Enable Transaction Security Policies to Intercept Real-Time Events Control
Control Name
Transaction Security Policies (Enable 'Transaction Security Policies' to intercept real-time events).
Control Overview
Real-time policy engine that intercepts and evaluates user actions against custom Apex logic, blocking or alerting on risky transactions before completion using Event Monitoring data streams.
Description
Policies evaluate Real-Time Event Monitoring events (20+ event types, including login, report export, list view and API access, and bulk data operations) at the moment the action is attempted. Conditions are built either with the no-code Condition Builder or with a custom Apex class that implements TxnSecurity.EventCondition, so they can express rules such as source IP or geolocation checks, row-count thresholds, and time-of-day restrictions. When a condition matches, the policy either blocks the operation, requires multi-factor authentication before it proceeds, or takes no blocking action and only notifies administrators (by email or in-app notification).
Recommended Configuration
Enable Transaction Security in Setup > Security > Transaction Security Policies (the feature requires the Salesforce Shield or Event Monitoring add-on subscription), then create policies for the high-risk actions that matter to the org: report exports above a row threshold (for example >1000 records), logins from unexpected IP ranges or countries, and bulk deletion of objects that hold PII.
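Two of the policies recommended above (large report exports and logins from unexpected locations) expressed as one Apex condition class, as an added example that is not from this page or from Salesforce's documentation. It assumes the class name, the 1000-row threshold and the country allowlist as hypothetical values, and relies on the TxnSecurity.EventCondition interface and the RowsProcessed, Operation and Country fields of the ReportEvent and LoginEvent objects. The class only returns true or false; the policy you create in Setup and point at this class decides whether a true result blocks, requires MFA, or only notifies.

```apex
// Added example, not the page's or Salesforce's own code.
// One class can back several Transaction Security Policies because each
// policy is attached to one event type and the switch below dispatches on it.
// Threshold and allowlist values are hypothetical and meant to be tuned from a
// notification-only baseline before the policy action is set to Block.
global class HighRiskActionCondition implements TxnSecurity.EventCondition {

    // Hypothetical threshold: exports returning more rows than this are flagged.
    private static final Integer MAX_EXPORT_ROWS = 1000;

    // Hypothetical allowlist of countries users are expected to log in from.
    private static final Set<String> ALLOWED_LOGIN_COUNTRIES =
        new Set<String>{ 'United States', 'Canada' };

    // Called by the platform for each real-time event the policy is attached to.
    // true  -> the policy action (Block / MFA / notify) fires
    // false -> the transaction proceeds untouched
    public Boolean evaluate(SObject event) {
        switch on event {
            when ReportEvent reportEvent {
                return isLargeExport(reportEvent);
            }
            when LoginEvent loginEvent {
                return isLoginFromUnexpectedCountry(loginEvent);
            }
            when null {
                return false;
            }
            when else {
                // Fail open for event types this class was not written for, so a
                // policy attached to the wrong event cannot block unrelated work.
                return false;
            }
        }
    }

    // Flag report exports whose row count exceeds the threshold.
    // Report runs that are only viewed in the UI are left alone.
    private Boolean isLargeExport(ReportEvent reportEvent) {
        if (reportEvent.Operation != 'ReportExported') {
            return false;
        }
        return reportEvent.RowsProcessed != null
            && reportEvent.RowsProcessed > MAX_EXPORT_ROWS;
    }

    // Flag logins geolocated outside the allowlist. A missing country value
    // (for example an IP the geolocation service cannot resolve) is not
    // treated as a match, so users are not locked out on absent data.
    private Boolean isLoginFromUnexpectedCountry(LoginEvent loginEvent) {
        if (String.isBlank(loginEvent.Country)) {
            return false;
        }
        return !ALLOWED_LOGIN_COUNTRIES.contains(loginEvent.Country);
    }
}
```

Deploy the class to a sandbox first, create one policy per event type (ReportEvent and LoginEvent) that references it with a notification-only action, and review the notifications for false positives before changing the action to Block. Like any Apex deployed to production, the class needs unit tests that meet the org's code coverage requirement, and the condition should stay short and free of callouts so it returns well within governor limits.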
Security Impact
Adds a preventive control layer that can stop data exfiltration, privilege abuse, and other suspicious patterns at the moment they are attempted, complementing detective Event Monitoring with an active response capability.
Business Impact
When policies are tuned, protects sensitive data and workflows with little user disruption. Because blocking and alerting happen at the time of the action, the response to a matched policy takes seconds instead of the hours an analyst-driven investigation needs.
Security Risk If Not Configured
Without real-time policies the org depends on after-the-fact log review and forensics rather than prevention; a bulk export or mass deletion is discovered, if at all, only after the data has already left the platform.
Threat Scenarios
Inability to block or alert on suspicious user actions, allowing unauthorized data access and manipulation such as bulk PII exports, risky login patterns, or mass record deletion by compromised accounts.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
False positives from an over-broad Block policy can lock legitimate users out of reports, logins, or integrations, so conditions need careful tuning; Apex conditions run under governor limits and must return quickly; test every policy in a sandbox, then run it in production with notification only, before enabling Block.
Higher Risk When
External/Community users enabled, high-value datasets (Health Cloud PHI, Financial Services), API-heavy integrations, or history of targeted attacks against admin accounts.
Low Risk When
Internal users only, simple permission model, strong MFA enforcement, and comprehensive Event Monitoring analytics are already deployed.
Business and Integration Considerations
Start with notification-only policies (no Block or MFA action) to baseline normal traffic and surface false positives, then switch the action to Block once the conditions are stable; route the notifications to Slack/Teams (for example by forwarding the policy's email alerts) so responders see hits in real time.
Security Health Review Guidance
Strongly recommended.
Who Is Impacted
Security architects creating policies, Salesforce admins managing policy execution, end users potentially affected by blocking actions, and compliance teams reviewing policy logs.

