
Create and Run a Data Detect Policy

Learning Objectives

After completing this unit, you’ll be able to:

  • Create a Data Detect policy that defines the scope, timeframe, and exclusions for a data scan.
  • Define the specific objects, fields, and sensitive data categories to include in your scan.
  • Start a Data Detect scan and monitor its progress.

Salesforce Shield Data Detect helps you find sensitive information that might have accidentally been saved in your standard and custom Salesforce fields. Setting up scan policies helps your organization maintain better security and compliance. Let’s learn how Zephyrus Relocation Services has handled this at their organization.

Zephyrus’s CEO, Carolyn Baumgartner, asks Calvin Green, the company’s Salesforce admin, to use Data Detect to run targeted scans that identify any hidden PII. If he uncovers anything, he can work with Ernesto Rondán, the IT director, to mask data in sandboxes or encrypt fields in production.

Let’s help Calvin create a policy to find this hidden data across Accounts, Cases, and Contracts.

Sign Up for a Developer Edition Org with Data Detect

To complete this module, you need a special Developer Edition org that contains Data Detect. Get the free Developer Edition and connect it to Trailhead now so you can complete the challenges in this module. Note that this Developer Edition is designed to work with the challenges in this badge, and may not work for other badges. Always check that you’re using the special Developer Edition org that we recommend.

    • For Email, enter an active email address.
    • For Username, enter a username that looks like an email address and is unique, but it doesn’t need to be a valid email account (for example, yourname@example.com).
  • After you fill out the form, click Sign me up. A confirmation message appears.
  • When you receive the activation email (this might take a few minutes), open it and click Verify Account.
  • Complete your registration by setting your password and answering the challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later. Also, note the org creation date.
  • You’re logged in to your Developer Edition Org.

Now connect your new Developer Edition org to Trailhead.

  • Make sure you’re logged in to your Trailhead account.
  • In the Challenge section at the bottom of this page, click the playground name and then click Connect Org.
  • On the login screen, enter the username and password for the Developer Edition you just set up.
  • On the Allow Access? screen, click Allow.
  • On the Want to connect this org for hands-on challenges? screen, click Yes! Save it. You’re redirected back to the challenge page and ready to use your new Developer Edition to earn this badge.

Create a New Policy

Your first step is to create a policy and define what and when you want to scan.

  1. From the App Launcher, select Data Detect.
  2. Select the Policies tab. This is where your policies reside.
  3. Select New to create your first policy.
  4. For Policy Name, enter Passport_and_PII_Audit. The name can include letters, numbers, hyphens, and underscores.
  5. You can add a description (optional): Scanning logistics records for passport numbers and contact PII to ensure GDPR compliance.

Define the Timeframe and Exclusions

Data Detect lets you focus on specific windows of time to keep scans efficient.

Note

To use the sample data in this badge’s org for the Hands On Challenge, select a time range that covers the date the playground was created. If you can't remember when you created the playground, search for Company Information in Setup and find the Created Date.

  1. In Date Range, select a Date Range Start and Date Range End. As stated above, make sure the date range includes when the org was created. Data Detect scans for any new or changed data made within this selected timeframe. You can choose a set historical timeframe or a custom timeframe to scan a subsection of sensitive data.
  2. Policy Exclusions: Leave this blank for now. We want a total view of the data without skipping anything.
  3. Click Save. Your policy is now viewable from the Detection Rules tab, where you will define the scan criteria.

Add Objects and Fields to the Scan

Now, tell Data Detect exactly where to look for sensitive data.

  1. In the Detection Rules section, under Identified Objects, click Add Object.
  2. Select Account, then select all available fields by clicking the checkbox next to Field Name.
  3. Repeat this for Case and Contract.
  4. Click Done.

Note

While it’s tempting to “select all,” scanning millions of records across multiple objects takes time. For daily maintenance, Calvin would only select the specific fields where he suspects the risk is highest.

Choose What to Detect

Now, it’s time to define the specific “fingerprints” Data Detect should look for. You can use standard categories, or create your own custom criteria for unique business needs.

Standard Categories

Data Detect comes with over 20 preconfigured sensitive data categories, covering everything from credit card numbers to HIPAA-related data.

  1. Select Sensitive Data Categories from the left side of the Detection Rules tab.
  2. Click Add Sensitive Data Categories.
  3. Scroll through the list and select the categories you need.
  4. For Calvin’s audit, search for and select Email Address and IP Address.
  5. Click Done. Selecting only the categories you need helps reduce total scan time.

Custom Criteria: Patterns and Keywords

Sometimes, your data risks are unique to your industry. Data Detect allows you to add custom logic.

  • Custom patterns (regex): Use regular expressions (regex) to find organization-specific data like employee IDs, student numbers, or specialized document formats. You can add up to 10 regular expression patterns per policy.
    • Tip: You can test and validate your regex before running the scan to ensure it’s accurate.
  • Keywords: Use these to find distinct terms, project code names (like "Project Alpha"), or proprietary phrases that shouldn't be in plain text. You can add up to 10 keywords per policy.

Help Calvin Create the Passport Detector

Ernesto Rondán, the IT director, informs Calvin that many of their international customers use a specific passport format: two uppercase letters followed by seven digits (for example, AB1234567).

  1. Under the Custom Patterns section, click Add Pattern.
  2. Pattern Name: Passport_Number
  3. Regular Expression Syntax: [A-Z]{2}\d{7}
  4. To test the pattern, paste AB1234567 into the Enter your text field and click Validate to confirm that the pattern identifies it as a passport number.
  5. Click Save.
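
Validating one positive sample only shows that the pattern can match. The following added example (not part of the Trailhead unit or Salesforce's code) checks the pattern against constructed field values that should and should not be flagged. It assumes Python's `re` module as a stand-in for Data Detect's regex engine, which the unit does not specify; `BOUNDED_PATTERN` is a hypothetical stricter variant, and whether Data Detect accepts lookarounds is not confirmed by the page.

```python
import re

# Pattern exactly as entered in the policy in this unit.
PAGE_PATTERN = r"[A-Z]{2}\d{7}"
# Hypothetical stricter variant: same format, but not embedded in a longer
# alphanumeric token. Lookarounds (rather than \b) let "_" act as a separator.
BOUNDED_PATTERN = r"(?<![A-Za-z0-9])[A-Z]{2}\d{7}(?![A-Za-z0-9])"

# Constructed sample field values: (text, should_be_flagged)
SAMPLES = [
    ("Passport AB1234567 on file", True),
    ("passport:XY7654321", True),
    ("doc_AB1234567_scan.pdf", True),
    ("Tracking ref ZZAB12345678901", False),  # longer shipment id
    ("Order SKU1234567890", False),           # product code
    ("ab1234567", False),                     # lowercase: not the stated format
    ("AB123456", False),                      # only six digits
]

def evaluate(pattern, samples=SAMPLES):
    """Return (false_positives, false_negatives) for a pattern over samples."""
    rx = re.compile(pattern, re.ASCII)  # \d limited to ASCII digits
    false_pos, false_neg = [], []
    for text, expected in samples:
        hit = rx.search(text) is not None
        if hit and not expected:
            false_pos.append(text)
        elif expected and not hit:
            false_neg.append(text)
    return false_pos, false_neg

if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("bounded", BOUNDED_PATTERN)):
        fp, fn = evaluate(pat)
        print(f"{name}: false positives={fp} false negatives={fn}")
```

Because the pattern from the unit is unanchored, it also matches a passport-shaped substring inside longer identifiers, which inflates scan findings; the same negative samples can be pasted into the Validate field to see how Data Detect itself behaves.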

Review, Edit, and Start the Scan

Before running, always review your policy settings.

  1. To review the final policy, select the Overview tab.
  2. To edit any part of the policy, select Edit Policy and move through the creation pages to find the area you want to change.
  3. Make any necessary changes to the policy and save your work.
  4. To start the scan, click Run Scan from either the Policy Overview tab or the Detection Rules tab. You see a preview of the Policy details to confirm before the scan begins.
  5. Click Scan Policy. After the scan starts, you will see a scan confirmation message. Updates to the Scan Status appear on the right side of the page as the scan progresses. Note that once you’ve started it, you don’t need to complete your scan to check the challenge below.

After a scan is completed, you can view its status and details by selecting the job ID under Name from the Data Detect Job Sessions tab.

Now it’s time to check your work. Select Check Challenge for 500 points. Once you pass the challenge, you can move to the next unit where you’ll learn how to view and use the scan results dashboard to analyze risks and take action on your findings.
