Get to Know Real-Time Events and Transaction Security

Learning Objectives

After completing this unit, you’ll be able to:

  • Define Real-Time Event Monitoring and Real-Time Events.
  • Understand how Real-Time Event Monitoring differs from Event Monitoring.
  • Distinguish between platform events and big objects.
  • Define Transaction Security.
  • Describe Real-Time Event Monitoring use cases.
Note

Note

The functionality described in this module is available in Enterprise, Unlimited, and Developer Editions. It requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions. This functionality is also available in a Trailhead Playground, which you can use to complete this module.

Before You Start

This module shows you how you can use Real-Time Event Monitoring to gain visibility into your Salesforce org (in near real time) by monitoring and detecting standard events. You can access Real-Time Event Monitoring data with Salesforce Object Query Language (SOQL) and with Asynchronous (Async) SOQL, and you can use Real-Time Event Monitoring to subscribe to standard platform events published by Salesforce. To be able to understand this module, you should be familiar with SOQL, Async SOQL, and the Platform Events feature. You should also have knowledge of big objects and Streaming API. Here is a list of resources you can review to learn more about these introductory concepts before continuing. 

Understand Real-Time Event Monitoring

If you’ve taken the Event Monitoring and Event Monitoring Analytics App modules, you’ve learned how to use Event Monitoring to see the details of user activity in your organization, and to track logins, API calls, report exports, and more. 

With Real-Time Event Monitoring, you can detect user behavior sooner than with traditional Event Monitoring and take action if necessary. Real-Time Event Monitoring helps you monitor and detect standard events in Salesforce in near real time. Salesforce Real-Time Event Monitoring is a user activity and application monitoring service available to Salesforce customers through the purchase of an add-on license. Real-Time Event Monitoring is included in your Salesforce Event Monitoring license. 

Real-Time Event Monitoring can be used with Transaction Security to automatically block risky user actions and notify you in real time when they occur. Real-Time Event Monitoring stores event data for auditing or reporting purposes, in some cases much longer than data is stored using traditional Event Monitoring.

Event Monitoring vs Real-Time Event Monitoring

With Real-Time Event Monitoring, you can gain visibility into your Salesforce org in two ways: in near real time by monitoring specific platform events, and through querying events stored in big objects. Before we go any further, let’s define some terms.

  • Event: Anything that happens in Salesforce, including user clicks, record state changes, and measuring values. Events are immutable and timestamped.
  • Event Monitoring: One of the many tools that Salesforce provides to help keep your data secure, allowing you to see the granular details of user activity in your organization. We refer to these user activities as events. Unlike Real-Time Events, Event Monitoring doesn’t send real-time notifications. Instead, it stores user activity in a log that you can query.
  • Event log file: In Event Monitoring, all events are stored in EventLogFile standard object event types, which are generated when an event occurs in your organization and is available to view and download after 24 hours, as well as on an hourly cadence via Hourly EventLogFiles. Event Monitoring stores 30 days’ worth of event log files.
  • Real-Time Event Monitoring: Whereas Event Monitoring allows you to view events after 24 hours, Real-Time Event Monitoring helps you monitor and detect standard events in Salesforce in near real time. You can store the event data in big objects for auditing or reporting purposes.
  • Real-Time Events: Real-Time Events are platform events that are streamed in real time based on user actions in Salesforce. These Real-Time Events are not only streamed immediately as platform events, but they are also stored in big objects immediately as well. Once an event is stored in a big object, you can query the event with SOQL and Async SOQL.

Distinguish Between Platform Events and Big Objects

Using Real-Time Event Monitoring, you can interact with events either by subscribing to standard platform events, or by investigating events stored in big objects. Let’s take a closer look. 

Standard Platform Events

Real-Time Event Monitoring provides standard platform events that you can subscribe to for monitoring user activity in real time, such as logins and running reports. The user’s actions are captured and streamed as a platform event. You can also create custom services that subscribe to platform events so that your team can be alerted in real time when certain activity is captured by Real-Time Event Monitoring. For example, you can subscribe to the event channel for LoginEventStream to receive notifications when users log in. Other examples include reports, list views, logins, API calls, and when records are modified. 

A user logs into a Salesforce system, triggering a notification that an admin receives in real time that reads: “A user has logged in.”

Event Objects

Real-Time Event Monitoring objects have three primary uses: streaming data, storing data, and enforcing policies on data. But these uses don’t apply to all objects. For guidance on which objects are available for each use case, see Considerations for Using Real-Time Event Monitoring.

Big Objects

Some Real-Time Events are stored as big objects so that you can look at historical event data for 6 months to 10 years in the past, depending on the event, which is much longer than what you can do with event log files in Event Monitoring. This unlocks the power for your security team to investigate if an incident occurs because of malicious user behavior.

Transaction Security

You can use Real-Time Events in Transaction Security to enforce policies in near real time. When a policy is triggered, notifications are sent through email or in-app notifications. You can use standard actions, such as blocking an operation, or custom actions defined in Apex—a programming language that allows developers to execute flow and transaction control statements on the Lightning Platform server in conjunction with calls to the API. For example, you can use a Transaction Security policy on ReportEvent to limit the number of records a user can download, or trigger two-factor authentication to allow the download to continue. 

The table below describes a few of the standard platform event and object pairs for Real-Time Event Monitoring, and an indication of whether they can be used in a Transaction Security policy. For more information, see Real-Time Event Monitoring Objects in the developer documentation. Note that not all Real-Time Events are both streamed as platform events and saved as a big object. 

Note

Note

Real-Time Event Monitoring objects sometimes contain sensitive data. Assign object permissions to Real-Time Events accordingly in profiles or permission sets.

Using Real-Time Event Monitoring

You can use the events provided by Real-Time Event Monitoring to audit user activity and look for anomalous actions, enforce security policies, and keep track of application performance. 

Audit User Activity

Real-Time Event Monitoring keeps track of various user activity with over 15 different events that capture user behavior, such as:

  • Downloading a report containing account data with over 2,000 rows
  • Modifying a filter on a contact list view to include personally identifiable information (PII)
  • Querying sensitive records via version 2 of the Bulk API

You can get alerted in real time when each of these user-based activities occur. The user’s actions are captured and streamed as a platform event or stored into a big object, or both, so that you remain informed about what users are doing in your org. This unlocks the power for your security team to investigate if a security incident occurs because of malicious user behavior.

Enforce Security Policies

Your team can also use Transaction Security in conjunction with Real-Time Events to apply appropriate actions to monitor and control user activity. Each Transaction Security policy has conditions that evaluate the events and triggers real-time actions after those conditions are met. For example, you can block an action from occurring. 

Keep Track of Application Performance

In the modern data-centric, technology-driven world, applications make the world go round. Which is why it’s important to understand how your applications are performing and which resources they are using. No one likes a resource hog! 

With Real-Time Event Monitoring you can be notified in real time when a Salesforce org exceeds the concurrent long-running Apex limit. The ConcurLongRunApexErrEvent platform event object notifies subscribers of errors that occur when a Salesforce org exceeds the concurrent long-running Apex limit. 

You can also keep track of API calls that are counting toward your 24-hour limit. You can monitor how long your bulk API jobs are taking in the sandbox so that you have a better idea of how it might transpire when you run the jobs in production. All of this enables you to track your application performance in real time.

Whew! That was a lot of information. You’re now ready to get your feet wet and start using Real-Time Event Monitoring in the wild. Let’s turn to the next unit to get you set up.

Resources

Keep learning for
free!
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities