Security Event Auditing

Salesforce B2C Commerce provides various log files, including a security log. The security log contains log entries for Business Manager logins.

All Salesforce systems used to provision B2C Commerce Servicesβ€”including firewalls, routers, network switches, and operating systemsβ€”log information to your respective system log facility or a centralized log collection server to enable security reviews and analysis. Security logs give you security situational awareness. By downloading and collecting logs available on your instances, you can better investigate and share information in the event of a security-related issue, including fraud, abuse, or other suspicious behavior. Security log information can help you determine who, what, when, and how a cyber attack occurred.

Security log files are located at the following URL. https://<instance-name>/on/demandware.servlet/webdav/Sites/Securitylogs

Security log entries can look like the sample entry shown below.

[2015-10-28 02:23:19.139 GMT] [DW-SEC] (User: 'username' (Sites), IP: 100.100.10.100 [LOGIN] : logged in.)

The security log also includes the following information.

  • The session ID to the log entry for Business Manager logins.
  • Log entries for re-logins when Business Manager requires the password due to inactivity. These log entries log the old and the new session ID.

Security log files are automatically deleted after 90 days. Users and clients can't delete security logs, or turn off security logging. If you want to retain log files longer than 90 days, you must download the files and store them locally or in a dedicated storage.

Tracking Internal User Access

The Commerce Cloud Security model regarding actions taken by Salesforce employees on customer realms include transparent logging of all sensitive areas. When any read or write action is taken on a sensitive area, the Business Manager username of the Salesforce employee, the area, and the action is recorded in the security log available for customer use. The goal of the security control is to make the actions of Salesforce employees, via observation or through changes of realm-specific customer information, more apparent.

  • Sensitive areas are defined by Salesforce only at this time and include, but aren’t limited, to security settings, access to shopper or order data, as well as access to campaigns or coupons.
  • All access (regardless of read or write action) is logged.
  • All access to any custom module the merchant has installed in Business Manager is logged.
  • Access is recorded and stored in the Business Manager security log.
  • The Business Manager username of the Salesforce employee (email address) is logged.
  • All WebDAV accesses based on one of the functional permissions (for example, WebDAV_Transfer_Files’) are logged.
    • We don’t log access based on the WebDAV-paths (the granular permissions for the Impex folder).

The following list is an example of some, but not all, of the Sensitive areas that are logged:

  • site-urls_aliases
  • site-prefs_apple-pay
  • orders_paymethods
  • orders_paymentmethods
  • marketing_coupons
  • marketing_giftcert
  • marketing_campaigns
  • customer_groups (is effectively read-only by restricting API permissions)
  • customers_gdpr
  • customers_batchprocs
  • customer_service_center_module
  • content_pages
  • content_impex
  • sourcecode