Hi Quipemo! Happy to try and help.
Are you protecting Salesforce via API (Securlet) or via Gateway (Gatelet)?
Let's get you going with a Securlet sample, creating a policy for blocking Malware uploads. Policy details:
Cloud Service: Salesforce
For Any Users, External Exposure type, Any domain, user, or sharing
File properties: Again, choose any
Threat Protection: Malware (VBA Macros also recommended)
Notify: Go for the User - they may not know they're infected.
Preserve Content: Move with Tombstone
Response Message Template: You'll need to fill in some templates, so having one for Securlets + Malware is ideal.
Log Policy Match/Severity Level - your choice, but I'd recommend High.
Or let's look at something behavioral/Role-based for Gatelet, like restricting permissions to export reports.
(This is definitely something to chat about with your Cloud planning group before enabling - see CCoE whitepaper link at the end.)
Cloud Service: Salesforce
For Users & Groups - Here's where you call out a group (like engineering?) that you don't want exporting customer lists. You can do it by individual names/logins, too.
Keep selecting Any until you get to Activities. Then:
Object Accessed: Report
Access Type: Export
Define Response: Notify (name of the admin you want to inform)
Block Activity.
Log policy match: Again, go with High Severity.
See how easy?
Best regards!
Cloud Center of Excellence Whitepaper link: