Salesforce AuditTrail
Collect audit trail logs from Salesforce to monitor setup changes and administrative actions.
The Salesforce Audit Trail source works by polling your Salesforce Audit Trail logs every 15 minutes. Salesforce stores Audit Trail logs for 180 days, and RunReveal will backfill your Salesforce Audit Trail logs with everything that is available.

Ingest Methods
RunReveal offers the following ways to ingest Salesforce AuditTrail logs:
API Polling
Salesforce AuditTrail supports API polling to collect audit logs from your Salesforce account using OAuth 2.0 client credentials.
Step 1: Create the External Client App
- In Salesforce, go to Setup (click the gear icon)
- In the Quick Find box, search for “External Client App Manager”
- Click “New External Client App” in the top right
- Fill in the basic information:
  - Connected App Name: Your integration name (e.g. “RunReveal”)
  - API Name: Auto-fills based on the name
  - Contact Email: Your email
Step 2: Configure OAuth Settings
- Check “Enable OAuth Settings”
- Set Callback URL to: https://login.salesforce.com/services/oauth2/callback
- Under Selected OAuth Scopes, add the following scopes:
  - Perform requests at any time (refresh_token, offline_access)
  - Manage user data via APIs (api)
- Check “Enable Client Credentials Flow”
- Click “Create”
Step 3: Enable Client Credentials Flow
- Edit the app you just created
- Check “Enable Client Credentials Flow”
- In the “Run As” field, search for and select the execution user
The Run As user must have “View All Data” and “API Enabled” permissions.
Step 4: Save and Retrieve Credentials
- Click “Save”
- Click “Continue” on the confirmation page
- You’ll see the Consumer Key displayed immediately
- Click “Manage Consumer Details” to view the Consumer Secret
- Salesforce will send a verification code to your email — enter it to proceed
Step 5: Connect in RunReveal
- Go to Sources in RunReveal
- Click the Salesforce AuditTrail source tile
- Give it a name and fill in the required fields:
  - Salesforce Instance Host: Your Salesforce instance URL (e.g. company.my.salesforce.com)
  - Client ID: The Consumer Key from Step 4
  - Client Secret: The Consumer Secret from Step 4
- Click Connect Source

Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: salesforce_audittrail_logs (44 columns)

| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| Id | String |
| ACTION | String |
| CreatedById | String |
| CreatedByIssuer | String |
| CreatedDate | String |
| DelegateUser | String |
| Display | String |
| Section | String |
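
A detection query over this table, as an added example (not RunReveal's own code): it lists setup changes from the last 24 hours that were either performed through Login-As (Salesforce's SetupAuditTrail reference describes DelegateUser as the Login-As user, blank otherwise) or whose Section/ACTION pair did not occur in the preceding 30 days. It assumes ClickHouse-style SQL and that a blank DelegateUser is stored as an empty string; the 24-hour and 30-day windows are arbitrary choices.

```sql
-- Added example: assumes ClickHouse-style SQL; time windows are arbitrary choices.
-- Only columns listed in the schema table above are used.
SELECT
    Section,
    ACTION,
    CreatedById,
    DelegateUser,
    min(eventTime)      AS firstSeen,
    max(eventTime)      AS lastSeen,
    count()             AS events,
    any(Display)        AS sampleDisplay,
    -- Assumption: a blank DelegateUser is stored as an empty string.
    DelegateUser != ''  AS viaLoginAs,
    -- True when this Section/ACTION pair is absent from the 30-day baseline.
    (Section, ACTION) NOT IN (
        SELECT Section, ACTION
        FROM salesforce_audittrail_logs
        WHERE eventTime >= now() - INTERVAL 31 DAY
          AND eventTime <  now() - INTERVAL 1 DAY
    )                   AS newForOrg
FROM salesforce_audittrail_logs
WHERE eventTime >= now() - INTERVAL 1 DAY
GROUP BY Section, ACTION, CreatedById, DelegateUser
HAVING viaLoginAs OR newForOrg
ORDER BY firstSeen;
```

The baseline comparison is only meaningful once the initial backfill of historical Audit Trail logs has completed.
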
Related Documentation
For more information on configuring and using the Salesforce AuditTrail source:
- External Client Apps in Salesforce - Step-by-step guide to creating the Connected App and retrieving your Client ID and Client Secret
- SetupAuditTrail Object Reference - Salesforce developer documentation for the SetupAuditTrail object that RunReveal queries