Importance of Event Monitoring in Securing Data

Importance of Event Log analysis:

One of the many tools Salesforce offers to keep data secure is 'Event Monitoring'. Event Monitoring lets us see precise information about specific user activities within the company. These user actions, referred to as 'events', can be monitored and used to spot unusual behavior and protect business data. Organizations can monitor information about specific events or follow event trends, and take appropriate preventive actions.

How does Salesforce Event Monitoring work, technically?

The Event Monitoring product gathers information about all operational events in your Salesforce org, which is used to analyze usage trends and user behaviour.

You interact with event monitoring data by running queries against fields on the EventLogFile object (like EventType and LogDate). The log file's CreatedDate indicates when it was created. Query the LogFile field to see the underlying event information. The schema for this field is determined by the EventType.

Accessing this object requires the View Event Log Files and API Enabled user permissions. Users with the View All Data permission can also view event log files.

Below is the link to the documentation of the EventLogFile object:

https://developer.salesforce.com/docs/atlas.en-us.224.0.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm

There are over 50 event types that can be consumed. Some examples of event types that you can track:

  • Logins
  • Logouts
  • URI (web clicks in Salesforce Classic)
  • Lightning (web clicks, performance, and errors in Lightning Experience and the Salesforce mobile app)
  • Visualforce page loads
  • Application programming interface (API) calls
  • Apex executions
  • Report exports

 

Use cases:

There are many use cases that can take advantage of event monitoring. Here are a few of them:

Increasing adoption and Optimizing performance of the system:

For example, the Salesforce team has launched a particular functionality in production to help sales reps complete a business activity easily and to streamline its data correctly. If the sales reps do not use the functionality to its full potential, organizations can spot and look into this problem.

Tracking performance/activities of reps:

Activity can be tracked at the level of an individual user. Organizations can track activity such as 'Number of times a user logged in', 'Total time spent by users on the system in a given time frame', etc. This helps business leaders monitor and keep track of their sales reps' activity and performance.

Monitoring Data Loss:

Imagine a sales representative quits the organization and joins a significant rival. Your organization discovers a trend of the rival winning business from your company. You have reason to believe that your former employee has stolen your organization's data and has been using it for the benefit of your rival. Event Monitoring can help you investigate and detect the user's past activity, and also helps prevent the repetition of such activity in future.

High-Level Solution:

Increasing adoption and Optimizing performance of the system:

Here event monitoring comes into the picture. The admin backend team, knowing all the components that have been delivered for use by sales reps, can identify the EventType from the event log files and check how many users have used the components/functionality, and what the system response time is for different users of this functionality. Such learnings can be used to improve the functionality, provide a better user experience, make changes in the UI, guide redevelopment, etc.

Based on the time attributes available in the logs, developers can identify what could be affecting usage, i.e., the network or a code-level issue.

Tracking performance/activities of reps:

We can derive certain metrics from log data based on multiple event types. For example: find how many sessions an individual user had in a given timeframe, or find the total number of activities and the time taken for each individual activity in a period. The attributes for these are SESSION_KEY, TIMESTAMP_DERIVED, DB_TOTAL_TIME, etc.
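The per-user metrics described above can be computed directly from downloaded log rows. The following is an added example, not code from the original article: the sample rows, user IDs, session keys and the function names are constructed for illustration, and the sketch assumes rows from several event-type logs have been merged into one CSV with these columns.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real log data). Some event types leave
# SESSION_KEY or DB_TOTAL_TIME empty, so blanks are handled below.
SAMPLE_ROWS = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SESSION_KEY,DB_TOTAL_TIME
URI,2022-11-08T17:13:20.000Z,005000000000001,sessA,1200
URI,2022-11-08T17:13:40.000Z,005000000000001,sessA,800
API,2022-11-08T18:00:00.000Z,005000000000001,sessB,
URI,2022-11-08T17:20:00.000Z,005000000000002,sessC,500
URI,2022-11-08T17:50:00.000Z,005000000000002,sessC,300
"""

def parse_ts(value):
    """Parse a TIMESTAMP_DERIVED value such as 2022-11-08T17:13:20.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def user_metrics(log_text):
    """Per USER_ID: activity count, distinct sessions, summed DB_TOTAL_TIME
    (raw units as logged) and seconds between first and last event per session."""
    activities = defaultdict(int)
    db_time = defaultdict(int)
    spans = defaultdict(dict)  # user -> session -> (first_ts, last_ts)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["USER_ID"]
        activities[user] += 1
        db_time[user] += int(row["DB_TOTAL_TIME"] or 0)
        session = row["SESSION_KEY"]
        if not session:
            continue  # event without a session: counted as activity only
        ts = parse_ts(row["TIMESTAMP_DERIVED"])
        first, last = spans[user].get(session, (ts, ts))
        spans[user][session] = (min(first, ts), max(last, ts))
    return {
        user: {
            "activities": activities[user],
            "sessions": len(spans[user]),
            "db_total_time": db_time[user],
            "active_seconds": sum(
                (last - first).total_seconds()
                for first, last in spans[user].values()
            ),
        }
        for user in activities
    }

if __name__ == "__main__":
    for user, metrics in user_metrics(SAMPLE_ROWS).items():
        print(user, metrics)
```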

Monitoring Data Loss:

Download the ReportExport log file, open it in a spreadsheet, and analyze it. You can figure out how confidential information got stolen/leaked. For example, let's assume the lead report's ID is 00O30000008a3De. The URI field contains the ID of the report that was exported, and the USER_ID field contains the ID of the user who exported the report. This information helps you pinpoint the user who misused the data.
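The same investigation can be scripted instead of done by hand in a spreadsheet. This is an added example, not part of the original article: the log rows, user IDs, IP addresses and function names are constructed, and the columns other than URI and USER_ID are assumed to be present in the downloaded file.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed ReportExport rows. The third row uses a made-up 18-character
# form of the report ID; the fourth differs only in letter case, which makes
# it a different report because 15-character IDs are case-sensitive.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,URI
ReportExport,2022-11-08T17:13:20.000Z,005000000000001,192.0.2.10,/00O30000008a3De
ReportExport,2022-11-08T17:30:02.000Z,005000000000002,192.0.2.44,/00O30000008b7Xy
ReportExport,2022-11-09T02:41:05.000Z,005000000000001,198.51.100.7,/00O30000008a3DeEAI
ReportExport,2022-11-09T09:05:11.000Z,005000000000003,192.0.2.51,/00O30000008A3DE
"""

def exports_of_report(log_text, report_id):
    """Return {USER_ID: [(timestamp, client_ip), ...]} for exports of report_id."""
    key = report_id[:15]  # an 18-character ID starts with the 15-character ID
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("EVENT_TYPE") != "ReportExport":
            continue
        if key in row.get("URI", ""):  # case-sensitive on purpose
            hits[row["USER_ID"]].append(
                (row["TIMESTAMP_DERIVED"], row["CLIENT_IP"])
            )
    return dict(hits)

def exports_per_user(log_text):
    """Count all report exports per USER_ID to surface unusually heavy exporters."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("EVENT_TYPE") == "ReportExport":
            counts[row["USER_ID"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for user, events in exports_of_report(SAMPLE_LOG, "00O30000008a3De").items():
        print(user, events)
    print(exports_per_user(SAMPLE_LOG))
```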

Solution Details:

Here are a few metrics that will help us assess user performance/activities.

[Figure: Total number of activities and total time spent by users]

[Figure: Number of activities by object, and actions completed]

[Figure: Number of activities as per day, hour, minutes]

  • Total time spent by a user on the application. (User1-> 1000 sec)
  • Time spent in each activity. (User1-> call-> 20 sec| Account-> 10 sec)
  • Time stamp of individual activity. (Account-> insert->08-11-2022 17:13:20)
  • Total number of activities a user has performed in a given time period. (User1 ->100)
  • How many reports were accessed/exported by a user?
  • Highlighting larger-size exports.
  • How many dashboards were accessed by a user?
  • Which search phrase was used the maximum number of times by an individual user?
  • Which search result was clicked the maximum number of times by a user?

To generate the above metrics, we need Event Monitoring data on an hourly or daily basis. The data can be obtained in the following ways:

  • Query the EventLogFile object using the Developer Console.
  • View events in the Salesforce Event Log File (ELF) Browser.
  • Use the Event Monitoring Analytics App.

There are also other ways to get the data, such as integrating Salesforce with external applications to stream it.

You can find such options at the link below:

https://trailhead.salesforce.com/content/learn/modules/event_monitoring/event_monitoring_download

In the first phase, to analyze the data in the log files of different event types and their attributes and to generate metrics from it, we exported the log files via the ELF Browser application.

https://www.salesforcehacker.com/2015/05/download-event-log-files-using-elf.html

Summary:

  • Salesforce Event Logs compile data on the operational events in your Salesforce org so that you can examine usage patterns and learn more about user activity. Event Monitoring is accessible through the EventLogFile object via the Lightning Platform SOAP API and REST API. By connecting log data with your back-end storage and data marts, you can correlate data across heterogeneous systems and from numerous businesses.
  • With the help of Event Log type events, we can monitor data loss by monitoring report access and exports by users.
  • We can track the activities of the users, i.e., which features and modules the users are accessing, and accordingly find out which parts of your app need increased adoption efforts and identify areas that need redevelopment.
  • These logs are also helpful in optimizing the application performance. By using the logs you can identify how long each page/component takes to respond (in different geographies).
  • We can monitor the adoption by tracking the use of a particular feature.