Collect Salesforce logs
Overview
This parser handles Salesforce logs in LEEF, CSV, and JSON formats. It extracts fields, performs format-specific processing (handling LEEF key-value pairs, CSV columns, and JSON structures), maps them to the UDM, and enriches the data with metadata and derived fields. The parser also handles various Salesforce event types, applying specific logic for logins, logouts, and other actions, categorizing events, and setting appropriate UDM event types.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance.
- Privileged access to AWS IAM, S3 and AppFlow.
Configure Amazon S3 bucket
- Create an Amazon S3 bucket following this user guide: Creating a bucket.
- Save the bucket Name and Region for future reference.
- Create a User following this user guide: Creating an IAM user.
- Select the created User.
- Select the Security credentials tab.
- Click Create Access Key in the Access Keys section.
- Select Third-party service as the Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download .csv file. (Save the Access Key and Secret Access Key for future reference.)
- Click Done.
- Select the Permissions tab.
- Click Add permissions in the Permissions policies section.
- Select Add permissions.
- Select Attach policies directly.
- Search for the AmazonS3FullAccess policy.
- Select the policy.
- Click Next.
- Click Add permissions.
Configure Amazon AppFlow
- Create an Amazon AppFlow flow:
- Flow name: Add a flow name and click Next.
- Data source: Choose Salesforce as the data source.
- Create a new connection.
- A Salesforce sign-in window appears. Sign in with your Salesforce credentials.
- Select the object name (choose the data you want to transfer from Salesforce to the S3 bucket).
- Select Amazon S3 as the data destination.
- Select Schedule as the flow trigger.
- In Choose Source Fields, you can either Map all fields directly or specify which fields to map.
- Validate the configuration:
- In Amazon AppFlow, select the flow you created, and click Run flow to fetch data from Salesforce.
- The logs should now be in your S3 bucket.
Set up feeds
To configure a feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed; for example, Salesforce Logs.
- Select Amazon S3 V2 as the Source type.
- Select Salesforce as the Log type.
- Click Next.
- Specify values for the following input parameters:
  - S3 URI: the bucket URI, in the form s3://BUCKET_NAME. Replace BUCKET_NAME with the name of the bucket.
  - Source deletion options: select the deletion option according to your preference.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
Account.Name | target.resource.name | The value of Account.Name from the raw log. |
AccountId | target.resource.id | The value of AccountId from the raw log. |
Action | security_result.description | The value of Action from the raw log. |
AdditionalInfo | - | Not mapped to the UDM object. |
ApiType | target.application | The value of ApiType from the raw log. |
ApiVersion | - | Not mapped to the UDM object. |
Application | principal.application | The value of Application from the raw log, or "Browser" for LoginAsEvent, or "Integration JWT Token" for LoginEvent, or "SfdcSiqActivityPlatform" for LoginHistory with objecttype LoginHistory, or "N/A" for ApiEvent, or "Browser" for LoginAsEventStream. |
attributes.url | target.url | The value of attributes.url from the raw log, or specific URLs for various event types from the raw log. |
attributes.type | metadata.product_event_type | The value of attributes.type from the raw log. |
AuthSessionId | network.session_id | The value of AuthSessionId from the raw log. |
Browser | principal.resource.name | The value of Browser from the raw log, or "Unknown" if Browser is not available in raw log and Application is "Insights", or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner", or "Unknown" for LoginHistory with Application as "SfdcSiqActivityPlatform", or from data.properties.Browser.str for LoginAsEventStream. |
Case.Subject | target.resource.name | The value of Case.Subject from the raw log. |
CaseId | target.resource.id | The value of CaseId from the raw log. |
cat | metadata.product_event_type | The value of cat from the raw log. |
City | principal.location.city | The value of City from the raw log, or from LoginGeo.City for LoginHistory. |
Client | principal.labels | The value of Client from the raw log, formatted as a label. |
CLIENT_IP | principal.ip, principal.asset.ip | The value of CLIENT_IP from the raw log. |
ClientVersion | - | Not mapped to the UDM object. |
CipherSuite | network.tls.cipher | The value of CipherSuite from the raw log. |
ColumnHeaders | principal.labels | The value of ColumnHeaders from the raw log, formatted as a label. |
ConnectedAppId | principal.labels | The value of ConnectedAppId from the raw log, formatted as a label. |
Contact.Name | target.resource.name | The value of Contact.Name from the raw log. |
ContactId | target.resource.id | The value of ContactId from the raw log. |
Country | principal.location.country_or_region | The value of Country from the raw log, or LoginGeo.Country for LoginHistory. |
CreatedByContext | principal.user.userid | The value of CreatedByContext from the raw log. |
CreatedById | principal.resource.attribute.labels | The value of CreatedById from the raw log, formatted as a label. |
CreatedDate | metadata.collected_timestamp | The value of CreatedDate from the raw log, or the current timestamp if not available. |
CPU_TIME | target.resource.attribute.labels | The value of CPU_TIME from the raw log, formatted as a label. |
data | - | Contains various fields that are extracted and mapped individually. |
DATASET_IDS | target.resource.name | The value of DATASET_IDS from the raw log. |
DelegatedOrganizationId | target.administrative_domain | The value of DelegatedOrganizationId from the raw log. |
DelegatedUsername | observer.user.userid | The value of DelegatedUsername from the raw log. |
Description | metadata.description | The value of Description from the raw log. |
DevicePlatform | principal.resource.type | The value of DevicePlatform from the raw log, parsed to extract the resource type. |
Display | metadata.description | The value of Display from the raw log. |
DOWNLOAD_FORMAT | target.resource.attribute.labels | The value of DOWNLOAD_FORMAT from the raw log, formatted as a label. |
Duration | target.resource.attribute.labels | The value of Duration from the raw log, formatted as a label. |
ENTITY_NAME | target.resource.attribute.labels | The value of ENTITY_NAME from the raw log, formatted as a label. |
ErrorCode | security_result.action | The value of ErrorCode from the raw log, transformed to ALLOW or BLOCK. |
EventDate | timestamp | The value of EventDate from the raw log, or data.properties.TIMESTAMP_DERIVED.str if available, or data.properties.TIMESTAMP_DERIVED_FIRST.str if available, or @timestamp if available, or created_date if available, or timestamp if available, or LoginTime for LoginHistory. |
EventIdentifier | metadata.product_log_id | The value of EventIdentifier from the raw log. |
EventType | metadata.product_event_type | The value of EventType from the raw log. |
Id | principal.user.userid | The value of Id from the raw log, or metadata.product_log_id for SetupAuditTrail and other events. |
IdentityUsed | principal.user.email_addresses | The value of IdentityUsed from the raw log. |
Lead.Name | target.resource.name | The value of Lead.Name from the raw log. |
LeadId | target.resource.id | The value of LeadId from the raw log. |
LoginAsCategory | - | Not mapped to the UDM object. |
LoginGeo.Country | principal.location.country_or_region | The value of LoginGeo.Country from the raw log. |
LoginHistoryId | - | Not mapped to the UDM object. |
LoginKey | principal.user.userid, network.session_id | The value of LoginKey from the raw log, or CreatedByContext for SetupAuditTrail. |
LoginTime | timestamp | The value of LoginTime from the raw log. |
LoginType | security_result.description | The value of LoginType from the raw log, or "Other Apex API" for LoginHistory with ApiType as "SOAP Partner", or "Remote Access 2.0" for LoginHistory with Application as "SfdcSiqActivityPlatform". |
LoginUrl | target.url, principal.url | The value of LoginUrl from the raw log. |
LogFile | principal.resource.attribute.labels | The value of LogFile from the raw log, formatted as a label. |
LogFileContentType | principal.resource.attribute.labels | The value of LogFileContentType from the raw log, formatted as a label. |
LogFileLength | principal.resource.attribute.labels | The value of LogFileLength from the raw log, formatted as a label. |
Message | - | Not mapped to the UDM object. |
METHOD | network.http.method | The value of METHOD from the raw log. |
Name | target.application | The value of Name from the raw log. |
NewValue | - | Used in conjunction with OldValue to generate security_result.summary. |
NUMBER_FIELDS | target.resource.attribute.labels | The value of NUMBER_FIELDS from the raw log, formatted as a label. |
OldValue | - | Used in conjunction with NewValue to generate security_result.summary. |
Operation | security_result.description, target.resource.attribute.labels | The value of Operation from the raw log, or Display for SetupAuditTrail. |
OperationStatus | security_result.action | The value of OperationStatus from the raw log, transformed to ALLOW or BLOCK. |
ORGANIZATION_ID | target.administrative_domain | The value of ORGANIZATION_ID from the raw log. |
OsName | principal.platform | The value of OsName from the raw log. |
OsVersion | principal.platform_version | The value of OsVersion from the raw log. |
Platform | principal.platform | The value of Platform from the raw log, or from data.properties.OsName.str for LightningUriEventStream, or from data.properties.OsName.str for LoginEventStream. |
QueriedEntities | target.resource.name, principal.labels | The value of QueriedEntities from the raw log, or component_name for UriEvent and ApiEvent. |
Query | target.process.command_line, principal.labels | The value of Query from the raw log. |
RecordId | target.resource.id | The value of RecordId from the raw log. |
Records | principal.labels | The value of Records from the raw log, formatted as a label. |
REQUEST_ID | metadata.product_log_id, target.resource.product_object_id | The value of REQUEST_ID from the raw log. |
REQUEST_SIZE | network.sent_bytes | The value of REQUEST_SIZE from the raw log. |
REQUEST_STATUS | security_result.summary | The value of REQUEST_STATUS from the raw log. |
RESPONSE_SIZE | network.received_bytes | The value of RESPONSE_SIZE from the raw log. |
RowsProcessed | target.resource.attribute.labels | The value of RowsProcessed from the raw log, formatted as a label. |
RUN_TIME | target.resource.attribute.labels | The value of RUN_TIME from the raw log, formatted as a label. |
SamlEntityUrl | - | Not mapped to the UDM object. |
SdkAppType | - | Not mapped to the UDM object. |
SdkAppVersion | - | Not mapped to the UDM object. |
SdkVersion | - | Not mapped to the UDM object. |
Section | security_result.summary | The value of Section from the raw log. |
SessionKey | network.session_id | The value of SessionKey from the raw log. |
SessionLevel | target.resource.attribute.labels | The value of SessionLevel from the raw log, formatted as a label. |
SourceIp | principal.ip, principal.asset.ip | The value of SourceIp from the raw log. |
src | principal.ip, principal.asset.ip | The value of src from the raw log. |
SsoType | target.resource.attribute.labels | The value of SsoType from the raw log, formatted as a label. |
STATUS_CODE | network.http.response_code | The value of STATUS_CODE from the raw log. |
Status | security_result.action, security_result.action_details | The value of Status from the raw log, transformed to ALLOW or BLOCK, or used as action details for LoginEventStream. |
Subject | target.resource.name | The value of Subject from the raw log. |
TargetUrl | - | Not mapped to the UDM object. |
TIMESTAMP | metadata.collected_timestamp | The value of TIMESTAMP from the raw log. |
TIMESTAMP_DERIVED | timestamp | The value of TIMESTAMP_DERIVED from the raw log. |
TlsProtocol | network.tls.version_protocol | The value of TlsProtocol from the raw log. |
URI | target.url | The value of URI from the raw log. |
USER_AGENT | network.http.user_agent | The value of USER_AGENT from the raw log. |
USER_ID | principal.user.userid | The value of USER_ID from the raw log. |
USER_ID_DERIVED | principal.user.product_object_id, target.resource.attribute.labels | The value of USER_ID_DERIVED from the raw log. |
UserId | principal.user.userid | The value of UserId from the raw log. |
USER_TYPE | target.resource.attribute.labels | The value of USER_TYPE from the raw log, formatted as a label. |
Username | principal.user.userid, principal.user.email_addresses, target.user.email_addresses | The value of Username from the raw log, or src_email for various events, or IdentityUsed for IdentityProviderEventStore, or data.properties.Email.str for Search and SearchAlert, or data.properties.Username.str for LoginAsEventStream and LoginEventStream. |
UserType | target.resource.attribute.labels | The value of UserType from the raw log, formatted as a label. |
usrName | principal.user.userid, principal.user.email_addresses, target.user.email_addresses | The value of usrName from the raw log. |
VerificationMethod | target.resource.attribute.labels | The value of VerificationMethod from the raw log, formatted as a label. |
Parser Logic | metadata.event_type | Derived based on the event_id and operation fields, or set to "USER_LOGIN" for LoginEventStream, "USER_LOGOUT" for Logout and LogoutEvent, "USER_RESOURCE_UPDATE_CONTENT" for various events, "USER_RESOURCE_UPDATE_PERMISSIONS" for PlatformEncryption, "RESOURCE_READ" for QueuedExecution, ApexExecution, LightningInteraction, LightningPerformance, LightningPageView, URI, RestApi, API, AuraRequest, ApexCallout, OneCommerceUsage, Sites, MetadataApiOperation, OneCommerceUsage, VisualforceRequest, Dashboard, Search, ListViewEvent, "RESOURCE_CREATION" for UriEvent and TimeBasedWorkflow with Operation as "Create" or "INSERT", "RESOURCE_WRITTEN" for UriEvent and LightningUriEvent with Operation as "Update", "RESOURCE_DELETION" for UriEvent with Operation as "Delete" or "ROLLBACK", "USER_UNCATEGORIZED" for SetupAuditTrail and AuditTrail, "USER_CHANGE_PASSWORD" for SetupAuditTrail with operation as "namedCredentialEncryptedFieldChange", "GENERIC_EVENT" for ApiEventStream and LightningUriEventStream, or based on network and principal presence. |
Parser Logic | metadata.ingestion_labels | Labels indicating the source of the event, either "Event Log File" or "Real-Time Event Monitoring" or "SetupAuditTrail". |
Parser Logic | metadata.log_type | Always set to "SALESFORCE". |
Parser Logic | metadata.product_name | Always set to "SALESFORCE". |
Parser Logic | metadata.vendor_name | Always set to "SALESFORCE". |
Parser Logic | metadata.url_back_to_product | Constructed from various fields like LoginUrl, attributes.url, data.properties.PageUrl.str, data.properties.LoginUrl.str. |
Parser Logic | network.application_protocol | Set to "HTTPS" if the uri field starts with "http". |
Parser Logic | network.http.referral_url | Extracted from the user_agent field if it contains "Referer=". |
Parser Logic | network.http.response_code | Derived from request_status for various events. |
Parser Logic | network.http.user_agent | The value of user_agent from the raw log, or from data.properties.UserAgent.str for ApiEventStream and LoginEventStream, or from Sites events, or "User-Agent" from Sites events. |
Parser Logic | network.session_id | The value of session_key or SESSION_KEY from the raw log, or constructed from other fields like LoginKey or AuthSessionId. |
Parser Logic | network.tls.version | The value of tls_protocol from the raw log, or from data.properties.TlsProtocol.str for LoginEventStream. |
Parser Logic | principal.application | The value of application from the raw log, or "Salesforce for Outlook" for Login: Success events, or "Insights" for Login: Success events with no Application, or extracted from device_platform for Lightning events. |
Parser Logic | principal.asset.hostname | The value of client_ip if it is a hostname. |
Parser Logic | principal.asset.ip | The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address. |
Parser Logic | principal.hostname | The value of client_ip if it is a hostname. |
Parser Logic | principal.ip | The value of client_ip or src_ip or SourceIp or CLIENT_IP if it is an IP address. |
Parser Logic | principal.labels | Labels constructed from various fields like FederationIdentifier, ApiType, OrgId, channel. |
Parser Logic | principal.location.city | The value of geoip_src.city_name or City or LoginGeo.City from the raw log. |
Parser Logic | principal.location.country_or_region | The value of geoip_src.country_name or Country or LoginGeo.Country or client_geo from the raw log. |
Parser Logic | principal.location.region_latitude | The value of data.properties.LoginLatitude.number from the raw log. |
Parser Logic | principal.location.region_longitude | The value of data.properties.LoginLongitude.number from the raw log. |
Parser Logic | principal.location.state | The value of geoip_src.region_name from the raw log. |
Parser Logic | principal.platform | The value of Platform or OsName or os_name from the raw log, or "WINDOWS" for LoginEventStream with Platform containing "Windows". |
Parser Logic | principal.platform_version | The value of OsVersion or os_version from the raw log, or extracted from Platform for LoginEventStream with Platform containing "Windows". |
Parser Logic | principal.resource.attribute.labels | Labels constructed from various fields like CreatedById, ApiVersion, LogFile, LogFileContentType, LogFileLength. |
Parser Logic | principal.resource.name | The value of Browser or browser_name from the raw log, or "Java (Salesforce.com)" for LoginHistory with ApiType as "SOAP Partner". |
Parser Logic | principal.resource.type | Extracted from device_platform for Lightning events, or "Browser" for LoginAsEvent and LoginAsEventStream. |
Parser Logic | principal.url | The value of LoginUrl from the raw log. |
Parser Logic | principal.user.email_addresses | The value of usrName or Username or src_email or IdentityUsed or data.properties.Username.str or data.properties.Email.str from the raw log. |
Parser Logic | principal.user.product_object_id | The value of attrs.USER_ID_DERIVED or data.properties.USER_ID_DERIVED.str from the raw log. |
Parser Logic | principal.user.userid | The value of usrName or Username or user_id or UserId or USER_ID or Id or LoginKey or CreatedByContext or data.properties.Username.str or data.properties.USER_ID.str or data.properties.LoginKey.str from the raw log. |
Parser Logic | security_result.action | Derived from Status or OperationStatus or ErrorCode or action or operation_status from the raw log, transformed to ALLOW or BLOCK. |
Parser Logic | security_result.action_details | The value of Status from the raw log for LoginEventStream. |
Parser Logic | security_result.description | The value of LoginType or logintype or Operation or Action or Display from the raw log. |
Parser Logic | security_result.rule_name | The value of Policy or rule_name from the raw log. |
Parser Logic | security_result.summary | Constructed from NewValue and OldValue or REQUEST_STATUS or Section or forecastcategory from the raw log. |
Parser Logic | target.administrative_domain | The value of ORGANIZATION_ID or DelegatedOrganizationId or organization_id or data.properties.OrgName.str from the raw log. |
Parser Logic | target.application | The value of Application or app_name or ApiType or Name or data.properties.Application.str from the raw log. |
Parser Logic | target.asset.hostname | The value of target_hostname extracted from the uri field. |
Parser Logic | target.asset.ip | The value of data.properties.CLIENT_IP.str from the raw log. |
Parser Logic | target.asset_id | Constructed from device_id or REQUEST_ID. |
Parser Logic | target.file.mime_type | The value of file_type from the raw log. |
Parser Logic | target.file.size | The value of size_bytes from the raw log. |
Parser Logic | target.hostname | The value of target_hostname extracted from the uri field. |
Parser Logic | target.process.command_line | The value of query_exec or Query or data.properties.Query.str from the raw log. |
Parser Logic | target.process.pid | The value of job_id from the raw log. |
Parser Logic | target.resource.attribute.labels | Labels constructed from various fields like CPU_TIME, RUN_TIME, USER_TYPE, DB_TOTAL_TIME, MEDIA_TYPE, ROWS_PROCESSED, NUMBER_FIELDS, DB_BLOCKS, DB_CPU_TIME, ENTITY_NAME, EXCEPTION_MESSAGE, USER_ID_DERIVED, DOWNLOAD_FORMAT, USER_TYPE, CPU_TIME, RUN_TIME, WAVE_SESSION_ID, SessionLevel, verification_method, cpu_time, run_time, db_total_time, db_cpu_time, exec_time, callout_time, number_soql_queries, duration, user_type, entry_point, operation, session_level, rows_processed, sso_type, dashboard_type, Operation, SessionLevel. |
Parser Logic | target.resource.id | The value of REQUEST_ID or RecordId or caseid or leadid or contactid or opportunityid or accountid from the raw log. |
Parser Logic | target.resource.name | The value of QueriedEntities or resource_name or component_name or DATASET_IDS or field or StageName or Subject from the raw log. |
Parser Logic | target.resource.product_object_id | The value of REQUEST_ID from the raw log. |
Parser Logic | target.resource.resource_type | Set to "ACCESS_POLICY" for ApexCallout and PlatformEncryption, or "DATABASE" for ApexTrigger, or "FILE" for ContentTransfer, or "TABLE" for ApiEvent. |
Parser Logic | target.resource.type | Set to "BATCH" for QueuedExecution and ApexExecution, or "FILE" for ContentTransfer, or "DATABASE_TRIGGER" for ApexTrigger, or "Case", "Lead", "Contact", "Opportunity", "Account" based on the presence of corresponding ID fields. |
Parser Logic | target.url | The value of LoginUrl or URI or attributes.url or login_url or uri from the raw log. |
Parser Logic | target.user.email_addresses | The value of Username or attrs.usrName or email_address from the raw log. |
Parser Logic | target.user.user_display_name | The value of target_user_display_name or user_name or username from the raw log. |
Parser Logic | target.user.userid | The value of target_user_name or data.properties.UserId.str or data.properties.CreatedById.str from the raw log. |
Parser Logic | extensions.auth.auth_details | Set to "ACTIVE" if Status is not "Success", otherwise set to "UNKNOWN_AUTHENTICATION_STATUS". |
Parser Logic | extensions.auth.mechanism | Set to "REMOTE" for Login: Success and Login events with logintype containing "Remote", or "USERNAME_PASSWORD" for LoginEventStream, or "MECHANISM_OTHER" for events with login_url present, or "AUTHTYPE_UNSPECIFIED" for Login: Success and Logout events. |
Parser Logic | extensions.auth.type | Set to "SSO" for Login, Logout, LogoutEvent, LoginAs, IdentityProviderEventStore, LoginHistory, LoginAsEvent with LoginType as "SAML Sfdc Initiated SSO", or "AUTHTYPE_UNSPECIFIED" for Login: Success, Logout, LoginAsEvent with LoginType as "Application". |
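The following sketch is an added example, not Google SecOps parser code: it applies a handful of rows from the mapping table to one flat JSON record so you can see which UDM fields a detection rule would query. The sample record, the function names, the rule that a Status of "Success" means ALLOW, and the GENERIC_EVENT fallback are assumptions made for this example.

```python
import ipaddress
import json

# Constructed flat record for illustration; not real Salesforce data.
SAMPLE = json.loads("""{
  "EventType": "LoginEventStream", "Username": "analyst@example.com",
  "SourceIp": "203.0.113.7", "Status": "Invalid Password",
  "SessionKey": "constructed-session-1"
}""")

# Subset of the metadata.event_type row; Operation values apply to UriEvent only.
READ_EVENTS = {"ApexExecution", "RestApi", "API", "URI", "Dashboard", "Search"}
URI_OPERATIONS = {
    "Create": "RESOURCE_CREATION", "INSERT": "RESOURCE_CREATION",
    "Update": "RESOURCE_WRITTEN",
    "Delete": "RESOURCE_DELETION", "ROLLBACK": "RESOURCE_DELETION",
}


def event_type(product_event_type, operation=None):
    """Pick metadata.event_type from the event name and, for UriEvent, Operation."""
    if product_event_type == "LoginEventStream":
        return "USER_LOGIN"
    if product_event_type in ("Logout", "LogoutEvent"):
        return "USER_LOGOUT"
    if product_event_type == "UriEvent" and operation in URI_OPERATIONS:
        return URI_OPERATIONS[operation]
    if product_event_type in READ_EVENTS:
        return "RESOURCE_READ"
    return "GENERIC_EVENT"  # assumption: fallback used by this sketch only


def split_principal(value):
    """IP literals fill principal.ip / asset.ip; anything else is a hostname."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return {"hostname": value, "asset": {"hostname": value}}
    return {"ip": [value], "asset": {"ip": [value]}}


def to_udm(record):
    """Map one flat record to a UDM-shaped dict using rows from the table."""
    etype = record.get("EventType", "")
    udm = {
        "metadata": {
            "vendor_name": "SALESFORCE", "product_name": "SALESFORCE",
            "log_type": "SALESFORCE", "product_event_type": etype,
            "event_type": event_type(etype, record.get("Operation")),
        },
        "principal": {}, "network": {}, "security_result": {},
    }
    source = next((record[k] for k in ("CLIENT_IP", "SourceIp", "src") if record.get(k)), None)
    if source:
        udm["principal"].update(split_principal(source))
    if record.get("Username"):
        udm["principal"]["user"] = {"userid": record["Username"],
                                    "email_addresses": [record["Username"]]}
    if record.get("SessionKey"):
        udm["network"]["session_id"] = record["SessionKey"]
    status = record.get("Status")
    if status:
        # Assumption: "Success" means ALLOW, every other Status means BLOCK.
        udm["security_result"]["action"] = "ALLOW" if status == "Success" else "BLOCK"
        if etype == "LoginEventStream":
            udm["security_result"]["action_details"] = status
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE), indent=2))
```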