01 December 2016

Two New Keys To Unlock Your Salesforce Users Event Data

Have you been exploring the new Winter '16 release with Event Monitoring? If so, you might have seen the Event Monitoring event log lines that contain Login_Key and Session_Key columns. These are new fields that tie together all the different events in a Salesforce user’s or admin’s login session or activity session, respectively.

Introducing Login Key and Session Key

The purpose of the Login Key and Session Key fields is to provide a specific identifier for a user's login session across various log lines. This gives customers a better 360-degree view of user behavior within the Salesforce application, whether for a security investigation, for understanding and exploring specific user behavior, or for researching a specific application or performance issue.

Let's see them in action. Here's an example showing URI event logs, in other words users' click paths in the Salesforce application across the various generated log lines. To get a more concise view of what each user is doing, you can now use LOGIN_KEY as an identifier across the different events, both to tie them together and to separate different actions from each other. The picture below shows an example of the LOGIN_KEY field within URI event logs.

Login Key and Session Key Examples

So how can you best make use of this identifier? I've collected a couple of examples here; please leave your thoughts and additional ideas in the comments below.

Your application can generate a ton of URI log lines. When researching a specific user's log lines, you can easily end up looking for a needle in a haystack. You can use LOGIN_KEY as a grouping mechanism to separate different user sessions and their volume of activity.

Example 1: Splitting User Activity Forensics by Different User Sessions  

Looking at URI logs (i.e. page views), for example, in the picture below we've aggregated all URI logs for user Jari Salomaa on September 23rd. We can see there are 5 different LOGIN_KEYs that separate the different sessions, ranging across logins from Salesforce1 Mobile and the Safari and Chrome browsers. One specific login session has over 200 log entries, which we can click and expand to investigate more closely which specific pages those URI logs contain.

[Screenshot: URI logs for one user grouped by LOGIN_KEY]

Additionally, for security-conscious customers, whether on Sales Cloud, Service Cloud or other Salesforce products, understanding data export activity is always important: who is downloading customer data to their local computers, and especially whether that happens in very large volume.

For example, building real-time alerts and policies is important when large-volume data export activity takes place at hours of the day outside typical business hours. This is often the case with compromised credentials and with hacker groups located in different countries and regions like Russia, China and Eastern Europe targeting valuable data. If you don't have business users logging in and exporting data in these regions, you can use LOGIN_KEY and SESSION_KEY to better understand past behavior across the time zones in which your business operates.

Example 2: Monitoring the number of report exports with SESSION_KEY

Salesforce customers can get better visibility into their application's report export behavior by grouping the ReportExport log lines by the hour of the day.

How to identify non business hours data export activity and build alerts

  1. Use the Event Monitoring Wave App or any of your preferred data visualization tools (or the Event Log File Browser if you have a small volume of logs) to download ReportExport log lines
  2. Group your ReportExport log lines by SESSION_KEY
  3. Sort the logs by hour of the day
  4. Identify non business hour ReportExport events based on your business hours
  5. Build an Apex policy with Transaction Security to alert on a specific threshold, e.g. downloads of Account, Opportunity, Lead, Case, Contact etc. entities within a specific timeframe
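
Steps 2 to 4 above as an added Python example (not Salesforce's or the author's code), run over a downloaded ReportExport log file. The column names, the fixed UTC-8 business time zone, the 08:00-18:00 weekday window, the threshold of 3 and the sample rows are all assumptions made for the illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions: business hours are 08:00-18:00 Mon-Fri at a fixed UTC-8
# offset, and 3 off-hours exports in one session is worth an alert.
LOCAL_TZ = timezone(timedelta(hours=-8))
BUSINESS_START, BUSINESS_END, THRESHOLD = 8, 18, 3

# Constructed sample rows; column names are assumed to match the header of
# a downloaded ReportExport Event Log File.
SAMPLE_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SESSION_KEY,LOGIN_KEY
ReportExport,2016-12-01T18:05:00.000Z,005A,sk-day,lk-1
ReportExport,2016-12-01T19:40:00.000Z,005A,sk-day,lk-1
ReportExport,2016-12-02T10:02:11.000Z,005B,sk-night,lk-2
ReportExport,2016-12-02T10:03:40.000Z,005B,sk-night,lk-2
ReportExport,2016-12-02T11:15:05.000Z,005B,sk-night,lk-2
ReportExport,2016-12-03T20:00:00.000Z,005C,sk-weekend,lk-3
"""

def to_local(value):
    """Parse the UTC timestamp and convert it to the business time zone."""
    utc = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return utc.replace(tzinfo=timezone.utc).astimezone(LOCAL_TZ)

def is_off_hours(local):
    """Weekends, and any hour outside BUSINESS_START..BUSINESS_END."""
    return local.weekday() >= 5 or not (BUSINESS_START <= local.hour < BUSINESS_END)

def off_hours_exports(csv_text):
    """Steps 2-4: group by SESSION_KEY, bucket by local hour, keep off-hours."""
    sessions = defaultdict(lambda: {"user": None, "by_hour": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "ReportExport" or not row["SESSION_KEY"]:
            continue  # other event types and rows without a key are skipped
        local = to_local(row["TIMESTAMP_DERIVED"])
        if is_off_hours(local):
            sessions[row["SESSION_KEY"]]["user"] = row["USER_ID"]
            sessions[row["SESSION_KEY"]]["by_hour"][local.hour] += 1
    return dict(sessions)

def sessions_to_alert(csv_text, threshold=THRESHOLD):
    """Session keys whose off-hours export count reaches the threshold."""
    return sorted(key for key, entry in off_hours_exports(csv_text).items()
                  if sum(entry["by_hour"].values()) >= threshold)

if __name__ == "__main__":
    for key, entry in sorted(off_hours_exports(SAMPLE_CSV).items()):
        print(key, entry["user"], dict(entry["by_hour"]))
    print("alert:", sessions_to_alert(SAMPLE_CSV))
```

The per-session hour counts are what you would use to pick the threshold for the Transaction Security policy in step 5.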

[Screenshot: ReportExport log lines grouped by hour of the day]

Example 3: Using LOGIN_KEY and SESSION_KEY as identifiers across the 25 supported log lines

  • Use it as an ID to construct a complete view of user activity for a forensic investigation, for example to understand what the user did and which pages the user visited during a specific login session, and pull all of that information together in its own table
  • Separate the different user sessions within a specific login session under a user's credentials, for example when the user may have been logged in from API clients, the user interface and other places, and it's hard to understand which session contains unwanted or suspicious behavior
  • Parse otherwise complicated session keys together into a more holistic view
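
The "own table" idea from the first two bullets, as an added Python example (not Salesforce's or the author's code): it merges log files of different event types into one timeline per LOGIN_KEY, split by SESSION_KEY. The column names, the choice of detail column per event type and the sample rows are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample files, one CSV per event type. Column names are assumed
# to match the Event Log File headers; columns differ per event type, but
# each file here carries LOGIN_KEY and SESSION_KEY.
SAMPLE_FILES = {
    "Login": """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,LOGIN_KEY,SESSION_KEY,BROWSER_TYPE
Login,2016-09-23T16:00:01.000Z,005A,lk-1,sk-ui,Chrome
Login,2016-09-23T17:30:00.000Z,005A,lk-2,sk-mob,Salesforce1
""",
    "URI": """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,LOGIN_KEY,SESSION_KEY,URI
URI,2016-09-23T16:02:10.000Z,005A,lk-1,sk-ui,/home/home.jsp
URI,2016-09-23T16:01:05.000Z,005A,lk-1,sk-ui,/001/o
URI,2016-09-23T17:31:00.000Z,005A,lk-2,sk-mob,/one/one.app
""",
    "API": """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,LOGIN_KEY,SESSION_KEY,METHOD_NAME
API,2016-09-23T16:05:00.000Z,005A,lk-1,sk-api,query
""",
}

# Column that best describes "what happened" for each event type (assumed).
DETAIL_COLUMN = {"Login": "BROWSER_TYPE", "URI": "URI", "API": "METHOD_NAME"}

def build_timelines(files):
    """Return {login_key: {session_key: [(timestamp, event_type, detail)]}}."""
    timelines = defaultdict(lambda: defaultdict(list))
    for event_type, text in files.items():
        for row in csv.DictReader(io.StringIO(text)):
            if not row.get("LOGIN_KEY"):
                continue  # cannot be tied to a login session
            detail = row.get(DETAIL_COLUMN.get(event_type, ""), "")
            session = row.get("SESSION_KEY") or "(no session key)"
            timelines[row["LOGIN_KEY"]][session].append(
                (row["TIMESTAMP_DERIVED"], event_type, detail))
    for sessions in timelines.values():
        for events in sessions.values():
            events.sort()  # same-format ISO 8601 UTC strings sort by time
    return {login: dict(sessions) for login, sessions in timelines.items()}

def summarize(timelines):
    """Per login session: number of sessions, events, first and last event."""
    summary = {}
    for login, sessions in timelines.items():
        stamps = sorted(e[0] for events in sessions.values() for e in events)
        summary[login] = {"sessions": len(sessions), "events": len(stamps),
                          "first": stamps[0], "last": stamps[-1]}
    return summary
```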

Event Logs That Support Login and Session Key

1. Apex Callout - details about callouts (external requests) during Apex code execution
2. Apex Execution - details about Apex classes that are used
3. Apex SOAP - details about Web Services API calls
4. Apex Trigger - contains details about triggers that fire in an organization
5. API - contains details about your organization’s Force.com Web Services API activity
6. Asynchronous Report Run - created for scheduled report requests that includes dashboard refreshes, asynchronous reports, scheduled reports and analytics snapshots
7. Bulk API - contains details about Bulk API requests
8. Change Set Operation - contains information from change set migrations
9. Console - contains information about the performance and use of Salesforce console whenever opened with a sidebar component
10. Dashboard - contains details about dashboards that users view
11. Login - your organization’s user login history
12. Metadata API Operation - contains details of Metadata API retrieval and deployment requests
13. Multiblock Report - contains details about Joined Report reports
14. Package Install - contains details about package installation in the organization
15. Queued Execution - details about queued executions, for example Batch Apex
16. Report - contains information about what happened when user ran a report
17. Report Export - contains details about reports that a user exported
18. REST API - contains details about REST specific requests
19. Sites - contains details of site.com browser UI or API requests
20. Transaction Security - contains details about policy execution
21. URI - contains details about user interaction with the web browser based UI
22. Visualforce Request - contains details of browser UI or API based Visualforce requests
23. Wave Change - represents route or page changes made in the Salesforce Wave Analytics user interface
24. Wave Interaction - tracks user interactions with the Wave Analytics user interface
25. Wave Performance - helps you track trends in your Wave Analytics performance

For more details about supported events, see the SOAP API Guide, which is updated each release. Thanks to Melissa Kulm, Mike Jacobsen and Lakshmisha Bhat for their invaluable feedback and comments on this blog.

Please feel free to leave feedback below!

02 October 2016

Event Monitoring at Dreamforce 16

Getting ready for Dreamforce? 

Mark your calendars and come join the session about Event Monitoring and Field Audit Trail on Thursday 6th October at 3.30pm - 4.15pm at Moscone West.

We'll also have Yousuf Khan, VP of IT from PureStorage, presenting their case for an Event Monitoring project for their Salesforce application.

We'll provide the latest roadmap details and insights into how to get the most out of your Salesforce application for security and compliance monitoring, application development and performance monitoring, as well as user behavior and adoption monitoring.

We'll also highlight some of the exciting ISV vendor solutions built on top of Event Monitoring APIs to help you analyze, optimize and grow your application securely.

Remember also to check out the latest Salesforce Shield and Event Monitoring demos at the Salesforce Expo Campground during the conference. We'll have staff to answer any questions related to using the analytics APIs for logs, Login Forensics and Transaction Security policies for customers and partners.

Details about the Event Monitoring session are available here.

You might also be interested in our Platform Encryption - Bring Your Own Key session.

See you at Dreamforce! Hope you have a great time!

Cheers, Jari

07 July 2016

Get Your Event Monitoring Wave App

Hey there! Salesforce Shield and Event Monitoring expand from the Event Log API to built-in, out-of-the-box data visualization with the Event Monitoring Wave App, now Generally Available (GA)! Big thanks to Adam for all the heavy lifting with the Admin Analytics pilot (the former name).

If you missed the announcement from June, here's what you need to know.
  • Event Monitoring supports 32 different Salesforce event types, and it can be quite a job to integrate the data flow, figure out which events to subscribe to and visualize, and build custom dashboards
  • Event Monitoring customers and partners now have access to the Event Monitoring Wave App with 15 built-in dashboards for the core use cases: (1) Security, (2) Application Development and Performance Monitoring, and (3) Salesforce Use and Adoption
  • The Event Monitoring Wave App includes API integration with the Event Log Files API, providing immediate value out of the box by simply turning Event Monitoring on for your app, as well as a great point-and-click interface to slice and dice the data and customize dashboards your own way
  • The Event Monitoring Wave App is licensed for 10 users with a 50 million record row limit, and there's a configuration wizard to select which datasets to include and for how long (default is 7 days) depending on your app's data volume

Security and compliance are very strong drivers for Event Monitoring customers, and we have spent most of our time building different views for security and compliance related dashboards. Hope you enjoy them; here's a quick walkthrough of each:
  • My Trust: inspired by trust.salesforce.com, My Trust is a single place to view the health of your Salesforce app, active users, total transactions, average and max page time and end user page time. Drill down to different event types and compare daily trends.
  • Report Downloads: see the percentage of viewed reports that resulted in exports, as well as report export trends by different user agents and IPs that can be filtered down by inactive users to indicate suspicious or large volume of data export activity
  • REST API: analyze who is using the API for example with Data Loader to manage or move large data sets and identify possible hot spots for REST API that are used by managed packages 
  • Login As: understand the behavior of admins logging in as end users and identify possible abuse: who they are, where they logged in and what pages were accessed
  • User Logins: see login trends per user, who is using the application the most, identify IP addresses with shared logins for signs of suspicious use, as well as understand what browsers are being used and average times being logged in
  • Setup Audit Trail: identify what admins are doing in the setup and keep track of the most common audit changes and their types
  • Files: get visibility into which files are being downloaded by different roles over a period of time, to help identify the top files or resources that are barely being used

Application Development and Performance is also a very important topic: continuously monitor application health to stay in the know, and understand if some reports are taking long to produce or if certain Apex jobs should be timed differently to avoid hitting governance limits. Here's what we've built for Salesforce developers:

  • Apex Execution: help to prioritize which Apex classes to fix to improve overall performance by comparing overall Apex performance, CPU time, SOQL and DML interactions based on total DB time
  • Reports: see report usage trends across users and profiles, identify top reports and get visibility into the most used reports as well as their load performance
  • API: see API trends per Object and the overall API performance during certain period of time including average CPU time per API
  • Dashboards: get visibility into Dashboard usage trends over time and the performance of these dashboards so you can prioritize in troubleshooting

Last but definitely not least, understanding Adoption and User Engagement for the Salesforce application is key. What are my users doing, how and when are they accessing the application, and what are the top resources or click paths? These are valuable for the line of business, executives, IT teams and developers alike:

  • Lightning SFX: provides visibility into which users are using the new Lightning User Interface and how it's performing; see how many total user interactions took place and what the average and max end user page time (EPT) looks like
  • Page Views (URI): see what pages the users are clicking the most and how much time they are spending, on average, on these pages. Drill down to details about users and what they are accessing, or drill down to specific pages to see which users are using them
  • Visualforce Requests: see the most used Visualforce pages and prioritize troubleshooting based on performance, e.g. by sorting by runtime you can quickly see the slowest pages, or AppExchange adoption
  • Wave Adoption: last but not least, you have pushed out the Event Monitoring Wave App or Sales or Service Wave, and you want to know whether your users are actually using it; identify details at user level, how many interactions they have with Wave dashboards and which ones they are customizing

We hope you enjoy the app and find these built-in visualizations useful. You can use your 10 permission set licenses as viewers or editors/managers. If you require more users or are nearing the 50 million limit, you can get in touch with your Account Executive to get more with Wave Platform.

If you are an existing Event Monitoring customer and haven't yet tried out the Event Monitoring Wave App, please follow these instructions to get set up. If you're a new customer interested in learning more about Event Monitoring and the Event Monitoring Wave App, get in touch with your Salesforce Account Executive to get started.

For anything else, please leave questions or comments here or reach out on Twitter to @salomaa. Thanks and sunny summertime from San Francisco!