Two New Keys To Unlock Your Salesforce Users Event Data

Two New Keys To Unlock Your Users Event Data

Have you been exploring the new release with Event Monitoring? If so, you might have seen the Event Monitoring event log lines that contain Login_Key and Session_Key columns. These are new fields that tie together all the different events in a Salesforce user’s or admin’s login session or activity session, respectively.

Introducing Login Key and Session Key

Purpose of the Login Key and Session Key fields are to help provide specific identifier for a user’s login session across various log lines to give customers a better 360 degree view of users behavior within the Salesforce application for a given security investigation, understanding and exploring specific user behavior or when researching a specific application or performance issue.

Let’s see them in action. Here's an example showing URI event logs - in other words, users’ click path in the Salesforce application across the various generated log lines. To easily see a more concise view of what each user is doing, you can now use LOGIN_KEY as an identifier across the different Events to tie them together as well separate different actions together with this powerful identifier. Please see from the picture below and example of the LOGIN_KEY field within URI event logs.

Login Key and Session Key Examples

So how can you best take use of this identifier? I’ve collected couple of examples here, please leave your thoughts and additional ideas to the comments below.

Your application can generate a ton of URI log lines. When researching for specific user’s log lines, you might easily run into issues of finding the needle in the haystack. You can use LOGIN_KEY as grouping mechanism to separate different user sessions and volume of activity.

Example 1: Splitting User Activity Forensics by Different User Sessions  

Looking at URI (i.e. page views) for example in this picture below, we’ve aggregated all URI Logs for user Jari Salomaa on September 23rd. We can see there’s 5 different LOGIN_KEY’s that separate the different sessions ranging from logins from Salesforce1 Mobile, Safari, Chrome browsers from which, there’s over 200 log entries for one specific Login session that we can click and expand and investigate more closely what specific pages those URI logs contain.

Additionally for the security conscious customers, whether on Sales Cloud or Service Cloud or other Salesforce products, understanding data export activity is always important. Who is downloading customer data to their local computers and especially if that happens in very large volume.

As an example building real time alerts and policies is important when there are large volume data export activity taking place from different hours of the day outside the typical business hours. This is often the case with compromised credentials and different hacker groups placed in different countries like Russia, China and Eastern Europe targeting valuable data. If you don’t have business users logging in and exporting data in these regions you can use LOGIN_KEY and SESSION_KEY to better understand past behavior against different timezones your business operates.

Example 2: Monitoring the number of report exports with SESSION_KEY Salesforce Customers can obtain better visibility to their application’s report export behavior by grouping the ReportExport log line dataset grouped by the hour of the day

How to identify non business hours data export activity and build alerts

1. Use Event Monitoring Wave App or any of your preferred data visualization tools or Event Log File Browser if you have small volume of logs) to download ReportExport Log Lines
2. Group your ReportExport log lines by SESSION_KEY
3. Sort the logs by hour of the day
4. Identify non business hour ReportExport events based on your business hours
5. Build APEX policy with Transaction Security to alert on a specific threshold e.g. for Account, Opportunity, Lead, Case, Contact etc entity download object by specific timeframe

Example 3: Using LOGIN_KEY and SESSION_KEY as identifier across various support 25 log lines

• Use it as ID to construct a complete view for forensic investigation to user activity, for example to understand what the user did, which pages the user visited given a specific login session and pull all of that information together in it's own table
• Separate different user sessions within a specific login session within user's credentials, for example when user may have been logged in from API clients, user interface and other places and when it’s hard to understand which session contains unwanted or suspicious behavior
• Parse together otherwise complicated session keys to more holistic view

Event Logs That Support Login and Session Key

1. Apex Callout - details about callouts (external requests) during Apex code execution 2. Apex Execution - details about Apex classes that are used 3. Apex SOAP - details about Web Services API calls 4. Apex Trigger - contains details about triggers that fire in an organization 5. API - contain details about your organization’s Force.com Web Services API activity 6. Asynchronous Report Run - created for scheduled report requests that includes dashboard refreshes, asynchronous reports, scheduled reports and analytics snapshots 7. Bulk API - contains details about Bulk API requests 8. Change Set Operation - contains information from change set migrations 9. Console - contains information about the performance and use of Salesforce console whenever opened with a sidebar component 10. Dashboard - contains details about dashboards that users view 11. Login - your organization’s user login history 12. Metadata API Operation - contains details of Metadata API retrieval and deployment requests

13. Multiblock Report - contains details about Joined Report reports 14. Package Install - contains details about package installation in the organization 15. Queued Execution - details about queued executions, for example Batch Apex 16. Report - contains information about what happened when user ran a report 17. Report Export - contains details about reports that a user exported 18. REST API - contains details about REST specific requests 19. Sites - contains details of site.com browser UI or API requests 20. Transaction Security - contains details about policy execution 21. URI - contains details about user interaction with the web browser based UI 22. Visualforce Request - contains details of browser UI or API based Visualforce requests 23. Wave Change - represents route or page changes made in the Salesforce Wave Analytics user interface 24. Wave Interaction - tracks user interactions with the Wave Analytics user interface 25. Wave Performance - help you track trends in your Wave Analytics performance

For more details about supported events, see the SOAP API Guide for additional updates and details, which is updated each release. Thanks for Melissa Kulm, Mike Jacobsen and Lakshmisha Bhat for their invaluable feedback and comments on this blog.

Please feel free to leave feedback below!