Splunk Delivers Real-Time Salesforce Visibility with New Streaming API Integration

You might already be using Splunk to manage your Salesforce environment with the Splunk App for Salesforce and the Splunk Add-on for Salesforce, which allows a Splunk administrator to collect different types of data from Salesforce using REST APIs. This solution is great, and the events give you an idea of how users interact with Salesforce. These events can range from Apex executions to page views. You can access the events in the form of an event log file through the Lightning Platform REST and SOAP APIs. But these events are only made available on a daily or hourly basis and are stored for 30 days. And what if you want these events and more at your disposal in real time?

Great news … Splunk and Salesforce have your back.

Salesforce has created a new Streaming API that is available at no extra cost as part of Salesforce’s powerful Event Monitoring capability. Real-time events are critical to immediately identify and respond to internal and external threats to sensitive data or performance bottlenecks. For organizations with hundreds of thousands of Salesforce users, real-time data is also much easier to consume than waiting hours for a batch of logs to be uploaded.

But wait ... there's more! Salesforce has rearchitected events available via the Streaming API to include much richer contextual data in the event along with a variety of new events. These include machine learning-generated events that are created when Salesforce detects a session hijacking attack, credential stuffing, or anomalous user activity plus Mobile Security activity and Permission Set activity (currently in pilot).

Splunk is happy to announce we’ve expanded our integrations with Salesforce to help our users collect logs and events in real-time using the Splunk Add-on for SFDC Streaming API.

With this add-on, Splunk will leverage Salesforce's Streaming API and Real-Time Event Monitoring Objects to ingest all the above-mentioned streaming events into Splunk in real-time. Streaming API enables the streaming of events using push technology and provides a subscription mechanism for receiving events in near real-time. The subscription mechanism supports multiple types of events, including PushTopic events, generic events, platform events, and Change Data Capture events. This provides greater, real-time insights into:

Below is an example of Login events that were generated in real time by failed login attempts with invalid passwords. The event carries more information than events delivered via the traditional REST endpoint, with fields such as Username, location, and web client details, among others.

Here is another example of how you can create an alert using real-time Report events when a user exports large amounts of reports within a short period.
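The logic behind a report-export alert like the one described above, as an added example that is not from the original post or the add-on: a per-user sliding-window count over constructed events. The field names (`Username`, `EventDate`, `Operation`), the operation values, the threshold and the window are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def make_event(user, minute, op="ReportExported"):
    """Build one constructed event; field names and values are assumptions."""
    ts = datetime(2021, 9, 1, 10, 0) + timedelta(minutes=minute)
    return {"Username": user, "EventDate": ts.strftime(TS_FORMAT), "Operation": op}

# Constructed sample data, not real Salesforce output.
SAMPLE_EVENTS = (
    [make_event("alice@example.com", m) for m in range(5)]              # 5 exports in 4 minutes
    + [make_event("bob@example.com", m) for m in (0, 15, 30, 45, 60)]   # 5 exports over an hour
    + [make_event("carol@example.com", m, "ReportRun") for m in range(6)]  # runs, not exports
)

def detect_export_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one user reaches `threshold` exports within `window`.

    After an alert the user's window is cleared, so a second alert needs
    a second full burst instead of firing on every further export.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent exports
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.strptime(e["EventDate"], TS_FORMAT))
    for ev in ordered:
        if ev.get("Operation") != "ReportExported":
            continue              # only export operations count toward the burst
        user = ev["Username"]
        ts = datetime.strptime(ev["EventDate"], TS_FORMAT)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop exports that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "count": len(q), "first": q[0], "last": ts})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_export_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold and window against a baseline of normal export behaviour per role before alerting on them.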

The add-on is simple and easy to use. To get access to all the above-mentioned good stuff, simply download and install the add-on in your Splunk environment. Then create a connection to your Salesforce environment with OAuth credentials and set up data inputs for any of the streaming real-time objects. The add-on is available for use on both Splunk Enterprise and Splunk Cloud. The add-on can also be run on the same Splunk instance as the existing Salesforce app and add-on. More information on setup and troubleshooting tips is available here.

Looking to do even more with Splunk and Salesforce? Good news — this is just the tip of the iceberg of what our teams are working on together. Stay tuned for more.

And if you plan to join us at .conf21 don’t miss the opportunity to hear Salesforce share lessons learned from their internal implementation of Splunk at scale - PLA1679A - Salesforce + Splunk: A Journey of Scaling & Adoption.
