This content describes an older version of this product.

Choose Event Fields for the Enhanced Policy Conditions

You map the legacy event properties to event object fields in the enhanced transaction security framework.
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


In the Apex class that implements your legacy policy, you use properties of the TxnSecurity.Event class to select items of interest from the event that you’re monitoring. You then test these items to determine whether a condition has been met. For example, to create a policy that triggers when a specific user logs in, you use the Event.userId property.

In an enhanced policy, you use the fields of the appropriate event objects, such as ApiEvent.QueriedEntities or ReportEvent.RowsProcessed, in the conditions.

This table maps the TxnSecurity.Event class properties to their equivalent fields of the Real-Time Event Monitoring event objects that support transaction security policies.

Table 1. Mapping of Legacy Event Property to Real-Time Event Monitoring Event Field

Legacy Event Class Property | Equivalent Event Object Field in the Enhanced Framework | Notes
organizationId | No equivalent | The org ID is the ID of the org in which the enhanced policy is running. Use the Apex UserInfo.getOrganizationId() method to get it.
userId | UserId | Available on all Real-Time Event Monitoring event objects that support transaction security policies.
entityName | No equivalent | This information isn't needed in enhanced policies.
action | No equivalent | Used only with the legacy Login IP event type, which has been retired.
resourceType | No equivalent | The concept of resources doesn't exist for events in the enhanced framework. See the note after this table for how to approximate a resource-based legacy policy.
entityId | Depends on the legacy event type (see the list after this table) |
timeStamp | EventDate | Available on all Real-Time Event Monitoring event objects that support transaction security policies.
data | Depends on the legacy event type | This legacy property is a Map<String, String>. Its content differs depending on the event type that the policy is based on (Resource Access, Data Export, or Login). See the next sections for tables that map the data keys of each legacy event type to their equivalent event object fields in the enhanced framework.

Equivalent fields for entityId:
  • ReportEvent.ReportId (if your legacy policy is based on a Resource Access event type)
  • ApiEvent.Records or ReportEvent.Records (if your legacy policy is based on a Data Export event type)
  • No equivalent for the legacy Login event type

Note on resourceType: You can still mimic legacy behavior that referenced resources. For example, suppose your legacy policy is based on the Data Export event type and the Opportunity resource. You want to monitor API queries only, so you base your enhanced policy on ApiEvent. To monitor opportunities, you add this condition to your policy: "ApiEvent.QueriedEntities contains Opportunity." Be careful, though: an ApiEvent policy is evaluated on every API query and a ReportEvent policy on every report operation, regardless of entity, so the enhanced policy executes far more often than a similar resource-scoped policy did in the legacy framework. Also note that QueriedEntities is a comma-separated list, so a plain "contains" check is a substring match and matches OpportunityLineItem as well as Opportunity; if that matters, compare whole entity names in an Apex condition instead.

Mapping Legacy Data Export Data Keys

When you migrate a legacy policy based on the Data Export event type to the enhanced framework, you base the enhanced policy on either ReportEvent (for report exports) or ApiEvent (for API queries).

Table 2. Mapping of Legacy Data Export Data Key to ReportEvent or ApiEvent Field

Legacy Data Key Name | Equivalent ReportEvent Field | Equivalent ApiEvent Field | Notes
ApiType | No equivalent | ApiType
Application | No equivalent | Application
Browser | No equivalent | No equivalent | To restrict the browsers that your users can use, create an enhanced policy based on LoginEvent, which can block the login itself.
ClientId | No equivalent | Client
ConnectedAppId | No equivalent | ConnectedAppId
EntityName | QueriedEntities | QueriedEntities | In the enhanced framework, QueriedEntities contains a comma-separated list of all entities that the report or API query accessed. In the legacy framework, EntityName contains only one entity name.
ExecutionTime | No equivalent | ElapsedTime
IsApi | Operation | No equivalent | The Operation field contains the type of report operation that occurred. Use its values to limit the operations that you monitor, such as by UI (Salesforce Classic, Lightning Experience, or mobile), API (synchronous, asynchronous, REST), or dashboard.
isScheduled | IsScheduled | No equivalent
LoginHistoryId | LoginHistoryId | LoginHistoryId
NumberOfRecords | RowsProcessed | RowsProcessed
Platform | No equivalent | Platform
Query | No equivalent | Query
SessionLevel | SessionLevel | SessionLevel
SourceIp | SourceIp | SourceIp
Uri | No equivalent | No equivalent
UserAgent | No equivalent | UserAgent
Username | Username | Username

Mapping Legacy Resource Access Data Keys

When you migrate a legacy policy based on the Resource Access event type, you use the ReportEvent event.

Table 3. Mapping of Legacy Resource Access Data Keys to ReportEvent Fields

Legacy Data Key Name | Equivalent ReportEvent Field
EntityId | ReportId
ResourceName | No equivalent
SessionLevel | SessionLevel
SourceIp | SourceIp
Username | Username

Mapping Legacy Login Data Keys

When you migrate a legacy policy based on the Login event type, you use the LoginEvent event. All of the LoginHistory and LoginGeo fields that a legacy policy reached through the LoginHistoryId and LoginGeoId keys are now present directly on LoginEvent. The one renaming is the legacy OptionIsGet and OptionIsPost fields, which map to LoginEvent.HttpMethod. Remove any SOQL queries against LoginHistory or LoginGeo, because those records aren't available during policy execution in the enhanced framework. Instead, use the fields directly from LoginEvent.

Here’s the Apex code for a legacy policy that queries LoginHistoryId.

global class SourceIpPolicyCondition implements TxnSecurity.PolicyCondition {
    public boolean evaluate(TxnSecurity.Event e) {
        // The legacy event exposes only the LoginHistory record ID; the source IP
        // has to be fetched with a query.
        String loginHistoryId = e.data.get('LoginHistoryId');
        List<LoginHistory> rows = [SELECT SourceIp FROM LoginHistory WHERE Id = :loginHistoryId LIMIT 1];
        // Guard against a missing row and a null IP instead of throwing.
        return !rows.isEmpty() && '1.1.1.1'.equals(rows[0].SourceIp);
    }
}

Here’s the Apex code for an enhanced policy that uses fields directly from LoginEvent.

global class SourceIpEventCondition implements TxnSecurity.EventCondition {
    public boolean evaluate(SObject event) {
        // The source IP is a field on the event itself, so no query is needed.
        LoginEvent loginEvent = (LoginEvent) event;
        return '1.1.1.1'.equals(loginEvent.SourceIp);
    }
}

Table 4. Mapping of Legacy Login Data Keys to LoginEvent Fields

Legacy Data Key Name | Equivalent LoginEvent Field
LoginHistoryId | LoginHistoryId
Username | Username
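The SourceIp pair above removes one query. The example below, added here and not taken from the original page or from Salesforce, applies the same before/after pattern to the two other things a legacy Login policy had to fetch by query: the HTTP-method flags on LoginHistory and the country on the related LoginGeo record. It assumes the field names LoginHistory.OptionsIsPost, LoginGeo.CountryIso, LoginEvent.HttpMethod and LoginEvent.CountryIso, that HttpMethod carries values such as 'POST', and that 'US' is a placeholder for your own allowed-country list; each class goes in its own Apex file.

```apex
// Added example, not from the original page. Assumed field names and values are
// marked below; confirm them against your org before deploying.

// Shared allow-list so both versions of the condition use the same data.
public class LoginPolicyConstants {
    // Placeholder country list (assumption); ISO codes as LoginGeo/LoginEvent report them.
    public static final Set<String> ALLOWED_COUNTRIES = new Set<String>{ 'US' };
}

// Legacy version: the event carries only LoginHistoryId, so two SOQL queries are
// needed per login, and both queries stop working in the enhanced framework.
global class ForeignPostLoginLegacyCondition implements TxnSecurity.PolicyCondition {
    public boolean evaluate(TxnSecurity.Event e) {
        String loginHistoryId = e.data.get('LoginHistoryId');
        if (String.isBlank(loginHistoryId)) {
            return false;
        }
        // Query 1: the HTTP-method flag lives on LoginHistory (assumed field OptionsIsPost).
        List<LoginHistory> history = [SELECT OptionsIsPost, LoginGeoId FROM LoginHistory
                                      WHERE Id = :loginHistoryId LIMIT 1];
        if (history.isEmpty() || history[0].OptionsIsPost != true) {
            return false;
        }
        // Query 2: the country lives on the related LoginGeo record (assumed field CountryIso).
        Id geoId = history[0].LoginGeoId;
        List<LoginGeo> geo = [SELECT CountryIso FROM LoginGeo WHERE Id = :geoId LIMIT 1];
        // Unknown geo is treated as not allowed (fail closed).
        return geo.isEmpty() || !LoginPolicyConstants.ALLOWED_COUNTRIES.contains(geo[0].CountryIso);
    }
}

// Enhanced version: both values are fields on LoginEvent, so the condition needs no queries.
// OptionIsGet/OptionIsPost become a single HttpMethod string (assumed value 'POST').
global class ForeignPostLoginEventCondition implements TxnSecurity.EventCondition {
    public boolean evaluate(SObject event) {
        LoginEvent loginEvent = (LoginEvent) event;
        Boolean isPost = 'POST'.equalsIgnoreCase(loginEvent.HttpMethod);
        // Null country is treated as not allowed, matching the legacy behavior above.
        Boolean fromAllowedCountry = loginEvent.CountryIso != null
            && LoginPolicyConstants.ALLOWED_COUNTRIES.contains(loginEvent.CountryIso.toUpperCase());
        return isPost && !fromAllowedCountry;
    }
}
```

The enhanced condition is also safer to run at login time: a SOQL query that finds no row would otherwise leave the policy dependent on timing, whereas the event fields are populated before the condition is evaluated.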

Follow Along with the Lead Data Export Example

Continuing with the two enhanced policies, we’re creating one based on ApiEvent, and the other based on ReportEvent.

Let's next determine the event properties used in the legacy Lead Data Export policy example and their equivalent fields in the two new enhanced policies.

The legacy policy triggers when a user’s download either:

  • Retrieves more than 2,000 lead records
  • Takes more than one second to complete

Here's the Apex code for the legacy policy. It uses the legacy event’s data Map<> for all its conditions.

global class DataLoaderLeadExportCondition implements TxnSecurity.PolicyCondition {
  public boolean evaluate(TxnSecurity.Event e) {
    // The event data is a Map<String, String>.
    // We need to call the valueOf() method on appropriate data types to use them in our logic.
    Integer numberOfRecords = Integer.valueOf(e.data.get('NumberOfRecords'));
    Long executionTimeMillis = Long.valueOf(e.data.get('ExecutionTime'));
    String entityName = e.data.get('EntityName');

    // Trigger the policy only for an export on leads, where we are downloading
    // more than 2000 records or it took more than 1 second (1000ms).
    if ('Lead'.equals(entityName)) {
      if (numberOfRecords > 2000 || executionTimeMillis > 1000) {
        return true;
      }
    }

    // For everything else don't trigger the policy.
    return false;
  }
}

This table lists the equivalent fields in the enhanced policies that you use for adding conditions.

Legacy Data Key Name | Equivalent ReportEvent Field | Equivalent ApiEvent Field
EntityName | QueriedEntities | QueriedEntities
ExecutionTime | No equivalent | ElapsedTime
NumberOfRecords | RowsProcessed | RowsProcessed

Because ReportEvent has no execution-time field (the enhanced framework doesn't record how long a report takes to run), you can't add a condition for that value in your enhanced ReportEvent policy. Only the row-count condition survives the migration on the ReportEvent side; the ApiEvent side keeps both, using ElapsedTime.

ReportEvent monitors both export and view operations, so a policy based on ReportEvent executes whenever a user exports or views a report. The legacy Data Export event type monitors only report exports. To limit what a ReportEvent policy monitors, add a condition on the ReportEvent.Operation field.
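Here is the legacy DataLoaderLeadExportCondition rewritten as the two enhanced conditions this section describes, one for ApiEvent and one for ReportEvent. This is an added example rather than code from the original page or from Salesforce. It assumes that ReportEvent.Operation uses the value 'ReportExported' for a report export (a placeholder you must confirm against the picklist values in your org) and that the hypothetical QueriedEntitiesUtil helper class is deployed alongside the two condition classes. The same helper gives the whole-name match that the earlier note about mimicking an Opportunity resource needs: Table 2 points out that QueriedEntities is a comma-separated list, so a substring "contains Opportunity" condition also matches OpportunityLineItem, whereas splitting the list and comparing whole names does not.

```apex
// Added example, not from the original page. Each class goes in its own Apex file.

// Helper (hypothetical name): QueriedEntities is a comma-separated list such as
// "Account,Lead,OpportunityLineItem", so test for a whole item rather than a substring.
public class QueriedEntitiesUtil {
    public static Boolean includes(String queriedEntities, String entityName) {
        if (String.isBlank(queriedEntities) || String.isBlank(entityName)) {
            return false;
        }
        for (String item : queriedEntities.split(',')) {
            if (item.trim().equalsIgnoreCase(entityName)) {
                return true;
            }
        }
        return false;
    }
}

// ApiEvent keeps both legacy conditions: NumberOfRecords -> RowsProcessed,
// ExecutionTime -> ElapsedTime (milliseconds), EntityName -> QueriedEntities.
global class LeadApiExportEventCondition implements TxnSecurity.EventCondition {
    private static final Integer MAX_ROWS = 2000;
    private static final Long MAX_ELAPSED_MS = 1000L;

    public boolean evaluate(SObject event) {
        ApiEvent apiEvent = (ApiEvent) event;
        // Pass 'Opportunity' here instead to reproduce the Opportunity-resource example.
        if (!QueriedEntitiesUtil.includes(apiEvent.QueriedEntities, 'Lead')) {
            return false;
        }
        // Null-check each numeric field: the condition must not throw at evaluation time.
        Boolean tooManyRows = apiEvent.RowsProcessed != null && apiEvent.RowsProcessed > MAX_ROWS;
        Boolean tooSlow = apiEvent.ElapsedTime != null && apiEvent.ElapsedTime > MAX_ELAPSED_MS;
        return tooManyRows || tooSlow;
    }
}

// ReportEvent has no elapsed-time field, so only the row-count condition survives.
// It also fires on report views, so narrow it to exports with the Operation field.
global class LeadReportExportEventCondition implements TxnSecurity.EventCondition {
    private static final Integer MAX_ROWS = 2000;
    // Assumed picklist value; confirm it against ReportEvent.Operation in your org.
    private static final Set<String> EXPORT_OPERATIONS = new Set<String>{ 'ReportExported' };

    public boolean evaluate(SObject event) {
        ReportEvent reportEvent = (ReportEvent) event;
        // Ignore views and other non-export operations; legacy Data Export fired only on exports.
        if (!EXPORT_OPERATIONS.contains(reportEvent.Operation)) {
            return false;
        }
        if (!QueriedEntitiesUtil.includes(reportEvent.QueriedEntities, 'Lead')) {
            return false;
        }
        return reportEvent.RowsProcessed != null && reportEvent.RowsProcessed > MAX_ROWS;
    }
}
```

Because both conditions return false on any null field rather than throwing, a malformed or partially populated event is simply not matched; that is the fail-open choice for a detection condition, so if the policy's action is to block the export you may prefer to return true when QueriedEntities is null and the caller cannot be classified.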