Detect Threats to Your Salesforce Org (Generally Available)

Track threats to your org’s security with three new Real-Time Event Monitoring events. Salesforce generates these events, aided by machine-learning algorithms, to identify anomalies in your users’ behavior and unauthorized access to your org.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Unlimited, and Developer editions where Event Monitoring is enabled.

Who: Event Monitoring is available to customers who purchase Salesforce Shield or Event Monitoring add-on subscriptions.

How: Use these new Real-Time Event Monitoring platform events to detect common threats to your org:

  • CredentialStuffingEvent: Tracks when a user successfully logs in to Salesforce during an identified credential stuffing attack. Credential stuffing refers to large-scale automated login requests using stolen user credentials. CredentialStuffingEventStore stores the streaming data for up to 6 months.
  • ReportAnomalyEvent: Tracks anomalies in how users run or export reports. ReportAnomalyEventStore stores the streaming data for up to 6 months.
  • SessionHijackingEvent: Tracks when unauthorized users gain ownership of a Salesforce user’s session with a stolen session identifier. SessionHijackingEventStore stores the streaming data for up to 6 months.

Since the beta in Spring ’20, we added more features to Threat Detection. You can now:

  • View the three Threat Detection storage events in the Salesforce UI using the new Threat Detection app. You can also provide feedback about a particular Threat Detection event.
  • Create notification-only Transaction Security policies on the three Threat Detection storage events.
  • Read a brief summary of the detected threat with the new Summary field of each event.
  • View the full set of browser fingerprint features that triggered a session hijacking event with the new SecurityEventData field of SessionHijackingEvent.
  • Create reports on the three events by creating a custom report type that uses one of the three Threat Detection events as its primary object.
  • View the posts and feed-tracked changes to the three Threat Detection storage events and the new ThreatDetectionFeedback object.
  • Create Einstein Analytics reports and dashboards on the three Threat Detection events.
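
For triage outside the Salesforce UI, the following added example (not Salesforce code) takes one SessionHijackingEventStore row that has already been queried and lists which browser fingerprint features in SecurityEventData changed, ranked by contribution. The sample row is constructed, and the JSON layout inside SecurityEventData (featureName, featureContribution, previousValue, currentValue) and the Username and EventDate fields are assumptions to check against events in your own org.

```python
import json

# Constructed sample row; the SecurityEventData JSON layout is an assumption.
SAMPLE_ROW = {
    "EventDate": "2020-07-01T12:00:00.000+0000",
    "Username": "user@example.com",
    "Summary": "Constructed summary text",
    "SecurityEventData": json.dumps([
        {"featureName": "timezone", "featureContribution": "0.0 %",
         "previousValue": "UTC-7", "currentValue": "UTC-7"},
        {"featureName": "screenResolution", "featureContribution": "0.211 %",
         "previousValue": "1920x1080", "currentValue": "1366x768"},
        {"featureName": "userAgent", "featureContribution": "0.747 %",
         "previousValue": "Chrome/83.0 Windows", "currentValue": "Firefox/77.0 Linux"},
    ]),
}

def parse_contribution(text):
    """Turn '0.747 %' (or a bare number) into a float; unparseable values become 0.0."""
    try:
        return float(str(text).replace("%", "").strip())
    except ValueError:
        return 0.0

def changed_features(row):
    """Return fingerprint features whose value changed, highest contribution first."""
    try:
        features = json.loads(row.get("SecurityEventData") or "[]")
    except (TypeError, json.JSONDecodeError):
        return []  # malformed field: report nothing instead of failing the triage run
    if not isinstance(features, list):
        return []
    changed = []
    for f in features:
        if not isinstance(f, dict) or f.get("previousValue") == f.get("currentValue"):
            continue  # skip junk entries and features that did not change
        changed.append({"feature": f.get("featureName", "unknown"),
                        "contribution": parse_contribution(f.get("featureContribution")),
                        "previous": f.get("previousValue"),
                        "current": f.get("currentValue")})
    return sorted(changed, key=lambda c: c["contribution"], reverse=True)

def triage_line(row):
    """One-line analyst summary: user, Summary field, top three changed features."""
    detail = "; ".join(f"{c['feature']}: {c['previous']!r} -> {c['current']!r}"
                       for c in changed_features(row)[:3])
    return f"{row.get('Username', '?')} | {row.get('Summary', '')} | {detail or 'no fingerprint detail'}"

if __name__ == "__main__":
    print(triage_line(SAMPLE_ROW))
```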