Panther supports ingesting Salesforce Real-Time events via EventBridge
Overview
The Salesforce Real-Time Events integration is in open beta starting with Panther version 1.117, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Salesforce Real-Time Events for monitoring activity in your Salesforce account in real-time. This integration uses Amazon EventBridge to stream events directly from Salesforce to Panther.
This integration is separate from the Salesforce Event Monitoring integration where logs are pulled periodically.
Before running the script, configure the following variables:
You can get your AWS region and account ID from the Panther Console.
Click the gear icon in the upper right corner of your Panther Console and then select General. Your AWS information will be displayed at the bottom of the page.
Run the script. Copy the AWS EventBridge resources from the script output. You will need them in the following steps.
In Salesforce, the Event Relays page should show your configured relays.
You can get your AWS region and account ID from the Panther Console.
Click the gear icon in the upper right corner of your Panther Console and then select General. Your AWS information will be displayed at the bottom of the page.
You can't add the ApiEventStream or ReportEventStream Real-Time Event Monitoring events to a custom channel via Tooling API because they aren't available in Tooling API. You must add them via Metadata API instead. For more information, refer to the Platform Events Developer Guide.
In Salesforce, navigate to the Event Relays page. Copy the Partner Event Source Name from each Event Relay. You will need them in the following steps.
Step 3: Verify that all Event Relays are running in Salesforce
To check the status of Event Relays:
In Salesforce, navigate to Setup → Event Relays.
Confirm that all Event Relays show "Running" in the Status column.
Only proceed to Step 4 once all Event Relays are confirmed as running. If Event Relays are not running, you won't be able to set up the log source in Panther.
Step 4: Configure the Salesforce Real-Time log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Salesforce Real-Time from the list of available log sources. Click Start Setup.
On the Configure you source page, fill in the following fields:
Name: Enter a descriptive name for the source (e.g., Salesforce Real-Time Events).
EventBridge Bus Names: Enter the AWS EventBridge resources or Partner Event Source Names you copied earlier.
Add additional bus names by clicking Add Bus Name.
Click Setup.
Supported event types
The Salesforce Real-Time Events integration supports the following monitoring events:
USERNAME="YOUR_USER_MAME"
PASSWORD="YOUR_PASSWORD"
SECURITY_TOKEN="YOUR_SECURITY_TOKEN"
LOGIN_BASE="https://login.salesforce.com" # or test.salesforce.com for sandbox
API_VERSION="v64.0"
AWS_REGION="YOUR_AWS_REGION" # Must be in capital
AWS_ACCOUNT_ID="YOUR_AWS_ACCOUNT_ID"
schema: Salesforce.RealtimeEvent
description: Salesforce Real-Time Events for monitoring activity in your Salesforce account.
referenceURL: https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/platform_events_objects_monitoring.htm
fields:
- name: Type
required: true
description: The type of event that occurred. For example, LoginEventStream.
type: string
- name: EventDate
description: The login time of the specified event. For example, 2020-01-20T19:12:26.965Z. Milliseconds are the most granular setting.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: AdditionalInfo
description: JSON serialization of additional information that’s captured from the HTTP headers during a login request.
type: string
- name: ApiType
description: 'The type of API that’s used to log in. Values include: SOAP Enterprise, SOAP Partner, REST API'
type: string
- name: ApiVersion
description: The version number of the API. If no version number is available, “Unknown” is returned.
type: string
- name: Application
description: The application used to access the org.
type: string
- name: AuthMethodReference
description: The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.
type: string
- name: AuthServiceId
description: The 18-character ID for an authentication service for a login event. For example, you can use this field to identify the SAML or authentication provider configuration with which the user logged in.
type: string
indicators:
- trace_id
- name: Browser
description: The browser name and version if known.
type: string
- name: CipherSuite
description: The TLS cipher suite used for the login. Values are OpenSSL-style cipher suite names, with hyphen delimiters.
type: string
- name: City
description: "The city where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: string
- name: ClientVersion
description: The version number of the login client. If no version number is available, "Unknown" is returned.
type: string
- name: Country
description: "The country where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: string
- name: CountryIso
description: The ISO 3166 code for the country where the user's IP address is physically located. For more information, see Country Codes - ISO 3166.
type: string
- name: EvaluationTime
description: The amount of time it took to evaluate the transaction security policy, in milliseconds.
type: float
- name: EventIdentifier
description: The unique ID of the event, which is shared with the corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate the event with its storage object. Also, use this field as the primary key in your queries. Available in API version 42.0 and later.
type: string
indicators:
- trace_id
- name: EventUuid
description: A universally unique identifier (UUID) that identifies a platform event message. This field is available in API version 52.0 and later.
type: string
indicators:
- trace_id
- name: ForwardedForIp
description: The value in the X-Forwarded-For header of HTTP requests sent by the client. For logins that use one or more HTTP proxies, the X-Forwarded-For header is sometimes used to store the origin IP and all proxy IPs. The ForwardedForIp field stores whatever value the client sends, which might not be an IP address. The maximum length is 256 characters. Longer values are truncated. The ForwardedForIp field isn't populated for logins completed via OAuth flows or single sign-on (SSO). Available in API version 61.0 and later.
type: string
indicators:
- ip
- name: HttpMethod
description: The HTTP method of the login request; possible values are GET, POST, and Unknown.
type: string
- name: LoginGeoId
description: The Salesforce ID of the LoginGeo object associated with the login user's IP address. For example, 04FB000001TvhiPMAR.
type: string
- name: LoginHistoryId
description: Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user's original authentication. For example, 0YaB000002knVQLKA2.
type: string
indicators:
- trace_id
- name: LoginKey
description: The string that ties together all events in a given user's login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
type: string
indicators:
- trace_id
- name: LoginLatitude
description: "The latitude where the user's IP address is physically located. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: float
- name: LoginLongitude
description: "The longitude where the user's IP address is physically located. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: float
- name: LoginSubType
description: The type of login flow used. See the LoginSubType field of LoginHistory in the Object Reference guide for the list of possible values. Label is Login Subtype.
type: string
- name: LoginType
description: The type of login used to access the session. See the LoginType field of LoginHistory in the Object Reference guide for the list of possible values.
type: string
- name: LoginUrl
description: The URL of the login host from which the request is coming. For example, yourInstance.salesforce.com.
type: string
indicators:
- url
- hostname
- name: NetworkId
description: The ID of the Experience Cloud site that the user is logging in to. This field is available if Salesforce Experience Cloud is enabled for your organization.
type: string
- name: Platform
description: The operating system name and version that are used during the login event. If no platform name is available, "Unknown" is returned. For example, Mac OSX or iOS/Mac.
type: string
- name: PolicyId
description: The ID of the transaction security policy associated with this event. For example, 0NIB000000000KOOAY.
type: string
- name: PolicyOutcome
description: 'The result of the transaction policy. Possible values are: Block, Error, ExemptNoAction, FailedInvalidPassword, FailedPasswordLockout, MeteringBlock, MeteringNoAction, NoAction, Notified, TwoFAAutomatedSuccess, TwoFADenied, TwoFAFailedGeneralError, TwoFAFailedInvalidCode, TwoFAFailedTooManyAttempts, TwoFAInitiated, TwoFAInProgress, TwoFANoAction, TwoFARecoverableError, TwoFAReportedDenied, TwoFASucceeded.'
type: string
- name: PostalCode
description: "The postal code where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: string
- name: RelatedEventIdentifier
description: Represents the EventIdentifier of the related event. For example, bd76f3e7-9ee5-4400-9e7f-54de57ecd79c. This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
type: string
indicators:
- trace_id
- name: RemoteIdentifier
description: Reserved for future use.
type: string
- name: ReplayId
description: Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren't guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
type: string
- name: SessionKey
description: The user's unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
type: string
indicators:
- trace_id
- name: SessionLevel
description: 'Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD.'
type: string
- name: SourceIp
description: The IP address of the incoming client request that first reaches Salesforce during a login. For example, 126.7.4.2. For clients that redirect through one or more HTTP proxies, this field stores the IP address of the first proxy to reach Salesforce. To better identify the origin IP for these cases, check the ForwardedForIp field instead.
type: string
indicators:
- ip
- name: Status
description: Displays the status of the attempted login. Status is either success or a reason for failure.
type: string
- name: Subdivision
description: "The name of the subdivision where the user's IP address is physically located. In the U.S., this value is usually the state name (for example, Pennsylvania). This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
type: string
- name: TlsProtocol
description: 'The TLS protocol version used for the login. Valid values are: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, Unknown.'
type: string
- name: UserId
description: The user's unique ID. For example, 005000000000123.
type: string
indicators:
- actor_id
- name: Username
description: The username in the format of [email protected].
type: string
indicators:
- username
- email
- name: UserType
description: 'The category of user license. Each UserType is associated with one or more UserLicense records. Each UserLicense is associated with one or more profiles. Valid values are: CsnOnly, CspLitePortal, CustomerSuccess, Guest, PowerCustomerSuccess, PowerPartner, SelfService, Standard.'
type: string
- name: CreatedDate
description: CreatedDate field
type: timestamp
timeFormats:
- rfc3339
- name: CreatedById
description: The ID of the user who created the login event.
type: string
indicators:
- trace_id
- name: Operation
description: The API call that generated the event. For example, Query.
type: string
- name: QueriedEntities
description: The type of entities associated with the event.
type: string
- name: RequestIdentifier
description: The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example, 3nWgxWbDKWWDIk0FKfF5D.
type: string
indicators:
- trace_id
- name: RowsProcessed
description: Total row count for the current operation. For example, 2500.
type: float
- name: Score
description: A number from 0 through 1 that represents the anomaly score for the API execution or export tracked by this event. The anomaly score shows how the user's current API activity is different from their typical activity. A low score indicates that the user's current API activity is similar to their usual activity. A high score indicates that it's different.
type: float
- name: SecurityEventData
description: The set of features about the API activity that triggered this anomaly event. Let's say, for example, that a user typically downloads 10 accounts but then they deviate from that pattern and download 1,000 accounts. This event is triggered and the contributing features are captured in this field. Potential features include row count, column count, average row size, the day of week, and the browser's user agent used for the report activity. The data captured in this field also shows how much a particular feature contributed to this anomaly event being triggered, represented as a percentage. The data is in JSON format.
type: string
- name: Summary
description: 'A text summary of the API anomaly that caused this event to be created. Example: API was exported from an infrequent network (BigLeaf Networks Inc.) API was generated with an unusually high number of rows (111141).'
type: string
- name: Uri
description: The URI of the page that's receiving the request.
type: string
indicators:
- url
- hostname
- name: UserAgent
description: UserAgent used in HTTP request, post-processed by the server.
type: string
- name: ActionName
description: The name of the action.
type: string
- name: BotId
description: The ID of the bot.
type: string
- name: BotSessionIdentifier
description: The bot session ID.
type: string
- name: Client
description: The service that executed the API event. If you're using an unrecognized client, this field returns "Unknown" or a blank value.
type: string
- name: ConnectedAppId
description: The 15-character ID of the connected app associated with the API call. For example, 0H4RM00000000Kr0AI. The ConnectedAppID field populates when a call triggers an OAuth 2.0 authentication process, which identifies the connected app that's authorized to access Salesforce data on behalf of a user. When a user associated with the call already has an active authentication token, the ConnectedAppID is set to a null value.
type: string
indicators:
- trace_id
- name: ElapsedTime
description: The amount of time it took for the request to complete in milliseconds. The measurement of this value begins before the query executes and ends when the query completes. It doesn't include the amount of time it takes to return the result over the network.
type: bigint
- name: PlannerId
description: The ID of the agent planner.
type: string
indicators:
- trace_id
- name: Query
description: The SOQL query. For example, SELECT id FROM Lead.
type: string
- name: Records
description: A JSON string that represents the queried objects' metadata. This metadata includes the number of results of a query per entity type and the entity IDs. The Records field is set to a null value for BULK API queries. Bulk API queries from ApiEventStream can exceed bandwidth limitations due to the size of the Records field. To reduce the payload size, the Records field is set to a null value.
type: json
- name: RowsReturned
description: The number of rows of data returned in the current API batch. If RowsProcessed is less than the API batch size, RowsReturned is equal to RowsProcessed. If RowsProcessed is greater than the API batch size, RowsReturned equals either the API batch size or the number of rows in the last batch.
type: float
- name: AcceptLanguage
description: 'List of HTTP Headers that specify the natural language, such as English, that the client understands. Example: zh, en-US;q=0.8, en;q=0.6.'
type: string
- name: CanDownloadPdf
description: Indicates whether the downloaded PDF was converted from another file type. The default value is false.
type: boolean
- name: ContentSize
description: The size of the document, in bytes.
type: bigint
- name: DocumentId
description: The 18-character ID of the document that's being downloaded. The ID is a reference to the ContentDocument object. In some cases, DocumentId isn't populated for FileAction API_DOWNLOAD.
type: string
indicators:
- trace_id
- name: FileAction
description: "The action taken on the file. Valid values are: API_DOWNLOAD, PREVIEW, UI_DOWNLOAD, UPLOAD. If a PREVIEW action is performed on an image that's already in the browser's cache, Transaction Security's blocking capabilities are impacted. This field is available in API version 58.0 and later."
type: string
- name: FileName
description: The name of the file, including the file extension. FileName isn't populated for FileAction API_DOWNLOAD.
type: string
- name: FileSource
description: "Origin of the document. Valid values are: 'S' — Document is located within Salesforce. Label is Salesforce. 'E' — Document is located outside of Salesforce. Label is External. 'L' — Document is located on a social network and accessed via Social Customer Service. Label is Social Customer Service."
type: string
- name: FileType
description: The content type of the file. For example, PDF.
type: string
- name: IsLatestVersion
description: Indicates whether the file is the most current version (true) or not (false). The default value is false.
type: boolean
- name: ProcessDuration
description: The amount of time to download the file, in milliseconds.
type: float
- name: VersionId
description: The specific version of a document in Salesforce CRM Content or Salesforce Files. The ID is a reference to the ContentVersion object.
type: string
indicators:
- trace_id
- name: VersionNumber
description: The version number of the file.
type: string
- name: RequestedEntities
description: 'Objects queried by the guest user. For example: [" Topic "].'
type: string
- name: SoqlCommands
description: SOQL commands run by the guest user.
type: string
- name: TotalControllerEvents
description: The number of times controllers were triggered.
type: bigint
- name: AppName
description: The name of the application that the user accessed.
type: string
- name: ConnectionType
description: 'The type of connection. Possible values: CDMA1x, CDMA, EDGE, EVDO0, EVDOA, EVDOB, GPRS, HRPD, HSDPA, HSUPA, LTE, WIFI.'
type: string
- name: DeviceId
description: The unique identifier used to identify a device when tracking events. DEVICE_ID is a generated value that's created when the mobile app is initially run after installation.
type: string
indicators:
- trace_id
- name: DeviceModel
description: The name of the device model.
type: string
- name: DevicePlatform
description: 'The type of application experience in name:experience:form format. Name values: APP_BUILDER, CUSTOM, S1, SFX. Experience values: BROWSER, HYBRID. Form values: DESKTOP, PHONE, TABLET.'
type: string
- name: DeviceSessionId
description: The unique identifier of the user's session based on page load time. When the user reloads a page, a new session is started.
type: string
indicators:
- trace_id
- name: Duration
description: The duration in milliseconds since the page start time.
type: float
- name: EffectivePageTime
description: Indicates how many milliseconds it took for the page to load before a user could interact with the page's functionality. Multiple factors can affect effective page time, such as network speed, hardware performance, or page complexity.
type: float
- name: EffectivePageTimeDeviationErrorType
description: "Indicates the origin of an error. This field is populated when EffectivePageTimeDeviationReason contains the PageHasError value. This field is available in API version 58.0 and later. Possible values: Custom—An error originating from the customer's system or network. System—An error originating in Salesforce."
type: string
- name: EffectivePageTimeDeviationReason
description: "The reason for deviation in page loading time. This field is available in API version 58.0 and later. Possible values: PageInDom—The page was loaded from a cache. PageHasError—An undefined page loading error occurred. PageNotLoaded—If a customer navigates away from a page while loading processes are in progress, the page doesn't finish loading. PreviousPageNotLoaded—When navigating to a new page, and the previous page hasn't completed loading, the next page is considered to have a deviation. Incomplete loading processes on a previous page can affect how the next page loads. InteractionsBeforePageLoaded—A user interacts with a page element before the page is fully loaded. PageInBackgroundBeforeLoaded—A background loading process runs on a page. Background processes can run when users don't interact with a page, such as when they navigate to another browser tab."
type: string
- name: HasEffectivePageTimeDeviation
description: When a deviation is detected, EffectivePageTimeDeviation records true. The default value is false.
type: boolean
- name: OsName
description: The operating system name.
type: string
- name: OsVersion
description: The operating system version.
type: string
- name: PageStartTime
description: 'The time when the page was initially loaded, measured in milliseconds. Example: 1471564788642.'
type: timestamp
timeFormats:
- unix_ms
- rfc3339
- name: PageUrl
description: 'Relative URL of the top-level Lightning Experience or Salesforce mobile app page that the user opened. The page can contain one or more Lightning components. Multiple record IDs can be associated with PageUrl. Example: /sObject/0064100000JXITSAA5/view.'
type: string
- name: PreviousPageAppName
description: The internal name of the previous application that the user accessed from the App Launcher.
type: string
- name: PreviousPageEntityId
description: The unique previous page entity identifier of the event.
type: string
indicators:
- trace_id
- name: PreviousPageEntityType
description: The previous page entity type of the event.
type: string
- name: PreviousPageUrl
description: 'The relative URL of the previous Lightning Experience or Salesforce mobile app page that the user opened. Example: /sObject/006410000.'
type: string
- name: RecordId
description: The id of the record being viewed or edited. For example, 001RM000003cjx6YAA.
type: string
indicators:
- trace_id
- name: SdkAppType
description: 'The mobile SDK application type. Possible values: HYBRID, HYBRIDLOCAL, HYBRIDREMOTE, NATIVE, REACTNATIVE.'
type: string
- name: SdkAppVersion
description: The version of the mobile SDK the application uses.
type: string
- name: SdkVersion
description: 'The mobile SDK application version number. Example: 5.0.'
type: string
- name: ColumnHeaders
description: Comma-separated values of column headers of the list view. These values are the API names, not the labels shown in the UI. For example, Name, BillingState, Phone, Type, Owner.Alias, CaseNumber, Contact.Name, Subject, Status, Priority, CreatedDate, Owner.NameOrAlias.
type: string
- name: DeveloperName
description: The unique name of the object in the API. This name contains only underscores and alphanumeric characters, and is unique in your org. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, AllAccounts or AllOpenLeads.
type: string
- name: EventSource
description: "The source of the event. Possible values are: 'API' — The user generated the list view from an API call. 'Classic' —The user generated the list view from a page in the Salesforce Classic UI. 'Lightning' — The user generated the list view from a page in the Lightning Experience UI."
type: string
- name: ExecutionIdentifier
description: When list view execution data is divided into multiple list view events, use this unique identifier to correlate the multiple data chunks. For example, each chunk might have the same ExecutionIdentifier of a50a4025-84f2-425d-8af9-2c780869f3b5, enabling you to link them together to get all the data for the list view execution. The Sequence field contains the incremental sequence numbers that indicate the order of the multiple events.
type: string
indicators:
- trace_id
- name: FilterCriteria
description: 'A JSON string that represents the list view''s filter criteria at the time the event was captured. Example: {"whereCondition":{"type":"soqlCondition","field":"Type","operator":"equals","values":["''Prospect''"]}}.'
type: json
- name: ListViewId
description: The ID of the list view associated with this event. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, 00BB0000001c73kMAA.
type: string
indicators:
- trace_id
- name: Name
description: The display name of the list view/report. The value is null for report previews. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, All Accounts and All Open Leads.
type: string
- name: NumberOfColumns
description: The number of columns in the list view.
type: bigint
- name: OrderBy
description: The column that the list view is sorted by. For example, if a list view of accounts is sorted alphabetically by name, the OrderBy value is [Name ASC NULLS FIRST, Id ASC NULLS FIRST]. If the list is sorted alphabetically by type, the OrderBy value is [Type ASC NULLS FIRST, Id ASC NULLS FIRST].
type: string
- name: OwnerId
description: The ID of the org or user who owns the list view. If the list view wasn't saved, this value is the same as UserId. For example, 005B0000001vURvIAM.
type: string
indicators:
- trace_id
- name: Scope
description: "Represents the filter criteria for the list view. Possible values are: Delegated—Records delegated to another user for action; for example, a delegated task. Everything—All records, for example All Opportunities. Mine—Records owned by the user running the list view, for example My Opportunities. MineAndMyGroups—Records owned by the user running the list view, and records assigned to the user's queues. MyTerritory—Records in the territory of the user seeing the list view. This option is available if territory management is enabled for your org. MyTeamTerritory—Records in the territory of the team of the user seeing the list view. This option is available if territory management is enabled for your org. Queue—Records assigned to a queue. Team—Records assigned to a team."
type: string
- name: Sequence
description: Incremental sequence number that indicates the order of multiple events that result from a given list view execution. When a list view execution returns many records, Salesforce splits this data into chunks based on the size of the records, and then creates multiple correlated ListViewEventStreams. The field values in each of these correlated ListViewEventStreams are the same, except for Records, which contains the different data chunks, and Sequence, which identifies each chunk in order. Every list view execution has a unique ExecutionIdentifier value to differentiate it from other list view executions. To view all the data chunks from a single list view execution, use the Sequence and ExecutionIdentifier fields in combination.
type: bigint
- name: DelegatedOrganizationId
description: Organization Id of the user who is logging in as another user. For example, 00Dxx0000001gEH.
type: string
indicators:
- trace_id
- name: DelegatedUsername
description: Username of the admin who is logging in as another user. For example, [email protected].
type: string
indicators:
- username
- email
- name: LoginAsCategory
description: 'Represents how the user logs in as another user. Possible values are: OrgAdmin—An administrator logs in to Salesforce as an individual user. Depending on your org settings, the individual user grants login access to the administrator. Community—A user who has been granted access to a Salesforce Experience Cloud site logs in.'
type: string
- name: TargetUrl
description: The URL redirected to after logging in as another user succeeds.
type: string
indicators:
- url
- hostname
- name: HasExternalUsers
description: When true, external users are impacted by the operation that triggered a permission change. The default value is false.
type: boolean
- name: ImpactedUserIds
description: A comma-separated list of IDs of the users affected by the event. A maximum of 1,000 user IDs are included. For example, if a permission set assigned to two users is updated, the users' IDs are recorded in this field.
type: json
- name: ParentIdList
description: The IDs of the affected permission sets or permission set groups.
type: json
- name: ParentNameList
description: The names of the affected permission sets or permission set groups.
type: json
- name: PermissionExpirationList
description: A comma separated list of timestamps from the PermissionSetAssignment.ExpirationDate field that specifies when added permissions will be revoked. This value is null when no expiration timestamp is specified or permissions are removed for the impacted users.
type: json
- name: PermissionList
description: "The list of permissions that are enabled or disabled in the event. These permissions can include: AssignPermissionSets (Assign Permission Sets), AuthorApex (Author Apex), CustomizeApplication (Customize Application), ForceTwoFactor (Multi-Factor Authentication for User Interface Logins), FreezeUsers (Freeze Users), ManageEncryptionKeys (Manage Encryption Keys), ManageInternalUsers (Manage Internal Users), ManagePasswordPolicies (Manage Password Policies), ManageProfilesPermissionsets (Manage Profiles and Permission Sets), ManageRoles (Manage Roles), ManageSharing (Manage Sharing), ManageUsers (Manage Users), ModifyAllData (Modify All Data), MonitorLoginHistory (Monitor Login History), PasswordNeverExpires (Password Never Expires), ResetPasswords (Reset User Passwords and Unlock Users), ViewAllData (View All Data). When using this event in a transaction security policy, use the permission's API name, not its label, and use the Contains operator, rather than Equals."
type: json
- name: PermissionType
description: 'The type of permission that is updated in the event. Possible values are: ObjectPermission, UserPermission.'
type: string
- name: UserCount
description: The number of users affected by the event. This field has a maximum value of 1,000. If the user appears more than 1,000 times, the value remains at 1,000.
type: string
- name: Report
description: The report ID for the report for which this anomaly event was detected. For example, 00OD0000001leVCMAY. If this anomaly resulted from a user executing an unsaved report, the value of this field is null.
type: string
indicators:
- trace_id
- name: DashboardId
description: The ID of the dashboard that the report was part of. For example, 01ZB0000000PmoQ.
type: string
indicators:
- trace_id
- name: DashboardName
description: The title of the dashboard that the report was part of.
type: string
- name: Description
description: The description of the report.
type: string
- name: DisplayedFieldEntities
description: The API values of the fields that are displayed on the report, including the names of the entities of the grouped column fields. For example, [ACCOUNTS, OWNERS].
type: string
- name: ExportFileFormat
description: 'If the user exported the report, this value indicates the format of the exported report. Possible values are: CSV, Excel.'
type: string
- name: Format
description: 'The format of the report. Possible values are: Matrix, MultiBlock, Summary, Tabular.'
type: string
- name: GroupedColumnHeaders
description: Comma-separated values of grouped column fields in summary, matrix, and joined reports. For example, [USERNAME, ACCOUNT.NAME, TYPE, DUE_DATE, LAST_UPDATE, ADDRESS1_STATE].
type: string
- name: IsScheduled
description: If TRUE, the report was scheduled. If FALSE, the report wasn't scheduled.
type: boolean
- name: ReportId
description: The ID of the report associated with this event. For example, 00OB00000032FHdMAM.
type: string
indicators:
- trace_id
- name: CurrentIp
description: The IP address of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousIp field for the previous IP address. If the IP address didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousIp field value. For example, 126.7.4.2.
type: string
indicators:
- ip
- name: CurrentPlatform
description: The platform of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousPlatform field for the previous platform. If the platform didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousPlatform field value. For example, MacIntel or Win32.
type: string
- name: CurrentScreen
description: The screen of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousScreen field for the previous screen. If the screen didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousScreen field value. For example, (900.0,1440.0) or (720,1280).
type: string
- name: CurrentUserAgent
description: The user agent of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousUserAgent field for the previous user agent. If the user agent didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousUserAgent field value. For example, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36.
type: string
- name: CurrentWindow
description: The browser window of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousWindow field for the previous window. If the window didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousWindow field value. For example, (1200.0,1920.0).
type: string
- name: PreviousIp
description: The IP address of the previous fingerprint. The IP address of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentIp field for the newly observed IP address. For example, 128.7.5.2.
type: string
indicators:
- ip
- name: PreviousPlatform
description: The platform of the previous fingerprint. The platform of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentPlatform field for the newly observed platform. For example, Win32 or iPhone.
type: string
- name: PreviousScreen
description: The screen of the previous fingerprint. The screen of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentScreen field for the newly observed screen. For example, (1200.0,1920.0).
type: string
- name: PreviousUserAgent
description: The user agent of the previous fingerprint. The user agent of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentUserAgent field for the newly observed user agent. For example, Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko).
type: string
- name: PreviousWindow
description: The browser window of the previous fingerprint. The window of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentWindow field for the newly observed window. For example, (1600.0,1920.0).
type: string
- name: Message
description: The failure message if the operation being performed on the entity failed (OperationStatus=Failure).
type: string
- name: OperationStatus
description: 'Whether the operation performed on the entity (such as create) succeeded or failed. When the operation starts, the value is always INITIATED. Possible values are: Failure—The operation failed. Initiated—The operation started. Note: Create and update operations can generate an extra OperationStatus=Initiated event after an operation fails. Ignore this extra record. Success—The operation succeeded.'
type: string
