Salesforce Security Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data’s Security with Shield Platform Encryption
Audit and Monitor Your Organization’s Security
Real-Time Event Monitoring
Real-Time Event Monitoring Definitions
Considerations for Using Real-Time Event Monitoring
Enable Access to Real-Time Event Monitoring
Stream and Store Event Data
Create Logout Event Triggers
How Chunking Works with ReportEvent and ListViewEvent
Enhanced Transaction Security
Threat Detection
Session Hijacking
Credential Stuffing
Report Anomaly
API Anomaly
Training and Inference Steps
Investigate API Request Anomalies
Best Practices for Investigating API Request Anomalies
API Request Anomaly Detection Examples
API Detection Event Isn’t Anomalous
API Detection Event Possibly Anomalous
API Detection Event Is an Anomaly but Isn’t Clearly Malicious
API Detection Event Is Confirmed Malicious
Guest User Anomaly
View Threat Detection Events and Provide Feedback
Event Log File Browser
Store and Query Log Data with Event Log Objects
Security Guidelines for Apex and Visualforce Development
API End-of-Life Policy
PDF

API Detection Event Isn’t Anomalous

Jason, a developer, uses APIs to query an Account object on a Sunday. He retrieves 10,000 records.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

The event contains this information.

APIAnomalyEvent Field Value
Score .5801
SourceIp 96.43.144.30
EventDate 2020-03-27T07:45:07.192Z
UserId 00530000009M946
SecurityEventData (see next table)

The SecurityEventData field contains this information.

featureName featureValue featureContribution
rowCount 1937568 95.00%
autonomousSystem Bigleaf Networks, Inc. 1.62%
dayOfWeek Sunday 1.42%
userAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36} 1.21%
periodOfDay Evening 0.09%
averageRowSize 744 0.08%
screenResolution 900x1440 0.07%

Alia, the Salesforce admin, notices that 10,000 records were retrieved from an Account object on a Sunday. She investigates further. Using the UserId field value, Alia identifies Jason as the user. She then looks through Jason’s past activity. She notices that Jason, a developer, retrieves records of varying amounts, ranging from just a handful to 20,000 records. Alia also notices in the dayOfWeek and periodOfDay features that Jason often works Sundays and nights.

Alia concludes that this detection event wasn’t anomalous because the activity is well within Jason's typical activity.