Platform Events Developer Guide

Platform Events Developer Guide
Delivering Custom Notifications with Platform Events
Defining Your Custom Platform Event
Publishing Platform Events
Subscribing to Platform Events
Testing Your Platform Event in Apex
Encrypting Platform Event Messages at Rest in the Event Bus
Monitor Platform Event Publishing and Delivery Usage
Considerations
Examples
Reference
Platform Event Allocations
EventBusSubscriber
EventBus Class
Platform Event Error Status Codes
TriggerContext Class
Standard Platform Event Objects
Change Data Capture Events
Standard Platform Event Object List
AIPredictionEvent
AIUpdateRecordEvent
AppointmentSchedulingEvent
AssetTokenEvent
BatchApexErrorEvent
CommerceDiagnosticEvent
FlowExecutionErrorEvent
FOStatusChangedEvent
OrderStatusChangedEvent
OrderSummaryCreatedEvent
OrderSumStatusChangedEvent
PlatformStatusAlertEvent
ProcessExceptionEvent
PublishStatusEvent (Pilot)
RemoteKeyCalloutEvent
Real-Time Event Monitoring Objects
ApiAnomalyEvent
ApiAnomalyEventStore
ApiEvent
ApiEventStream
BulkApiResultEvent
BulkApiResultEventStore
ConcurLongRunApexErrEvent
CredentialStuffingEvent
CredentialStuffingEventStore
IdentityProviderEventStore
IdentityVerificationEvent
LightningUriEvent
LightningUriEventStream
ListViewEvent
ListViewEventStream
LoginAsEvent
LoginAsEventStream
LoginEvent
LoginEventStream
LogoutEvent
LogoutEventStream
MobileEmailEvent
MobileEnforcedPolicyEvent
MobileScreenshotEvent
MobileTelephonyEvent
ReportAnomalyEvent
ReportAnomalyEventStore
ReportEvent
ReportEventStream
SessionHijackingEvent
SessionHijackingEventStore
UriEvent
UriEventStream
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SessionHijackingEvent

Tracks when unauthorized users gain ownership of a Salesforce user’s session with a stolen session identifier. To detect such an event, Salesforce evaluates how significantly a user’s current browser fingerprint diverges from the previously known fingerprint using a probabilistically inferred significance of change. This object is available in API version 49.0 and later.

Supported Calls

describeSObjects()

Supported Subscribers

Subscriber Supported?
Apex Triggers
Flows
Processes
Streaming API (CometD) Yes

Streaming API Subscription Channel

/event/SessionHijackingEvent

Special Access Rules

Accessing this object requires either the Salesforce Shield or Event Monitoring add-on subscription and the View Real-Time Event Monitoring Data user permission.

Fields

Field Details
CurrentIp
Type
string
Properties
Nillable
Description
The IP address of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousIp field for the previous IP address. If the IP address didn’t contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousIp field value. For example, 126.7.4.2.
CurrentPlatform
Type
string
Properties
Nillable
Description
The platform of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousPlatform field for the previous platform. If the platform didn’t contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousPlatform field value. For example, MacIntel or Win32.
CurrentScreen
Type
string
Properties
Nillable
Description
The screen of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousScreen field for the previous screen. If the screen didn’t contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousScreen field value. For example, (900.0,1440.0) or (720,1280).
CurrentUserAgent
Type
textarea
Properties
Nillable
Description
The user agent of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousUserAgent field for the previous user agent. If the user agent didn’t contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousUserAgent field value. For example, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36.
CurrentWindow
Type
string
Properties
Nillable
Description
The browser window of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousWindow field for the previous window. If the window didn’t contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousWindow field value. For example, (1200.0,1920.0).
EvaluationTime
Type
double
Properties
Nillable
Description
The amount of time it took to evaluate the policy in milliseconds.
EventDate
Type
dateTime
Properties
Nillable
Description
The time when the anomaly was detected. For example, 2020-01-20T19:12:26.965Z. Milliseconds are the most granular setting.
EventIdentifier
Type
string
Properties
Nillable
Description
The unique ID of the event. For example, 0a4779b0-0da1-4619-a373-0a36991dff90.
LoginKey
Type
string
Properties
Nillable
Description
The string that ties together all events in a given user’s login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
PolicyId
Type
reference
Properties
Nillable
Description
The ID of the transaction policy associated with this event. For example, 0NIB000000000KOOAY.
PolicyOutcome
Type
picklist
Properties
Nillable, Restricted picklist
Description
The result of the transaction policy. Possible values are:
  • Error - The policy caused an undefined error when it executed.
  • NoAction - The policy didn't trigger.
  • Notified - A notification was sent to the recipient.
PreviousIp
Type
string
Properties
Nillable
Description
The IP address of the previous fingerprint. The IP address of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentIp field for the newly observed IP address. For example, 128.7.5.2.
PreviousPlatform
Type
string
Properties
Nillable
Description
The platform of the previous fingerprint. The platform of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentPlatform field for the newly observed platform. For example, Win32 or iPhone.
PreviousScreen
Type
string
Properties
Nillable
Description
The screen of the previous fingerprint. The screen of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentScreen field for the newly observed screen. For example, (1200.0,1920.0).
PreviousUserAgent
Type
textarea
Properties
Nillable
Description
The user agent of the previous fingerprint. The user agent of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentUserAgent field for the newly observed user agent. For example, Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko).
PreviousWindow
Type
string
Properties
Nillable
Description
The browser window of the previous fingerprint. The window of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentWindow field for the newly observed window. For example, (1600.0,1920.0).
ReplayId
Type
string
Properties
Nillable
Description
Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
Score
Type
double
Properties
Nillable
Description
Specifies how significant the new browser fingerprint deviates from the previous one. The score is a number from 6.0 through 21.0. The event exposes five field pairs (such as CurrentIp and PreviousIp) to view the before and after data for the five most interesting browser features that contributed to this anomaly. See the SecurityEventData field for all contributing features in JSON format.

Salesforce detects session hijacking by comparing browser fingerprints in a given user session and evaluating how significantly a newly observed fingerprint deviates from the existing one. A large deviation score (6.0 or more) between two intra-session fingerprints indicates that two different browsers are active in the same session. The presence of two active browsers usually means that session hijacking has occurred.
SecurityEventData
Type
string
Properties
Nillable
Description
The set of browser fingerprint features about the session hijacking that triggered this event. See the Threat Detection documentation for the list of possible features.

For example, let’s say that a user’s current browser fingerprint diverges from their previously known fingerprint. If Salesforce concludes their session was hijacked, it fires this event and the contributing features are captured in this field in JSON format. Each feature describes a particular browser fingerprint property, such as the browser user agent, window, or platform. The data includes the current and previous values for each feature.

Example
1[
2{
3"featureName": "userAgent",
4"featureContribution": "0.45 %", 
5"previousValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142", 
6"currentValue": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36."
7},
8{
9"featureName": "ipAddress",
10"featureContribution": "0.23 %",
11"previousValue": "201.17.237.77",
12"currentValue": "182.64.210.144"
13},
14{
15"featureName": "platform",
16"featureContribution": "0.23 %",
17"previousValue": "Win32",
18"currentValue": "MacIntel"
19},
20{
21"featureName": "screen",
22"featureContribution": "0.23 %",
23"previousValue":"(1050.0,1680.0)",
24"currentValue": "(864.0,1536.0)"
25},
26{
27"featureName": "window",
28"featureContribution": "0.17 %",
29"previousValue": "1363x1717",
30"currentValue": "800x1200"
31}
32]
SessionKey
Type
string
Properties
Nillable
Description
The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
SourceIp
Type
string
Properties
Nillable
Description
The source IP address of the client that logged in. For example, 126.7.4.2.
Summary
Type
textarea
Properties
Nillable
Description
A text summary of the threat that caused this event to be created. The summary lists the browser fingerprint features that most contributed to the threat detection along with their contribution to the total score.
Example
  • Changes to (userAgent, platform, ipAddress) were not expected based on this user's profile. These top 3 deviations contributed (1, 1, 0.922) to the total score, respectively
  • Changes to (ipAddress, userAgent, platform, languages, color) were not expected based on this user's profile. These top 5 deviations contributed (1, 0.695, 0.695, 0.25, 0.223) to the total score, respectively
UserId
Type
reference
Properties
Nillable
Description
The origin user’s unique ID. For example, 005000000000123.
Username
Type
string
Properties
Nillable
Description
The origin username in the format of user@company.com at the time the event was created.