What gets surfaced
If you use Salesforce Security Center to monitor your organization’s security signals, you can now include data from Cloud Protection for Salesforce as part of that view. File scan results, URL scan activity, quarantine actions, and identity breach alerts can be registered as custom metrics in Security Center, so the threat activity Cloud Protection for Salesforce captures appear alongside the rest of your security data.
You can register custom metrics for the following data types:
- Alerts: setting changes, detections, job statuses, exceptions, and grouped breach events
- File scan logs: individual file scan results and verdicts
- URL scan logs: individual URL scan results and verdicts Breach logs: individual user identity breach records
Once registered, each metric appears in your Security Center dashboards and supports time-series trending.
How to set it up
Assign Security Center permissions
In the Salesforce Setup, create a new permission set with the Manage Security Center system permission enabled. Assign it to the relevant admin users, then open Security Center from the App Launcher.
Register custom metrics
Go to Setup > Security Center > Settings > Custom Metrics > New Custom Metric and create one metric per data type. For each metric, you will configure:
- The Salesforce object to pull data from: WithSecure File scan logs, url scan logs, breaches and alerts
- Select which fields to display. See the section Recommended display fields per metric below for more configuration details
- The Tenant ID field and Record Production Date field (used to identify your org and drive time-series trending)
Save and activate each metric.

Recommended display fields per metric
Alerts — AFSC__FS_Alert__c (5 fields)
| Label | API name | Notes |
|---|---|---|
| RecordProductionDate | AFSC__RecordProductionDate = CreatedDate | The RecordProductionDate will be auto filled with the created date. |
| Severity | AFSC__Severity__c | Information / Important / Critical |
| Reason | AFSC__Reason__c | Free-text alert description |
| Source | AFSC__Source__c | Scanner that generated the alert |
| User | AFSC__User__c | Linked user or “N users affected” |
| TenantId | AFSC__TenantId__c | 15 digit Org Id |
File Scan Logs — AFSC__FSFileScanLog__c (9 fields)
| Label | API name | Notes |
|---|---|---|
| Date/Time | AFSC__RecordProductionDate AFSC__Date_Time_Scanned__c | Scan timestamp; default sort |
| Verdict | AFSC__Verdict__c | Safe / Unsafe / Disallowed / Unknown / Error |
| Action | AFSC__Action__c | Blocked / Removed / Passed / Notified |
| Reason | AFSC__Reason__c | Free-text description |
| Full File Name | AFSC__Full_File_Name__c | Links to content document or record |
| Direction | AFSC__Direction__c | Upload / Download / Scan Job |
| Location | AFSC__Source__c | Files / Attachments / Notes / etc. |
| User | AFSC__User__c | Linked user |
| IP Address | AFSC__Ip_address__c | Captured at scan time |
| TenantId | AFSC__TenantId__c | 15 digit Org Id |
| RecordProductionDate | AFSC__RecordProductionDate = CreatedDate | The RecordProductionDate will be auto filled with the created date and could be different than the scan date time. |
URL Scan Logs — AFSC__FS_URL_Scan_Log__c (9 fields)
| Label | API name | Notes |
|---|---|---|
| Date/Time | AFSC__Date_Time_Scanned__c | Scan timestamp |
| Verdict | AFSC__Verdict__c | Safe / Unsafe / Disallowed / Unknown |
| Action | AFSC__Action__c | Blocked / Removed / Passed / Notified |
| Reason | AFSC__Reason__c | Free-text description |
| URL | AFSC__URL__c | The scanned URL |
| Direction | AFSC__Direction__c | Open / Post / Internal or External Conversation |
| Location | AFSC__Location__c | Cases / Chatter / Email / Lead / Task / Field Value |
| User | AFSC__User__c | Linked user |
| IP Address | AFSC__IP_Address__c | Captured at scan time |
| TenantId | AFSC__TenantId__c | 15 digit Org Id |
| RecordProductionDate | AFSC__RecordProductionDate = CreatedDate | The RecordProductionDate will be auto filled with the created date and could be different than the scan date time. |
Breach Logs — AFSC__FS_Breach__c (14 fields)
| Label | API name | Type | Notes |
|---|---|---|---|
| RecordProductionDate | AFSC__RecordProductionDate = CreatedDate | DateTime | The RecordProductionDate will be auto filled with the created date. |
| Publish Date | AFSC__PublishDate__c | DateTime | When the breach was originally published by the breach source. |
| Risk | AFSC__Risk__c | Picklist | Low / Medium / High / Critical |
| Severity | AFSC__Severity__c | Number | Numeric severity score for the breach. |
| Reason | AFSC__Reason__c | Picklist | Breached information / Breached plaintext password. |
| Plaintext Password | AFSC__IsPlainTextPassword__c | Picklist (Yes / No) | Whether the leaked password was exposed in plaintext. |
| Password Type | AFSC__PasswordType__c | Text (255) | Type/format of the leaked password (e.g. hashed, plaintext). |
| AFSC__Email__c | Text (255) | Email address tied to the breached account. | |
| Username | AFSC__UserName__c | Text (255) | Username associated with the breached credentials. |
| Profile | AFSC__UserProfile__c | Text (255) | Salesforce profile of the breached user. |
| Role | AFSC__UserRole__c | Text (255) | Salesforce role of the breached user. |
| User | AFSC__User__c | Lookup (User) | Linked Salesforce user record for the breached account. |
| Target URL | AFSC__TargetUrl__c | Text (255) | Source site/service where the breached data was found. |
| TenantId | AFSC__TenantId__c | Text (15) | 15 digit Org Id |
Verify your dashboards
Once registered, open your Security Center dashboards and confirm each metric appears and shows data. If a metric appears empty, click Update Data. Security Center has its own refresh cadence, and the first load may take a few minutes.

Backfilling historical data
By default, records created after the upgrade will populate the required fields for Security Center. If you want historical records to appear in trending charts, you can backfill up to 6 months of data using Salesforce Data Loader. This step is optional. Skip it if you only need data going forward.
Do I need to configure anything in Cloud Protection for Salesforce before setting up Security Center?
No additional configuration in Cloud Protection for Salesforce is required. The fields Security Center needs are included automatically from release 3.3 onwards. You only need to complete the setup steps in Salesforce Setup.
Can I choose which data types to surface in Security Center?
Yes. You register each data type as a separate custom metric, so you have full control over which ones appear in your Security Center dashboards.
Will my existing scan and alert data appear in Security Center automatically?
Only records created after upgrading to release 3.3 will populate in Security Center by default. If you want historical data to appear in trending charts, you can backfill up to 6 months of records using Salesforce Data Loader.