Use Async SOQL with Real-Time Event Monitoring
Let’s say you’ve created a custom object called Patent__c that contains sensitive patent information. You want to know when users query this object using any API. Use the following Async SOQL query on the ApiEvent object to determine when Patent__c was last accessed, who accessed it, and what part of it was accessed. The WHERE clause uses the QueriedEntities field to narrow the results to just API queries of the Patent__c object.
- Example URI

```
https://yourInstance.salesforce.com/services/data/v48.0/async-queries/
```

- Example POST request body

```json
{
  "query": "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent WHERE QueriedEntities LIKE '%Patent__c%'",
  "targetObject": "ApiTarget__c",
  "targetFieldMap": {
    "EventDate": "EventDate__c",
    "EventIdentifier": "EventIdentifier__c",
    "QueriedEntities": "QueriedEntities__c",
    "SourceIp": "IPAddress__c",
    "Username": "User__c",
    "UserAgent": "UserAgent__c"
  }
}
```

- Example POST response body

```json
{
  "jobId" : "08PB00000066JRfMAM",
  "message" : "",
  "operation" : "INSERT",
  "query" : "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent WHERE QueriedEntities LIKE '%Patent__c%'",
  "status" : "Complete",
  "targetExternalIdField" : "",
  "targetFieldMap" : {
    "EventDate" : "EventDate__c",
    "SourceIp" : "IPAddress__c",
    "EventIdentifier" : "EventIdentifier__c",
    "QueriedEntities" : "QueriedEntities__c",
    "Username" : "User__c",
    "UserAgent" : "UserAgent__c"
  },
  "targetObject" : "ApiTarget__c",
  "targetValueMap" : { }
}
```
```bash
# The body is single-quoted for the shell, so each quote around the LIKE
# pattern is written as '\'' (close the string, add a literal quote, reopen).
curl -H "Content-Type: application/json" -X POST -d \
'{"query": "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent WHERE QueriedEntities LIKE '\''%Patent__c%'\''",
  "targetObject": "ApiTarget__c",
  "targetFieldMap": {"EventDate": "EventDate__c","EventIdentifier": "EventIdentifier__c","QueriedEntities": "QueriedEntities__c","SourceIp": "IPAddress__c","Username": "User__c","UserAgent": "UserAgent__c"}}' \
  "https://yourInstance.salesforce.com/services/data/v48.0/async-queries/" -H \
  "Authorization: Bearer 00D30000000V88A!ARYAQCZOCeABy29c3dNxRVtv433znH15gLWhLOUv7DVu.uAGFhW9WMtGXCul6q.4xVQymfh4Cjxw4APbazT8bnIfxlRvUjDg"
```

Another event monitoring use case is to identify all users who accessed a sensitive field, such as Social Security Number or Email. For example, you can use the following Async SOQL query to determine the users who saw social security numbers.
- Example URI

```
https://yourInstance.salesforce.com/services/data/v48.0/async-queries/
```

- Example POST request body

```json
{
  "query": "SELECT Query, Username, EventDate, SourceIp FROM ApiEvent WHERE Query LIKE '%SSN__c%'",
  "targetObject": "QueryEvents__c",
  "targetFieldMap": {
    "Query": "QueryString__c",
    "Username": "User__c",
    "EventDate": "EventDate__c",
    "SourceIp": "IPAddress__c"
  }
}
```

- Example POST response body

```json
{
  "jobId": "08PB000000001RS",
  "message": "",
  "query": "SELECT Query, Username, EventDate, SourceIp FROM ApiEvent WHERE Query LIKE '%SSN__c%'",
  "status": "Complete",
  "targetFieldMap": {
    "Query": "QueryString__c",
    "Username": "User__c",
    "EventDate": "EventDate__c",
    "SourceIp": "IPAddress__c"
  },
  "targetObject": "QueryEvents__c"
}
```
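Because `LIKE '%SSN__c%'` matches the text anywhere in the logged query, rows copied into `QueryEvents__c` need triage before they count as "saw the field". The following is an added example, not Salesforce code: it separates queries that selected `SSN__c` from ones that only filtered on it or merely contain the substring. The sample rows are constructed, the function names are hypothetical, and the split on the first `FROM` is a heuristic that ignores subqueries.

```python
import re
from collections import defaultdict

# Constructed sample rows, shaped like the records the SSN__c job above
# writes to QueryEvents__c (field names taken from its targetFieldMap).
SAMPLE_ROWS = [
    {"QueryString__c": "SELECT Id, SSN__c FROM Contact", "User__c": "alice@example.com",
     "EventDate__c": "2020-03-01T10:00:00Z", "IPAddress__c": "203.0.113.10"},
    {"QueryString__c": "SELECT Id, Old_SSN__c FROM Contact", "User__c": "bob@example.com",
     "EventDate__c": "2020-03-01T10:05:00Z", "IPAddress__c": "198.51.100.7"},
    {"QueryString__c": "SELECT Name FROM Contact WHERE SSN__c != null", "User__c": "bob@example.com",
     "EventDate__c": "2020-03-01T10:06:00Z", "IPAddress__c": "198.51.100.7"},
    {"QueryString__c": "select Account.ssn__c from Case", "User__c": "alice@example.com",
     "EventDate__c": "2020-03-02T08:00:00Z", "IPAddress__c": "203.0.113.44"},
]

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # whole identifiers, not substrings

def identifiers(text):
    """Lower-cased identifier tokens; 'Account.SSN__c' yields both segments."""
    return {tok.lower() for tok in IDENT.findall(text)}

def classify(query, field):
    """Return 'selected', 'filtered' or 'unrelated' for one logged query string."""
    parts = re.split(r"\bFROM\b", query, maxsplit=1, flags=re.IGNORECASE)
    head = parts[0]                           # the SELECT list
    tail = parts[1] if len(parts) > 1 else ""  # object, WHERE, ORDER BY, ...
    want = field.lower()                      # SOQL field names are case-insensitive
    if want in identifiers(head):
        return "selected"
    if want in identifiers(tail):
        return "filtered"
    return "unrelated"                        # e.g. Old_SSN__c matched the LIKE only

def summarize(rows, field="SSN__c"):
    """Per user: how many queries returned or filtered on the field, and from which IPs."""
    report = defaultdict(lambda: {"selected": 0, "filtered": 0, "ips": set()})
    for row in rows:
        kind = classify(row["QueryString__c"], field)
        if kind == "unrelated":
            continue
        entry = report[row["User__c"]]
        entry[kind] += 1
        entry["ips"].add(row["IPAddress__c"])
    return {user: {**e, "ips": sorted(e["ips"])} for user, e in report.items()}

if __name__ == "__main__":
    for user, entry in summarize(SAMPLE_ROWS).items():
        print(user, entry)
```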