Salesforce

Salesforce is a customer relationship management solution that gives a single, shared view of every customer.

Use Cases the Adapter Solves

The Salesforce adapter can be used for:

• User management - Review users’ statuses, permissions, and activity. identify gaps in offboarding users and in user access levels.
• Security management - Find misconfigurations that pose security and compliance risks.
• Cost optimization - Identify cost optimization opportunities.

Asset Types Fetched

• Devices, Users, All Application Extensions, Roles, Groups, Licenses, Activities, SaaS Applications, Accounts/Tenants, Application Resources, Application Settings, All Application Extensions, All Application Extension Instances, Admin Managed Extensions, Application Addons, User Initiated Extensions, Admin Managed Extension Instances, Application Addon Instances, Application Keys, User Initiated Extension Instances

Resources Required by Asset Type

The following connection parameters, advanced settings, permissions, and configurations are required to fetch each asset type.

Search by Asset Type to find the resources required for your specific needs.

💡

Note - General Required Permissions

The following permissions are required for specific connection parameters:

• The value supplied in Consumer Key must be associated with credentials that have permissions to fetch assets (see Authorization setup).

• The value supplied in User Name must have permissions to fetch assets (see [Manage API Access](http://Manage API Access)).

📘

Note - Advanced Settings

While some asset types don’t required specific advanced settings to fetch them, some of them have optional advanced settings for fetching specific data within these assets. See Advanced Settings for more information.

Additional Permissions

Permissions in Salesforce should be configured by the user in your organization with the System Administrator role in Salesforce.

To fetch all assets, the following permissions and actions are required:

• Salesforce user permissions (for more information, see Creating a User Profile):

  • Every permission from the General User section starting with the word "View" except for “View Encrypted Data”
  • Lightning Experience User
  • API Enabled
  • Manage IP addresses
  • Manage Login Access Policies
  • Manage Password Policies
  • Manage Profiles and Permissions Sets
  • Manage Roles
  • Manage Sandboxes
  • Manage Sharing
  • View All Profiles
  • View All Users
  • Apex REST Services
  • Manage Users
  • Manage Connected Apps
  • Modify Metadata Through Metadata API Functions
  • Customize Application
  • Is Single Sign-On Enabled

Enable Delegated Authentication in your Salesforce environment.

Fetching Application Settings and Licenses

To enable the fetch of Application Settings and Licenses assets, on your Salesforce console:

1. From the left hand menu, under ADMINISTRATION, expand the Users tab and select Permissions Sets.
2. Uncheck Access Salesforce.com only through a Salesforce.com API.

📘

Note

While to access Application Settings data you need to grant roles and/or permissions that include write capabilities, the adapter only actually reads from the application.

APIs

Axonius uses the Salesforce API.

Authentication Methods

To connect to the Salesforce adapter, choose between two authentication flows (both are relevant to all asset types):

• Client Credentials Flow
• Username-Password Flow

The required parameters are different for each flow.

Client Credentials Flow

Required Parameters

• Domain (required) - The full URL of the Salesforce server.
• Consumer Key (required) - A consumer key associated with a user account that has the Required Permissions to fetch assets.
• Consumer Secret (required) - A consumer secret associated with a consumer key.

To generate the Consumer Key and Consumer Secret parameters, follow these steps:

Creating a Connected Application

1. In Salesforce, in the Platform Tools menu, navigate to Apps > App Manager.

2. Click New Connected App.

3. Fill in the Connected App Name, API Name and Contact Email fields as you like.

4. Select the Enable OAuth Settings checkbox.

5. Under Selected OAuth Scopes section, select Full access (full) scope and click to add it.

6. If you are authenticating with Client Credentials flow:

   1. Select the Enable Client Credentials Flow checkbox.
   2. Click Save.

7. Add the user to the application:

   1. Navigate to Apps > App Manager.
   2. In the connected application’s drop-down, select Manage.
   3. Click Edit Policies.
   4. In the Client Credentials Flow section, select the user you want with the permissions to get the relevant data.
   5. Click Save.

   📘

   Note

   Selecting a user allows Salesforce to return access tokens on behalf of this user. The user must have the necessary API permission.

8. Click Save.

9. Navigate to Apps > App Manager.

10. Locate the app you just created. In its drop-down menu, select View.

11. In the app, click Manage Consumer Details.

12. For both the Consumer Key and Consumer Secret fields, click Copy to paste them into the corresponding fields in Axonius.

Username-Password Flow

Required Parameters

• User Name and Password - The credentials for a user account that has the Required Permissions to fetch assets.
• User Secret - The Salesforce security token associated with a user account to fetch assets. See Generating the User Secret.

To generate the User Name and Password parameters, follow these steps:

Creating a User Account

1. In Salesforce, navigate to Users > Users.

2. Click New User.

3. Fill in information for the new user, in the email field enter an email that you have access to.

4. Click Save.

5. Copy the user's username.

6. Set Password:

   1. Open the email you receive from Salesforce.
   2. Click Verify Account.
   3. Enter a password for the user.
   4. Copy the password. It's best practice for the password to contain 32 characters.
   5. Enter a security question and answer.
   6. Click Change Password.
      

7. Connect the new user to the user profile you created earlier:

   1. In Salesforce, from the Administration menu, navigate to Users > Users.
   2. Select the user you just created.
   3. From the User License drop-down list, select Salesforce.
   4. From the profile drop-down list, select the profile you created earlier.
   5. Click Save.

8. To verify that the user you created has the correct permissions, make sure it has access to the following URLs. There is no need to modify any of the configurations on these pages.

   • https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home
   • https://{account}.lightning.force.com/lightning/setup/SecuritySession/home
   • https://{account}.lightning.force.com/lightning/setup/SecurityPolicies/home
   • https://{account}.lightning.force.com/lightning/setup/LoginAccessPolicies/home
   • https://{account}.lightning.force.com/lightning/setup/IdentityVerification/home
   • https://{account}.lightning.force.com/lightning/setup/FileTypeSetting/home
   • https://{account}.lightning.force.com/lightning/setup/OrgDomain/home

Creating a User Profile

Configure a user profile so the user you create will have the right permissions and password policies.

1. In Salesforce, navigate to Users > Profiles.

2. Locate the System Administrator profile and in that row, click Clone.

3. Enter a profile name (for example, Axonius).

4. Click Save.

5. Set permissions for the profile: a.

   1. From the profile page, click Edit.

   2. Configure the permissions so that the following permissions are selected:

      • Every permission from the General User section starting with the word "View" except for View Encrypted Data.
        
      • Lightning Experience User
      • API Enabled
      • Manage IP addresses
      • Manage Login Access Policies
      • Manage Password Policies
      • Manage Profiles and Permissions Sets
      • Manage Roles
      • Manage Sharing
      • View All Profiles
      • View All Users
      • Apex REST Services
      • Manage Users
      • Manage Connected Apps
      • Modify Metadata Through Metadata API Functions
      • Customize Application
      • Is Single Sign-On Enabled c. In the Connected App Access section, select the application you created earlier.

6. Set the password policy:

   1. Locate the Password Policies section.
   2. From the User Passwords Expire in drop-down list, select Never Expires.
   3. Select Don't immediately expire links in forgot password emails.
   4. Click Save.

   📘

   Note

   Before performing the following steps, contact Axonius support for the list of trusted IP ranges to include. If you do not have such list,generate a user secret.

7. Configure access to trusted IPs:

   1. From the left hand menu, navigate to Security > Network Access.
   2. Click New.
      
   3. Add the Axonius IP ranges and click Save.

8. Navigate to Users > Users. Select the user you created above.

9. From the Profile drop-down list, select the profile you just created.

10. (Only for fetching Application Settings and Licenses) Follow these instructions to generate a 2FA Secret Key. Back in Axonius, paste the secret key into the 2FA Secret Key field.

Generating the User Secret (Optional)

This process is only relevant if you selected to authenticate the adapter with the ‘Username-Password flow’ and you did not add trusted IP ranges. For more information, see Reset Your Security Token.

1. Log into Salesforce with an admin account with an email address that you have access to.
2. Open the Profile menu and select Settings.
3. Select My Personal Information> Reset My Security Token.
4. Click Reset Security Token.
5. Access the account's email and copy the new token from the Salesforce email.
6. In Axonius, paste the token into the User Secret field.

Additional Parameters - General

• Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
• HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in Host Name or IP Address.
• HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
• HTTPS Proxy Password (optional) - The password to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.

Additional Parameters - Fetching Application Settings and Licenses

• 2FA Secret Key - The secret generated in Salesforce for setting up 2-factor authentication for the Salesforce user created for collecting Axonius SaaS Applications data. For more information on how to generate this secret key, see Setting Up Two Factor-Authentication.
• SSO Username and Password - If your organization accesses Salesforce with an SSO provider (such as Google, Microsoft 365, Okta, etc.) enter your credentials for the SSO platform in the SSO Username and SSO Password fields.
• Use Unified Login Domain - Select this option to use the http://login.salesforce.com URL for logging in instead of sub-domain.salesforce.com (if the main domain is a sandbox, the URL will be test.salesforce.com). This allows you to directly login with Salesforce credentials instead of using an external SSO.

Setting Up Two-Factor Authentication

1. On the Connect Salesforce Authenticator screen, select Choose Another Verification Method.
2. Select Use verification codes from an authenticator app.
3. Click Continue.
4. Click I can’t Scan the QR Code.
5. The next screen displays a one-time secret key. Copy this key to a safe place (your password vault is recommended if you use one) for later use.

To complete the process with Axonius 2FA Authenticator:

1. On the adapter Add Connection screen, click the Generate Secret Key icon. The Set 2FA Secret Key screen opens.
2. Enter the secret key you copied in step 5 above into the 2FA Secret Key field and click Next.
3. The system displays a 6-digit code for you to copy.
4. Back in Axonius, paste the 6-digit code in the 2FA Secret Key field to get a verification code.
5. Back in Salesforce, paste the verification code and click Connect.

To complete the process with an external Authenticator app (such as Google Authenticator):

1. Back in Axonius, paste the one-time secret key you copied from Salesforce in the 2FA Secret Key field.
2. In your authenticator app, paste the same key and copy the one-time verification code.
3. Back in Salesforce, paste the verification code and click Connect.

Optional: Creating a Least-Privileged Role (To Fetch Axonius Cyber Assets)

You can configure a least-privileged role to integrate with this adapter for Salesforce users with the ‘Salesforce Integration’ license type and the ‘Minimum Access - API Only Integrations’ profile. The process for setting up the integration, is the same as detailed in the sections above for the standard setup.

💡

Warning

Adapter connections configured with a least-privileged role do not fetch any data for Application Settings/Licenses and fetch limited data for other assets.

Testing Your Credentials

You can use Curl commands to check your credentials to make sure they work for fetching Salesforce data with this adapter.

To check the credentials

1. Open a terminal window.
2. Enter the following command and replace the variables in angled brackets with the client credentials you generated in the adapter setup process:
   consumer_key='<consumer_key>'
consumer_secret='<consumer_secret>'
domain='https://.salesforce.com'
curl -X POST -u "$consumer_key":"$consumer_secret" "$domain/services/oauth2/token?grant_type=client_credentials"
   The command’s output indicates if the credentials are valid.
   
3. Enter the following command and replace the variables in the angled brackets with the Salesforce username and password you are associating with this adapter:
   username='<username>'
password='<password>'
user_secret='<user_secret>'
consumer_key='<consumer_key>'
consumer_secret='<consumer_secret>'
domain='https://.salesforce.com'
curl -X POST "$domain/services/oauth2/token" -d "grant_type=password&username=$username&password=$password$user_secret&client_id=$consumer_key&client_secret=$consumer_secret"
   The command’s output indicates if the username and password are valid.
   

Troubleshooting

Here’s how you can troubleshoot some of the common error messages that are output by the curl commands in the previous section.

• Client credentials flow not enabled - Make sure that the Enable Client Credentials Flow check box is checked for the application you are using for this adapter.
• No client credentials user enabled - Make sure that there is a value selected for ‘Run As’ in the app’s Client Credentials Flow section.
• Client identifier invalid - Indicates that the consumer key or consumer secret is not right. Check to make sure the consumer key and consumer secret values were copied correctly.
• Authentication failure - Check to make sure that the correct username and password were entered.

Advanced Settings

📘

Note

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

Devices Fetch Settings

• Fetch nodes - Select this option to enrich the Account devices field with data from the Opportunity and Contract tables. Axonius always tries to bring devices from the Axonius_Environment__c custom table. This setting is only supported for the Axonius_Environment__c table.

Users Fetch Settings

• Fetch chatter user data - Select this option to fetch additional information about the chatter user platform.
• Fetch only active users - Select this option to skip all inactive users and only fetch active users.
• Only fetch Employee users - Select this option to fetch only "standard" Salesforce users.
• Fetch Tabs - Select this option to fetch Salesforce tabs from the account.

Users Parse Settings

• Get "is_admin" by Profile Name - Select this option to fetch the admin role from the user profile name.

Groups Fetch Settings

• Fetch user groups - Select this option to fetch user group details.

Roles Fetch Settings

• Fetch user roles and permissions - Select this option to fetch user roles and permissions configured for the Salesforce accounts in your organization.

Activities Fetch Settings

• Fetch Audit Events - Toggle on to fetch audit events and show them on Axonius as Activities assets. When you select this option, the settings below are available:

  • Fetch Audit Events from the past X Days - Select the number of days back from which to fetch Audit events.
  • Event types - Select the type of events to fetch (login, logout, API, Lightning URI, URI). Unselected event types will not be fetched at all.

Tickets Fetch Settings

• Fetch Tickets (default: off) - Toggle on to fetch Cases from Salesforce as Tickets in Axonius. When you select this option, the settings below are available:

  • Fetch Tickets from the past X Days (default: 3) - Select the number of days back from which to fetch tickets. Maximum 90 days back. Select 0 to fetch all tickets.

  • Custom Fields to Fetch (optional) - List of strings. Add custom fields here. The fields must exist on the Case object in your Salesforce. Example: CustomField__c .

  • Additional WHERE clauses (optional) - List of strings. Add additional WHERE clauses to filter the fetched tickets. Each clause is AND-ed to the others. You can nest clauses using parentheses.Examples:

    • IsClosed ≠ true
    • (Status = ‘New” OR Status = ‘Pending’)

📘

Note:

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings

Related Enforcement Actions

Salesforce - Activate User

Salesforce - Create Case

Salesforce - Create User

Salesforce - Suspend User

Salesforce - Update User

Salesforce - Reset User Password

Salesforce - Create Role or Profile

Salesforce - Assign Role or Profile to User

Salesforce - Update Role or Profile

Salesforce - Delete Role or Profile