}]
+  - path: /cometd/38.0
+    methods: ["POST"]
+    request_body: '{"channel": "/meta/connect", "connectionType": "long-polling", "clientId": "temp_client_id_1"} '
+    responses:
+      - status_code: 200
+        body: |
+          [{ "data": { "schema": "KvR3_Gn5cwCA8TYgASeP_A", "payload": { "EventDate": "2022-12-29T11:38:54Z", "EventIdentifier": "06ce4a9d-8d6b-4a71-aad8-04d28c9a43df", "SourceIp": "81.2.69.142", "CreatedById": "0055j000000q9s7AAA", "Username": "user@elastic.co", "UserId": "0055j000000utlPAAQ", "RelatedEventIdentifier": null, "SessionKey": "6/HAElgoPCwskqBU", "CreatedDate": "2022-12-29T11:38:54Z", "LoginKey": "CuRVtbMjat6xxbTH", "SessionLevel": "STANDARD" }, "event": { "replayId": 14168970 } }, "channel": "/event/LogoutEventStream" }]
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.6.0
+  changes:
+    - description: Salesforce integration package with "login_stream" data stream.
+      link: https://github.com/elastic/integrations/pull/4941
+      type: enhancement
 - version: 0.5.0
   changes:
     - description: Migrate visualizations to lens.

@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
@@ -0,0 +1 @@
+{ "EventDate": "2022-12-28T11:47:22Z", "AuthServiceId": "06af6d92deqFAwqDaS", "CountryIso": "IN", "Platform": "Unknown", "EvaluationTime": 0.0, "CipherSuite": "ECDHE-RSA-AES256-GCM-SHA384", "PostalCode": "395007", "ClientVersion": "N/A", "LoginGeoId": "04F5j00000FadrI", "LoginUrl": "login.salesforce.com", "LoginHistoryId": "0Ya5j00000GLxCdCAL", "CreatedById": "0055j000000q9s7AAA", "SessionKey": "vMASKIU6AxEr+Op5", "ApiType": "N/A", "AuthMethodReference": "RFC 8176", "LoginType": "Remote Access 2.0", "PolicyOutcome": "Notified", "Status": "Success", "AdditionalInfo": "{}", "ApiVersion": "N/A", "EventIdentifier": "06af6d92-1167-467d-a826-ee8583f7134d", "RelatedEventIdentifier": "bd76f3e7-9ee5-4400-9e7f-54de57ecd79c", "LoginLatitude": 21.1888, "City": "Surat", "Subdivision": "Gujarat", "SourceIp": "81.2.69.142", "Username": "user@elastic.co", "UserId": "0055j000000utlPAAQ", "CreatedDate": "2022-12-28T11:47:30Z", "Country": "India", "LoginLongitude": 72.8293, "TlsProtocol": "TLS 1.2", "LoginKey": "o3vhFaSRBb0OzpCl", "Application": "elastic integration", "UserType": "Standard", "PolicyId": "0NIB000000000KOOAY", "HttpMethod": "POST", "SessionLevel": "STANDARD", "Browser": "Unknown" }
@@ -0,0 +1,100 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-12-28T11:47:22.000Z",
+            "ecs": {
+                "version": "8.5.0"
+            },
+            "event": {
+                "action": "login-attempt",
+                "category": [
+                    "authentication"
+                ],
+                "created": "2022-12-28T11:47:30.000Z",
+                "dataset": "salesforce.login_stream",
+                "id": "06af6d92-1167-467d-a826-ee8583f7134d",
+                "kind": "event",
+                "module": "salesforce",
+                "original": "{ \"EventDate\": \"2022-12-28T11:47:22Z\", \"AuthServiceId\": \"06af6d92deqFAwqDaS\", \"CountryIso\": \"IN\", \"Platform\": \"Unknown\", \"EvaluationTime\": 0.0, \"CipherSuite\": \"ECDHE-RSA-AES256-GCM-SHA384\", \"PostalCode\": \"395007\", \"ClientVersion\": \"N/A\", \"LoginGeoId\": \"04F5j00000FadrI\", \"LoginUrl\": \"login.salesforce.com\", \"LoginHistoryId\": \"0Ya5j00000GLxCdCAL\", \"CreatedById\": \"0055j000000q9s7AAA\", \"SessionKey\": \"vMASKIU6AxEr+Op5\", \"ApiType\": \"N/A\", \"AuthMethodReference\": \"RFC 8176\", \"LoginType\": \"Remote Access 2.0\", \"PolicyOutcome\": \"Notified\", \"Status\": \"Success\", \"AdditionalInfo\": \"{}\", \"ApiVersion\": \"N/A\", \"EventIdentifier\": \"06af6d92-1167-467d-a826-ee8583f7134d\", \"RelatedEventIdentifier\": \"bd76f3e7-9ee5-4400-9e7f-54de57ecd79c\", \"LoginLatitude\": 21.1888, \"City\": \"Surat\", \"Subdivision\": \"Gujarat\", \"SourceIp\": \"81.2.69.142\", \"Username\": \"user@elastic.co\", \"UserId\": \"0055j000000utlPAAQ\", \"CreatedDate\": \"2022-12-28T11:47:30Z\", \"Country\": \"India\", \"LoginLongitude\": 72.8293, \"TlsProtocol\": \"TLS 1.2\", \"LoginKey\": \"o3vhFaSRBb0OzpCl\", \"Application\": \"elastic integration\", \"UserType\": \"Standard\", \"PolicyId\": \"0NIB000000000KOOAY\", \"HttpMethod\": \"POST\", \"SessionLevel\": \"STANDARD\", \"Browser\": \"Unknown\" }",
+                "outcome": "success",
+                "type": [
+                    "info"
+                ],
+                "url": "login.salesforce.com"
+            },
+            "http": {
+                "request": {
+                    "body": {
+                        "content": "{}"
+                    },
+                    "method": "POST"
+                }
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.142"
+                ]
+            },
+            "salesforce": {
+                "login": {
+                    "access_mode": "Stream",
+                    "api": {
+                        "type": "N/A",
+                        "version": "N/A"
+                    },
+                    "application": "elastic integration",
+                    "auth": {
+                        "method_reference": "RFC 8176",
+                        "service_id": "06af6d92deqFAwqDaS"
+                    },
+                    "client_version": "N/A",
+                    "evaluation_time": 0.0,
+                    "geo_id": "04F5j00000FadrI",
+                    "history_id": "0Ya5j00000GLxCdCAL",
+                    "key": "o3vhFaSRBb0OzpCl",
+                    "policy_id": "0NIB000000000KOOAY",
+                    "policy_outcome": "Notified",
+                    "related_event_identifier": "bd76f3e7-9ee5-4400-9e7f-54de57ecd79c",
+                    "session": {
+                        "key": "vMASKIU6AxEr+Op5",
+                        "level": "STANDARD"
+                    },
+                    "type": "Remote Access 2.0"
+                }
+            },
+            "source": {
+                "geo": {
+                    "city_name": "Surat",
+                    "country_iso_code": "IN",
+                    "country_name": "India",
+                    "location": {
+                        "lat": 21.1888,
+                        "lon": 72.8293
+                    },
+                    "postal_code": "395007",
+                    "region_name": "Gujarat"
+                },
+                "ip": "81.2.69.142"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "tls": {
+                "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
+                "version": "1.2",
+                "version_protocol": "TLS"
+            },
+            "user": {
+                "email": "user@elastic.co",
+                "id": "0055j000000utlPAAQ",
+                "roles": "Standard"
+            },
+            "user_agent": {
+                "name": "Unknown",
+                "os": {
+                    "platform": "Unknown"
+                }
+            }
+        }
+    ]
+}
@@ -0,0 +1,11 @@
+service: salesforce
+vars:
+  client_id: temp_client_id
+  client_secret: forty_characters_long_secret_key
+  username: temp_user
+  password: temp_password
+  token_url: http://{{Hostname}}:{{Port}}/services/oauth2/token
+input: cometd
+data_stream:
+  vars:
+    preserve_original_event: true
@@ -0,0 +1,27 @@
+type: cometd
+channel_name: /event/LoginEventStream
+auth.oauth2:
+  enabled: true
+  client.id: {{client_id}}
+  client.secret: {{client_secret}}
+  token_url: {{token_url}}
+  user: {{username}}
+  password: {{password}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_fields:
+    target: salesforce
+    fields:
+      instance_url: {{instance_url}}
+{{#if processors}}
+{{processors}}
+{{/if}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{ "EventDate": "2022-12-28T11:47:22Z", "AuthServiceId": "06af6d92deqFAwqDaS", "CountryIso": "IN", "Platform": "Unknown", "EvaluationTime": 0.0, "CipherSuite": "ECDHE-RSA-AES256-GCM-SHA384", "PostalCode": "395007", "ClientVersion": "N/A", "LoginGeoId": "04F5j00000FadrI", "LoginUrl": "login.salesforce.com", "LoginHistoryId": "0Ya5j00000GLxCdCAL", "CreatedById": "0055j000000q9s7AAA", "SessionKey": "vMASKIU6AxEr+Op5", "ApiType": "N/A", "AuthMethodReference": "RFC 8176", "LoginType": "Remote Access 2.0", "PolicyOutcome": "Notified", "Status": "Success", "AdditionalInfo": "{}", "ApiVersion": "N/A", "EventIdentifier": "06af6d92-1167-467d-a826-ee8583f7134d", "RelatedEventIdentifier": "bd76f3e7-9ee5-4400-9e7f-54de57ecd79c", "LoginLatitude": 21.1888, "City": "Surat", "Subdivision": "Gujarat", "SourceIp": "81.2.69.142", "Username": "user@elastic.co", "UserId": "0055j000000utlPAAQ", "CreatedDate": "2022-12-28T11:47:30Z", "Country": "India", "LoginLongitude": 72.8293, "TlsProtocol": "TLS 1.2", "LoginKey": "o3vhFaSRBb0OzpCl", "Application": "elastic integration", "UserType": "Standard", "PolicyId": "0NIB000000000KOOAY", "HttpMethod": "POST", "SessionLevel": "STANDARD", "Browser": "Unknown" }