4 More Salesforce Event Monitoring Myths: Understanding What Event Monitoring Does (and Doesn’t) Do

One of the biggest challenges customers face when they want to leverage and maximize the value of Salesforce Shield’s Event Monitoring is understanding the basic controls. In order to use the solution to its fullest, you need to know which changes are being made in the back end of Salesforce when a new object is added, when a new workflow is deleted, when there’s a change to a permission set, etc. If you have Event Monitoring layered atop Salesforce for cloud security, to maximize value from Event Monitoring, it’s critical to first understand what the tool does (and doesn’t do), and how other solutions interact with the data Event Monitoring records. Here are four more Salesforce Event Monitoring myths and facts.

Myth #1: Event Monitoring provides visibility.

Fact #1: Event Monitoring only provides raw log files. For visibility into the raw data, you’ll need a tool to translate the complex information into actionable insights. And visibility is important – 56 percent of companies, for example, report not having enterprise-wide visibility into privileged user access, which can set them up for data loss and unauthorized changes to permission sets and profiles. Salesforce automatically includes Einstein Analytics with Event Monitoring, and while Einstein can provide some visibility, its reach may be limited. If you really want to dive deep and uncover instant insights in an easy-to-read, organized dashboard, you’ll want to explore Salesforce’s ecosystem of strategic ISV partners for a more robust and proactive visibility tool that retains data beyond 30 days.

Myth #2: Event Monitoring delivers proactive alerts.

Fact #2: Event Monitoring has Transaction Security – which isn’t the same as proactive alerts. Transaction Security policies can keep users aligned with the data protection guidelines you’ve established, blocking prohibited actions in real-time. But that doesn’t mean you’ll receive proactive alerts about suspicious user behavior. If a user performs an unusual action, such as downloading an abnormally large quantity of data, Event Monitoring will record that event (which will be contained in the audit logs), but it won’t send you real-time notifications of unusual activity.

As an example, let’s examine a common use case. Say an employee tries to perform an export of a 100,000-row report, and the export is blocked by a previously-established transaction rule. But they can still export 90,000 rows without a problem. They can even run 10 90,000-row reports, netting them nearly 1 million rows of data. The employee easily skirted the enforced policy, and now they have even more data than they were originally after. Transactional security is, by nature, transactional, and therefore has limitations. With true proactive alerts, unusual behavior or exports over a specified threshold would trigger an alert, preventing this activity from going unnoticed.

Myth #3: You can alter the raw log data contained in Event Monitoring reports.

Fact #3: Event Monitoring log data is read-only. There is no way to edit, insert, or delete the raw log files. This is good news for security reasons – no users (not even admins) can change the log data, meaning you have a source of unalterable truth at your fingertips. This inability to edit the raw log files is helpful in preventing privileged user abuse, as well.

Myth #4: Event Monitoring log files are a lasting record of user activity.

Fact #4: Event Monitoring log files record activity, but they aren’t durable. If you switch your Salesforce site for maintenance, refresh instances, or experience unexpected system outages, you could lose your data. Salesforce takes efforts to prevent data loss whenever possible, but there’s still a chance you might end up with gaps in your user activity data. Along those same lines, if you get hourly log files, it’s possible that you won’t get all the event log data in the hourly log files — particularly if you’ve undergone a site switch, instance refresh, or unplanned system outage. If you want to prevent data loss, you may need to step up from basic daily log files and layer a solution that unlocks the true power of Event Monitoring.

Salesforce Event Monitoring is a valuable tool that allows you to make better use of the data that already exists in your ecosystem. By dispelling these common misunderstandings, you can get a better grasp of how Event Monitoring can power your data information processes, giving you deep visibility into the details of your organization’s Salesforce environment.