Security Center Integration 

Surface Cloud Protection for Salesforce data directly in your Salesforce Security Center dashboards.

What gets surfaced 

If you use Salesforce Security Center to monitor your organization’s security signals, you can now include data from Cloud Protection for Salesforce as part of that view. File scan results, URL scan activity, quarantine actions, and identity breach alerts can be registered as custom metrics in Security Center, so the threat activity Cloud Protection for Salesforce captures appear alongside the rest of your security data. 

You can register custom metrics for the following data types: 

  • Alerts: setting changes, detections, job statuses, exceptions, and grouped breach events 
  • File scan logs: individual file scan results and verdicts 
  • URL scan logs:  individual URL scan results and verdicts Breach logs: individual user identity breach records 

Once registered, each metric appears in your Security Center dashboards and supports time-series trending. 

How to set it up 

Assign Security Center permissions 

In the Salesforce Setup, create a new permission set with the Manage Security Center system permission enabled. Assign it to the relevant admin users, then open Security Center from the App Launcher. 

Register custom metrics

Go to Setup > Security Center > Settings > Custom Metrics > New Custom Metric and create one metric per data type. For each metric, you will configure: 

  • The Salesforce object to pull data from: WithSecure File scan logs, url scan logs, breaches and alerts
  • Select which fields to display. See the section Recommended display fields per metric below for more configuration details
  • The Tenant ID field and Record Production Date field (used to identify your org and drive time-series trending) 

Save and activate each metric.

Recommended display fields per metric

Alerts — AFSC__FS_Alert__c (5 fields)

LabelAPI nameNotes
RecordProductionDateAFSC__RecordProductionDate = CreatedDateThe RecordProductionDate will be auto filled with the created date.
SeverityAFSC__Severity__cInformation / Important / Critical
ReasonAFSC__Reason__cFree-text alert description
SourceAFSC__Source__cScanner that generated the alert
UserAFSC__User__cLinked user or “N users affected”
TenantIdAFSC__TenantId__c15 digit Org Id
File Scan Logs — AFSC__FSFileScanLog__c (9 fields)

LabelAPI nameNotes
Date/TimeAFSC__RecordProductionDate AFSC__Date_Time_Scanned__cScan timestamp; default sort
VerdictAFSC__Verdict__cSafe / Unsafe / Disallowed / Unknown / Error
ActionAFSC__Action__cBlocked / Removed / Passed / Notified
ReasonAFSC__Reason__cFree-text description
Full File NameAFSC__Full_File_Name__cLinks to content document or record
DirectionAFSC__Direction__cUpload / Download / Scan Job
LocationAFSC__Source__cFiles / Attachments / Notes / etc.
UserAFSC__User__cLinked user
IP AddressAFSC__Ip_address__cCaptured at scan time
TenantIdAFSC__TenantId__c15 digit Org Id
RecordProductionDateAFSC__RecordProductionDate = CreatedDateThe RecordProductionDate will be auto filled with the created date and could be different than the scan date time.
URL Scan Logs — AFSC__FS_URL_Scan_Log__c (9 fields)

LabelAPI nameNotes
Date/TimeAFSC__Date_Time_Scanned__cScan timestamp
VerdictAFSC__Verdict__cSafe / Unsafe / Disallowed / Unknown
ActionAFSC__Action__cBlocked / Removed / Passed / Notified
ReasonAFSC__Reason__cFree-text description
URLAFSC__URL__cThe scanned URL
DirectionAFSC__Direction__cOpen / Post / Internal or External Conversation
LocationAFSC__Location__cCases / Chatter / Email / Lead / Task / Field Value
UserAFSC__User__cLinked user
IP AddressAFSC__IP_Address__cCaptured at scan time
TenantIdAFSC__TenantId__c15 digit Org Id
RecordProductionDateAFSC__RecordProductionDate = CreatedDateThe RecordProductionDate will be auto filled with the created date and could be different than the scan date time.
Breach Logs — AFSC__FS_Breach__c (14 fields)

LabelAPI nameTypeNotes
RecordProductionDateAFSC__RecordProductionDate = CreatedDateDateTimeThe RecordProductionDate will be auto filled with the created date.
Publish DateAFSC__PublishDate__cDateTimeWhen the breach was originally published by the breach source.
RiskAFSC__Risk__cPicklistLow / Medium / High / Critical
SeverityAFSC__Severity__cNumberNumeric severity score for the breach.
ReasonAFSC__Reason__cPicklistBreached information / Breached plaintext password.
Plaintext PasswordAFSC__IsPlainTextPassword__cPicklist (Yes / No)Whether the leaked password was exposed in plaintext.
Password TypeAFSC__PasswordType__cText (255)Type/format of the leaked password (e.g. hashed, plaintext).
EmailAFSC__Email__cText (255)Email address tied to the breached account.
UsernameAFSC__UserName__cText (255)Username associated with the breached credentials.
ProfileAFSC__UserProfile__cText (255)Salesforce profile of the breached user.
RoleAFSC__UserRole__cText (255)Salesforce role of the breached user.
UserAFSC__User__cLookup (User)Linked Salesforce user record for the breached account.
Target URLAFSC__TargetUrl__cText (255)Source site/service where the breached data was found.
TenantIdAFSC__TenantId__cText (15)15 digit Org Id

Verify your dashboards

Once registered, open your Security Center dashboards and confirm each metric appears and shows data. If a metric appears empty, click Update Data. Security Center has its own refresh cadence, and the first load may take a few minutes. 

Backfilling historical data 

By default, records created after the upgrade will populate the required fields for Security Center. If you want historical records to appear in trending charts, you can backfill up to 6 months of data using Salesforce Data Loader. This step is optional. Skip it if you only need data going forward. 

Do I need to configure anything in Cloud Protection for Salesforce before setting up Security Center?

No additional configuration in Cloud Protection for Salesforce is required. The fields Security Center needs are included automatically from release 3.3 onwards. You only need to complete the setup steps in Salesforce Setup.

Can I choose which data types to surface in Security Center?

Yes. You register each data type as a separate custom metric, so you have full control over which ones appear in your Security Center dashboards.

Will my existing scan and alert data appear in Security Center automatically?

Only records created after upgrading to release 3.3 will populate in Security Center by default. If you want historical data to appear in trending charts, you can backfill up to 6 months of records using Salesforce Data Loader.