elastic · kush-elastic · Dec 19, 2022 · Sep 27, 2022 · Sep 27, 2022 · Sep 27, 2022
@@ -16,10 +16,11 @@ As an example, you can use the data from this integration to understand the acti
 The Salesforce integration collects log events using the REST API of Salesforce.
 
 **Logs** help you keep a record of events happening in Salesforce.
-Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm).
+Log data streams collected by the Salesforce integration include [Login](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm), and [Logout](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_logout.htm).
 
 Data streams:
 - `login_rest`: Tracks login activity of users who log in to Salesforce.
+- `logout_rest`: Tracks logout activity of users who logout from Salesforce.
 
 ## Compatibility
 
@@ -31,7 +32,7 @@ In order to find out the Salesforce version of your Instance, see below:
 
 2. An alternative way to find out the version of Salesforce is by hitting the following URL:
 	- Format: (Salesforce Instance URL)/services/data
-	- Example: https://elastic1234-dev-ed.my.salesforce.com/services/data
+	- Example: `https://na9.salesforce.com/services/data`
 
 Example response:
 ```xml
@@ -78,11 +79,11 @@ You need the following information from your Salesforce instance to configure th
 
 The instance your Salesforce Organization uses is indicated in the URL of your browser's address bar in Salesforce Classic. The value before 'salesforce.com' is your Salesforce Instance.
 
-Example URL: https://na9.salesforce.com/home/home.jsp
+Example URL: `https://na9.salesforce.com/home/home.jsp`
 
 In the above example, the value before 'salesforce.com' is your Salesforce Instance. In this example, the Salesforce Organization is located on NA9. 
 
-The Salesforce Instance URL is: https://na9.salesforce.com
+The Salesforce Instance URL is: `https://na9.salesforce.com`
 
 In Salesforce Lightning, it is available under the user name in the “View Profile” tab.
 
@@ -167,3 +168,11 @@ This is the `login_rest` data stream. It represents events containing details ab
 {{event "login_rest"}}
 
 {{fields "login_rest"}}
+
+### Logout Rest
+
+This is the `logout_rest` data stream. It represents events containing details about your organization's user logout history.
+
+{{event "logout_rest"}}
+
+{{fields "logout_rest"}}
@@ -68,4 +68,4 @@ rules:
           content-type: ["text/csv"]
         body: |-
           "EVENT_TYPE","TIMESTAMP","REQUEST_ID","ORGANIZATION_ID","USER_ID","RUN_TIME","CPU_TIME","URI","SESSION_KEY","LOGIN_KEY","TYPE","METHOD","SUCCESS","TIME","REQUEST_SIZE","RESPONSE_SIZE","URL","TIMESTAMP_DERIVED","USER_ID_DERIVED","CLIENT_IP","URI_ID_DERIVED"
-          "ApexCallout","20221122044615.591","ABCDE","00D5j000000VABC","0055j000000ABCD","1305","10","CALLOUT-LOG","ABCDEF","ABCDEFGH","OData","GET","1","1293","10","256","https://temp.sh/odata/Accounts","2022-11-22T04:46:15.591Z","0055j012345utlPAAQ","127.0.0.1","0055j000000utlPABCD"
+          "ApexCallout","20221122044615.591","4exLFFQZ1234xFl1cJNwOV","00D5j000000001V","0055j0000000001","1305","10","CALLOUT-LOG","WvtsJ1235oW24EbH","Obv9123BzbaxqCo1","OData","GET","1","1293","10","256","https://temp.sh/odata/Accounts","2022-11-22T04:46:15.591Z","0055j012345utlPAAQ","81.2.69.142","0055j000000utlPAQZB"
@@ -1,5 +1,10 @@
 # newer versions go on top
 
+- version: 0.2.0
+  changes:
+    - description: Salesforce integration package with "logout_rest" data stream.
+      link: https://github.com/elastic/integrations/pull/4323
+      type: enhancement
 - version: 0.1.0
   changes:
     - description: Salesforce integration package with "login_rest" data stream.

@@ -3,7 +3,7 @@
         {
             "@timestamp": "2022-09-13T05:22:43.429Z",
             "ecs": {
-                "version": "8.4.0"
+                "version": "8.5.0"
             },
             "event": {
                 "action": "login-attempt",
@@ -27,7 +27,7 @@
             },
             "salesforce": {
                 "login": {
-                    "access_mode": "rest",
+                    "access_mode": "REST",
                     "api": {
                         "type": "Feed",
                         "version": "9998.0"

@@ -20,12 +20,12 @@ processors:
     ignore_missing: true
 - set:
     field: salesforce.login.access_mode
-    value: "rest"
+    value: "REST"
     ignore_failure: true
     ignore_empty_value: true
 - set:
     field: ecs.version
-    value: "8.4.0"
+    value: "8.5.0"
     ignore_failure: true
     ignore_empty_value: true
 - date:

@@ -1,8 +1,8 @@
 {
     "@timestamp": "2022-11-22T04:46:15.591Z",
     "agent": {
-        "ephemeral_id": "ce504617-c797-4257-845c-f1d8f57cc9bd",
-        "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0",
+        "ephemeral_id": "7091b66c-e647-42f9-9c3e-d0753552a291",
+        "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
         "name": "docker-fleet-agent",
         "type": "filebeat",
         "version": "8.4.1"
@@ -13,10 +13,10 @@
         "type": "logs"
     },
     "ecs": {
-        "version": "8.4.0"
+        "version": "8.5.0"
     },
     "elastic_agent": {
-        "id": "4a8a40ad-666c-45db-a9d1-3b027852bef0",
+        "id": "e8ad8355-f296-4e32-9096-2df7c9cc7e97",
         "snapshot": false,
         "version": "8.4.1"
     },
@@ -26,9 +26,9 @@
         "category": [
             "authentication"
         ],
-        "created": "2022-11-29T07:28:46.257Z",
+        "created": "2022-12-15T10:29:06.958Z",
         "dataset": "salesforce.login_rest",
-        "ingested": "2022-11-29T07:28:50Z",
+        "ingested": "2022-12-15T10:29:10Z",
         "kind": "event",
         "module": "salesforce",
         "original": "{\"API_TYPE\":\"f\",\"API_VERSION\":\"9998.0\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36\",\"CIPHER_SUITE\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"CLIENT_IP\":\"81.2.69.142\",\"CPU_TIME\":\"30\",\"DB_TOTAL_TIME\":\"52435102\",\"EVENT_TYPE\":\"Login\",\"LOGIN_KEY\":\"QfNecrLXSII6fsBq\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"REQUEST_ID\":\"4ehU_U-nbQyAPFl1cJILm-\",\"REQUEST_STATUS\":\"Success\",\"RUN_TIME\":\"83\",\"SESSION_KEY\":\"\",\"SOURCE_IP\":\"81.2.69.142\",\"TIMESTAMP\":\"20221122044615.591\",\"TIMESTAMP_DERIVED\":\"2022-11-22T04:46:15.591Z\",\"TLS_PROTOCOL\":\"TLSv1.2\",\"URI\":\"/index.jsp\",\"URI_ID_DERIVED\":\"s4heK3WbH-lcJIL3-n\",\"USER_ID\":\"0055j000000utlP\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"USER_NAME\":\"user@elastic.co\",\"USER_TYPE\":\"Standard\"}",
@@ -49,7 +49,7 @@
     "salesforce": {
         "instance_url": "http://elastic-package-service_salesforce_1:8010",
         "login": {
-            "access_mode": "rest",
+            "access_mode": "REST",
             "api": {
                 "type": "Feed",
                 "version": "9998.0"

@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
@@ -0,0 +1 @@
+{"EVENT_TYPE":"Logout","TIMESTAMP":"20211019050707.13","REQUEST_ID":"4exLFFQZNa5xxFl1cJNwOV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","USER_TYPE":"X","SESSION_TYPE":"C","SESSION_LEVEL":"1","BROWSER_TYPE":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","PLATFORM_TYPE":"1015","RESOLUTION_TYPE":"9999","APP_TYPE":"1000","CLIENT_VERSION":"9998","API_TYPE":"fo","API_VERSION":"54.0","USER_INITIATED_LOGOUT":"1","SESSION_KEY":"/b1/C123g6WXplkT","LOGIN_KEY":"OK123uSUIZVr9YzF","TIMESTAMP_DERIVED":"2021-10-19T05:07:07.128Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"175.16.199.0"}
@@ -0,0 +1,74 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-10-19T05:07:07.128Z",
+            "ecs": {
+                "version": "8.5.0"
+            },
+            "event": {
+                "action": "logout",
+                "category": [
+                    "authentication"
+                ],
+                "code": "4exLFFQZNa5xxFl1cJNwOV",
+                "dataset": "salesforce.logout_rest",
+                "kind": "event",
+                "module": "salesforce",
+                "original": "{\"EVENT_TYPE\":\"Logout\",\"TIMESTAMP\":\"20211019050707.13\",\"REQUEST_ID\":\"4exLFFQZNa5xxFl1cJNwOV\",\"ORGANIZATION_ID\":\"00D5j000000VI3n\",\"USER_ID\":\"0055j000000utlP\",\"USER_TYPE\":\"X\",\"SESSION_TYPE\":\"C\",\"SESSION_LEVEL\":\"1\",\"BROWSER_TYPE\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\",\"PLATFORM_TYPE\":\"1015\",\"RESOLUTION_TYPE\":\"9999\",\"APP_TYPE\":\"1000\",\"CLIENT_VERSION\":\"9998\",\"API_TYPE\":\"fo\",\"API_VERSION\":\"54.0\",\"USER_INITIATED_LOGOUT\":\"1\",\"SESSION_KEY\":\"/b1/C123g6WXplkT\",\"LOGIN_KEY\":\"OK123uSUIZVr9YzF\",\"TIMESTAMP_DERIVED\":\"2021-10-19T05:07:07.128Z\",\"USER_ID_DERIVED\":\"0055j000000utlPAAQ\",\"CLIENT_IP\":\"175.16.199.0\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "related": {
+                "ip": [
+                    "175.16.199.0"
+                ]
+            },
+            "salesforce": {
+                "logout": {
+                    "access_mode": "REST",
+                    "api": {
+                        "type": "fo",
+                        "version": "54.0"
+                    },
+                    "app_type": "Application",
+                    "browser_type": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36",
+                    "client_version": "9998",
+                    "event_type": "Logout",
+                    "login_key": "OK123uSUIZVr9YzF",
+                    "organization_id": "00D5j000000VI3n",
+                    "platform_type": "Windows 10",
+                    "resolution_type": "9999",
+                    "session": {
+                        "level": "Standard Session",
+                        "type": "Content"
+                    },
+                    "user_id": "0055j000000utlP",
+                    "user_initiated_logout": "1"
+                }
+            },
+            "source": {
+                "geo": {
+                    "city_name": "Changchun",
+                    "continent_name": "Asia",
+                    "country_iso_code": "CN",
+                    "country_name": "China",
+                    "location": {
+                        "lat": 43.88,
+                        "lon": 125.3228
+                    },
+                    "region_iso_code": "CN-22",
+                    "region_name": "Jilin Sheng"
+                },
+                "ip": "175.16.199.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "0055j000000utlPAAQ",
+                "roles": "Salesforce Administrator"
+            }
+        }
+    ]
+}
@@ -0,0 +1,12 @@
+input: httpjson
+service: salesforce
+vars:
+  instance_url: http://{{Hostname}}:{{Port}}
+  client_id: temp_client_id
+  client_secret: forty_characters_long_secret_key
+  username: temp_user
+  password: temp_password
+  token_url: http://{{Hostname}}:{{Port}}/services/oauth2/token
+data_stream:
+  vars:
+    preserve_original_event: true
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{period}}
+request.method: GET
+auth.oauth2:
+  enabled: true
+  client.id: {{client_id}}
+  client.secret: {{client_secret}}
+  token_url: {{token_url}}
+  user: {{username}}
+  password: {{password}}
+request.url: {{instance_url}}/services/data/v54.0/query?q=logout+rest
+request.transforms:
+  - set:
+      target: url.params.q
+      value: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' AND LogDate > [[.cursor.last_published_logout]] ORDER BY CreatedDate ASC NULLS FIRST"
+      default: "SELECT Id,CreatedDate,LogDate,LogFile FROM EventLogFile WHERE Interval = 'Hourly' AND EventType = 'Logout' ORDER BY LogDate ASC NULLS FIRST"
+response.split:
+  target: body.records
+chain:
+  - step:
+      request.url: {{instance_url}}/services/data/v54.0/sobjects/EventLogFile/$.records[:].Id/LogFile
+      request.method: GET
+      replace: $.records[:].Id
+cursor:
+  last_published_logout:
+    value: '[[.last_event.LogDate]]'
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_fields:
+    target: salesforce
+    fields:
+      instance_url: {{instance_url}}
+{{#if processors}}
+{{processors}}
+{{/if}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"EVENT_TYPE":"Logout","TIMESTAMP":"20211019050707.13","REQUEST_ID":"4exLFFQZNa5xxFl1cJNwOV","ORGANIZATION_ID":"00D5j000000VI3n","USER_ID":"0055j000000utlP","USER_TYPE":"X","SESSION_TYPE":"C","SESSION_LEVEL":"1","BROWSER_TYPE":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","PLATFORM_TYPE":"1015","RESOLUTION_TYPE":"9999","APP_TYPE":"1000","CLIENT_VERSION":"9998","API_TYPE":"fo","API_VERSION":"54.0","USER_INITIATED_LOGOUT":"1","SESSION_KEY":"/b1/C123g6WXplkT","LOGIN_KEY":"OK123uSUIZVr9YzF","TIMESTAMP_DERIVED":"2021-10-19T05:07:07.128Z","USER_ID_DERIVED":"0055j000000utlPAAQ","CLIENT_IP":"175.16.199.0"}