Newer Version Available

This content describes an older version of this product. View Latest

ReportAnomalyEvent (Beta)

Tracks anomalies in how users run or export reports, including unsaved reports. This object is available in API version 48.0 and later.

Supported Calls

As a beta feature, the ReportAnomalyEvent platform event is a preview and not part of the “Services” under your master subscription agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only on the basis of generally available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame or at all, and we can discontinue it at any time. This feature is for evaluation purposes only, not for production use. It’s offered as is and isn’t supported, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions, Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content apply equally to your use of this feature. You can provide feedback and suggestions for this feature in the Salesforce Official: Shield group in the Trailblazer Community.

Note

describeSObjects()

Supported Subscribers

Subscriber Supported?
Apex Triggers
Flows
Processes
Streaming API (CometD) Yes

Streaming API Subscription Channel

/event/ReportAnomalyEvent

Special Access Rules

Accessing this object requires either the Salesforce Shield or Event Monitoring add-on subscription and the View Data Leakage Detection Events user permission.

Fields

Field Details
EventDate
Type
dateTime
Properties
Nillable
Description
The time when the anomaly was reported. For example, 2020-01-20T19:12:26.965Z. Milliseconds are the most granular setting.
EventIdentifier
Type
string
Properties
Nillable
Description
The unique ID of the event. For example, 0a4779b0-0da1-4619-a373-0a36991dff90.
LoginKey
Type
string
Properties
Nillable
Description
The string that ties together all events in a given user’s login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
ReplayId
Type
string
Properties
Nillable
Description
Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
Report
Type
string
Properties
Nillable
Description
The report ID for the report for which this anomaly event was detected. For example, 00OD0000001leVCMAY.

If this anomaly resulted from a user executing an unsaved report, the value of this field is null.

Score
Type
double
Properties
Nillable
Description
A number from 0 through 100 that represents the anomaly score for the report execution or export tracked by this event. The anomaly score shows how the user's current report activity is different from their typical activity. A low score indicates that the user's current report activity is similar to their usual activity, a high score indicates that it's different.
SecurityEventData
Type
string
Properties
Nillable
Description
The set of features about the report activity that triggered this anomaly event. While there are many features that can trigger the event, this field contains only the top five contributing ones.

Let’s say, for example, that a user typically downloads 10 accounts but then they deviate from that pattern and download 1,000 accounts. This event is triggered and the contributing features are captured in this field. Potential features include row count, column count, average row size, the day of week, and the browser used for the report activity. The data captured in this field also shows how much a particular feature contributed to this anomaly event being triggered, represented as a percentage. The data is in JSON format.

Example
This example shows that the average row count contributed more than 95% to the anomaly being triggered. Other anomalous features, such as the autonomous system, day of the week the report was run, the browser used, and the number of columns, contributed much less.
1'contributions': [
2        {'featureContribution': '95.31 %',
3         'featureName': 'rowCount',
4         'featureValue': '584518'},
5        {'featureContribution': '2.00 %',
6         'featureName': 'autonomousSystem',
7         'featureValue': '53813'},
8        {'featureContribution': '1.42 %',
9         'featureName': 'dayOfWeek',
10         'featureValue': 'Tuesday'},
11        {'featureContribution': '1.21 %',
12         'featureName': 'userAgent',
13         'featureValue': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36'},
14        {'featureContribution': '0.06 %',
15         'featureName': 'numberColumns',
16         'featureValue': '22'}]
SessionKey
Type
string
Properties
Nillable
Description
The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
SourceIp
Type
string
Properties
Nillable
Description
The source IP address of the client that logged in. For example, 126.7.4.2.
UserId
Type
reference
Properties
Nillable
Description
The origin user’s unique ID. For example, 005000000000123.
Username
Type
string
Properties
Nillable
Description
The origin username in the format of user@company.com at the time the event was created.