This article explains how to configure the Salesforce connector for the SaaS Security API policy for your account and create rules that use this connector in the Threat Protection and Data Protection Policy.
The SaaS Security API policy requires a separate Cato license. Please contact your Cato representative or official reseller for more information.
The Salesforce SaaS Security API connector monitors exported reports and scans for sensitive data that you define in the DLP Content Profiles. The connector uses the Salesforce events log API to periodically check for exported reports. When a report is exported, the connector downloads the report and scans to see if it contains sensitive data. When the connector identifies sensitive data in the report, it generates an event with the details. Once the connector completes the scan, the content of the report is deleted from the Cato server, regardless of the outcome of the scan (no impact to the data in the Salesforce account).
Create the connector for the production or sandbox Salesforce account for your organization. Then define rules in the Threat Protection and Data Protection policies that include the Salesforce connector and define the users that are scanned and monitored. You can create a single connector for each Salesforce account.
- Active subscription to Salesforce Shield or Salesforce Event Monitoring component
- Read-only user permissions for the following settings:
  - Event Monitoring Analytics Apps (Permission Set License)
  - View Event Log Files
  - API Enabled
  - View Real-Time Event Monitoring Data
  - View Reports in Public Folders
  - Manage All Private Reports and Dashboards
- Verify that these Salesforce licenses are valid: Analytics Platform and Event Monitoring Analytics Apps (Setup > Settings > Company Information > Company Settings > Permission Set Licenses)
- Verify that storage is enabled for Report Event (Events > Event Manager)
To enable Cato's SaaS Security API to scan exported Salesforce reports, the connector gives Cato the following permissions and actions with the Salesforce account:
- Access the identity URL service
- Access Analytics REST API resources
- Manage user data via APIs
- Perform requests at any time
This section explains how to create the API connector for Salesforce to scan exported reports for sensitive data and threats. Once you create the connector, update the Refresh Token Policy to ensure the SaaS Security API has continued access to Salesforce data.
Use the Cato Management Application to create the Salesforce connector, and then sign in to the production or sandbox Salesforce account.
The Salesforce connector lets the Cato SaaS API engine scan reports for the content that you define in the Data Protection policy.
To create the connector for Salesforce:
- From the navigation pane, select Assets > Integrations and select the Installed SaaS Applications tab.
- Click New. The New Connector window opens.
- Create a new Salesforce SaaS Application.
- Enter the Connector Name.
- In Permissions, select Read.
  Note: Read/Write permissions aren't used to monitor exported Salesforce reports.
- In Salesforce Environment, select whether this connector monitors the Production or Sandbox environment.
- Click Save.
  The Salesforce login screen opens in a new browser tab.
- Enter the Salesforce admin Username and Password for the specific environment.
- Give permissions for your Cato account to access the Salesforce app.
- Allow the permissions for Cato to access the Salesforce app.
  The screen shows that you have successfully applied the permissions for the tenant.
- You can close the browser tab and return to the Cato Management Application. It can take Salesforce several seconds to process the request, so if you receive an error, refresh the browser.
  While Salesforce is processing the request, the Status for the connector is Pending user consent (see Understanding the Connector Status below).

The Salesforce SaaS application is added to the Installed SaaS Applications page.
The Salesforce Refresh Token defines the length of time the SaaS Security API connector has permission to scan Salesforce data. For maximum security, we recommend you configure the Refresh Token Policy to be Refresh token is valid until revoked. This ensures the SaaS Security API connector has continued access to Salesforce Data.
For more information on how to configure the Refresh Token Policy, see the Salesforce documentation.
Note: The recommended configuration for the Refresh Token is Refresh token is valid until revoked.
If you configure an expiry time for the Refresh Token, you need to proactively provide re-consent for the SaaS Security API connector to access Salesforce data before the token expires. Providing re-consent ensures the SaaS Security API connector maintains access to Salesforce data. If the token expires without providing re-consent, the SaaS Security API connector does not have access to Salesforce data.
The Status column on the Installed SaaS Applications page shows the status of the connection between the Salesforce account and your Cato account. These are the explanations of the statuses:
- Connected - Your Cato account is connected to the Salesforce account and working correctly
- Connection error - Connectivity or permissions issue with the Salesforce connector. Please open a ticket with Support.
- Pending user consent - The Salesforce connector is created in the Connect Settings page, however you haven't successfully authenticated to Salesforce.
This section explains how to use the Data Protection policy to monitor exported Salesforce reports.
Use the Data Protection page to add the SaaS application rules in your Data Protection policy.
To create a new Data Protection rule for the Salesforce app:
- From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.
- Click New. The New Rule panel opens.
- In Application Connector, select the Salesforce app.
- In the General section, enter the settings for the rule.
- In Users, define the Salesforce users that you are monitoring:
  - Any - Monitor reports exported by all Salesforce users
  - Salesforce User - Select the specific users in the Salesforce account whose exported reports are monitored
- In Content Profile, select the DLP Content Profile for this rule.
  For more about DLP Content Profiles, see Creating DLP Content Profiles.
- In Actions, select Monitor.
- (Optional) Configure tracking options to generate Events and Send Notifications.
  For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.
- Click Save. The rule is added to the Data Protection policy.
The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, then it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.
Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.
For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.
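The first-match-per-connector behaviour and the best practice above, modelled in Python as an added example (constructed data structures and rule names, not Cato's own code): `evaluate` walks the rulebase top-down, `shadowed_rules` flags specific-user rules that an earlier Any-users rule for the same connector makes unreachable, and `reorder_specific_first` applies the recommended ordering.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the rulebase ordering described above (not Cato code).
ANY = "Any"

@dataclass
class Rule:
    name: str
    connector: str    # the Application Connector selected for the rule
    users: set        # Salesforce user names, or {ANY}
    profile: str      # DLP Content Profile name

@dataclass
class ExportedReport:
    connector: str    # connector that observed the export
    owner: str        # Salesforce user who exported the report

def matches(rule: Rule, report: ExportedReport) -> bool:
    # A rule applies when its connector saw the export and it covers the owner.
    return rule.connector == report.connector and (
        ANY in rule.users or report.owner in rule.users)

def evaluate(rulebase: list, report: ExportedReport) -> Optional[Rule]:
    # Top-down walk: the first match for the report's connector wins.
    for rule in rulebase:
        if matches(rule, report):
            return rule
    return None

def shadowed_rules(rulebase: list) -> list:
    # Rules that never fire because a higher rule for the same connector
    # already matches Any user (the best-practice check from the text).
    covered, shadowed = set(), []
    for rule in rulebase:
        if rule.connector in covered:
            shadowed.append(rule.name)
        elif ANY in rule.users:
            covered.add(rule.connector)
    return shadowed

def reorder_specific_first(rulebase: list) -> list:
    # Stable reorder that moves specific-user rules above Any-user rules.
    return sorted(rulebase, key=lambda r: ANY in r.users)

# Constructed sample: the Any-users rule sits above the finance rule (bad order).
RULEBASE = [
    Rule("sf-all-users", "Salesforce-prod", {ANY}, "PII-basic"),
    Rule("sf-finance", "Salesforce-prod", {"alice", "bob"}, "Financial-strict"),
    Rule("sf-sandbox", "Salesforce-sandbox", {ANY}, "PII-basic"),
]
```

With the sample order, an export by alice is handled by sf-all-users and sf-finance never fires; after reordering, alice hits the stricter profile and other users still fall through to the Any rule.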
You can create Threat Protection rules for the connector to scan files and attachments for malware and viruses using the Anti-Malware and Next Gen Anti-Malware engines that are enabled for your account. The SaaS Security API engine scans the connector traffic and applies the action and tracking options that you configure for the rule:
- Monitor the traffic (block will be supported soon)
- Generate events
- Send email notifications
When you create a SaaS Security API Threat Protection rule, the Anti-Malware engines that are enabled for your account (Security > Anti-Malware) perform malware scans on the files that are sent for that connector application.
The following screenshot shows a Threat Protection rule for the OneDrive connector that scans files sent by Internal users or Guests:
Sometimes a file that you know is safe is blocked by Cato's SaaS Security API engines, and you need to allow it in the network. The Events page lets you use the file hash to create exceptions that bypass the Threat Protection scans. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel and add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.
File Exceptions for Anti-Malware and SaaS Security API
File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the SaaS Security API Threat Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the SaaS Security API Threat Protection page.
To create an exception for a file:
- From the navigation menu, select Monitoring > Events.
- Filter for the event using the Sub-Type of SaaS Security API Anti Malware.
- From the Time column, expand the event.
- In the event, click the File Hash link.
  The Exception Configuration panel opens.
- From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.
  To create a permanent exception, select Forever.
- Click Apply.
  The exception is created and added to the File Exceptions section in the Threat Protection tab, and in the Anti-Malware page.
Remove an exception for the Threat Protection policy when it is no longer necessary.
The Monitoring > Events screen shows all the SaaS Security API events for your account. The search tools let you drill down and identify the few events that contain the relevant data that you need.
SaaS Security API events can be identified by the following fields:
- Event Type - Security
- Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware
You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.
| Field Name | Description |
|---|---|
| Connector Name | Name for the connector that is defined for the rule |
| Connector Type | SaaS app that is defined for this connector |
| DLP Profile | DLP Content Profile that generated this event |
| File Name | Name of the file for the exported report |
| Full Path URL | Link for the exported report |
| Matched Data Types | Data Types in the Content Profile that matched the rule |
| Rule | Name of the rule in the Data Protection policy |
| Owner | Salesforce user that exported the report |
| Severity | Severity defined for the rule |