Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Use Real-Time Event Monitoring to Audit User Activity

Learning Objectives

After completing this unit, you’ll be able to:

  • Use Visual Studio Code and the Salesforce Extension Pack to create an Apex class.
  • Use SOQL to query Real-Time Event Monitoring big objects synchronously.

Introduction

As a developer or an administrator, it’s important to have the best tools to get your job done. In this unit, you learn how to use SOQL queries in Salesforce Extensions with Visual Studio Code to query Real-Time Events. Querying Real-Time Events allows you to gain greater insight into who has viewed what data and when, where data was accessed, when a user changes a record using the User Interface (UI), and more. Querying events also allows you to determine appropriate thresholds for normal business usage before creating transaction security policies. 

Let’s take a look at how to use Visual Studio Code to query Real-Time Event Monitoring big objects synchronously. Visual Studio Code is an integrated development environment (IDE) that consists of a code editor, build automation tools, a debugger, and intelligent code completion. Before you go any further, make sure you’ve completed the steps in Quick Start: Visual Studio Code for Salesforce Development

Create a Project

  1. Open Visual Studio Code.
  2. Press Command + Shift + P on Mac or Ctrl + Shift + P on Windows to open the command palette.
  3. Type SFDX: Create Project
Note

This should autocomplete when you type any part of the command name. If it isn’t working, make sure the prompt starts with > 

  1. Press Enter to accept the default standard project type. 
  2. 5. Project Name: RealTimeEventMonitoring
  3. Save the project to your desktop so it is easy to find later on.
  4. Wait for the new Visual Studio Code window to open. You should see an indication that the extension is preparing your project before populating the file explorer.

Extension notice: Running SFDX: Create Project

Authenticate to Your Playground

Note

You should use the same playground you used in Unit 2. For instructions on setting up your playground, see Unit 2.

  1. Press Command + Shift + P on Mac or Ctrl + Shift + P on Windows to make the command palette appear.
  2. Type SFDX: Authorize an Org
  3. To accept the default login URL, press Enter.
  4. Press Enter to accept the default alias.
  5. Notice that your default browser opens a new Salesforce login window. Log in to your playground using your playground username and password.
  6. When you are asked to grant access to the connected app, click to allow.

The Allow Access page for a global connected app

  1. Close the browser window.

Check it out—your successful integration was logged in the output panel!

Successfully authorized USER with org ID; you may now close the browser

Create an Apex Class

Note

We’ll use a SOQL query to poll the data, but in order to check your work, we have to deploy it to your Trailhead Playground as part of an Apex class.

  1. Press Command + Shift + P on Mac or Ctrl + Shift + P on Windows to open the command palette.
  2. Type SFDX: Create Apex Class.
  3. Enter the name EventQueryHandler.
  4. If Visual Studio Code asks, select force-app/main/default/classes as the directory you wish to add EventQueryHandler.cls to.
  5. In the newly opened EventQueryHandler.cls file, replace the default code with the following:
public with sharing class EventQueryHandler {
    public static List<ReportEvent> getReportEvents() {
        return [SELECT ColumnHeaders,EventDate,ExportFileFormat,Format,NumberOfColumns,QueriedEntities,Records,ReportId,RowsProcessed,UserId,Username FROM ReportEvent where EventDate = Today];
        }
    }
  1. Click Save.

Run the SOQL Query

Now run your SOQL query against your playground org to filter objects by today’s date.

  1. In line 3 of the code, highlight the query SELECT ColumnHeaders,EventDate,ExportFileFormat,Format,NumberOfColumns,QueriedEntities,Records,ReportId,RowsProcessed,UserId,Username FROM ReportEvent where EventDate = Today
  2. Press Command + Shift + P on Mac or Ctrl + Shift + P on Windows to make the command palette appear.
  3. Search for SFDX:Execute SOQL Query with Currently Selected Text.
  4. Press Enter.
  5. Select REST API.
  6. In the Output tab of the integrated terminal, view the results of your query. A message at the end of the command output reads "ended with exit code 0.”, which means the command successfully ran. You also receive a popup indicating the successful execution.

The Output tab displaying the ReportEvent records received from your Trailhead Playground.

Deploy Your Code

The last step is to deploy your code to your playground from within Visual Studio Code.

  1. Right click the classes folder.

With the classes folder right-clicked, SFDX: Deploy Source to Org is selected in the options list.

  1. Click SFDX: Deploy Source to Org.
  2. In the Output tab, a message at the end of the command output reads "ended with exit code 0.”, which means the command successfully ran. You also receive a popup indicating the successful execution.

Parting Thoughts

You’ve defined Real-Time Event Monitoring and Real-Time Events, set up Real-Time Event Monitoring via Event Manager, and used Visual Studio Code and the Salesforce Extensions to directly execute highlighted SOQL and query Real-Time Events. Now you’re ready to use Real-Time Event Monitoring in your organization to audit user activity and investigate possible anomalies. Great work!

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback