Analytics and security visibility in Salesforce

When you can’t see inside Salesforce, every second costs more. During an incident, lack of visibility inside Salesforce can paralyze response. Without clear telemetry, investigations stall — leaving security teams no choice but to freeze the entire environment to prevent further damage.

That means halted workflows, disconnected users, and downtime that ripples across sales, service, and customer operations.

Salesforce holds some of the most valuable data in the enterprise. Traditional security tools don’t monitor what happens inside Salesforce. Files are uploaded, shared, and downloaded, and links are posted and clicked — often by external users. Without native visibility, threats like malware deliveries and phishing link clicks can go unnoticed, investigations stall, and compliance evidence is incomplete.

WithSecure Cloud Protection for Salesforce offers that visibility. Every upload, download, and detection is logged in real time, giving you the context – who, what, when – you need to respond fast without halting the business.

WithSecure Cloud Protection for Salesforce provides constant real-time visibility without time lags, with complete audit trails of what happened, who was involved, and where. When you have real-time visibility to your Salesforce:

• You can investigate incidents immediately while mitigating further damage
• You can conduct faster and cheaper investigations with full forensic trails (e.g. who, what, when)

Dynamic analytics and reporting in WithSecure Cloud Protection for Salesforce gives a holistic security overview of Salesforce content and an opportunity to follow your security strategy in action.

Rich reporting, advanced security analytics, and full audit trails help your security team to respond to threats in Salesforce and to investigate attacks.

Out-of-the-box dashboards like the Protection Status dashboard provide a situational overview at a glance. You can leverage Salesforce’s powerful native reports and dashboards to create your own.

Logs capture every detail needed for investigations and audits, including:

File SHA-256 checksum

Verdicts from each detection engine

File type, size, and extension

URL categories and classifications

Action (upload, download, post, click)

Direction (inbound/outbound)

User IDs, profiles, and roles

Timestamps and IP addresses

Object details (where the file or link was stored)

Yes. All log fields are available in Salesforce Reports. Security teams can build reports filtered by verdict, file type, user, detection engine, or URL category. Custom notifications and user messages can also be configured.

With WithSecure™ Cloud Protection for Salesforce, you can automate reports of security incidents and receive timely email alerts to administrators and your security department. This ensures prompt response and mitigation of potential threats.

Alerts in WithSecure Cloud Protection for Salesforce are triggered when:

Harmful or disallowed content is detected

A scan result changes from safe to unsafe

A file or URL is blocked during upload or click

A disallowed file type is uploaded

Configuration or license status changes

Alerts can be sent to Salesforce admins, routed to IT security teams, or pushed into SIEM/SOAR systems.

Event data is stored natively in Salesforce for up to 24 months. This supports long-running investigations and regulatory audits. Logs can also be exported or pushed to, for example, SIEM systems for extended storage.

Yes. Complete audit trails, long-term retention, and exportable reports support ISO 27001, ISAE 3000 Type 2, SOC 2 Type 2, HIPAA, and other regulatory frameworks.

All data is anonymized and encrypted in transit and at rest. Logs never expose private Salesforce content. Processing can be regionalized (EU, US, Singapore, Australia, Japan) to meet data residency requirements.

The protection status panel provides a comprehensive, straightforward snapshot of your Salesforce security status, including file and URL scanning configurations, connectivity status, automatic update status, and the version in use. Thus, you can quickly spot and fix any security hiccups.

The panel is neatly divided into four sections:

• File Protection section shows the status of scanning and blocking harmful and disallowed content. Accessing File Protection settings is as easy as a click.
• URL Protection section serves as your window into the status of harmful and disallowed URL scanning features.
• Automatic Update section displays the status of automatic updates, along with the app version you’re currently using. You can see if automatic updates are enabled or disabled, and whether a manual installation of a newer version is needed.
• Connectivity section provides a snapshot of the status of the connected app and its link to the WithSecure Security Cloud. This includes the status of seamless data exchange between your environment and WithSecure’s security services. You can see if the WithSecure Security Cloud is operational, not operational, or if its status is unknown. Similarly, you can see if the connected app is operational, not set up, malfunctioning, or if its status is unknown.

From the Alerts tab, you can access a comprehensive feed of all security-related events that have triggered alerts. This includes threat detections, scan overusage, and security configuration changes. If you suspect that you might have missed an alert, you can easily check the latest status here.

You can find detailed forensics information from the File Events and URL Events feeds about specific threat detections and scanning results. Full audit trails give you the complete picture. This includes details such as what happened, where, when, and by whom – for example, if a user clicked a phishing link or a malware was uploaded by an attacker.