Salesforce Security: Event Monitoring in Salesforce CRM Analytics 📊 📈
Securing Data with Salesforce Shield
Salesforce Shield is a set of security tools that helps to protect data at rest, monitor usage, and prevent malicious activity — is fully supported.
Shield includes 3 key premium services:
1. Platform Encryption
2. Event Monitoring
3. Field Audit Trail
Event Monitoring
It gives access to detailed performance, security, and usage data on all your Salesforce apps in order to monitor critical business data, understand user adoption across your apps, and troubleshoot and optimize custom application performance.
Event Monitoring in Shield help in answering the below questions.
Adoption
- How can I find out what my users are doing on Salesforce?
- How do they use mobile devices to access Salesforce apps?
- What pages and sites are used most?
Performance
- How can I ensure that we are getting the best use out of the platform?
- What actions are automated?
- How long do my custom applications take to load?
Security
- How do I know our users are compliant with our security policies?
- What devices and platforms are being used?
- When do our users log in and where do our users log in from?
- Who is viewing sensitive data?
Event log files
- Access to Event Monitoring grants access to event log files. Depending on organisation type and any further subscriptions, it will provide access to more log types and longer retention of log files. These files can be accessed via the API and be processed via other means.
- As part of Event Monitoring, we also get the Event Monitoring Analytics app. Use this app to upload and access only the data provided to us as part of your subscription.
- Once this app has been created in our CRM Analytics environment, amongst other things, it creates a dataflow that will import the event log datasets, augment them with Salesforce user information, and then register these in the CRM Analytics environment as new datasets.
- It is during the configuration of this app when we can choose the retention period for the created datasets — for example, 30 days, which is the maximum, for login data.
How does it work?
- Event Monitoring includes over 40 different event types, describing each of your users’ activities in Salesforce, plus Einstein Event Monitoring Analytics, which offers 16 pre-built dashboards to quickly begin working with event log files and identify anomalous user behavior.
- API-based access to event log files allows to analyze and visualize events in the tool of your choice, and powerful AppExchange apps can help to extend functionality and unlock new insights.
- Event Monitoring data can be easily imported into data visualization and application monitoring tools like Einstein Analytics, Splunk, FairWarning, or New Relic.
How to Get Started
- Capture read-only event log files:
- 40+ event types captured — View Current List (on Next Slide)
- 30 days of events retained
- Log files exposed via API
2. Visualize the data to identify critical insights:
- Use included license for Einstein Event Monitoring Analytics, with 16 included dashboards
- Build your own Data Loss Prevention or Adoption & Performance dashboards with Einstein Analytics
- Import into any Business Intelligence tool
- Use pre-built AppExchange apps for added functionality.
- Export to CSV file
3. Take action:
- Identify gaps in security policies and use access controls and Transaction Security for stronger enforcement
- Modify governance policies
- Drive initiatives to increase adoption
- Automate outcomes with workflow
- Improve app performance
Supported Event Types
The EventType field supports the following events.
“Insight on User Activities” using The most important Event Types
- Wave Download Event Type
Wave Download events represent downloads made from lens explorations and dashboard widgets in the CRM Analytics user interface. A Wave Download event type is captured when a user downloads images ( .png ), Microsoft® Excel® data ( .xls ), or comma-separated values ( .csv ) files.
- Login Event Type
Login events contain details about your org’s user login history.
- API Event
It monitors bulk, SOAP, REST, and metadata API access
- Report Export Event Type
Report Export events contain details about reports that a user exported.
- Login As Event Type
Login As events contain details about what a Salesforce admin did while logged in as another user.
- List View
It represents a list view. A list view specifies a set of records for an object, based on specific criteria.
- Report Event Type
Report events contain information about what happened when a user ran a report. This event type includes all activity that’s in the Report Export event type. For example, it has user activity for reports exported as both Formatted Report and Details Only output.
- Insecure External Assets Event Type
Insecure External Assets events contain information about external assets. External assets include images or videos accessed by users over an insecure HTTP protocol. The event lists all your Salesforce pages that contain assets hosted insecurely on third-party sites that users loaded with a Chrome, Firefox, Microsoft Edge, or Safari browser. The INSECURE_URI field contains the URI being used to load the asset insecurely.
- Lightning Error Event Type
Lightning Error events represent errors that occurred during user interactions with Lightning Experience and the Salesforce mobile app.
- Lightning Interaction Event Type
Lightning Interaction events track user actions in Lightning Experience and the Salesforce mobile app, such as the user clicking, tapping, or scrolling on a page.
- Lightning Page View Event Type
Lightning Page View events represent information about the page on which the event occurred in Lightning Experience and the Salesforce mobile app. A Lightning Page View event tracks the page a user visited, how long the user spent on the page, and the load time for the page.
- Logout Event Type
Logout events contain details of user logouts.
- URI Event Type
URI events contain details about user interaction with the web browser UI.
4 Ways To Transform Event Monitoring Application
Tip#1: Setting Up Alerts
Tip#2: Summary Dashboard
Tip#3: Benchmarks
Tip#4: Normalizing the Data
Tip#1: Setting Up Alerts
- Event Monitoring app has built-in functionality that will notify you when something is wrong or when maintenance is required. Alerts will notify the user when a data threshold has been reached. Users will want to take advantage of this feature so that they know when there is a hiccup in their system — for example, if a page is taking longer to load or total user clicks to reach an API endpoint is higher than average.
- To set up a notification, hover over the number widget → select “Set Notification” → fill in the information to set the conditions.
Tip#2 Summary Dashboard
The purpose of creating and utilizing a Summary Dashboard is to consolidate critical KPI’s to provide a bird’s eye view of what is occurring across your event logs. This high-level approach will allow to efficiently monitor our events and drill down and dissect the problem when needed.
Tip#3 Benchmarks
The out-of-the-box dashboards reflect arithmetic functions, such as min, max, and avg. What is extremely beneficial in the implementation with customers is having a benchmark that uses conditional highlighting to show when KPI’s are in the green or red.
An example of this is taking the average number of clicks and comparing it to the overall action that occurred within the last 2 weeks, drillable by user. With this added feature you will get the extra power and insight needed to quickly identify any underlying issues.
Tip#4 Normalizing the Data
Currently, some event log data are not normalized. You will see ID’s instead of actual strings. One way around this is to map each prefix to both standard and custom object. Secondly, depending on your needs, it may be possible to bring in external datasets from your target dataset to map to actual account names.
“Business Value” using Event Monitoring Analytics App Prebuilt Dashboards
- Analytics Adoption
Corresponds to the Wave Change, Wave Interaction, and Wave Performance event types. This dashboard shows CRM Analytics usage and performance information.
- Apex Executions
Corresponds to the Apex Execution event type. This dashboard lets you track trends in Apex code executions and performance.
- API
Corresponds to the API Event event type. This dashboard gives you information about both your users’ API usage and API performance in your org. You can see how often each object is being used, how fast each object is being processed, and what methods are being invoked on that object.
- Dashboards
Corresponds to the Dashboard event type. This dashboard helps you track dashboard adoption and performance.
- Files
Corresponds to the Content Transfer event type. When users in your org perform content transfers (downloads, uploads, or previews), they show up on this dashboard. You can also track file adoption.
- Lightning Adoption
Corresponds to the Lightning Interaction and Lightning Page View event types. Use this dashboard to see how users interact with Lightning Experience on the desktop and mobile devices.
- Lightning Performance
Corresponds to the Lightning Error, Lightning Interaction, Lightning Page View, and Lightning Performance event types. Use this dashboard to optimize performance and user interactions with Lightning Experience and the Salesforce mobile app.
- Login-As
Corresponds to the Login As event type. This dashboard lets you see which admins are using the login-as feature and on which user accounts.
- My Trust
The My Trust dashboard gives you an overall idea of what kind of events are taking place in your org over time. It also shows the average speed of these transactions. The dashboard corresponds to the following event types: Apex Execution, API, Content Transfer, Dashboard, Lightning Page View, Login As, Login, Report, Report Export, REST API, and Visualforce, all correlated by User IDs. For the My Trust dashboard to work, add all datasets to your app in the Configuration Wizard. This could impact your row utilization, depending on the number of events in your org.
- Page Views (URIs)
Corresponds to the URI event type. This dashboard lets you see which pages users are accessing in the Salesforce desktop app.
- Report Downloads
Corresponds to the Report Export event type. This dashboard lets you see which users are downloading your reports and where they’re downloading them from.
- Reports
Corresponds to the Report event type. This dashboard shows you trends in reporting as well as which users are running specific reports. You can also find out which reports are having performance issues.
- RestAPI
Corresponds to REST API event type. This dashboard shows you trends in REST API usage and which endpoints are seeing the most traffic. You can also view information about the IP ranges issuing the requests and which methods are being called.
- Setup Audit Trail
Corresponds to the Setup Audit Trail page in Setup. Use this dashboard to see the changes your users are making in the Setup area.
- User Logins
Corresponds to the Login event type. This dashboard shows login trends by user and information about where and how users are accessing your org.
- Visualforce Requests
Corresponds to the Visualforce Request event type. Here you can see trends in Visualforce adoption and page performance.
Reasons to use Event Monitoring
1. Monitor user activity and boost adoption
Examine Salesforce use with metrics like page views and click paths to help improve adoption.
2. Prevent and mitigate threats
Define Transaction Security policies using the declarative condition builder or code to prevent and mitigate threats.
3. Drive application performance
Analyze performance issues with production apps so you can fix them quickly and improve user experience.
**********************************************************************
Happy Learning! ✍️
Please follow me at Twitter : https://www.twitter.com/sunilbhardwaj1
LinkedIn : https://www.linkedin.com/in/sunilbhardwaj10
Trailblazer ID: https://trailblazer.me/id/sunilbhardwaj
References
- For further details about event monitoring, see this Trailhead module; https://trailhead.salesforce.com/en/content/learn/modules/event_monitoring/event_monitoring_intro
- For further details about the Event Monitoring Analytics App, please see this document; https://help.salesforce.com/articleView?id=bi_app_admin_wave.htm&type=5