Salesforce Event Monitoring Facts – Fighting Fundamental Misunderstandings

A key component of the Salesforce Shield security suite, Event Monitoring allows organizations to boost data security and improve forensic investigations within their Salesforce orgs. Thousands of customers around the world use this tool to provide greater visibility around user activity in Salesforce, but there are many common misconceptions about Event Monitoring facts – particularly what it does and doesn’t do.

The goal of this blog post is to set the record straight so you can better understand your security options and the scope of your solutions. Here, we’ll look at three commonly misunderstood Event Monitoring facts so you can fully master and utilize your security solution.

First: What is Event Monitoring?

Many organizations purchase additional Salesforce security in the form of Event Monitoring. You can buy Event Monitoring on its own or bundled with Field Audit Trail and Platform Encryption in a full package known as Salesforce Shield. Event Monitoring essentially documents and exports the raw audit log files from your Salesforce orgs. These log files are a record of user activity within your instance – also known as “events.” By monitoring your org’s events, you can…

  • Protect your organizations’ sensitive data
  • Track trends
  • Learn more about individual events
  • Identify abnormal behavior

With insiders causing more than 50 percent of data breaches, it’s critical to monitor internal user access to your mission-critical data in order to maintain trust and compliance within your organization.

The Event Monitoring starter package includes select pre-built options; if you want customization, you’ll need to know the data set and write the reports yourself. The package can help you get started, but if you really want to take full advantage of the visibility Event Monitoring provides, consider layering a pre-built application on top. Some organizations may consider building their own solution, but most companies choose to buy a tried-and-true solution that works off the shelf.

Einstein Analytics is also included for free in Salesforce’s Event Monitoring package; this application sits atop Event Monitoring and provides some visibility into the activity documented within the raw log files. This leads us, however, to our first misunderstanding — that Einstein Analytics consumes all of your Salesforce log files.

Myth #1: Einstein Analytics consumes all log files.

Fact #1: Einstein Analytics consumes a subset of log files (usually somewhere between 13 and 16, although the number can change).

As of Spring 2019, Event Monitoring will record 48 different log files from your Salesforce data. These events may include login activity, API calls, Apex executions, exported reports, and more. But not every event type makes it into the Event Monitoring reports. Your organization’s specific Salesforce software edition will determine which log file events you receive.

You have a few options to make sense of the data you receive:

  • You can import the data into a data lake and try to correlate the information back, making connections as you see fit.
  • You can leverage an off-the-shelf user activity monitoring application from a strategic Salesforce ISV partner to make these auto logs human-readable and easy to understand.

Myth #2: Event Monitoring 1.0 files are downloaded in real time.

Fact #2: While Salesforce events generate log data in real time, Event Monitoring 1.0 log data only comes once a day. The files are refreshed and delivered daily, generated during non-peak hours the day after an event occurs. This means you won’t be able to access the log files from an event until at least 24 hours later.

If you want hourly or real-time activity, you’ll have to write an API call that pulls the data down into your data repository. This can require a lot of manual effort (which other alert-based solutions can take care of for you).

Myth #3: Event Monitoring log files are retained forever (or an extended period of time).

Fact #3: Event Monitoring log files are natively retained for a rolling 30 days. After 30 days, the log files are purged. An off-the-shelf solution from a strategic ISV partner can extend the retention of log files beyond 30 days, giving you analytics and behavioral monitoring for longer periods and making it much easier to perform forensic investigations. After all, most data breaches take an average of 197 days to identify, so if your data is purged after 30 days, you won’t be able to go back any further than one month to determine the source of a breach.

Make no mistake: This myth-busting isn’t meant to dissuade you from using Event Monitoring – quite the opposite, in fact. Instead, by examining these misconceptions, you can more fully understand what Event Monitoring does for your business and how it, along with other tools, can provide greater visibility of how users are accessing what data, when, and from where – along with possible issues with usage, adoption, performance, and compliance. This greater visibility, in turn, helps you handle security concerns more quickly and proactively avoid breaches. With the data that Even Monitoring records, you can monitor for data loss, increase adoption, and optimize performance across multiple orgs. All you have to do is feed that data to the right tool.

Boost Your Cloud Security with FairWarning