Two New Keys to Unlock Your Users’ Event Data

Have you been exploring the Winter ’17 release with event monitoring? If so, you might have seen the Event Monitoring log lines that contain LOGIN_KEY and SESSION_KEY. These new fields tie together all the different events in a Salesforce user’s login session or admin’s activity session, respectively.

Introducing Login Key and Session Key

The Login Key and Session Key fields provide an identifier for a user’s login session across various log lines. You now get a 360-degree view of user behavior within the Salesforce application to help you with such things as a security investigation, gaining a better understanding of user behavior, and researching an application or performance issue.

Let’s see it in action. This example shows URI event logs—users’ click paths in the Salesforce application across the various generated log lines. To see a more concise view of what each user is doing, you can now use LOGIN_KEY as an identifier across the various events and different actions to tie them together.

Login Key and Session Key Examples

Here are a few examples to help you best take advantage of this identifier. More ideas? Share your thoughts in the comments below.

Your application can generate a ton of URI log lines. When researching a specific user’s log lines, it can be like finding a needle in a haystack. Instead, use LOGIN_KEY as a grouping mechanism to separate different user sessions.

Example 1: Split User Activity Forensics by Different User Sessions

Let’s say you want to look at URIs (pageviews). This screenshot shows that we aggregated all URI logs for user Jari Salomaa on September 23. Five different LOGIN_KEYs separate the different sessions, ranging from logins from the Salesforce1 mobile app to the Safari and Chrome browsers. One login session has over 200 entries, which you can click and expand to investigate which pages those URI logs contain.

For security-conscious customers, whether on Sales Cloud, Service Cloud, or other Salesforce products, understanding data export activity is always important. You want to know who is downloading customer data to a local computer, especially if it’s happening in a large volume.

Building real-time alerts and policies is important for detecting large data export activities taking place at times of the day outside of typical business hours. The problem can be hacker groups with compromised credentials in different countries and time zones targeting valuable data. If you don’t have business users logging in and exporting data in these regions, you can use LOGIN_KEY and SESSION_KEY to view past behavior across the different time zones in which your business operates.

Example 2: Monitor Report Exports

Monitor the number of report exports with SESSION_KEY to give yourself better visibility of the application’s report export behavior by grouping the ReportExport log line dataset by the hour of the day.

To identify data export activity during non-business hours and build alerts:

  1. Use the Event Monitoring Wave App or your preferred data visualization tools (or Event Log File Browser if you have a small volume of logs) to download ReportExport log lines.
  2. Group your ReportExport log lines by SESSION_KEY.
  3. Sort the logs by hour of the day.
  4. Identify non-business hour ReportExport events based on your business hours.
  5. Build an Apex policy with Transaction Security to alert on a specific object threshold, for example, Account, Opportunity, Lead, Case, or Contact, within a specific timeframe.
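Steps 2 through 4 can be sketched offline as follows. This is an added example, not code from the original post or from Salesforce. It assumes a downloaded ReportExport CSV reduced to the columns shown, UTC timestamps in `TIMESTAMP_DERIVED`, a fixed UTC offset for the business location, and business hours of 08:00 to 18:00; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed ReportExport rows (not real log data); timestamps are UTC.
SAMPLE_CSV = '''"EVENT_TYPE","TIMESTAMP_DERIVED","USER_ID","SESSION_KEY","LOGIN_KEY"
"ReportExport","2016-09-22T16:05:11.000Z","005A","sk-aaa","lk-111"
"ReportExport","2016-09-22T17:30:02.000Z","005A","sk-aaa","lk-111"
"ReportExport","2016-09-23T09:12:40.000Z","005B","sk-bbb","lk-222"
"ReportExport","2016-09-23T09:14:03.000Z","005B","sk-bbb","lk-222"
"ReportExport","2016-09-23T09:20:55.000Z","005B","sk-bbb","lk-222"
"ReportExport","2016-09-23T03:40:19.000Z","005C","sk-ccc","lk-333"
'''

def load_exports(csv_text, utc_offset_hours):
    """Parse ReportExport rows and attach the local time of each export."""
    local = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        utc = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        row["local_time"] = utc.replace(tzinfo=timezone.utc).astimezone(local)
        rows.append(row)
    return rows

def exports_by_hour(rows):
    """Step 3: export counts per local hour of day, sorted by hour."""
    return sorted(Counter(r["local_time"].hour for r in rows).items())

def off_hours_sessions(rows, start_hour=8, end_hour=18, min_exports=1):
    """Steps 2 and 4: group by SESSION_KEY, keep exports outside business hours."""
    sessions = defaultdict(lambda: {"user": None, "login_key": None, "exports": []})
    for r in rows:
        if start_hour <= r["local_time"].hour < end_hour:
            continue  # inside business hours, not of interest here
        s = sessions[r["SESSION_KEY"]]
        s["user"], s["login_key"] = r["USER_ID"], r["LOGIN_KEY"]
        s["exports"].append(r["local_time"].isoformat(timespec="minutes"))
    return {k: v for k, v in sessions.items() if len(v["exports"]) >= min_exports}

if __name__ == "__main__":
    rows = load_exports(SAMPLE_CSV, utc_offset_hours=-7)
    print(exports_by_hour(rows))
    for key, info in off_hours_sessions(rows, min_exports=2).items():
        print(key, info["user"], len(info["exports"]), info["exports"])
```

The `min_exports` value plays the role of the threshold that the Transaction Security policy in step 5 would enforce in real time; tune it against the hour-of-day histogram from your own org.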

Example 3:

Use LOGIN_KEY and SESSION_KEY as identifiers across all supported event log lines.

  • Use the keys as an ID to construct a complete view for a forensic investigation of user activity, such as which pages the user visited in a specific login session, and then pull all the information together in a table.
  • Separate a user’s different sessions within a specific login session. For example, a user might have logged in from an API client, the user interface, and other places, so it’s hard to understand which session contains unwanted or suspicious behavior.
  • Parse together otherwise complicated session keys for a more holistic view.
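The grouping described in Example 1 and in the bullets above can be done in a few lines once log files for several event types are merged. This is an added example, not code from the original post or from Salesforce. It assumes the rows were reduced to the columns shown and that rows with an empty key should be kept under a placeholder label; the user IDs, keys, and URIs are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed rows from three event types, merged (not real log data).
SAMPLE_CSV = '''"EVENT_TYPE","TIMESTAMP_DERIVED","USER_ID","URI","SESSION_KEY","LOGIN_KEY"
"URI","2016-09-23T15:01:10.000Z","005A","/home/home.jsp","sk-web1","lk-111"
"URI","2016-09-23T15:02:45.000Z","005A","/001/o","sk-web1","lk-111"
"ReportExport","2016-09-23T15:04:30.000Z","005A","/00O000000000001","sk-web1","lk-111"
"API","2016-09-23T15:03:00.000Z","005A","Api","sk-api1","lk-111"
"URI","2016-09-23T21:40:00.000Z","005A","/00Q/o","sk-mob1","lk-222"
"URI","2016-09-23T15:05:00.000Z","005B","/home/home.jsp","sk-web9","lk-999"
"URI","2016-09-23T15:06:00.000Z","005A","/home/home.jsp","",""
'''

def sessions_for_user(csv_text, user_id):
    """LOGIN_KEY -> SESSION_KEY -> time-ordered (timestamp, event type, URI)."""
    tree = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["USER_ID"] != user_id:
            continue
        # Keep rows with a missing key visible instead of silently dropping them.
        login = row["LOGIN_KEY"] or "(no login key)"
        session = row["SESSION_KEY"] or "(no session key)"
        tree[login][session].append(
            (row["TIMESTAMP_DERIVED"], row["EVENT_TYPE"], row.get("URI", "")))
    for sessions in tree.values():
        for events in sessions.values():
            events.sort()  # same-format ISO 8601 UTC strings sort chronologically
    return tree

def summary_table(tree):
    """One row per (LOGIN_KEY, SESSION_KEY): first/last event and type counts."""
    table = []
    for login, sessions in sorted(tree.items()):
        for session, events in sorted(sessions.items()):
            counts = dict(Counter(e[1] for e in events))
            table.append((login, session, events[0][0], events[-1][0], counts))
    return table

if __name__ == "__main__":
    for line in summary_table(sessions_for_user(SAMPLE_CSV, "005A")):
        print(line)
```

In the constructed data, login `lk-111` splits into a browser session and an API session, which is the separation the second bullet describes.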

Event Logs That Support Login and Session Keys

1. Apex Callout—Details about callouts (external requests) during Apex code execution
2. Apex Execution—Details about the Apex classes used
3. Apex SOAP—Details about web services API calls
4. Apex Trigger—Details about triggers that fire in an org
5. API—Details about an org’s Force.com Web Services API activity
6. Asynchronous Report Run—Created for scheduled report requests regarding dashboard refreshes, asynchronous reports, scheduled reports, and analytics snapshots
7. Bulk API—Details about Bulk API requests
8. Change Set Operation—Information from change set migrations
9. Console—Information about the performance and use of the Salesforce console when opened with a sidebar component
10. Dashboard—Details about dashboards that users view
11. Login—An org’s user login history
12. Metadata API Operation—Details of Metadata API retrieval and deployment requests
13. Multiblock Report—Details about Joined Report reports
14. Package Install—Details about package installation in the org
15. Queued Execution—Details about queued executions, for example, Batch Apex
16. Report—Information about what happened when the user ran a report
17. Report Export—Details about reports that a user exported
18. REST API—Details about REST-specific requests
19. Sites—Details of site.com browser UI or API requests
20. Transaction Security—Details about policy execution
21. URI—Details about user interaction with the web browser-based UI
22. Visualforce Request—Details of browser UI- or API-based Visualforce requests
23. Wave Change—Represents route or page changes made in the Salesforce Wave Analytics user interface
24. Wave Interaction—Tracks user interactions with the Wave Analytics user interface
25. Wave Performance—Helps you track trends in your Wave Analytics performance

For more information about supported events, see the SOAP API Guide, which is updated with each release.

Leave feedback below!
