Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Real-Time Event Monitoring Definitions
Considerations for Using Real-Time Event Monitoring
Enable Access to Real-Time Event Monitoring
Stream and Store Event Data
Create Logout Event Triggers
How Chunking Works with ReportEvent and ListViewEvent
Enhanced Transaction Security
Threat Detection
Session Hijacking
Credential Stuffing
Report Anomaly
Training and Inference Steps
Investigate Report Anomalies
Best Practices for Investigating Report Anomalies
Report Anomaly Detection Examples
API Anomaly
Guest User Anomaly
View Threat Detection Events and Provide Feedback
Event Log File Browser
Store and Query Log Data with Event Log Objects
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

Investigate Report Anomalies

It's often necessary to further investigate a report anomaly to either rule it out as benign or to determine if a data breach occurred.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

As a Shield customer, the Real-Time Event Monitoring events provide you with the required information to perform your investigation. In particular:

  • ReportAnomalyEvent (and its storage equivalent ReportAnomalyEventStore) track when anomalies are detected about users running or exporting reports. These objects are the starting point of your investigation.
  • ReportEventStream (and its storage equivalent ReportEvent) track in general when users run or export reports in your org. Use these objects to see real-time or historical report executions.
  • LoginEventStream (and its storage equivalent LoginEvent) track all login activity in your org.

For example, say that your org receives a ReportAnomalyEvent that indicates a potential anomaly in a user’s report execution. The first thing you do is look at relevant fields of the event to get basic information about the anomaly, such as:

  • Score: A number that represents how much this user’s report execution differed from their usual activity. The higher the number, the more it diverged.
  • UserId: The user’s unique ID.
  • EventDate: When this anomaly occurred.
  • Report: The report ID for which this anomaly was detected.
  • SecurityEventData: JSON field that contains the features, such as row count or day of the week, that contributed the most to this anomaly detection.
  • Summary: A text summary of the event.

See the API documentation for the full list of fields.

This sample SOQL query returns these field values.

SELECT Score, UserId, EventDate, Report, SecurityEventData, Summary
FROM ReportAnomalyEventStore

Let’s look at the SecurityEventData field a bit more closely because it contains the contributing factors that triggered this anomaly detection. Here’s sample data: 

[
{
"featureName": "rowCount",
"featureValue": "1937568",
"featureContribution": “95.00 %"
},
{
"featureName": "autonomousSystem",
"featureValue": "Bigleaf Networks, Inc.",
"featureContribution": “1.62 %"
},
{
"featureName": "dayOfWeek",
"featureValue": "Sunday",
"featureContribution": “1.42 %"
},
{
"featureName": "userAgent",
"featureValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36}",
"featureContribution": “1.21 %"
},
{
"featureName": "periodOfDay",
"featureValue": “Evening”,
"featureContribution": “.09 %"
},
{
"featureName": "averageRowSize",
"featureValue": "744",
"featureContribution": “0.08 %"
},
{
"featureName": "screenResolution",
"featureValue": "900x1440",
"featureContribution": “0.07 %"
}
]

The feature that contributed the most (95.00%) to this anomaly detection was rowCount with a value of 1937568. The feature indicates that the user viewed or exported a report that had 1,937,568 rows. But based on historical data, the user rarely views or exports so much data. The other features contributed much less to the score. For example, the user executed the report on Sunday, but this feature contributed only 1.42% to the overall score.

Now that you have the data, you can investigate further.