Detection Event Is Definitely Anomalous but Maybe Not Malicious

Alice is a sales rep based in St. Louis. She’s often on the road to meet with clients. When she travels, she generally, but not consistently, use her company’s VPN to log into Salesforce.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


On July 27, 2015, Alice’s account was used to generate a report from a relatively new IP address. Bob, the administrator for Alice’s org, noticed a ReportAnomalyEvent about this report generation activity. The event contained this information.

ReportAnomalyEvent Field Value
Score 95.0158
SourceIp 96.43.144.27
EventDate 2015-07-27T07:45:07.192Z
UserId 00530000009M944
Report 00OD0000001leVCMAY
SecurityEventData (see next table)

The SecurityEventData field contained this information.

featureName featureValue featureContribution
autonomousSystem Softbank Corp 73.4%
rowCount 50876 15.6%
userAgent - 9.9%
numberFilters 11 0.81%
periodOfDay Night 0.21%

Bob notices that the autonomous system—derived from the IP address—is the top-ranked feature with 73.4% feature contribution. This percentage indicates that Alice rarely uses this autonomous system. Bob also notices that the report has around 50k rows, which is not small for this org. Bob then uses the UserId to identify the user as Alice. By looking at the ReportEvent events, Bob notices that Alice typically generates reports containing 1,000–10,000 rows. But on rare occasions, Alice generated reports with more than 50k rows. The userAgent has a smaller feature contribution, which could be attributed to Alice using her mobile device less when she travels. The numberFilters and periodOfDay features have small feature contributions, and are therefore not important.

Because Alice rarely uses this autonomous system and the report is bigger than what Alice typically generates, Bob concludes that this report falls outside of typical activity. However, Bob is unable to verify whether Alice or an attacker committed this malicious act. He attempts to get more information on this incident before pursuing any threat mitigation actions.