Investigate Report Anomalies
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
As a Shield customer, you can use the Real-Time Event Monitoring events to get the information you need for your investigation. In particular:
- ReportAnomalyEvent (and its storage equivalent ReportAnomalyEventStore) records when an anomaly is detected in a user's report run or export. These objects are the starting point of your investigation.
- ReportEventStream (and its storage equivalent ReportEvent) records every report run or export in your org. Use these objects to see real-time or historical report executions.
- LoginEventStream (and its storage equivalent LoginEvent) track all login activity in your org.
For example, say that your org receives a ReportAnomalyEvent that indicates a potential anomaly in a user’s report execution. The first thing you do is look at relevant fields of the event to get basic information about the anomaly, such as:
- Score: A number that represents how much this user’s report execution differed from their usual activity. The higher the number, the more it diverged.
- UserId: The user’s unique ID.
- EventDate: When this anomaly occurred.
- Report: The report ID for which this anomaly was detected.
- SecurityEventData: JSON field that contains the features, such as row count or day of the week, that contributed the most to this anomaly detection.
- Summary: A text summary of the event.
See the API documentation for the full list of fields.
This sample SOQL query returns these field values.
SELECT Score, UserId, EventDate, Report, SecurityEventData, Summary
FROM ReportAnomalyEventStore
Let’s look at the SecurityEventData field a bit more closely because it contains the contributing factors that triggered this anomaly detection. Here’s sample data:
[
  {
    "featureName": "rowCount",
    "featureValue": "1937568",
    "featureContribution": "95.00 %"
  },
  {
    "featureName": "autonomousSystem",
    "featureValue": "Bigleaf Networks, Inc.",
    "featureContribution": "1.62 %"
  },
  {
    "featureName": "dayOfWeek",
    "featureValue": "Sunday",
    "featureContribution": "1.42 %"
  },
  {
    "featureName": "userAgent",
    "featureValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36",
    "featureContribution": "1.21 %"
  },
  {
    "featureName": "periodOfDay",
    "featureValue": "Evening",
    "featureContribution": ".09 %"
  },
  {
    "featureName": "averageRowSize",
    "featureValue": "744",
    "featureContribution": "0.08 %"
  },
  {
    "featureName": "screenResolution",
    "featureValue": "900x1440",
    "featureContribution": "0.07 %"
  }
]
The feature that contributed the most (95.00%) to this anomaly detection was rowCount, with a value of 1937568. This value indicates that the user viewed or exported a report that had 1,937,568 rows, but based on historical data, the user rarely views or exports so much data. The other features contributed much less to the score. For example, the user executed the report on Sunday, but this feature contributed only 1.42% to the overall score.
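The interpretation above can be automated for triage. The following Python is an added example, not Salesforce code: it parses a SecurityEventData payload shaped like the sample (including the ".09 %" and "95.00 %" contribution formats), ranks the contributing features, and flags a bulk-export-shaped anomaly. The row threshold and dominance percentage are assumptions chosen for this example, not Salesforce-defined values.

```python
import json

# Constructed sample in the shape of the SecurityEventData field shown above
# (a subset of the features, with the contribution formats the field uses).
SAMPLE_SECURITY_EVENT_DATA = json.dumps([
    {"featureName": "rowCount", "featureValue": "1937568", "featureContribution": "95.00 %"},
    {"featureName": "autonomousSystem", "featureValue": "Bigleaf Networks, Inc.", "featureContribution": "1.62 %"},
    {"featureName": "dayOfWeek", "featureValue": "Sunday", "featureContribution": "1.42 %"},
    {"featureName": "periodOfDay", "featureValue": "Evening", "featureContribution": ".09 %"},
])


def parse_contribution(text):
    """Turn a contribution string such as '95.00 %' or '.09 %' into a float percentage."""
    return float(text.replace("%", "").strip())


def rank_features(security_event_data):
    """Parse the SecurityEventData JSON; return (name, value, pct) tuples, highest contribution first."""
    features = json.loads(security_event_data)
    ranked = [
        (f["featureName"], f["featureValue"], parse_contribution(f["featureContribution"]))
        for f in features
    ]
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked


def triage(security_event_data, row_threshold=1_000_000, dominance=80.0):
    """Summarise one anomaly event for an analyst.

    Assumed thresholds (not Salesforce values): the event is 'dominated' when a single
    feature explains at least `dominance` percent of the score, and 'bulk_export' when
    that feature is rowCount and the row count is at least `row_threshold`.
    """
    ranked = rank_features(security_event_data)
    top_name, top_value, top_pct = ranked[0]
    return {
        "top_feature": top_name,
        "top_value": top_value,
        "top_contribution_pct": top_pct,
        "dominated": top_pct >= dominance,
        "bulk_export": top_name == "rowCount" and int(top_value) >= row_threshold,
        "minor_features": [name for name, _, _ in ranked[1:]],
    }
```

A dominated, bulk-export-shaped result is the cue to pivot to ReportEventStream and LoginEventStream for the same UserId around the EventDate.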
Now that you have the data, you can investigate further.