Skip to main content
Question

Integration Salesforce with Google SecOps

  • May 22, 2025
  • 9 replies
  • 601 views
zwerd
Forum|alt.badge.img+1

We are trying to make new FEED on google SecOps in order to make an API call to get Salesforce logs. We set all fields on Google SecOps FEED that include the following:

API HOSTNAME: https://xxxxxxx.lightning.force.com/
TYPE:OAuth password grant
OAUTH TOKEN ENDPOINT: https://xxxxxxx.my.salesforce.com/services/oauth2/token
SalesforceConsumerKey(OATH CLIENT ID):3MVG9XXXXXXXXXXX
SalesforceConsumerSecret(OAUTH CLIENT SECRET):1286XXXXXXXXXXXXXXXXXXXX
SalesforceUser(USERNAME):someuser@somedomain.com
SalesforceConsumerSecret(PASSWORD):somePassw0r5

After activating the FEED we have got this following error:
Error: REMOTE_SERVER_REPORTED_BAD_REQUESTA connection to the source was established, but the source rejected the request.

Does anyone know this error and can help us with it?

I am sure that I am not the first one who's trying to get salesforce events log on the Google SecOps SIEM.

Regards

 

mmenegon

9 replies

chrisproudley
Staff
Forum|alt.badge.img+4

 Hi @zwerd, there are a few areas that might help.

First, did you enable Client Credential Flow Policies for External Client Apps? Details: https://help.salesforce.com/s/articleView?language=en_US&id=xcloud.policies_configure_client_credentials_flow_for_external_client_apps.htm&release=256.6.0&type=5

If you did, there are a few OAUTH quirks detailed in the Salesforce article 'OAuth 2.0 Username-Password Flow for Special Scenarios': https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_username_password_flow.htm&type=5

You could also try:

  1. Appending the security token at the end of the password
  2. Adding the ?grant_type_password to TokenEndPoint
grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword

 Please let me know how you get on, good luck!

ErikaB
zwerd
Forum|alt.badge.img+1
  • zwerd
  • Author
  • New Member
  • May 25, 2025

 Hi @zwerd, there are a few areas that might help.

First, did you enable Client Credential Flow Policies for External Client Apps? Details: https://help.salesforce.com/s/articleView?language=en_US&id=xcloud.policies_configure_client_credentials_flow_for_external_client_apps.htm&release=256.6.0&type=5

If you did, there are a few OAUTH quirks detailed in the Salesforce article 'OAuth 2.0 Username-Password Flow for Special Scenarios': https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_username_password_flow.htm&type=5

You could also try:

  1. Appending the security token at the end of the password
  2. Adding the ?grant_type_password to TokenEndPoint
grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword

 Please let me know how you get on, good luck!


Hi Chris!

Thank you for your help. Unfortunatly, we are still struggling with getting Salesforce's events logs on the Google SecOps SIEM.

We've enable Client Credential Flow Policies for External Client Apps and we've tried to append "&" at the end of each field, but we still got a "Fail". 

These following fields are those we've insert to the FEED config page:

API HOSTNAME: https://xxxxxxx.lightning.force.com/
TYPE:OAuth password grant
OAUTH TOKEN ENDPOINT: https://xxxxxxx.my.salesforce.com/services/oauth2/token?grant_type=password&

SalesforceConsumerKey(OATH CLIENT ID):3MVG9XXXXXXXXXXX&
SalesforceConsumerSecret(OAUTH CLIENT SECRET):1286XXXXXXXXXXXXXXXXXXXX&
SalesforceUser(USERNAME):someuser@somedomain.com&
SalesforceConsumerSecret(PASSWORD):somePassw0r5

Do you know what else can we do?

we'll be greatful for that.

Thank you!

chrisproudley
chrisproudley
Staff
Forum|alt.badge.img+4

Hi Chris!

Thank you for your help. Unfortunatly, we are still struggling with getting Salesforce's events logs on the Google SecOps SIEM.

We've enable Client Credential Flow Policies for External Client Apps and we've tried to append "&" at the end of each field, but we still got a "Fail". 

These following fields are those we've insert to the FEED config page:

API HOSTNAME: https://xxxxxxx.lightning.force.com/
TYPE:OAuth password grant
OAUTH TOKEN ENDPOINT: https://xxxxxxx.my.salesforce.com/services/oauth2/token?grant_type=password&

SalesforceConsumerKey(OATH CLIENT ID):3MVG9XXXXXXXXXXX&
SalesforceConsumerSecret(OAUTH CLIENT SECRET):1286XXXXXXXXXXXXXXXXXXXX&
SalesforceUser(USERNAME):someuser@somedomain.com&
SalesforceConsumerSecret(PASSWORD):somePassw0r5

Do you know what else can we do?

we'll be greatful for that.

Thank you!


Hi @zwerd, thanks for bearing with me. I am not sure the endpoint format you're using is valid. Here's an example of a valid format for JWT:

<https>://test.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

So I think yours needs to look something like:

<https>://test.salesforce.com/services/oauth2/token?grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser@salesforce.com&password=mypassword

obviously swapping out the example client_id, client_secret, username and password fields for your actual values.

zwerd
Forum|alt.badge.img+1
  • zwerd
  • Author
  • New Member
  • June 18, 2025

Hi @zwerd, thanks for bearing with me. I am not sure the endpoint format you're using is valid. Here's an example of a valid format for JWT:

<https>://test.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

So I think yours needs to look something like:

<https>://test.salesforce.com/services/oauth2/token?grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser@salesforce.com&password=mypassword

obviously swapping out the example client_id, client_secret, username and password fields for your actual values.




Hi @chrisproudley 
Thank you again for your support.
I’m a bit confused about your recommendation to put all the parameters (client_id, client_secret, username, password) directly into the URL of the token endpoint.
In Google SecOps, when creating a FEED, there are separate fields to enter each of these values individually. I'm trying to understand why all of them should be combined into the URL itself.
For refernce, here's a screenshot that show how the fields are configured in Google SecOps.


We’ve tried both ways, entering parameters separately in the designated fields and concatenating everything in the URL — but unfortunately, the connection still fails.
Could you please clarify if Google SecOps requires a special configuration or workaround for this? Or if there is another recommended approach to make the OAuth password grant flow work correctly with this system?
Thanks again for your help!
Best regards,

 

Ben_T
T
Forum|alt.badge.img
  • tim_1
  • New Member
  • June 24, 2025

I've tried this method - it's inconslusive... all i get from the log is this with my Event Monitoring: 

"ApexTrigger","20250430010459.921","TID:13580298100000f31a","00D90000000ueYa","0059q00000000n0","","0","","WP4Yg7WZi/PSbdDk","yYRkF9lj2WDJ0U39","","","","01q9q0000008ONK","rsplus.VtTaskToSMS","Task","AfterInsert","1","2025-04-30T01:04:59.921Z","0059w0a2300IbnWAAS","xxx.xxx.xxx.xxx",""

 The data is useless - as it doesn't tie in the Users' name or activity.
I'm trying to see if i can do it with this method - https://cloud.google.com/chronicle/docs/ingestion/default-parsers/salesforce however, i'm having issues with my Salesforce team as I don't know what objects to map too to get the data here listed...

Ben_T
J0x
Forum|alt.badge.img
  • J0x
  • New Member
  • August 19, 2025

Hey ​@tim_1 ​@zwerd did you get the AWS App flow method working? as per https://cloud.google.com/chronicle/docs/ingestion/default-parsers/salesforce?hl=en

I’ve got a working feed with the method you’re using above but agree the data seem useless. 

Ben_T
J0x
Forum|alt.badge.img
  • J0x
  • New Member
  • September 2, 2025

I’m using Appflow now, but the configuration looks like we need to setup many appflows in order to get the data into SecOps - It’s going to be quite a bit of effort to assess each flow to determine what data we need and don’t need. 

Anyone else completed this to give a rough indication for typical security use cases?

Ben_T
Drew
Forum|alt.badge.img
  • Drew
  • New Member
  • September 20, 2025

Hi Team, 

Currently facing this same issue. ​@zwerd , were you able to configure the feed for SalesForce?

Ben_T
Drew
Forum|alt.badge.img
  • Drew
  • New Member
  • September 26, 2025

Bumping this threat still. I was able to get full access enabled for this integration, but having trouble getting the feed stood up. 

Ben_T
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.