9 min readJun 19, 2024

Salesforce Security: Event Monitoring in Salesforce CRM Analytics 📊 📈

Securing Data with Salesforce Shield

Salesforce Shield is a set of security tools that helps to protect data at rest, monitor usage, and prevent malicious activity — is fully supported.

Shield includes 3 key premium services:

1. Platform Encryption

2. Event Monitoring

3. Field Audit Trail

Event Monitoring

It gives access to detailed performance, security, and usage data on all your Salesforce apps in order to monitor critical business data, understand user adoption across your apps, and troubleshoot and optimize custom application performance.

Event Monitoring in Shield help in answering the below questions.

Adoption

How can I find out what my users are doing on Salesforce?
How do they use mobile devices to access Salesforce apps?
What pages and sites are used most?

Performance

How can I ensure that we are getting the best use out of the platform?
What actions are automated?
How long do my custom applications take to load?

Security

How do I know our users are compliant with our security policies?
What devices and platforms are being used?
When do our users log in and where do our users log in from?
Who is viewing sensitive data?

Event log files

Access to Event Monitoring grants access to event log files. Depending on organisation type and any further subscriptions, it will provide access to more log types and longer retention of log files. These files can be accessed via the API and be processed via other means.
As part of Event Monitoring, we also get the Event Monitoring Analytics app. Use this app to upload and access only the data provided to us as part of your subscription.
Once this app has been created in our CRM Analytics environment, amongst other things, it creates a dataflow that will import the event log datasets, augment them with Salesforce user information, and then register these in the CRM Analytics environment as new datasets.
It is during the configuration of this app when we can choose the retention period for the created datasets — for example, 30 days, which is the maximum, for login data.

How does it work?

Event Monitoring includes over 40 different event types, describing each of your users’ activities in Salesforce, plus Einstein Event Monitoring Analytics, which offers 16 pre-built dashboards to quickly begin working with event log files and identify anomalous user behavior.
API-based access to event log files allows to analyze and visualize events in the tool of your choice, and powerful AppExchange apps can help to extend functionality and unlock new insights.
Event Monitoring data can be easily imported into data visualization and application monitoring tools like Einstein Analytics, Splunk, FairWarning, or New Relic.

How to Get Started

Capture read-only event log files:

40+ event types captured — View Current List (on Next Slide)
30 days of events retained
Log files exposed via API

2. Visualize the data to identify critical insights:

Use included license for Einstein Event Monitoring Analytics, with 16 included dashboards
Build your own Data Loss Prevention or Adoption & Performance dashboards with Einstein Analytics
Import into any Business Intelligence tool
Use pre-built AppExchange apps for added functionality.
Export to CSV file

3. Take action:

Identify gaps in security policies and use access controls and Transaction Security for stronger enforcement
Modify governance policies
Drive initiatives to increase adoption
Automate outcomes with workflow
Improve app performance

Supported Event Types

The EventType field supports the following events.

https://developer.salesforce.com/docs/atlas.en-us.208.0.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm#event-types

“Insight on User Activities” using The most important Event Types

Wave Download Event Type

Wave Download events represent downloads made from lens explorations and dashboard widgets in the CRM Analytics user interface. A Wave Download event type is captured when a user downloads images ( .png ), Microsoft® Excel® data ( .xls ), or comma-separated values ( .csv ) files.

Login Event Type

API Event

It monitors bulk, SOAP, REST, and metadata API access

Report Export Event Type

Report Export events contain details about reports that a user exported.

Login As Event Type

List View

It represents a list view. A list view specifies a set of records for an object, based on specific criteria.

Report Event Type

Report events contain information about what happened when a user ran a report. This event type includes all activity that’s in the Report Export event type. For example, it has user activity for reports exported as both Formatted Report and Details Only output.

Insecure External Assets Event Type

Insecure External Assets events contain information about external assets. External assets include images or videos accessed by users over an insecure HTTP protocol. The event lists all your Salesforce pages that contain assets hosted insecurely on third-party sites that users loaded with a Chrome, Firefox, Microsoft Edge, or Safari browser. The INSECURE_URI field contains the URI being used to load the asset insecurely.

Lightning Error Event Type

Lightning Error events represent errors that occurred during user interactions with Lightning Experience and the Salesforce mobile app.

Lightning Interaction Event Type

Lightning Interaction events track user actions in Lightning Experience and the Salesforce mobile app, such as the user clicking, tapping, or scrolling on a page.

Lightning Page View Event Type

Lightning Page View events represent information about the page on which the event occurred in Lightning Experience and the Salesforce mobile app. A Lightning Page View event tracks the page a user visited, how long the user spent on the page, and the load time for the page.

Logout Event Type

Logout events contain details of user logouts.

URI Event Type

URI events contain details about user interaction with the web browser UI.

4 Ways To Transform Event Monitoring Application

Tip#1: Setting Up Alerts

Tip#2: Summary Dashboard

Tip#3: Benchmarks

Tip#4: Normalizing the Data

Tip#1: Setting Up Alerts

Event Monitoring app has built-in functionality that will notify you when something is wrong or when maintenance is required. Alerts will notify the user when a data threshold has been reached. Users will want to take advantage of this feature so that they know when there is a hiccup in their system — for example, if a page is taking longer to load or total user clicks to reach an API endpoint is higher than average.
To set up a notification, hover over the number widget → select “Set Notification” → fill in the information to set the conditions.

Tip#2 Summary Dashboard

The purpose of creating and utilizing a Summary Dashboard is to consolidate critical KPI’s to provide a bird’s eye view of what is occurring across your event logs. This high-level approach will allow to efficiently monitor our events and drill down and dissect the problem when needed.

Tip#3 Benchmarks

The out-of-the-box dashboards reflect arithmetic functions, such as min, max, and avg. What is extremely beneficial in the implementation with customers is having a benchmark that uses conditional highlighting to show when KPI’s are in the green or red.

An example of this is taking the average number of clicks and comparing it to the overall action that occurred within the last 2 weeks, drillable by user. With this added feature you will get the extra power and insight needed to quickly identify any underlying issues.

Tip#4 Normalizing the Data

Currently, some event log data are not normalized. You will see ID’s instead of actual strings. One way around this is to map each prefix to both standard and custom object. Secondly, depending on your needs, it may be possible to bring in external datasets from your target dataset to map to actual account names.

“Business Value” using Event Monitoring Analytics App Prebuilt Dashboards

Analytics Adoption

Corresponds to the Wave Change, Wave Interaction, and Wave Performance event types. This dashboard shows CRM Analytics usage and performance information.

Apex Executions

Corresponds to the Apex Execution event type. This dashboard lets you track trends in Apex code executions and performance.

API

Corresponds to the API Event event type. This dashboard gives you information about both your users’ API usage and API performance in your org. You can see how often each object is being used, how fast each object is being processed, and what methods are being invoked on that object.

Dashboards

Corresponds to the Dashboard event type. This dashboard helps you track dashboard adoption and performance.

Files

Corresponds to the Content Transfer event type. When users in your org perform content transfers (downloads, uploads, or previews), they show up on this dashboard. You can also track file adoption.

Lightning Adoption

Corresponds to the Lightning Interaction and Lightning Page View event types. Use this dashboard to see how users interact with Lightning Experience on the desktop and mobile devices.

Lightning Performance

Corresponds to the Lightning Error, Lightning Interaction, Lightning Page View, and Lightning Performance event types. Use this dashboard to optimize performance and user interactions with Lightning Experience and the Salesforce mobile app.

Login-As

Corresponds to the Login As event type. This dashboard lets you see which admins are using the login-as feature and on which user accounts.

My Trust

The My Trust dashboard gives you an overall idea of what kind of events are taking place in your org over time. It also shows the average speed of these transactions. The dashboard corresponds to the following event types: Apex Execution, API, Content Transfer, Dashboard, Lightning Page View, Login As, Login, Report, Report Export, REST API, and Visualforce, all correlated by User IDs. For the My Trust dashboard to work, add all datasets to your app in the Configuration Wizard. This could impact your row utilization, depending on the number of events in your org.

Page Views (URIs)

Corresponds to the URI event type. This dashboard lets you see which pages users are accessing in the Salesforce desktop app.

Report Downloads

Corresponds to the Report Export event type. This dashboard lets you see which users are downloading your reports and where they’re downloading them from.

Reports

Corresponds to the Report event type. This dashboard shows you trends in reporting as well as which users are running specific reports. You can also find out which reports are having performance issues.

RestAPI

Corresponds to REST API event type. This dashboard shows you trends in REST API usage and which endpoints are seeing the most traffic. You can also view information about the IP ranges issuing the requests and which methods are being called.