How Defender for Cloud Apps helps protect your Salesforce environment

As a major CRM cloud provider, Salesforce holds large amounts of sensitive information about your customers, pricing playbooks, and major deals. Because it is a business-critical app, people inside your organization and others outside it (such as partners and contractors) access and use Salesforce for various purposes. In many cases, a large proportion of the users accessing Salesforce have low security awareness and might put your sensitive information at risk by unintentionally sharing it. In other instances, malicious actors might gain access to your most sensitive customer-related assets.

By connecting Salesforce to Defender for Cloud Apps, you get improved insight into your users' activities, threat detection based on machine learning anomaly detections, and information protection detections (such as detecting external information sharing). The connection also enables automated remediation controls and detects threats from third-party apps enabled in your organization.

Use this app connector to access SaaS Security Posture Management (SSPM) features, via security controls reflected in Microsoft Secure Score. Learn more.

Main threats

  • Compromised accounts and insider threats
  • Data leakage
  • Elevated privileges
  • Insufficient security awareness
  • Malicious third-party apps and Google add-ons
  • Ransomware
  • Unmanaged bring your own device (BYOD)

How Defender for Cloud Apps helps protect your environment

SaaS security posture management

Connect Salesforce to automatically get security recommendations for Salesforce in Microsoft Secure Score.

In Secure Score, select Recommended actions and filter by Product = Salesforce. For example, recommendations for Salesforce include:

  • Require identity verification during multifactor authentication (MFA) registration
  • Enforce login IP ranges on every request
  • Maximum invalid login attempts
  • Password complexity requirement

For more information, see:

Control Salesforce with built-in policies and policy templates

Use the following built-in policy templates to detect and get notifications about potential threats:

Built-in anomaly detection policy:

  • Activity from anonymous IP addresses
  • Activity from infrequent country
  • Activity from suspicious IP addresses
  • Impossible travel
  • Activity performed by terminated user (requires Microsoft Entra ID as IdP)
  • Multiple failed login attempts
  • Unusual administrative activities
  • Unusual file deletion activities (temporarily not supported due to a limitation in the Salesforce API)
  • Unusual file share activities
  • Unusual impersonated activities
  • Unusual multiple file download activities

Activity policy template:

  • Logon from a risky IP address
  • Mass download by a single user

File policy template:

  • Detect a file shared with an unauthorized domain
  • Detect a file shared with personal email addresses

For more information about creating policies, see Create a policy.
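To make the built-in policies above concrete, here is an added example (not code from the article or from Defender for Cloud Apps) that implements a minimal version of two of them, "Multiple failed login attempts" and "Logon from a risky IP address", over constructed Salesforce login event rows. The column names follow the Salesforce Login event log file (EVENT_TYPE, TIMESTAMP_DERIVED, USER_NAME, SOURCE_IP, LOGIN_STATUS); the sample rows, the failure threshold, the 15-minute window, and the risky-IP list are assumptions made for the example.

```python
"""Added example: minimal detection logic for two of the Salesforce policies
listed in the article, run over constructed Salesforce login event rows.
Not the product's own implementation; thresholds and IP ranges are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED_LOGIN_THRESHOLD = 5          # assumption: 5 failures ...
WINDOW = timedelta(minutes=15)      # ... inside a 15-minute sliding window
# Constructed "risky" ranges standing in for a threat-intelligence feed
RISKY_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed sample rows (documentation/test-net addresses, not real captures).
# Column names mirror the Salesforce Login event log file.
SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2024-05-01T08:00:01Z,alice@example.com,198.51.100.10,LOGIN_NO_ERROR
Login,2024-05-01T08:02:11Z,bob@example.com,192.0.2.5,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2024-05-01T08:02:40Z,bob@example.com,192.0.2.5,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2024-05-01T08:03:05Z,bob@example.com,192.0.2.5,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2024-05-01T08:03:30Z,bob@example.com,192.0.2.5,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2024-05-01T08:04:02Z,bob@example.com,192.0.2.5,LOGIN_ERROR_INVALID_ID_PASSWORD
Login,2024-05-01T08:30:00Z,bob@example.com,192.0.2.5,LOGIN_NO_ERROR
Login,2024-05-01T09:15:00Z,carol@example.com,203.0.113.77,LOGIN_NO_ERROR
"""


def parse_login_events(text):
    """Parse CSV event rows and attach a datetime under the 'ts' key."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Per-user sliding window: alert once when `threshold` failures fall inside `window`."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["LOGIN_STATUS"] == "LOGIN_NO_ERROR":
            continue
        user = ev["USER_NAME"]
        recent = failures[user]
        recent.append(ev["ts"])
        # Drop failures that have aged out of the window
        while recent and ev["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold and user not in alerted:
            alerts.append({
                "policy": "Multiple failed login attempts",
                "user": user,
                "source_ip": ev["SOURCE_IP"],
                "count": len(recent),
                "last_seen": ev["ts"],
            })
            alerted.add(user)
    return alerts


def detect_risky_ip_logons(events, risky_networks=RISKY_NETWORKS):
    """Alert on every successful sign-in whose source address is in a risky range."""
    alerts = []
    for ev in events:
        if ev["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue
        ip = ip_address(ev["SOURCE_IP"])
        if any(ip in net for net in risky_networks):
            alerts.append({
                "policy": "Logon from a risky IP address",
                "user": ev["USER_NAME"],
                "source_ip": ev["SOURCE_IP"],
                "last_seen": ev["ts"],
            })
    return alerts


def run_policies(text=SAMPLE_LOGIN_LOG):
    """Run both policies over the event text and return the combined alert list."""
    events = parse_login_events(text)
    return detect_failed_login_bursts(events) + detect_risky_ip_logons(events)


if __name__ == "__main__":
    for alert in run_policies():
        print(alert)
```

On the sample rows the burst detector fires for bob@example.com after the fifth failure inside the window, and the risky-IP rule fires for carol@example.com. Note that bob's later successful sign-in from the same address is exactly the kind of follow-on context an investigator wants next to the alert; the sliding window keeps the detector from re-alerting on every additional failure.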

Automate governance controls

In addition to monitoring for potential threats, you can apply and automate the following Salesforce governance actions to remediate detected threats:

User governance:

  • Notify users of pending alerts
  • Send DLP violation digest to file owners
  • Suspend user
  • Notify user on alert (via Microsoft Entra ID)
  • Require user to sign in again (via Microsoft Entra ID)
  • Suspend user (via Microsoft Entra ID)

OAuth app governance:

  • Revoke OAuth app for users

For more information about remediating threats from apps, see Governing connected apps.

Protect Salesforce in real time

Review our best practices for securing and collaborating with external users and blocking and protecting the download of sensitive data to unmanaged or risky devices.

Connect Salesforce to Microsoft Defender for Cloud Apps

This section provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Salesforce account using the app connector API. This connection gives you visibility into and control over Salesforce use.

Prerequisites

  • Install and authorize the Salesforce Connected App in the target Salesforce org before you start the connection process. Salesforce enforces usage restrictions on Connected Apps. For more information, see Prepare for Connected App Usage Restrictions Change.
  • Assign the Approve Uninstalled Connected Apps permission to the Salesforce service account used to connect Microsoft Defender for Cloud Apps. Salesforce requires this permission to connect third-party apps via OAuth.
  • Make sure that the Salesforce account is assigned to one of the following editions, which support REST API access:
    • Performance
    • Enterprise
    • Unlimited
    • Developer
    • Professional. REST API must be added to the Professional edition separately.

Configure Salesforce

  1. In your Salesforce account, create a dedicated service admin account for Defender for Cloud Apps.

  2. Create a new profile for the Defender for Cloud Apps service account. Use this profile to configure the App connector.

  3. Make sure that the service account profile includes the following permissions:

    • API Enabled
    • View All Data
    • Manage Salesforce CRM Content
    • Manage Users
    • Query All Files
    • Modify Metadata Through Metadata API Functions
    • View Setup And Configuration
  4. If Salesforce CRM Content is active in your organization:

    • Grant Salesforce CRM Content access to the Defender for Cloud Apps service admin account.
    • Turn off Lock sessions to the IP address from which they originated for the service account profile.
    • Turn on Content Deliveries and Public Links.

Note

To query file sharing data, enable the Content Deliveries feature for Defender for Cloud Apps. For more information, see ContentDistribution.

Configure Defender for Cloud Apps

  1. In the Defender for Cloud Apps console, select Investigate and then Connected apps.

  2. In the App connectors page, select +Connect an app followed by Salesforce.

    Screenshot that shows how to add the Salesforce app connector in the Defender portal.

  3. In the next window, enter a name for the connection and select Next.

  4. In Follow the link, select Connect Salesforce.

  5. This action opens the Salesforce sign-in page. Enter your credentials to allow Defender for Cloud Apps access to your team's Salesforce app.

    Screenshot that shows a pop-up and how to enter your Salesforce credentials.

  6. Salesforce asks if you want to allow Defender for Cloud Apps access to your team information and activity log and to perform any activity as any team member. Select Allow to continue.

  7. You receive a success or failure notice for the deployment. Defender for Cloud Apps is now authorized in Salesforce.com.

  8. Back in the Defender for Cloud Apps console, you see the Salesforce was successfully connected message.

  9. In the Microsoft Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.

After you connect Salesforce, Defender for Cloud Apps collects login events and Setup Audit Trail entries from the seven days before connection, and Event Monitoring data from the previous 30 days or one day, depending on your Salesforce Event Monitoring license.

Defender for Cloud Apps calls the Salesforce APIs directly. Because Salesforce limits the number of API calls per period, Defender for Cloud Apps reads the API counters returned in each Salesforce response and always keeps 10% of the available calls in reserve.
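The following is an added example (not code from the article or from Defender for Cloud Apps) of a client-side budget check modelled on the behaviour just described: it reads the API usage counter Salesforce returns with each REST response and refuses to issue further calls once fewer than 10% of the allowance would remain. The header name and format, `Sforce-Limit-Info: api-usage=<used>/<limit>`, are the real Salesforce response header; the reserve rule, the helper names, and the sample header values are assumptions made for the example.

```python
"""Added example: keep a 10% reserve of the Salesforce API allowance, driven by
the Sforce-Limit-Info header Salesforce returns on each REST response.
Illustrative only; not the Defender for Cloud Apps implementation."""
import math
import re
from dataclasses import dataclass

RESERVE_FRACTION = 0.10  # assumption: leave 10% of the allowance untouched

# Salesforce reports usage as "api-usage=<calls used>/<24h rolling limit>"
_LIMIT_RE = re.compile(r"api-usage=(\d+)/(\d+)")


@dataclass(frozen=True)
class ApiBudget:
    used: int
    limit: int

    @property
    def remaining(self) -> int:
        return max(self.limit - self.used, 0)

    @property
    def reserve(self) -> int:
        # Round up so a small allowance still keeps at least one call back
        return math.ceil(self.limit * RESERVE_FRACTION)


def parse_limit_info(header_value: str) -> ApiBudget:
    """Parse the Sforce-Limit-Info header, e.g. 'api-usage=1200/15000'."""
    match = _LIMIT_RE.search(header_value or "")
    if not match:
        raise ValueError(f"unrecognised Sforce-Limit-Info header: {header_value!r}")
    return ApiBudget(used=int(match.group(1)), limit=int(match.group(2)))


def calls_available(budget: ApiBudget) -> int:
    """Calls the collector may still make without dipping into the reserve."""
    return max(budget.remaining - budget.reserve, 0)


def should_continue(budget: ApiBudget, calls_needed: int = 1) -> bool:
    """True when `calls_needed` more requests fit above the reserve line."""
    return calls_available(budget) >= calls_needed


def plan_collection(headers: dict, calls_needed: int) -> dict:
    """Split a batch of requests into those that can run now and those that must
    wait for the 24-hour rolling window to free capacity (hypothetical helper)."""
    budget = parse_limit_info(headers.get("Sforce-Limit-Info", ""))
    now = min(calls_needed, calls_available(budget))
    return {
        "now": now,
        "deferred": calls_needed - now,
        "remaining": budget.remaining,
        "reserve": budget.reserve,
    }


if __name__ == "__main__":
    # Constructed response headers, not captured from a real org
    for value in ("api-usage=1200/15000", "api-usage=13000/15000", "api-usage=14000/15000"):
        print(value, "->", plan_collection({"Sforce-Limit-Info": value}, calls_needed=2500))
```

With a 15,000-call allowance the reserve is 1,500 calls, so at 13,000 used only 500 of a 2,500-call batch run immediately and the rest is deferred; at 14,000 used the collector stops entirely, which is the "temporarily slower ingestion that catches up later" behaviour the note below describes.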

When you enable Salesforce real-time event monitoring (Preview), detection latency for identity and OAuth attacks drops from hours to minutes. Detections also include more context, such as the connected app name and ID, app permissions, user agent, IP address, and session information.

Note

  • Defender for Cloud Apps calculates throttling solely from its own API calls to Salesforce, not from the calls made by other applications using the Salesforce API. Throttling might temporarily slow data ingestion into Defender for Cloud Apps, but the process typically catches up overnight.
  • If your Salesforce instance isn't in English, select the appropriate language attribute value for the integration service admin account. To change the language attribute, go to Administration > Users > User and open the integration system admin account. Now go to Locale Settings > Language and select the desired language.

Defender for Cloud Apps processes Salesforce events on the following schedule:

  • Sign-in events every 15 minutes
  • Setup audit trails every 15 minutes
  • Event logs every hour. For more information about Salesforce events, see Using event monitoring.

Enable Salesforce real-time event monitoring (Preview)

To get the most detection coverage and the richest investigation context from the Salesforce connector, a Salesforce administrator must enable Storing data for a set of events in Salesforce Event Manager. Defender for Cloud Apps then ingests those events from Salesforce Real-Time Event Monitoring within minutes and uses them to improve detection coverage for OAuth abuse, session hijacking, credential stuffing, and anomalous API activity.

The Salesforce OAuth apps inventory also includes Connected Apps and External Client Apps (ECAs), along with each app's granted permissions and last used date. Highly privileged and Unused app insights for Salesforce help you identify OAuth apps that need review. For more information, see Application inventory and View your app details with app governance.

Enable these events for the best detection coverage: doing so reduces detection latency and makes the detections more robust.

Enable the events in Salesforce Event Manager

  1. Sign in to Salesforce as an administrator.

  2. Go to https://YOURDOMAIN.lightning.force.com/lightning/setup/EventManager/home.

  3. Search for each of the following events and enable Storing data:

    • API Anomaly Event
    • API Event
    • Credential Stuffing Event
    • Guest User Anomaly Event
    • Identity Provider Event
    • Identity Verification Event
    • Permission Set Event
    • Report Anomaly Event
    • Report Event
    • Session Hijacking Event

Next steps