Quick Start: Event Monitoring

Assign the Event Monitoring Permission

Set up Event Monitoring with one permission. The Event Monitoring User permission gives you access to event log files (ELFs), event log objects (ELOs), real-time events, and the Threat Detection app.

1. From Setup, in the Quick Find box, enter Permission, and then click Permission Sets.
2. Click Event Monitoring User | Manage Assignments.
3. Select a user, and then click Add Assignments.

Turn On Event Monitoring

Turn on critical ELF settings.

1. From Setup, in the Quick Find box, enter Event Monitoring, and then select Event Monitoring Settings.
2. Turn on:
   1. View event log data in analytics apps—Shows ELF data in CRM Analytics.
   2. Generate event log files—Generates over 70 different ELF types. Generate event log files is on by default for Shield & Event Monitoring customers.
   3. Retain event log files—Stores ELF data for one year.
      

      Note If needed, Backup & Recover can retain ELF data for longer than a year.
   4. (Optional) Delete event monitoring data—Allows manual deletion of ELF data, which is sometimes required to meet regulatory and privacy requirements such as GDPR.
   5. (Optional) Enable Lightning Logger—Adds observability to your Lightning web components (LWCs) by using the Custom Component Instrumentation API. Manually instrument your org's LWCs by using the Lightning Logger. Logs generated by the Lightning Logger publish through the Lightning Logger Event Type.
   

Turn On Real-Time Event Monitoring Storage and Streaming

Real-Time Event Monitoring (RTEM) publishes user events in near real-time. You can store and query RTE data in Salesforce big objects for auditing and reporting purposes.

RTEM events stored in Salesforce don’t count against your data storage limits. Many of the storage events are Salesforce big objects, which are ideal for storing large volumes of data. See Real-Time Event Monitoring Data Storage.

Note We recommend turning on storage for all real-time events.

You can subscribe to real-time Events published by Salesforce to monitor activity in your org. See Real-Time Event Monitoring Data Streaming.

Note Only turn on streaming if you plan to set up a subscriber using CometD or the Pub/Sub API.

1. From Setup, in the Quick Find box, enter Event Manager, and then click Event Manager.
2. From the dropdown next to an event, click Enable Storage and Enable Streaming.

Set Up Event Log Object Analytics

Gain visibility into platform performance, security threats, and user behavior when you transform log data by using event log objects (ELO) analytics. Actionable insights help you proactively identify and resolve latent system bottlenecks and detect security anomalies before they impact the production environment.

1. From the App Launcher, find and select Analytics Studio.
2. Click Create, and select App.
3. In the Search bar, enter Event Monitoring Event Log Objects Analytics.
4. Click the Event Monitoring Event Log Objects Analytics template, and then click Continue.
5. Name your app and click Create.
   

Query and Visualize Event Log Objects

Access and analyze visual log data quickly for earlier detection of security and performance incidents.

1. From Setup, in the Quick Find box, enter Analytics Studio, and select Analytics Studio.
2. To create a dashboard, click Create and then, from the dropdown list, select Dashboard.
3. Drag the Chart option to your dashboard.
4. To select a data source, click the new chart.
5. In the data source window, go to the Salesforce Object tab.
6. To see all event log objects, search for event log.
7. Select the event log object data you want to visualize. See Visualize Data With Charts.
8. You can visualize your data in a variety of chart types using Salesforce Direct. Limit the number of panels on your dashboard to avoid any timeouts. See Salesforce Direct Data Queries.
   

Create Transaction Security Policies

Use the Transaction Security Condition Builder to create transaction security policies (TSPs) that can notify you or block an action when a user takes a potentially malicious or risky action in Salesforce.

Note Work with your InfoSec or security teams to choose appropriate events and configure transaction security policies correctly. Engaging security stakeholders helps to align Event Monitoring with your overall security strategy and compliance goals.

For information on included TSPs, examples, and using Apex for advanced use cases, see Essential Transaction Security Policies to Enhance Your Security Posture.

This example creates a policy that notifies you when someone downloads a report that contains more than 10,000 records.

1. From Setup, in the Quick Find box, enter Transaction Security, and then select Transaction Security Policies.
2. Click New, and then select Condition Builder.
3. Click Next.
4. Select or enter:
   1. Event: Report Event
   2. Condition Logic: All Conditions Are Met (AND)
   3. Condition: Operation Equals ReportExported
   4. Condition: Rows Processed Greater than 10,000
5. Click Next.
6. Select or enter:
   1. Action: None
   2. Notification: Email Notification
   3. Recipient: Select yourself
   4. Name: Enter a name
   5. Status: Enabled
7. Click Finish.

Set Up Threat Detection

Before you can view the Threat Detection events in Salesforce and provide feedback, you must make the app visible to users. You also specify which of the tabs are visible to different user profiles.

Note We recommend creating transaction security policies that notify you when threat detection events are published.

Confirm you have the Event Monitoring User permission set which includes View Threat Detection Events.

1. Use Event Manager to enable streaming and storage for the Threat Detection events: ReportAnomalyEvent, SessionHijackingEvent, GuestUserAnomalyEvent, LoginAnomalyEvent and CredentialStuffingEvent.Create a permission set that’s associated with the Salesforce license.
2. Edit the Tab Settings of each user profile that uses the Threat Detection app and specify the visibility of the tabs. The tabs are named Report Anomaly Event Store, Session Hijacking Event Store, Credential Stuffing Event Store, and Threat Detection Feedback.
   For example, system administrators usually access everything in the UI, so set the visibility of all tabs to Default On for the System Administrator profile. If you created a Threat Detection Administrator profile, set the same visibility. If you don’t want standard users to view feedback, set the visibility of Threat Detection Feedback for the Standard User profile to Tab Hidden.
3. From Setup, in the Quick Find box, enter App Manager.
4. Edit the Threat Detection app by selecting Edit in the dropdown to the right of the app.
   
5. In the Assign to Profiles section, select the profiles for which the Threat Detection app is visible.
   
6. Save your changes.

View Threat Detection Details and Provide Feedback

Threat Detection uses statistical and machine learning methods to detect threats to your Salesforce org, and captures that data in real-time event objects. View recent or all Threat Detection events using the Threat Detection app in the Salesforce UI.

1. From the App Launcher, find and select Threat Detection.
2. Click the tabs for list views of recent or all events stored in the Threat Detection objects.
3. To view event details, click the event.
   See Threat Detection for information on how to read threat event details.
4. To view feedback associated with an event, click Related .

Optional Resources

Now that you have access to Event Monitoring features, learn more about what else you can do.

Third-Party Integrations

Most security information and event management (SIEM) and observability solutions can import Event Monitoring data through our APIs. These partners and SIEM solutions support connections that make it easy to import Event Monitoring data.