ApiAnomalyEvent

Track anomalies in how users make API calls. This object is available in API version 50.0 and later.

Supported Calls

describeSObjects()

Special Access Rules

Accessing this object requires either the Salesforce Shield or Event Monitoring add-on subscription and the View Real-Time Event Monitoring Data user permission.

Supported Subscribers

Subscriber Supported?
Apex Triggers
Flows Yes
Processes
Pub/Sub API Yes
Streaming API (CometD) Yes

Event Delivery Allocation Enforced

No

Fields

Field Details
EvaluationTime
Type
double
Properties
Nillable
Description
The amount of time it took to evaluate the policy in milliseconds. This field isn’t populated until all transaction security policies are processed for the real-time event. 
EventDate
Type
dateTime
Properties
Nillable
Description
The time when the anomaly was reported. For example, 2020-01-20T19:12:26.965Z. Milliseconds is the most granular setting.
EventIdentifier
Type
string
Properties
Nillable
Description
The unique ID of the event, which is shared with the corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate the event with its storage object.
EventUuid
Type
string
Properties
Nillable
Description
A universally unique identifier (UUID) that identifies a platform event message. This field is available in API version 52.0 and later.
LoginKey
Type
string
Properties
Nillable
Description
The string that ties together all events in a given user’s login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
Operation
Type
string
Properties
Nillable
Description
The API call that generated the event. For example, Query.
PolicyId
Type
reference
Properties
Nillable
Description
The ID of the transaction policy associated with this event. For example, 0NIB000000000KOOAY. This field isn’t populated until all transaction security policies are processed for the real-time event. 
PolicyOutcome
Type
picklist
Properties
Nillable, Restricted picklist
Description
The result of the transaction policy. Possible values include:
  • Error—The policy caused an undefined error when it executed.
  • ExemptNoAction—The user is exempt from transaction security policies, so the policy didn’t trigger.
  • MeteringBlock—The policy took longer than 3 seconds to process, so the user was blocked from performing the operation.
  • MeteringNoAction—The policy took longer than 3 seconds to process, but the user isn't blocked from performing the operation.
  • NoAction—The policy didn't trigger.
  • Notified—A notification was sent to the recipient.
This field isn’t populated until all transaction security policies are processed for the real-time event. 
QueriedEntities
Type
string
Properties
Nillable
Description
The type of entities associated with the event.
ReplayId
Type
string
Properties
Nillable
Description
Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren’t guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
RequestIdentifier
Type
string
Properties
Nillable
Description
The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example, 3nWgxWbDKWWDIk0FKfF5D.
RowsProcessed
Type
double
Properties
Nillable
Description
Total row count for the current operation. For example, 2500.
Score
Type
double
Properties
Nillable
Description
A number from 0 through 1 that represents the anomaly score for the API execution or export tracked by this event. The anomaly score shows how the user's current API activity is different from their typical activity. A low score indicates that the user's current API activity is similar to their usual activity. A high score indicates that it's different.
SecurityEventData
Type
textarea
Properties
Nillable
Description
The set of features about the API activity that triggered this anomaly event.

Let’s say, for example, that a user typically downloads 10 accounts but then they deviate from that pattern and download 1,000 accounts. This event is triggered and the contributing features are captured in this field. Potential features include row count, column count, average row size, the day of week, and the browser’s user agent used for the report activity. The data captured in this field also shows how much a particular feature contributed to this anomaly event being triggered, represented as a percentage. The data is in JSON format.

Example
This example shows that the average row count contributed more than 95% to the anomaly being triggered. Other anomalous features, such as the autonomous system, day of the week the report was run, the browser used, and the number of columns, contributed much less.
[
{
"featureName": "rowCount",
"featureValue": "1937568",
"featureContribution": “95.00 %"
},
{
"featureName": "autonomousSystem",
"featureValue": "Bigleaf Networks, Inc.",
"featureContribution": “1.62 %"
},
{
"featureName": "dayOfWeek",
"featureValue": "Sunday",
"featureContribution": “1.42 %"
},
{
"featureName": "userAgent",
"featureValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36}",
"featureContribution": “1.21 %"
},
{
"featureName": "periodOfDay",
"featureValue": “Evening”,
"featureContribution": “.09 %"
},
{
"featureName": "averageRowSize",
"featureValue": "744",
"featureContribution": “0.08 %"
},
{
"featureName": "screenResolution",
"featureValue": "900x1440",
"featureContribution": “0.07 %"
}
]
SessionKey
Type
string
Properties
Nillable
Description
The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
SourceIp
Type
string
Properties
Nillable
Description
The source IP address of the client that logged in. For example, 126.7.4.2.
Summary
Type
textarea
Properties
Nillable
Description
A text summary of the API anomaly that caused this event to be created.
Example
  • API was exported from an infrequent network (BigLeaf Networks Inc.)
  • API was generated with an unusually high number of rows (111141)
Uri
Type
string
Properties
Nillable
Description
The URI of the page that’s receiving the request.
UserAgent
Type
string
Properties
Nillable
Description
UserAgent used in HTTP request, post-processed by the server.
UserId
Type
reference
Properties
Nillable
Description
The origin user’s unique ID. For example, 005000000000123.
Username
Type
string
Properties
Nillable
Description
The origin username in the format of user@company.com at the time the event was created.