Have you been exploring the Winter ’17 release with event monitoring? If so, you might have seen the Event Monitoring log lines that contain LOGIN_KEY and SESSION_KEY. These new fields tie together all the different events in a Salesforce user’s login session or admin’s activity session, respectively.
The Login Key and Session Key fields provide an identifier for a user’s login session across various log lines. You now get a 360-degree view of user behavior within the Salesforce application to help you with such things as a security investigation, gaining a better understanding user behavior, and researching an application or performance issue.
Let’s see it in action. This example shows URI event logs—users’ click paths in the Salesforce application across the various generated log lines. To see a more concise view of what each user is doing, you can now use LOGIN_KEY as an identifier across the various events and different actions to tie them together.
Here are a few examples to help you best take advantage of this identifier. More ideas? Share your thoughts in the comments below.
Your application can generate a ton of URI log lines. When researching a specific user’s log lines, it can be like finding a needle in a haystack. Instead, use LOGIN_KEY as a grouping mechanism to separate different user sessions.
Let’s say you want to look at URIs (pageviews). This screenshot shows that we aggregated all URI logs for user Jari Salomaa on September 23. Five different LOGIN_KEYs separate the different sessions, ranging from logins from the Salesforce1 mobile app to the Safari and Chrome browsers. One login session has over 200 entries, which you can click and expand to investigate which pages those URI logs contain.
For security-conscious customers, whether on Sales Cloud, Service Cloud, or other Salesforce products, understanding data export activity is always important. You want to know who is downloading customer data to a local computer, especially if it’s happening in a large volume.
Building real-time alerts and policies is important for detecting large data export activities taking place at times of the day outside of typical business hours. The problem can be hacker groups with compromised credentials in different countries and time zones targeting valuable data. If you don’t have business users logging in and exporting data in these regions, you can use LOGIN_KEY and SESSION_KEY to view past behavior across the different time zones in which your business operates.
Monitor the number of report exports with SESSION_KEY to give yourself better visibility of the application’s report export behavior by grouping the ReportExport log line dataset by the hour of the day.
To identify data export activity during non-business hours and build alerts:
Use LOGIN_KEY and SESSION_KEY as identifiers across all supported event log lines.
1. Apex Callout—Details about callouts (external requests) during Apex code execution
2. Apex Execution—Details about the Apex classes used
3. Apex SOAP—Details about web services API calls
4. Apex Trigger—Details about triggers that fire in an org
5. API—Details about an org’s Force.com Web Services API activity
6. Asynchronous Report Run—Created for scheduled report requests regarding dashboard refreshes, asynchronous reports, scheduled reports, and analytics snapshots
7. Bulk API—Details about Bulk API requests
8. Change Set Operation—Information from change set migrations
9. Console—Information about the performance and use of the Salesforce console when opened with a sidebar component
10. Dashboard—Details about dashboards that users view
11. Login—An org’s user login history
12. Metadata API Operation—Details of Metadata API retrieval and deployment requests
13. Multiblock Report—Details about Joined Report reports
14. Package Install—Details about package installation in the org
15. Queued Execution—Details about queued executions, for example, Batch Apex
16. Report—Information about what happened when the user ran a report
17. Report Export—Details about reports that a user exported
18. REST API—Details about REST-specific requests
19. Sites—Details of site.com browser UI or API requests
20. Transaction Security—Details about policy execution
21. URI—Details about user interaction with the web browser-based UI
22. Visualforce Request—Details of browser UI- or API-based Visualforce requests
23. Wave Change—Represents route or page changes made in the Salesforce Wave Analytics user interface
24. Wave Interaction—Tracks user interactions with the Wave Analytics user interface
25. Wave Performance—Helps you track trends in your Wave Analytics performance
For more information about supported events, see the SOAP API Guide, which is updated with each release.
Leave feedback below!
Summer ’24 is almost here. Learn more about user management below and check out Be Release Ready to discover more resources to help you prepare for this release. Welcome to a new era of user management! At Salesforce, we believe in the power of community-driven innovation. Your feedback as Trailblazers is invaluable—it’s the compass that […]
As an admin, you’ve probably heard of Data Cloud, but maybe you haven’t prioritized it right away because you have other company challenges to address. Well, now’s the time to move Data Cloud to the top and dig in. If you’re thinking, “What is Data Cloud? Can you break it down for me?”, you’re in […]
Summer ’24 is almost here! Learn more about new Flow Builder enhancements like the Automation App, Action Button (beta), and more, and check out Be Release Ready to discover more resources to help you prepare for Summer ’24. Want to see these enhancements in action? Salesforce product manager Sam Reynard and I will demo some […]
