Salesforce Real-Time Events (Beta)

Panther supports ingesting Salesforce Real-Time events via EventBridge

Overview

The Salesforce Real-Time Events integration is in open beta starting with Panther version 1.117, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Salesforce Real-Time Events for monitoring activity in your Salesforce account in real time. This integration uses Amazon EventBridge to stream events directly from Salesforce to Panther.

This integration is separate from the Salesforce Event Monitoring integration, in which logs are pulled periodically.

Salesforce Limitations

  • You can create a maximum of three custom channels for Real-Time Event Monitoring.

  • Each event channel is limited to 10 events.

    • If you need to monitor more than 10 event types, you must distribute them across multiple channels.

  • With a maximum of three custom channels and 10 events per channel, you can monitor up to 30 event types total.

How to onboard Salesforce logs to Panther

Prerequisites

  • You must be an admin in your Salesforce organization.

  • Your Salesforce organization must have Real-Time Event Monitoring enabled. You must have:

    • The Salesforce Shield or Event Monitoring add-on subscription.

    • The View Real-Time Event Monitoring Data user permission.

Step 1: Configure Salesforce Event Streaming

  1. Log in to Salesforce as an administrator.

  2. In the top-right, click on the gear icon and then select Setup from the menu.

  3. In the search box, search for and select Event Manager.

  4. For each event you want to send to Panther, click the arrow on the right of its row and select Enable Streaming.

Step 2: Create Event Relays

Once you have enabled event streaming, you need to create Event Relays to send the data to AWS EventBridge.

You have two options for creating Event Relays:

Option 1: Script setup

  1. Download one of the following scripts. These scripts will add all event types and create the related Event Relays.

    • Linux/Mac

    • Windows PowerShell

  2. Before running the script, configure the following variables:

USERNAME="YOUR_USERNAME"
PASSWORD="YOUR_PASSWORD"
SECURITY_TOKEN="YOUR_SECURITY_TOKEN"
LOGIN_BASE="https://login.salesforce.com"  # or test.salesforce.com for sandbox
API_VERSION="v64.0"
AWS_REGION="YOUR_AWS_REGION"  # Must be in uppercase
AWS_ACCOUNT_ID="YOUR_AWS_ACCOUNT_ID"
  • You can get your AWS region and account ID from the Panther Console.

    • Click the gear icon in the upper right corner of your Panther Console and then select General. Your AWS information will be displayed at the bottom of the page.

  3. Run the script. Copy the AWS EventBridge resources from the script output. You will need them in the following steps.

  4. In Salesforce, the Event Relays page should show your configured relays.

Option 2: Manual setup

For more detailed instructions, refer to the Relay Events from Salesforce to Amazon EventBridge guide.

  1. Follow the Salesforce instructions to Create a Named Credential for Event Relay Setup.

    • Fill in the following fields:

      • Label: PantherAWSNamedCredential

      • Name: PantherAWSNamedCredential

      • URL: arn:aws:events:YOUR-REGION:YOUR-ACCOUNT-ID

        • You can get your AWS region and account ID from the Panther Console.

          • Click the gear icon in the upper right corner of your Panther Console and then select General. Your AWS information will be displayed at the bottom of the page.

      • Identity Type: Named Principal

      • Authentication Protocol: No Authentication

  2. Follow the Salesforce instructions to Connect Postman to Salesforce.

  3. Follow the Salesforce instructions to Create a Channel for a Custom Platform Event with Postman.

  4. For each event type, follow the Salesforce instructions to Add a Custom Platform Event in a New Channel Member.

    • Body example:

      {
        "FullName": "Event_Monitoring_Channel_chn_ReportAnomalyEvent",
        "Metadata": {
          "eventChannel": "Event_Monitoring_Channel__chn",
          "selectedEntity": "ReportAnomalyEvent"
        }
      }
  5. Follow the Salesforce instructions to Create an Event Relay.

  6. Follow the Salesforce instructions to Start the Event Relay.

  7. In Salesforce, navigate to the Event Relays page. Copy the Partner Event Source Name from each event relay. You will need them in the following steps.
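
For the manual setup, the channel-member bodies can be generated and checked against the Salesforce limits before anything is sent with Postman. This is an added example, not part of the Panther or Salesforce scripts; the second channel name and the placeholder entity names are constructed, and the FullName pattern is assumed from the single body example above.

```python
import json

MAX_CHANNELS = 3              # custom channel limit stated on this page
MAX_EVENTS_PER_CHANNEL = 10   # per-channel event limit stated on this page


def member_body(channel, entity):
    """Build one channel-member body in the shape of the page's body example."""
    if not channel.endswith("__chn"):
        raise ValueError("channel name must end in __chn: %r" % channel)
    # Assumed pattern, taken from the page's example:
    # "Event_Monitoring_Channel__chn" + "ReportAnomalyEvent"
    #   -> "Event_Monitoring_Channel_chn_ReportAnomalyEvent"
    full_name = channel.replace("__", "_") + "_" + entity.replace("__", "_")
    return {
        "FullName": full_name,
        "Metadata": {"eventChannel": channel, "selectedEntity": entity},
    }


def plan_members(entities, channels):
    """Spread entities over channels, refusing any plan that breaks the limits."""
    unique = list(dict.fromkeys(entities))  # drop duplicates, keep order
    if len(channels) > MAX_CHANNELS:
        raise ValueError("at most %d custom channels are allowed" % MAX_CHANNELS)
    if len(set(channels)) != len(channels):
        raise ValueError("channel names must be unique")
    capacity = len(channels) * MAX_EVENTS_PER_CHANNEL
    if len(unique) > capacity:
        # Fail loudly: an event type that does not fit is never streamed,
        # which would leave a silent gap in monitoring coverage.
        raise ValueError(
            "%d event types do not fit in %d channel slot(s)" % (len(unique), capacity)
        )
    return [
        member_body(channels[index // MAX_EVENTS_PER_CHANNEL], entity)
        for index, entity in enumerate(unique)
    ]


# Constructed input: the first channel and first entity come from the page's
# body example; the second channel and the placeholder entities are made up.
SAMPLE_CHANNELS = ["Event_Monitoring_Channel__chn", "Event_Monitoring_Channel_2__chn"]
SAMPLE_ENTITIES = ["ReportAnomalyEvent"] + [
    "PlaceholderEvent%02d" % number for number in range(1, 12)
]

if __name__ == "__main__":
    for body in plan_members(SAMPLE_ENTITIES, SAMPLE_CHANNELS):
        print(json.dumps(body))
```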

Step 3: Verify that all Event Relays are running in Salesforce

To check the status:

  1. In Salesforce, navigate to Setup > Event Relays.

  2. Confirm that all Event Relays show "Running" in the Status column.

  3. Only proceed to Step 4 once all Event Relays are confirmed as running.

    • If Event Relays are not running, you won't be able to set up the log source in Panther.

Step 4: Configure Panther Log Source

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Select Salesforce Real-Time from the list of available log sources. Click Start Setup.

  4. On the Configure your source page, fill in the following fields:

    • Name: Enter a descriptive name for the source (e.g., Salesforce Real-Time Events).

    • EventBridge Bus Names: Enter the AWS EventBridge resources or Partner Event Source Names you copied earlier.

      • Add additional bus names by clicking Add Bus Name.

  5. Click Setup.

Supported Event Types

The Salesforce Real-Time Events integration supports the following monitoring events:

Supported events
  • LoginEventStream - Real-time user login events

  • LogoutEventStream - Real-time user logout events

  • LoginAsEventStream - Real-time login as events

  • SessionHijackingEventStream - Session hijacking detection events

  • CredentialStuffingEventStream - Credential stuffing attack attempts

  • ReportEventStream - Report access and modification monitoring

  • ListViewEventStream - List view access events

  • UriEventStream - URI access events (Salesforce Classic)

  • LightningUriEventStream - Lightning URI access events

  • ApiEventStream - API access events

  • ApiAnomalyEventStream - API anomaly detection events

  • ReportAnomalyEventStream - Report anomaly detection events

  • LoginAnomalyEventStream - Login anomaly detection events

  • GuestUserAnomalyEventStream - Guest user anomaly detection events

  • BulkApiResultEventStream - Bulk API operation results

  • FileEventStream - File access and download events

  • PermissionSetEventStream - Permission set assignment and modification events

  • ConcurrentLongRunningEventStream - Concurrent long-running event monitoring

The event type is specified in the Type field of each event, allowing you to filter and create detection rules based on specific event types.
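
One way to filter on the Type field, written in the style of a Panther Python rule. This is an added example, not a detection shipped by Panther; it uses field names and enumerated values from the Salesforce.RealtimeEvent schema on this page, while the score threshold, the severity mapping and the sample events are assumptions constructed for illustration.

```python
import json

THREAT_TYPES = {"SessionHijackingEventStream", "CredentialStuffingEventStream"}
ANOMALY_TYPES = {
    "ApiAnomalyEventStream",
    "ReportAnomalyEventStream",
    "LoginAnomalyEventStream",
    "GuestUserAnomalyEventStream",
}
LEGACY_TLS = {"TLS 1.0", "TLS 1.1"}            # subset of the TlsProtocol values
BLOCKED_OUTCOMES = {"Block", "MeteringBlock"}  # subset of the PolicyOutcome values
SCORE_THRESHOLD = 0.8                          # assumption: tune per org


def rule(event):
    """Return True when the event should raise an alert."""
    event_type = event.get("Type")
    if event_type in THREAT_TYPES:
        return True
    if event_type in ANOMALY_TYPES:
        score = event.get("Score")
        # Score is not a required field: alert when it is absent rather than
        # dropping a detection that Salesforce already raised.
        return score is None or score >= SCORE_THRESHOLD
    if event_type == "LoginEventStream":
        return (
            event.get("TlsProtocol") in LEGACY_TLS
            or event.get("PolicyOutcome") in BLOCKED_OUTCOMES
        )
    return False


def severity(event):
    event_type = event.get("Type")
    if event_type in THREAT_TYPES:
        return "HIGH"
    if event_type in ANOMALY_TYPES:
        return "MEDIUM"
    return "LOW"


def title(event):
    return "Salesforce {}: {} from {}".format(
        event.get("Type"),
        event.get("Username", "<unknown user>"),
        event.get("SourceIp", "<unknown ip>"),
    )


def alert_context(event):
    """Collect correlation keys; SecurityEventData is a JSON string per the schema."""
    raw = event.get("SecurityEventData")
    try:
        features = json.loads(raw) if raw else None
    except (TypeError, ValueError):
        features = raw  # malformed JSON: keep the original string for the analyst
    return {
        "EventIdentifier": event.get("EventIdentifier"),
        "LoginKey": event.get("LoginKey"),
        "Score": event.get("Score"),
        "Summary": event.get("Summary"),
        "SecurityEventData": features,
    }


def triage(events):
    """Run the rule over a batch and return one alert dict per matching event."""
    return [
        {"title": title(e), "severity": severity(e), "context": alert_context(e)}
        for e in events
        if rule(e)
    ]


# Constructed sample events (not real Salesforce output).
SAMPLE_EVENTS = [
    {"Type": "LoginEventStream", "Username": "alice@example.com",
     "SourceIp": "192.0.2.10", "TlsProtocol": "TLS 1.3", "PolicyOutcome": "NoAction"},
    {"Type": "LoginEventStream", "Username": "bob@example.com",
     "SourceIp": "192.0.2.11", "TlsProtocol": "TLS 1.0"},
    {"Type": "ApiAnomalyEventStream", "Username": "carol@example.com",
     "SourceIp": "198.51.100.7", "Score": 0.93,
     "SecurityEventData": '[{"featureName": "rowCount", "featureValue": "111141"}]'},
    {"Type": "ApiAnomalyEventStream", "Username": "dave@example.com",
     "SourceIp": "198.51.100.8", "Score": 0.12},
    {"Type": "CredentialStuffingEventStream", "Username": "erin@example.com",
     "SourceIp": "203.0.113.5"},
    {"Type": "ReportAnomalyEventStream", "Username": "frank@example.com",
     "SourceIp": "203.0.113.6", "SecurityEventData": "{truncated"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
```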

Supported log types

Salesforce.RealtimeEvent

Real-time events from Salesforce contain comprehensive information about security activities in your Salesforce environment.

For more information see the Salesforce Real-Time Event Monitoring documentation.

schema: Salesforce.RealtimeEvent
description: Salesforce Real-Time Events for monitoring activity in your Salesforce account.
referenceURL: https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/platform_events_objects_monitoring.htm
fields:
  - name: Type
    required: true
    description: The type of event that occurred. For example, LoginEventStream.
    type: string
  - name: EventDate
    description: The login time of the specified event. For example, 2020-01-20T19:12:26.965Z. Milliseconds are the most granular setting.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: AdditionalInfo
    description: JSON serialization of additional information that’s captured from the HTTP headers during a login request.
    type: string
  - name: ApiType
    description: 'The type of API that’s used to log in. Values include: SOAP Enterprise, SOAP Partner, REST API'
    type: string
  - name: ApiVersion
    description: The version number of the API. If no version number is available, “Unknown” is returned.
    type: string
  - name: Application
    description: The application used to access the org.
    type: string
  - name: AuthMethodReference
    description: The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol.
    type: string
  - name: AuthServiceId
    description: The 18-character ID for an authentication service for a login event. For example, you can use this field to identify the SAML or authentication provider configuration with which the user logged in.
    type: string
    indicators:
      - trace_id
  - name: Browser
    description: The browser name and version if known.
    type: string
  - name: CipherSuite
    description: The TLS cipher suite used for the login. Values are OpenSSL-style cipher suite names, with hyphen delimiters.
    type: string
  - name: City
    description: "The city where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: string
  - name: ClientVersion
    description: The version number of the login client. If no version number is available, "Unknown" is returned.
    type: string
  - name: Country
    description: "The country where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: string
  - name: CountryIso
    description: The ISO 3166 code for the country where the user's IP address is physically located. For more information, see Country Codes - ISO 3166.
    type: string
  - name: EvaluationTime
    description: The amount of time it took to evaluate the transaction security policy, in milliseconds.
    type: float
  - name: EventIdentifier
    description: The unique ID of the event, which is shared with the corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate the event with its storage object. Also, use this field as the primary key in your queries. Available in API version 42.0 and later.
    type: string
    indicators:
      - trace_id
  - name: EventUuid
    description: A universally unique identifier (UUID) that identifies a platform event message. This field is available in API version 52.0 and later.
    type: string
    indicators:
      - trace_id
  - name: ForwardedForIp
    description: The value in the X-Forwarded-For header of HTTP requests sent by the client. For logins that use one or more HTTP proxies, the X-Forwarded-For header is sometimes used to store the origin IP and all proxy IPs. The ForwardedForIp field stores whatever value the client sends, which might not be an IP address. The maximum length is 256 characters. Longer values are truncated. The ForwardedForIp field isn't populated for logins completed via OAuth flows or single sign-on (SSO). Available in API version 61.0 and later.
    type: string
    indicators:
      - ip
  - name: HttpMethod
    description: The HTTP method of the login request; possible values are GET, POST, and Unknown.
    type: string
  - name: LoginGeoId
    description: The Salesforce ID of the LoginGeo object associated with the login user's IP address. For example, 04FB000001TvhiPMAR.
    type: string
  - name: LoginHistoryId
    description: Tracks a user session so you can correlate user activity with a particular login instance. This field is also available on the LoginHistory, AuthSession, and LoginHistory objects, making it easier to trace events back to a user's original authentication. For example, 0YaB000002knVQLKA2.
    type: string
    indicators:
      - trace_id
  - name: LoginKey
    description: The string that ties together all events in a given user's login session. The session starts with a login event and ends with either a logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
    type: string
    indicators:
      - trace_id
  - name: LoginLatitude
    description: "The latitude where the user's IP address is physically located. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: float
  - name: LoginLongitude
    description: "The longitude where the user's IP address is physically located. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: float
  - name: LoginSubType
    description: The type of login flow used. See the LoginSubType field of LoginHistory in the Object Reference guide for the list of possible values. Label is Login Subtype.
    type: string
  - name: LoginType
    description: The type of login used to access the session. See the LoginType field of LoginHistory in the Object Reference guide for the list of possible values.
    type: string
  - name: LoginUrl
    description: The URL of the login host from which the request is coming. For example, yourInstance.salesforce.com.
    type: string
    indicators:
      - url
      - hostname
  - name: NetworkId
    description: The ID of the Experience Cloud site that the user is logging in to. This field is available if Salesforce Experience Cloud is enabled for your organization.
    type: string
  - name: Platform
    description: The operating system name and version that are used during the login event. If no platform name is available, "Unknown" is returned. For example, Mac OSX or iOS/Mac.
    type: string
  - name: PolicyId
    description: The ID of the transaction security policy associated with this event. For example, 0NIB000000000KOOAY.
    type: string
  - name: PolicyOutcome
    description: 'The result of the transaction policy. Possible values are: Block, Error, ExemptNoAction, FailedInvalidPassword, FailedPasswordLockout, MeteringBlock, MeteringNoAction, NoAction, Notified, TwoFAAutomatedSuccess, TwoFADenied, TwoFAFailedGeneralError, TwoFAFailedInvalidCode, TwoFAFailedTooManyAttempts, TwoFAInitiated, TwoFAInProgress, TwoFANoAction, TwoFARecoverableError, TwoFAReportedDenied, TwoFASucceeded.'
    type: string
  - name: PostalCode
    description: "The postal code where the user's IP address is physically located. This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: string
  - name: RelatedEventIdentifier
    description: Represents the EventIdentifier of the related event. For example, bd76f3e7-9ee5-4400-9e7f-54de57ecd79c. This field is populated only when the activity that this event monitors requires extra authentication, such as multi-factor authentication. In this case, Salesforce generates more events and sets the RelatedEventIdentifier field of the new events to the value of the EventIdentifier field of the original event. Use this field with the EventIdentifier field to correlate all the related events. If no extra authentication is required, this field is blank.
    type: string
    indicators:
      - trace_id
  - name: RemoteIdentifier
    description: Reserved for future use.
    type: string
  - name: ReplayId
    description: Represents an ID value that is populated by the system and refers to the position of the event in the event stream. Replay ID values aren't guaranteed to be contiguous for consecutive events. A subscriber can store a replay ID value and use it on resubscription to retrieve missed events that are within the retention window.
    type: string
  - name: SessionKey
    description: The user's unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started. For example, vMASKIU6AxEr+Op5.
    type: string
    indicators:
      - trace_id
  - name: SessionLevel
    description: 'Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are: HIGH_ASSURANCE, LOW, STANDARD.'
    type: string
  - name: SourceIp
    description: The IP address of the incoming client request that first reaches Salesforce during a login. For example, 126.7.4.2. For clients that redirect through one or more HTTP proxies, this field stores the IP address of the first proxy to reach Salesforce. To better identify the origin IP for these cases, check the ForwardedForIp field instead.
    type: string
    indicators:
      - ip
  - name: Status
    description: Displays the status of the attempted login. Status is either success or a reason for failure.
    type: string
  - name: Subdivision
    description: "The name of the subdivision where the user's IP address is physically located. In the U.S., this value is usually the state name (for example, Pennsylvania). This value isn't localized. This field is available in API version 47.0 and later. Note: Due to the nature of geolocation technology, the accuracy of this field can vary."
    type: string
  - name: TlsProtocol
    description: 'The TLS protocol version used for the login. Valid values are: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, Unknown.'
    type: string
  - name: UserId
    description: The user's unique ID. For example, 005000000000123.
    type: string
    indicators:
      - actor_id
  - name: Username
    description: The username in the format of user@company.com.
    type: string
    indicators:
      - username
      - email
  - name: UserType
    description: 'The category of user license. Each UserType is associated with one or more UserLicense records. Each UserLicense is associated with one or more profiles. Valid values are: CsnOnly, CspLitePortal, CustomerSuccess, Guest, PowerCustomerSuccess, PowerPartner, SelfService, Standard.'
    type: string
  - name: CreatedDate
    description: CreatedDate field
    type: timestamp
    timeFormats:
      - rfc3339
  - name: CreatedById
    description: The ID of the user who created the login event.
    type: string
    indicators:
      - trace_id
  - name: Operation
    description: The API call that generated the event. For example, Query.
    type: string
  - name: QueriedEntities
    description: The type of entities associated with the event.
    type: string
  - name: RequestIdentifier
    description: The unique ID of a single transaction. A transaction can contain one or more events. Each event in a given transaction has the same REQUEST_ID. For example, 3nWgxWbDKWWDIk0FKfF5D.
    type: string
    indicators:
      - trace_id
  - name: RowsProcessed
    description: Total row count for the current operation. For example, 2500.
    type: float
  - name: Score
    description: A number from 0 through 1 that represents the anomaly score for the API execution or export tracked by this event. The anomaly score shows how the user's current API activity is different from their typical activity. A low score indicates that the user's current API activity is similar to their usual activity. A high score indicates that it's different.
    type: float
  - name: SecurityEventData
    description: The set of features about the API activity that triggered this anomaly event. Let's say, for example, that a user typically downloads 10 accounts but then they deviate from that pattern and download 1,000 accounts. This event is triggered and the contributing features are captured in this field. Potential features include row count, column count, average row size, the day of week, and the browser's user agent used for the report activity. The data captured in this field also shows how much a particular feature contributed to this anomaly event being triggered, represented as a percentage. The data is in JSON format.
    type: string
  - name: Summary
    description: 'A text summary of the API anomaly that caused this event to be created. Example: API was exported from an infrequent network (BigLeaf Networks Inc.) API was generated with an unusually high number of rows (111141).'
    type: string
  - name: Uri
    description: The URI of the page that's receiving the request.
    type: string
    indicators:
      - url
      - hostname
  - name: UserAgent
    description: UserAgent used in HTTP request, post-processed by the server.
    type: string
  - name: ActionName
    description: The name of the action.
    type: string
  - name: BotId
    description: The ID of the bot.
    type: string
  - name: BotSessionIdentifier
    description: The bot session ID.
    type: string
  - name: Client
    description: The service that executed the API event. If you're using an unrecognized client, this field returns "Unknown" or a blank value.
    type: string
  - name: ConnectedAppId
    description: The 15-character ID of the connected app associated with the API call. For example, 0H4RM00000000Kr0AI. The ConnectedAppID field populates when a call triggers an OAuth 2.0 authentication process, which identifies the connected app that's authorized to access Salesforce data on behalf of a user. When a user associated with the call already has an active authentication token, the ConnectedAppID is set to a null value.
    type: string
    indicators:
      - trace_id
  - name: ElapsedTime
    description: The amount of time it took for the request to complete in milliseconds. The measurement of this value begins before the query executes and ends when the query completes. It doesn't include the amount of time it takes to return the result over the network.
    type: bigint
  - name: PlannerId
    description: The ID of the agent planner.
    type: string
    indicators:
      - trace_id
  - name: Query
    description: The SOQL query. For example, SELECT id FROM Lead.
    type: string
  - name: Records
    description: A JSON string that represents the queried objects' metadata. This metadata includes the number of results of a query per entity type and the entity IDs. The Records field is set to a null value for BULK API queries. Bulk API queries from ApiEventStream can exceed bandwidth limitations due to the size of the Records field. To reduce the payload size, the Records field is set to a null value.
    type: json
  - name: RowsReturned
    description: The number of rows of data returned in the current API batch. If RowsProcessed is less than the API batch size, RowsReturned is equal to RowsProcessed. If RowsProcessed is greater than the API batch size, RowsReturned equals either the API batch size or the number of rows in the last batch.
    type: float
  - name: AcceptLanguage
    description: 'List of HTTP Headers that specify the natural language, such as English, that the client understands. Example: zh, en-US;q=0.8, en;q=0.6.'
    type: string
  - name: CanDownloadPdf
    description: Indicates whether the downloaded PDF was converted from another file type. The default value is false.
    type: boolean
  - name: ContentSize
    description: The size of the document, in bytes.
    type: bigint
  - name: DocumentId
    description: The 18-character ID of the document that's being downloaded. The ID is a reference to the ContentDocument object. In some cases, DocumentId isn't populated for FileAction API_DOWNLOAD.
    type: string
    indicators:
      - trace_id
  - name: FileAction
    description: "The action taken on the file. Valid values are: API_DOWNLOAD, PREVIEW, UI_DOWNLOAD, UPLOAD. If a PREVIEW action is performed on an image that's already in the browser's cache, Transaction Security's blocking capabilities are impacted. This field is available in API version 58.0 and later."
    type: string
  - name: FileName
    description: The name of the file, including the file extension. FileName isn't populated for FileAction API_DOWNLOAD.
    type: string
  - name: FileSource
    description: "Origin of the document. Valid values are: 'S' — Document is located within Salesforce. Label is Salesforce. 'E' — Document is located outside of Salesforce. Label is External. 'L' — Document is located on a social network and accessed via Social Customer Service. Label is Social Customer Service."
    type: string
  - name: FileType
    description: The content type of the file. For example, PDF.
    type: string
  - name: IsLatestVersion
    description: Indicates whether the file is the most current version (true) or not (false). The default value is false.
    type: boolean
  - name: ProcessDuration
    description: The amount of time to download the file, in milliseconds.
    type: float
  - name: VersionId
    description: The specific version of a document in Salesforce CRM Content or Salesforce Files. The ID is a reference to the ContentVersion object.
    type: string
    indicators:
      - trace_id
  - name: VersionNumber
    description: The version number of the file.
    type: string
  - name: RequestedEntities
    description: 'Objects queried by the guest user. For example: [" Topic "].'
    type: string
  - name: SoqlCommands
    description: SOQL commands run by the guest user.
    type: string
  - name: TotalControllerEvents
    description: The number of times controllers were triggered.
    type: bigint
  - name: AppName
    description: The name of the application that the user accessed.
    type: string
  - name: ConnectionType
    description: 'The type of connection. Possible values: CDMA1x, CDMA, EDGE, EVDO0, EVDOA, EVDOB, GPRS, HRPD, HSDPA, HSUPA, LTE, WIFI.'
    type: string
  - name: DeviceId
    description: The unique identifier used to identify a device when tracking events. DEVICE_ID is a generated value that's created when the mobile app is initially run after installation.
    type: string
    indicators:
      - trace_id
  - name: DeviceModel
    description: The name of the device model.
    type: string
  - name: DevicePlatform
    description: 'The type of application experience in name:experience:form format. Name values: APP_BUILDER, CUSTOM, S1, SFX. Experience values: BROWSER, HYBRID. Form values: DESKTOP, PHONE, TABLET.'
    type: string
  - name: DeviceSessionId
    description: The unique identifier of the user's session based on page load time. When the user reloads a page, a new session is started.
    type: string
    indicators:
      - trace_id
  - name: Duration
    description: The duration in milliseconds since the page start time.
    type: float
  - name: EffectivePageTime
    description: Indicates how many milliseconds it took for the page to load before a user could interact with the page's functionality. Multiple factors can affect effective page time, such as network speed, hardware performance, or page complexity.
    type: float
  - name: EffectivePageTimeDeviationErrorType
    description: "Indicates the origin of an error. This field is populated when EffectivePageTimeDeviationReason contains the PageHasError value. This field is available in API version 58.0 and later. Possible values: Custom—An error originating from the customer's system or network. System—An error originating in Salesforce."
    type: string
  - name: EffectivePageTimeDeviationReason
    description: "The reason for deviation in page loading time. This field is available in API version 58.0 and later. Possible values: PageInDom—The page was loaded from a cache. PageHasError—An undefined page loading error occurred. PageNotLoaded—If a customer navigates away from a page while loading processes are in progress, the page doesn't finish loading. PreviousPageNotLoaded—When navigating to a new page, and the previous page hasn't completed loading, the next page is considered to have a deviation. Incomplete loading processes on a previous page can affect how the next page loads. InteractionsBeforePageLoaded—A user interacts with a page element before the page is fully loaded. PageInBackgroundBeforeLoaded—A background loading process runs on a page. Background processes can run when users don't interact with a page, such as when they navigate to another browser tab."
    type: string
  - name: HasEffectivePageTimeDeviation
    description: When a deviation is detected, EffectivePageTimeDeviation records true. The default value is false.
    type: boolean
  - name: OsName
    description: The operating system name.
    type: string
  - name: OsVersion
    description: The operating system version.
    type: string
  - name: PageStartTime
    description: 'The time when the page was initially loaded, measured in milliseconds. Example: 1471564788642.'
    type: timestamp
    timeFormats:
      - unix_ms
      - rfc3339
  - name: PageUrl
    description: 'Relative URL of the top-level Lightning Experience or Salesforce mobile app page that the user opened. The page can contain one or more Lightning components. Multiple record IDs can be associated with PageUrl. Example: /sObject/0064100000JXITSAA5/view.'
    type: string
  - name: PreviousPageAppName
    description: The internal name of the previous application that the user accessed from the App Launcher.
    type: string
  - name: PreviousPageEntityId
    description: The unique previous page entity identifier of the event.
    type: string
    indicators:
      - trace_id
  - name: PreviousPageEntityType
    description: The previous page entity type of the event.
    type: string
  - name: PreviousPageUrl
    description: 'The relative URL of the previous Lightning Experience or Salesforce mobile app page that the user opened. Example: /sObject/006410000.'
    type: string
  - name: RecordId
    description: The id of the record being viewed or edited. For example, 001RM000003cjx6YAA.
    type: string
    indicators:
      - trace_id
  - name: SdkAppType
    description: 'The mobile SDK application type. Possible values: HYBRID, HYBRIDLOCAL, HYBRIDREMOTE, NATIVE, REACTNATIVE.'
    type: string
  - name: SdkAppVersion
    description: The version of the mobile SDK the application uses.
    type: string
  - name: SdkVersion
    description: 'The mobile SDK application version number. Example: 5.0.'
    type: string
  - name: ColumnHeaders
    description: Comma-separated values of column headers of the list view. These values are the API names, not the labels shown in the UI. For example, Name, BillingState, Phone, Type, Owner.Alias, CaseNumber, Contact.Name, Subject, Status, Priority, CreatedDate, Owner.NameOrAlias.
    type: string
  - name: DeveloperName
    description: The unique name of the object in the API. This name contains only underscores and alphanumeric characters, and is unique in your org. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, AllAccounts or AllOpenLeads.
    type: string
  - name: EventSource
    description: "The source of the event. Possible values are: 'API' — The user generated the list view from an API call. 'Classic' —The user generated the list view from a page in the Salesforce Classic UI. 'Lightning' — The user generated the list view from a page in the Lightning Experience UI."
    type: string
  - name: ExecutionIdentifier
    description: When list view execution data is divided into multiple list view events, use this unique identifier to correlate the multiple data chunks. For example, each chunk might have the same ExecutionIdentifier of a50a4025-84f2-425d-8af9-2c780869f3b5, enabling you to link them together to get all the data for the list view execution. The Sequence field contains the incremental sequence numbers that indicate the order of the multiple events.
    type: string
    indicators:
      - trace_id
  - name: FilterCriteria
    description: 'A JSON string that represents the list view''s filter criteria at the time the event was captured. Example: {"whereCondition":{"type":"soqlCondition","field":"Type","operator":"equals","values":["''Prospect''"]}}.'
    type: json
  - name: ListViewId
    description: The ID of the list view associated with this event. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, 00BB0000001c73kMAA.
    type: string
    indicators:
      - trace_id
  - name: Name
    description: The display name of the list view/report. The value is null for report previews. If blank, the list view is a default list view (such as the list view that displays when a user clicks the Groups tab in Salesforce Classic) and not explicitly created by a user. For example, All Accounts and All Open Leads.
    type: string
  - name: NumberOfColumns
    description: The number of columns in the list view.
    type: bigint
  - name: OrderBy
    description: The column that the list view is sorted by. For example, if a list view of accounts is sorted alphabetically by name, the OrderBy value is [Name ASC NULLS FIRST, Id ASC NULLS FIRST]. If the list is sorted alphabetically by type, the OrderBy value is [Type ASC NULLS FIRST, Id ASC NULLS FIRST].
    type: string
  - name: OwnerId
    description: The ID of the org or user who owns the list view. If the list view wasn't saved, this value is the same as UserId. For example, 005B0000001vURvIAM.
    type: string
    indicators:
      - trace_id
  - name: Scope
    description: "Represents the filter criteria for the list view. Possible values are: Delegated—Records delegated to another user for action; for example, a delegated task. Everything—All records, for example All Opportunities. Mine—Records owned by the user running the list view, for example My Opportunities. MineAndMyGroups—Records owned by the user running the list view, and records assigned to the user's queues. MyTerritory—Records in the territory of the user seeing the list view. This option is available if territory management is enabled for your org. MyTeamTerritory—Records in the territory of the team of the user seeing the list view. This option is available if territory management is enabled for your org. Queue—Records assigned to a queue. Team—Records assigned to a team."
    type: string
  - name: Sequence
    description: Incremental sequence number that indicates the order of multiple events that result from a given list view execution. When a list view execution returns many records, Salesforce splits this data into chunks based on the size of the records, and then creates multiple correlated ListViewEventStreams. The field values in each of these correlated ListViewEventStreams are the same, except for Records, which contains the different data chunks, and Sequence, which identifies each chunk in order. Every list view execution has a unique ExecutionIdentifier value to differentiate it from other list view executions. To view all the data chunks from a single list view execution, use the Sequence and ExecutionIdentifier fields in combination.
    type: bigint
  - name: DelegatedOrganizationId
    description: Organization Id of the user who is logging in as another user. For example, 00Dxx0000001gEH.
    type: string
    indicators:
      - trace_id
  - name: DelegatedUsername
    description: Username of the admin who is logging in as another user. For example, [email protected].
    type: string
    indicators:
      - username
      - email
  - name: LoginAsCategory
    description: 'Represents how the user logs in as another user. Possible values are: OrgAdmin—An administrator logs in to Salesforce as an individual user. Depending on your org settings, the individual user grants login access to the administrator. Community—A user who has been granted access to a Salesforce Experience Cloud site logs in.'
    type: string
  - name: TargetUrl
    description: The URL redirected to after logging in as another user succeeds.
    type: string
    indicators:
      - url
      - hostname
  - name: HasExternalUsers
    description: When true, external users are impacted by the operation that triggered a permission change. The default value is false.
    type: boolean
  - name: ImpactedUserIds
    description: A comma-separated list of IDs of the users affected by the event. A maximum of 1,000 user IDs are included. For example, if a permission set assigned to two users is updated, the users' IDs are recorded in this field.
    type: json
  - name: ParentIdList
    description: The IDs of the affected permission sets or permission set groups.
    type: json
  - name: ParentNameList
    description: The names of the affected permission sets or permission set groups.
    type: json
  - name: PermissionExpirationList
    description: A comma-separated list of timestamps from the PermissionSetAssignment.ExpirationDate field that specifies when added permissions will be revoked. This value is null when no expiration timestamp is specified or permissions are removed for the impacted users.
    type: json
  - name: PermissionList
    description: "The list of permissions that are enabled or disabled in the event. These permissions can include: AssignPermissionSets (Assign Permission Sets), AuthorApex (Author Apex), CustomizeApplication (Customize Application), ForceTwoFactor (Multi-Factor Authentication for User Interface Logins), FreezeUsers (Freeze Users), ManageEncryptionKeys (Manage Encryption Keys), ManageInternalUsers (Manage Internal Users), ManagePasswordPolicies (Manage Password Policies), ManageProfilesPermissionsets (Manage Profiles and Permission Sets), ManageRoles (Manage Roles), ManageSharing (Manage Sharing), ManageUsers (Manage Users), ModifyAllData (Modify All Data), MonitorLoginHistory (Monitor Login History), PasswordNeverExpires (Password Never Expires), ResetPasswords (Reset User Passwords and Unlock Users), ViewAllData (View All Data). When using this event in a transaction security policy, use the permission's API name, not its label, and use the Contains operator, rather than Equals."
    type: json
  - name: PermissionType
    description: 'The type of permission that is updated in the event. Possible values are: ObjectPermission, UserPermission.'
    type: string
  - name: UserCount
    description: The number of users affected by the event. This field has a maximum value of 1,000. If the user appears more than 1,000 times, the value remains at 1,000.
    type: string
  - name: Report
    description: The report ID for the report for which this anomaly event was detected. For example, 00OD0000001leVCMAY. If this anomaly resulted from a user executing an unsaved report, the value of this field is null.
    type: string
    indicators:
      - trace_id
  - name: DashboardId
    description: The ID of the dashboard that the report was part of. For example, 01ZB0000000PmoQ.
    type: string
    indicators:
      - trace_id
  - name: DashboardName
    description: The title of the dashboard that the report was part of.
    type: string
  - name: Description
    description: The description of the report.
    type: string
  - name: DisplayedFieldEntities
    description: The API values of the fields that are displayed on the report, including the names of the entities of the grouped column fields. For example, [ACCOUNTS, OWNERS].
    type: string
  - name: ExportFileFormat
    description: 'If the user exported the report, this value indicates the format of the exported report. Possible values are: CSV, Excel.'
    type: string
  - name: Format
    description: 'The format of the report. Possible values are: Matrix, MultiBlock, Summary, Tabular.'
    type: string
  - name: GroupedColumnHeaders
    description: Comma-separated values of grouped column fields in summary, matrix, and joined reports. For example, [USERNAME, ACCOUNT.NAME, TYPE, DUE_DATE, LAST_UPDATE, ADDRESS1_STATE].
    type: string
  - name: IsScheduled
    description: If TRUE, the report was scheduled. If FALSE, the report wasn't scheduled.
    type: boolean
  - name: ReportId
    description: The ID of the report associated with this event. For example, 00OB00000032FHdMAM.
    type: string
    indicators:
      - trace_id
  - name: CurrentIp
    description: The IP address of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousIp field for the previous IP address. If the IP address didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousIp field value. For example, 126.7.4.2.
    type: string
    indicators:
      - ip
  - name: CurrentPlatform
    description: The platform of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousPlatform field for the previous platform. If the platform didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousPlatform field value. For example, MacIntel or Win32.
    type: string
  - name: CurrentScreen
    description: The screen of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousScreen field for the previous screen. If the screen didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousScreen field value. For example, (900.0,1440.0) or (720,1280).
    type: string
  - name: CurrentUserAgent
    description: The user agent of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousUserAgent field for the previous user agent. If the user agent didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousUserAgent field value. For example, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36.
    type: string
  - name: CurrentWindow
    description: The browser window of the newly observed fingerprint that deviates from the previous fingerprint. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the PreviousWindow field for the previous window. If the window didn't contribute to the observed fingerprint deviation, the value of this field is the same as the PreviousWindow field value. For example, (1200.0,1920.0).
    type: string
  - name: PreviousIp
    description: The IP address of the previous fingerprint. The IP address of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentIp field for the newly observed IP address. For example, 128.7.5.2.
    type: string
    indicators:
      - ip
  - name: PreviousPlatform
    description: The platform of the previous fingerprint. The platform of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentPlatform field for the newly observed platform. For example, Win32 or iPhone.
    type: string
  - name: PreviousScreen
    description: The screen of the previous fingerprint. The screen of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentScreen field for the newly observed screen. For example, (1200.0,1920.0).
    type: string
  - name: PreviousUserAgent
    description: The user agent of the previous fingerprint. The user agent of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentUserAgent field for the newly observed user agent. For example, Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko).
    type: string
  - name: PreviousWindow
    description: The browser window of the previous fingerprint. The window of the newly observed fingerprint deviates from this value. The difference between the current and previous values is one indicator that a session hijacking attack has occurred. See the CurrentWindow field for the newly observed window. For example, (1600.0,1920.0).
    type: string
  - name: Message
    description: The failure message if the operation being performed on the entity failed (OperationStatus=Failure).
    type: string
  - name: OperationStatus
    description: 'Whether the operation performed on the entity (such as create) succeeded or failed. When the operation starts, the value is always INITIATED. Possible values are: Failure—The operation failed. Initiated—The operation started. Note: Create and update operations can generate an extra OperationStatus=Initiated event after an operation fails. Ignore this extra record. Success—The operation succeeded.'
    type: string
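
The permission fields above (PermissionList, ParentNameList, ImpactedUserIds, UserCount, HasExternalUsers, PermissionExpirationList) can be triaged as in the following added example, which is not part of Panther's or Salesforce's own code. The `HIGH_RISK` subset, the function names, and the sample event are assumptions made for illustration.

```python
import json

# Assumption: this high-risk subset is the example's own choice, taken from
# the API names listed in the PermissionList description.
HIGH_RISK = {"ModifyAllData", "ViewAllData", "AuthorApex", "CustomizeApplication",
             "ManageUsers", "ManageProfilesPermissionsets", "AssignPermissionSets"}
USER_CAP = 1000  # UserCount and ImpactedUserIds both stop at 1,000


def as_list(value):
    """Accept a parsed JSON array, a JSON string, or comma-separated text."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            value = value.split(",")
    if value is None:
        return []
    if not isinstance(value, list):
        value = [value]
    return [str(item).strip() for item in value if str(item).strip()]


def triage(event):
    """Return a finding for a permission change that needs review, else None."""
    # Containment, not equality: one event can list several permissions.
    risky = sorted(HIGH_RISK.intersection(as_list(event.get("PermissionList"))))
    if not risky:
        return None
    try:
        count = int(event.get("UserCount") or 0)  # typed as string in the schema
    except ValueError:
        count = 0
    count = max(count, len(as_list(event.get("ImpactedUserIds"))))
    return {
        "permissions": risky,
        "permission_sets": as_list(event.get("ParentNameList")),
        "user_count": count,
        "user_count_is_floor": count >= USER_CAP,  # true total may be higher
        "external_users": event.get("HasExternalUsers") is True,
        "expires": bool(as_list(event.get("PermissionExpirationList"))),
    }

# Constructed sample event; the permission set name and second user ID are made up.
SAMPLE_EVENT = {
    "PermissionType": "UserPermission", "UserCount": "2", "HasExternalUsers": False,
    "PermissionList": ["ViewAllData", "ResetPasswords"],
    "ParentNameList": ["Example_Support_Set"], "PermissionExpirationList": None,
    "ImpactedUserIds": "005B0000001vURvIAM,005B0000001vURwIAM",
}
```

When `user_count_is_floor` is true, the event hit the 1,000-user cap and the list of impacted users in the event is incomplete.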

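The Current*/Previous* fingerprint pairs above hold equal values when an attribute did not contribute to the deviation, so an alert can name exactly which attributes changed. The following is an added example, not code from Panther or Salesforce; the function names and the sample event are assumptions, and the screen and window values are normalized because the schema's own examples mix `(720,1280)` with `(900.0,1440.0)`.

```python
import re

# Current*/Previous* attribute pairs defined in the schema above.
FINGERPRINT_ATTRS = ("Ip", "Platform", "Screen", "UserAgent", "Window")
_DIMENSIONS = re.compile(r"^\(\s*(\d+(?:\.\d+)?)\s*,\s*(\d+(?:\.\d+)?)\s*\)$")


def _normalize(attr, value):
    """Make values comparable: '(720,1280)' and '(720.0,1280.0)' are one screen."""
    value = str(value).strip()
    if attr in ("Screen", "Window"):
        match = _DIMENSIONS.match(value)
        if match:
            return tuple(float(part) for part in match.groups())
    return value


def fingerprint_deviations(event):
    """Return {attribute: (previous, current)} for every pair that really differs."""
    deviations = {}
    for attr in FINGERPRINT_ATTRS:
        previous = event.get("Previous" + attr)
        current = event.get("Current" + attr)
        if previous is None or current is None:
            continue  # pair absent from this event; nothing to compare
        if _normalize(attr, previous) != _normalize(attr, current):
            deviations[attr] = (previous, current)
    return deviations


def alert_context(event):
    """One-line summary of the changed attributes for the alert."""
    deviations = fingerprint_deviations(event)
    if not deviations:
        return "no fingerprint deviation"
    parts = [f"{attr}: {prev} -> {cur}" for attr, (prev, cur) in sorted(deviations.items())]
    return "; ".join(parts)


# Constructed sample event, built from the example values in the field descriptions.
SAMPLE_EVENT = {
    "PreviousIp": "128.7.5.2", "CurrentIp": "126.7.4.2",
    "PreviousPlatform": "Win32", "CurrentPlatform": "MacIntel",
    "PreviousScreen": "(720,1280)", "CurrentScreen": "(720.0,1280.0)",
    "PreviousWindow": "(1600.0,1920.0)", "CurrentWindow": "(1200.0,1920.0)",
}
```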