From 895caef784c6f7105888232437f1b1e742c3554d Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 30 Jan 2025 17:07:20 -0600 Subject: [PATCH 01/10] Add Salesforce FedRAMP page --- .../casb-integrations/salesforce-fedramp.mdx | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx new file mode 100644 index 000000000000000..473c5cb48497a8a --- /dev/null +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx 
@@ -0,0 +1,80 @@ +--- +pcx_content_type: reference +title: Salesforce (FedRAMP) +rss: file +head: + - tag: title + content: Salesforce (FedRAMP) - CASB +--- + +import { Render } from "~/components"; + + + +## Integration prerequisites + +- A FedRAMP-compliant Salesforce environment (most editions are compatible) +- Permissions to a Salesforce organization with either: + - System Administrator permission + - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data + +## Integration permissions + +For the Salesforce (FedRAMP) integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: + +- `Manage user data via APIs (api)` +- `Manage user data via Web browsers (web)` +- `Perform requests at any time (refresh_token, offline_access)` +- `Access unique user identifiers (openid)` + +These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm). + +## Security findings + + + +### File sharing + +Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion. 
+ +| Finding type | FindingTypeID | Severity | +| --------------------------------------------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce (FedRAMP): Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | +| Salesforce (FedRAMP): Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | +| Salesforce (FedRAMP): Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | +| Salesforce (FedRAMP): Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | +| Salesforce (FedRAMP): Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | + +### Account misconfigurations + +Discover account and admin-level settings that have been configured in an insecure way. + +| Finding type | FindingTypeID | Severity | +| ------------------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce (FedRAMP): Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | +| Salesforce (FedRAMP): Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | +| Salesforce (FedRAMP): Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | +| Salesforce (FedRAMP): Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | +| Salesforce (FedRAMP): Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | +| Salesforce (FedRAMP): Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | +| Salesforce (FedRAMP): Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | + +### User access + +Flag user 
access issues, including account misuse and users not following best practices. + +| Finding type | FindingTypeID | Severity | +| --------------------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce (FedRAMP): User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | +| Salesforce (FedRAMP): Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | +| Salesforce (FedRAMP): User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | +| Salesforce (FedRAMP): User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | From f93d8ee544bf7c6cb5b0ad6da0de2bed804c056f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 30 Jan 2025 17:07:55 -0600 Subject: [PATCH 02/10] Add link to directory --- .../cloudflare-one/applications/casb/casb-integrations/index.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx index ff9899813f56fe8..2d3e2ac9f00eabb 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx @@ -25,5 +25,6 @@ You can integrate the following SaaS applications and cloud environments with Cl - [SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/) - [Outlook](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook/) - [Salesforce](/cloudflare-one/applications/casb/casb-integrations/salesforce/) +- [Salesforce (FedRAMP)](/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp/) - [ServiceNow](/cloudflare-one/applications/casb/casb-integrations/servicenow/) - [Slack](/cloudflare-one/applications/casb/casb-integrations/slack/) 
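Review bot: The finding tables in the new salesforce-fedramp.mdx carry exactly the same FindingTypeIDs as the existing Salesforce page (for example `4cde56ed-19db-4cdb-a6c6-3aede5e17785` for "Content Document publicly accessible without a password" and `20916e32-442e-4622-9e54-e1f37eb7d79f` for "Domain without HTTPS"); only the "Salesforce (FedRAMP):" prefix differs. Confirm that the FedRAMP integration really emits the same IDs, and if it does, the two pages should share one partial rather than an 80-line copy. Later commits in this series introduce that partial, so consider squashing so the duplicated tables never land in history.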
From 8eac7de6ad179bae9089ce234b0e452419a43688 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 14:59:37 -0600 Subject: [PATCH 03/10] Remove Markdown tags from partials --- .../cloudflare-one/casb/integration-description.mdx | 7 ------- src/content/partials/cloudflare-one/casb/shared-links.mdx | 4 ---- 2 files changed, 11 deletions(-) diff --git a/src/content/partials/cloudflare-one/casb/integration-description.mdx b/src/content/partials/cloudflare-one/casb/integration-description.mdx index 3baece0a120525c..4d482dde0baed21 100644 --- a/src/content/partials/cloudflare-one/casb/integration-description.mdx +++ b/src/content/partials/cloudflare-one/casb/integration-description.mdx @@ -1,12 +1,5 @@ --- inputParameters: integrationName;;integrationAccountType - --- -import { Markdown } from "~/components" - -
- The {props.one} integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated {props.two} that could leave you and your organization vulnerable. - -
diff --git a/src/content/partials/cloudflare-one/casb/shared-links.mdx b/src/content/partials/cloudflare-one/casb/shared-links.mdx index 86029dfd2d14c88..84518930e4e2c37 100644 --- a/src/content/partials/cloudflare-one/casb/shared-links.mdx +++ b/src/content/partials/cloudflare-one/casb/shared-links.mdx @@ -2,8 +2,4 @@ {} --- -
- To access some file findings, you may need to review shared links. For more information, refer to [View shared files](/cloudflare-one/applications/casb/manage-findings/#view-shared-files). - -
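Review bot: After the Markdown wrapper is dropped, integration-description.mdx still declares `inputParameters: integrationName;;integrationAccountType` while its body reads `{props.one}` and `{props.two}`, so the declared names and the referenced names do not line up. Patch 10 in this series ("Update inputParameters to params") touches this same file; fold that change in here, or confirm that the Render component maps a `params` list onto `props.one` and `props.two`, so the partial does not pass through an intermediate state that mixes both conventions.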
From d625ee0767898852aad42f1428133bb3750f75c2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 15:48:28 -0600 Subject: [PATCH 04/10] Add integration partial --- .../casb/casb-integrations/salesforce.mdx | 71 ++--------------- .../casb/salesforce-integration.mdx | 76 +++++++++++++++++++ 2 files changed, 82 insertions(+), 65 deletions(-) create mode 100644 src/content/partials/cloudflare-one/casb/salesforce-integration.mdx diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx index e19ce2adaff003d..959f9773569ee9b 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx 
@@ -10,69 +10,10 @@ head: import { Render } from "~/components"; - -## Integration prerequisites - -- A Salesforce environment (most editions are compatible) -- Permissions to a Salesforce organization with either: - - - System Administrator permission - - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data - -## Integration permissions - -For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: - -- `Manage user data via APIs (api)` -- `Manage user data via Web browsers (web)` -- `Perform requests at any time (refresh_token, offline_access)` -- `Access unique user identifiers (openid)` - -These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm). - -## Security findings - - - -### File sharing - -Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion. 
- -| Finding type | FindingTypeID | Severity | -| ----------------------------------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | -| Salesforce: Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | -| Salesforce: Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | -| Salesforce: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | -| Salesforce: Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | - -### Account misconfigurations - -Discover account and admin-level settings that have been configured in an insecure way. - -| Finding type | FindingTypeID | Severity | -| --------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | -| Salesforce: Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | -| Salesforce: Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | -| Salesforce: Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | -| Salesforce: Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | -| Salesforce: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | -| Salesforce: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | - -### User access - -Flag user access issues, including account misuse and users not following best practices. 
- -| Finding type | FindingTypeID | Severity | -| ----------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | -| Salesforce: Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | -| Salesforce: User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | -| Salesforce: User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | diff --git a/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx b/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx new file mode 100644 index 000000000000000..a86db87f5533616 --- /dev/null +++ b/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx 
@@ -0,0 +1,76 @@ +--- +params: + - integrationName + - environmentName + - slugifiedName +--- + +import { Render } from "~/components"; + + + +## Integration prerequisites + +- A Salesforce environment (most editions are compatible) +- Permissions to a Salesforce organization with either: + + - System Administrator permission + - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data + +## Integration permissions + +For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: + +- `Manage user data via APIs (api)` +- `Manage user data via Web browsers (web)` +- `Perform requests at any time (refresh_token, offline_access)` +- `Access unique user identifiers (openid)` + +These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm). + +## Security findings + + + +### File sharing + +Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion. 
+ +| Finding type | FindingTypeID | Severity | +| ----------------------------------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce: Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | +| Salesforce: Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | +| Salesforce: Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | +| Salesforce: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | +| Salesforce: Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | + +### Account misconfigurations + +Discover account and admin-level settings that have been configured in an insecure way. + +| Finding type | FindingTypeID | Severity | +| --------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce: Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | +| Salesforce: Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | +| Salesforce: Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | +| Salesforce: Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | +| Salesforce: Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | +| Salesforce: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | +| Salesforce: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | + +### User access + +Flag user access issues, including account misuse and users not following best practices. 
+ +| Finding type | FindingTypeID | Severity | +| ----------------------------------------------------------- | -------------------------------------- | -------- | +| Salesforce: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | +| Salesforce: Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | +| Salesforce: User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | +| Salesforce: User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | From bf30b5139a517924a4e718011b41d3b16c3ec825 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 15:52:28 -0600 Subject: [PATCH 05/10] Add props to integration partial --- .../casb/casb-integrations/salesforce.mdx | 2 +- .../casb/salesforce-integration.mdx | 51 +++++++++---------- 2 files changed, 26 insertions(+), 27 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx index 959f9773569ee9b..8be7b9dcde8a508 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx @@ -13,7 +13,7 @@ import { Render } from "~/components"; file="casb/salesforce-integration" params={{ integrationName: "Salesforce this is a test", - environmentName: "Salesforce environment", + environmentName: "Salesforce environment also a test", slugifiedName: "salesforce", }} /> diff --git a/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx b/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx index a86db87f5533616..eec76ac41cb89fc 100644 --- a/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx +++ b/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx 
@@ -14,15 +14,14 @@ import { Render } from "~/components"; ## Integration prerequisites -- A Salesforce environment (most editions are compatible) +- A {props.environmentName} (most editions are compatible) - Permissions to a Salesforce organization with either: - - System Administrator permission - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data ## Integration permissions -For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: +For the {props.integrationName} integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: - `Manage user data via APIs (api)` - `Manage user data via Web browsers (web)` 
@@ -35,42 +34,42 @@ These permissions follow the principle of least privilege to ensure that only th ### File sharing Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion. -| Finding type | FindingTypeID | Severity | -| ----------------------------------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | -| Salesforce: Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | -| Salesforce: Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | -| Salesforce: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | -| Salesforce: Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | +| Finding type | FindingTypeID | Severity | +| ------------------------------------------------------------------------------------------------ | -------------------------------------- | -------- | +| {props.integrationName}: Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | +| {props.integrationName}: Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | +| {props.integrationName}: Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | +| {props.integrationName}: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | +| {props.integrationName}: Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | ### Account misconfigurations Discover account and admin-level settings that have been configured 
in an insecure way. -| Finding type | FindingTypeID | Severity | -| --------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | -| Salesforce: Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | -| Salesforce: Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | -| Salesforce: Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | -| Salesforce: Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | -| Salesforce: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | -| Salesforce: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | +| Finding type | FindingTypeID | Severity | +| ---------------------------------------------------------------------- | -------------------------------------- | -------- | +| {props.integrationName}: Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | +| {props.integrationName}: Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | +| {props.integrationName}: Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | +| {props.integrationName}: Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | +| {props.integrationName}: Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | +| {props.integrationName}: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | +| {props.integrationName}: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | ### User access Flag user access issues, including account misuse and users 
not following best practices. -| Finding type | FindingTypeID | Severity | -| ----------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | -| Salesforce: Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | -| Salesforce: User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | -| Salesforce: User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | +| Finding type | FindingTypeID | Severity | +| ------------------------------------------------------------------------ | -------------------------------------- | -------- | +| {props.integrationName}: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | +| {props.integrationName}: Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | +| {props.integrationName}: User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | +| {props.integrationName}: User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | From 4981c45ad16606e4b45dcf72f1a0d6e217504180 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 15:53:55 -0600 Subject: [PATCH 06/10] Add FedRAMP params --- .../casb-integrations/salesforce-fedramp.mdx | 69 ++----------------- .../casb/casb-integrations/salesforce.mdx | 4 +- 2 files changed, 6 insertions(+), 67 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx index 473c5cb48497a8a..532ef40b995a3e5 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx 
@@ -10,71 +10,10 @@ head: import { Render } from "~/components"; - -## Integration prerequisites - -- A FedRAMP-compliant Salesforce environment (most editions are compatible) -- Permissions to a Salesforce organization with either: - - System Administrator permission - - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data - -## Integration permissions - -For the Salesforce (FedRAMP) integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App: - -- `Manage user data via APIs (api)` -- `Manage user data via Web browsers (web)` -- `Perform requests at any time (refresh_token, offline_access)` -- `Access unique user identifiers (openid)` - -These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm). - -## Security findings - - - -### File sharing - -Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion. 
- -| Finding type | FindingTypeID | Severity | -| --------------------------------------------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce (FedRAMP): Content Document publicly accessible without a password | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical | -| Salesforce (FedRAMP): Content Document publicly accessible with weak password | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High | -| Salesforce (FedRAMP): Content Document publicly accessible and password protected | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium | -| Salesforce (FedRAMP): Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium | -| Salesforce (FedRAMP): Content Document larger than 2 GB | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium | - -### Account misconfigurations - -Discover account and admin-level settings that have been configured in an insecure way. - -| Finding type | FindingTypeID | Severity | -| ------------------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce (FedRAMP): Domain without HTTPS | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High | -| Salesforce (FedRAMP): Default Account record access allows edit | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium | -| Salesforce (FedRAMP): Default Case record access allows edit | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium | -| Salesforce (FedRAMP): Default Contact record access allows edit | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium | -| Salesforce (FedRAMP): Default Lead record access allows edit | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium | -| Salesforce (FedRAMP): Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium | -| Salesforce (FedRAMP): Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low | - -### User access - -Flag user 
access issues, including account misuse and users not following best practices. - -| Finding type | FindingTypeID | Severity | -| --------------------------------------------------------------------- | -------------------------------------- | -------- | -| Salesforce (FedRAMP): User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium | -| Salesforce (FedRAMP): Inactive user | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low | -| Salesforce (FedRAMP): User has never logged in | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low | -| Salesforce (FedRAMP): User has not logged in for 90+ days | `8395c824-bc44-4c12-b300-40f2477384d4` | Low | diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx index 8be7b9dcde8a508..109871b0dfeca76 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx @@ -12,8 +12,8 @@ import { Render } from "~/components"; From fb3f7c16c1d943cdc6910084a71cd32f7e5d9a8c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 16:34:37 -0600 Subject: [PATCH 07/10] Add limited access note --- .../casb/casb-integrations/salesforce-fedramp.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx index 532ef40b995a3e5..56420ff4857271c 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx 
@@ -9,6 +9,10 @@ head: import { Render } from "~/components"; +:::note[Limited access] +For access to the Salesforce (FedRAMP) CASB integration, contact your account team. +::: + Date: Thu, 6 Feb 2025 16:35:13 -0600 Subject: [PATCH 08/10] Remove special-class divs --- .../cloudflare-one/policies/gateway/lists.mdx | 25 +++++++++---------- .../cloudflare-one/gateway/response.mdx | 14 ++++------- .../cloudflare-one/gateway/url-slash.mdx | 5 ---- .../threat-intelligence-automation.mdx | 5 ---- 4 files changed, 17 insertions(+), 32 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx b/src/content/docs/cloudflare-one/policies/gateway/lists.mdx index 34d41ad73213e6b..1a4b90bdb4b9015 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/lists.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: Lists sidebar: order: 13 - --- -import { Render } from "~/components" +import { Render } from "~/components"; With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/policies/gateway/) or [Access policies](/cloudflare-one/policies/access/). This allows you to quickly create rules that match and take actions against several items at once. @@ -16,12 +15,12 @@ Before creating a list, make note of the [limitations](#limitations). Lists can contain a single type of data each. Supported data types include: -* URLs -* Hostnames -* Serial numbers -* User email addresses -* IP addresses -* Device ID numbers +- URLs +- Hostnames +- Serial numbers +- User email addresses +- IP addresses +- Device ID numbers 
@@ -31,10 +30,10 @@ Lists can contain a single type of data each. Supported data types include: 2. Select **Edit**. This will allow you to: - * Edit list name and description by selecting on the three-dots menu to the right of your list's name. - * Delete the list by selecting the three-dots menu to the right of your list's name. - * Delete individual entries. - * Manually add entries to your list. + - Edit list name and description by selecting on the three-dots menu to the right of your list's name. + - Delete the list by selecting the three-dots menu to the right of your list's name. + - Delete individual entries. + - Manually add entries to your list. 3. Once you have edited your list, select **Save**. @@ -46,7 +45,7 @@ Your lists can include up to 1,000 entries for Standard plans and 5,000 for Ente ### Duplicate entries -Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in an error. +Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in a duplicate error. ### URL slashes diff --git a/src/content/partials/cloudflare-one/gateway/response.mdx b/src/content/partials/cloudflare-one/gateway/response.mdx index 7998476aec31d0b..ff669acf232f640 100644 --- a/src/content/partials/cloudflare-one/gateway/response.mdx +++ b/src/content/partials/cloudflare-one/gateway/response.mdx 
@@ -1,12 +1,8 @@ --- -inputParameters: type1;;example2;;example3 - +params: + - type1 + - example2 + - example3 --- -import { Markdown } from "~/components" - -
- -If a condition in an expression joins a {props.one} attribute (such as *{props.two}*) and a response attribute (such as *{props.three}*), then the condition will be evaluated when the response is received. - -
+If a condition in an expression joins a {props.one} attribute (such as _{props.two}_) and a response attribute (such as _{props.three}_), then the condition will be evaluated when the response is received. diff --git a/src/content/partials/cloudflare-one/gateway/url-slash.mdx b/src/content/partials/cloudflare-one/gateway/url-slash.mdx index 5d2e46ba858d0cf..9f65ce1b3136e1f 100644 --- a/src/content/partials/cloudflare-one/gateway/url-slash.mdx +++ b/src/content/partials/cloudflare-one/gateway/url-slash.mdx @@ -1,10 +1,5 @@ --- {} - --- -
- Gateway ignores trailing forward slashes (`/`) in URLs. For example, `https://example.com` and `https://example.com/` will count as the same URL and may return a duplicate error. - -
diff --git a/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx b/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx index 40335c4743c1568..287de75b4849dd4 100644 --- a/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx +++ b/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx @@ -1,10 +1,5 @@ --- {} - --- -
- You can implement this policy by either creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). Ideally, your CERTs can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection. - -
From b6a9801e5dd433aa12f9a1b041ee78f0e402448d Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 6 Feb 2025 16:39:35 -0600 Subject: [PATCH 09/10] Reword access note --- .../applications/casb/casb-integrations/salesforce-fedramp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx index 56420ff4857271c..a6163953bff9c64 100644 --- a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx +++ b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx @@ -10,7 +10,7 @@ head: import { Render } from "~/components"; :::note[Limited access] -For access to the Salesforce (FedRAMP) CASB integration, contact your account team. +The Salesforce (FedRAMP) CASB integration is available in limited access. To request access, contact your account team. ::: Date: Thu, 6 Feb 2025 16:44:04 -0600 Subject: [PATCH 10/10] Update inputParameters to params --- .../partials/cloudflare-one/casb/integration-description.mdx | 4 +++- .../partials/cloudflare-one/casb/integration-perms.mdx | 4 +++- .../partials/cloudflare-one/casb/security-findings.mdx | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/content/partials/cloudflare-one/casb/integration-description.mdx b/src/content/partials/cloudflare-one/casb/integration-description.mdx index 4d482dde0baed21..0adfc2687136d9e 100644 --- a/src/content/partials/cloudflare-one/casb/integration-description.mdx +++ b/src/content/partials/cloudflare-one/casb/integration-description.mdx 
@@ -1,5 +1,7 @@ --- -inputParameters: integrationName;;integrationAccountType +params: + - integrationName + - integrationAccountType --- The {props.one} integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated {props.two} that could leave you and your organization vulnerable. diff --git a/src/content/partials/cloudflare-one/casb/integration-perms.mdx b/src/content/partials/cloudflare-one/casb/integration-perms.mdx index 2756def58209eb4..e3925c333cf1b55 100644 --- a/src/content/partials/cloudflare-one/casb/integration-perms.mdx +++ b/src/content/partials/cloudflare-one/casb/integration-perms.mdx @@ -1,5 +1,7 @@ --- -inputParameters: parentIntegration;;parentSlug +params: + - parentIntegration + - parentSlug --- Refer to {props.one} integration permissions for information on which API permissions to enable. diff --git a/src/content/partials/cloudflare-one/casb/security-findings.mdx b/src/content/partials/cloudflare-one/casb/security-findings.mdx index b643796bd963942..9c6ce5c60cf1bf1 100644 --- a/src/content/partials/cloudflare-one/casb/security-findings.mdx +++ b/src/content/partials/cloudflare-one/casb/security-findings.mdx @@ -1,5 +1,7 @@ --- -inputParameters: integrationName;;slugRelativePath +params: + - integrationName + - slugRelativePath --- The {props.one} integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](/cloudflare-one/applications/casb/manage-findings/#severity-levels).
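Review bot: in the lists.mdx `### Duplicate entries` hunk (`@@ -46,7 +45,7 @@`), the Punycode example is written as `xn—xmple-rqa5d.com` with an em dash in both the `-` and `+` lines, but the IDNA ACE prefix is two ASCII hyphens (`xn--`); as published, the label is not a valid A-label, and a reader who pastes both entries will not get the duplicate error the sentence describes. Since the `+` line is already being rewritten for the "a duplicate error" wording, fix both occurrences to `xn--xmple-rqa5d.com` and check that the build's typography pass does not turn `--` inside code spans back into a dash.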
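Review bot: the lists.mdx edit-list hunk (`@@ -31,10 +30,10 @@`) carries the wording "by selecting on the three-dots menu" into the new `-` bullets; "selecting on" is ungrammatical, and since every one of these lines is being rewritten anyway, drop the "on" (`- Edit list name and description by selecting the three-dots menu to the right of your list's name.`). The Edit and Delete bullets also repeat the same menu location word for word; one bullet introducing the menu and a second saying "from the same menu" would read more cleanly.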
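Review bot: in the response.mdx hunk (`@@ -1,12 +1,8 @@`), the frontmatter now declares `params` named `type1`, `example2` and `example3`, but the surviving body line still references `{props.one}`, `{props.two}` and `{props.three}`. If the Render component exposes params under their declared names, those three references resolve to undefined and the sentence renders with empty attribute names; if it still maps them positionally, the declared names are misleading documentation. Either rename the references to match (`{props.type1}` and so on) or declare the params as `one`, `two`, `three`, and confirm against the pages that render this partial. Dropping `import { Markdown }` is correct since nothing in the partial used it after the div removal.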
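Review bot: the same name mismatch appears in all three PATCH 10/10 hunks: integration-description.mdx declares `integrationName` and `integrationAccountType` but the body reads `{props.one}` and `{props.two}`; integration-perms.mdx declares `parentIntegration` and `parentSlug` but uses `{props.one}`; security-findings.mdx declares `integrationName` and `slugRelativePath` but uses `{props.one}`. Pick one convention for the `params` list and the `props.*` references so that a rename in one place cannot silently break the other, and verify the `<Render>` call sites (for example the Salesforce FedRAMP page added in PATCH 01/10) pass the params under the names the partials now declare.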