| CurrentIp |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The IP address of the newly observed fingerprint that deviates
from the previous fingerprint. The difference between the current
and previous values is one indicator that a session hijacking
attack has occurred. See the
field for the
previous IP address. If the IP address didn’t contribute to the
observed fingerprint deviation, the value of this field is the same
as the
field
value. For example, 126.7.4.2.
|
| CurrentPlatform |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The platform of the newly observed fingerprint that deviates from
the previous fingerprint. The difference between the current and
previous values is one indicator that a session hijacking attack
has occurred. See the
field
for the previous platform. If the platform didn’t contribute to the
observed fingerprint deviation, the value of this field is the same
as the
field value. For
example, MacIntel or Win32.
|
| CurrentScreen |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The screen of the newly observed fingerprint that deviates from
the previous fingerprint. The difference between the current and
previous values is one indicator that a session hijacking attack
has occurred. See the
field
for the previous screen. If the screen didn’t contribute to the
observed fingerprint deviation, the value of this field is the same
as the
field value. For
example, (900.0,1440.0) or (720,1280).
|
| CurrentUserAgent |
- Type
- textarea
- Properties
- Nillable
- Description
- The user agent of the newly observed fingerprint that deviates
from the previous fingerprint. The difference between the current
and previous values is one indicator that a session hijacking
attack has occurred. See the
field for the previous
user agent. If the user agent didn’t contribute to the observed
fingerprint deviation, the value of this field is the same as the
field value. For example,
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36.
|
| CurrentWindow |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The browser window of the newly observed fingerprint that deviates
from the previous fingerprint. The difference between the current
and previous values is one indicator that a session hijacking
attack has occurred. See the
field for the previous window. If the window didn’t contribute to
the observed fingerprint deviation, the value of this field is the
same as the
field value. For
example, (1200.0,1920.0).
|
| DetailIdentifier |
- Type
- string
- Properties
- Filter, Group, idLookup, Sort
- Description
- The ID of the individual detail record. This field is unique
within your organization.
|
| EventDate |
- Type
- dateTime
- Properties
- Filter, Nillable, Sort
- Description
- The date when the hijacking event was reported. For example,
2020-01-20T19:12:26.965Z. Milliseconds are the most granular
setting.
|
| EventIdentifier |
- Type
- string
- Properties
- Filter, Group, idLookup, Nillable, Sort
- Description
- The unique ID of the event. For example,
0a4779b0-0da1-4619-a373-0a36991dff90.
|
| EventName |
- Type
- string
- Properties
- Filter, Group, idLookup, Nillable, Sort
- Description
- The name of the event, which is Session Hijacking.
|
| MetricIdentifier |
- Type
- string
- Properties
- Filter, Group, Sort
- Description
- The ID of the type of metric that was counted.
|
| MetricsType |
- Type
- picklist
- Properties
- Filter, Group, Restricted picklist, Sort
- Description
- The type of data being collected.
|
| Name |
- Type
- string
- Properties
- Filter, Group, idLookup, Sort
- Description
- The name of the metric for which data is being collected.
|
| PreviousIp |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The IP address of the previous fingerprint. The IP address of the newly observed fingerprint deviates from this value. The difference between the current
and previous values is one indicator that a session hijacking attack has occurred. See the
field for the newly observed IP
address. For example, 128.7.5.2.
|
| PreviousPlatform |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The platform of the previous fingerprint. The platform of the
newly observed fingerprint deviates from this value. The difference
between the current and previous values is one indicator that a
session hijacking attack has occurred. See the
field for the newly observed
platform. For example, Win32 or iPhone.
|
| PreviousScreen |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- screen of the newly observed fingerprint deviates from this value.
The difference between the current and previous values is one
indicator that a session hijacking attack has occurred. See the
field for the newly observed
screen. For example, (1200.0,1920.0).
|
| PreviousUserAgent |
- Type
- textarea
- Properties
- Nillable
- Description
- The user agent of the previous fingerprint. The user agent of the
newly observed fingerprint deviates from this value. The difference
between the current and previous values is one indicator that a
session hijacking attack has occurred. See the
field for the newly
observed user agent. For example, Mozilla/5.0 (iPhone; CPU iPhone
OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like
Gecko).
|
| PreviousWindow |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The browser window of the previous fingerprint. The window of the
newly observed fingerprint deviates from this value. The difference
between the current and previous values is one indicator that a
session hijacking attack has occurred. See the
field for the newly observed
window. For example, (1600.0,1920.0).
|
| Score |
- Type
- double
- Properties
- Filter, idLookup, Nillable, Sort
- Description
- Specifies how significant the new browser fingerprint deviates
from the previous one. The score is a number from 6.0 through 21.0.
The event exposes five field pairs (such as
and
) to view the before and after
data for the five most interesting browser features that
contributed to this anomaly. See the
field for all contributing
features in JSON format. Salesforce detects session hijacking by
comparing browser fingerprints in a given user session and
evaluating how significantly a newly observed fingerprint deviates
from the existing one. A large deviation score (6.0 or more)
between two intra-session fingerprints indicates that two different
browsers are active in the same session. The presence of two active
browsers usually means that session hijacking has occurred.
|
| SecurityEventData |
- Type
- textarea
- Properties
- Nillable
- Description
- The set of browser fingerprint features about the session
hijacking that triggered this event. See the Threat Detection
documentation for the list of possible features. For
example, let’s say that a user’s current browser fingerprint
diverges from their previously known fingerprint. If Salesforce
concludes their session was hijacked, it fires this event and the
contributing features are captured in this field in JSON format.
Each feature describes a particular browser fingerprint property,
such as the browser user agent, window, or platform. The data
includes the current and previous values for each feature.
|
| Summary |
- Type
- textarea
- Properties
- Nillable
- Description
- A text summary of the threat that caused this event to be created.
The summary lists the browser fingerprint features that most
contributed to the threat detection along with their contribution
to the total score.
|
| Tenant |
- Type
- string
- Properties
- Filter, Group, idLookup, Sort
- Description
- The ID of the tenant that was targeted in the event.
|
| TenantName |
- Type
- string
- Properties
- Filter, Group, idLookup, Nillable, Sort
- Description
- The name of the tenant that was targeted in the event.
|
| UserIdentifier |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The origin user’s unique ID. For example, 005000000000123.
|
| Username |
- Type
- string
- Properties
- Filter, Group, idLookup, Nillable, Sort
- Description
- The origin username in the format of user@company.com at the time
the event was created.
|
j