As Salesforce Architects, we’ve all encountered the problem of guaranteeing that our options usually are not simply practical, but in addition basically sturdy. Most of us have been in disaster conferences about gradual working processes, unusual Apex errors in manufacturing, or knowledge that will have been accessed with out permission. The important thing to a fantastic implementation will not be having zero points — however being able to triage these points shortly with knowledge to again up choices.
That is the place Salesforce Occasion Monitoring is available in. It offers the important knowledge wanted to audit efficiency, observe safety, and perceive consumer conduct, permitting you to proactively construct an answer that aligns with the Salesforce Effectively-Architected Framework.
Occasion Monitoring offers insights into consumer and system exercise. It’s the reply to among the most important questions an architect must ask, reminiscent of:
- How have you learnt who has seen a report?
- How will you see how lengthy a report took to run?
- How do you block a consumer from exporting numerous data from a delicate report?
- How do you alert somebody when “View All” and “Modify All” permissions are modified?
Constructing on a robust monitoring basis
Salesforce offers a strong set of providers to observe system and consumer exercise as a part of its normal editions. These instruments kind a important basis for any architect’s monitoring technique, offering important visibility into administrative adjustments, consumer entry, and system well being.
A pattern of those strategies, their major perform, and a few issues are listed under.
MethodologyMain OperateKey IssuesBelief Web siteSupplies a view of deliberate upkeep, incidents, and outages.Guide subscribe for notifications. API obtainable.Setup Audit PathTracks administrative configuration adjustments.Retains six months of historical past.Login Historical pastAnalyzes consumer login makes an attempt and patterns.Retains six months of historical past.Area Historical past MonitoringAudits knowledge adjustments on the report degree.Normal retention is restricted; requires paid add-on for long-term storage.Safety Well being TestAssesses safety settings towards a baseline.Supplies a safety rating however doesn’t repair the problems; requires handbook motion.Storage UtilizationSupplies a view of file and knowledge storage by Objects.Information and file storage are calculated asynchronously and your utilization isn’t up to date instantly.Limits APILists details about governor limits in your org.Requires a third-party software to programmatically entry and retailer output to trace utilization over time.Salesforce OptimizerScans for technical debt and inefficiencies.Being retired in Winter ’26. Customers should transition to various instruments.Debug LogsDeep-dive evaluation of Apex code and course of failures.Extraordinarily brief retention (24 hours for system logs), dimension limitations.Scale MiddleDesigned for proactive evaluation and determination of scale points.Out there for Limitless Version orgs. Prospects within the EU Working Zone usually are not capable of entry Scale Middle. 30 days of information obtainable.Occasion Monitoring (Free-Tier)Tracks key exercise for restricted Occasion Log Information.Enterprise, Limitless, and Efficiency Version orgs have free entry to seven Occasion Log Information with one-day knowledge retention. A paid add-on is required for the broader capabilities described on this weblog publish.
Monitoring providers obtainable in normal Salesforce editions
.Whereas these providers present a robust start line, they don’t at all times supply a whole image. A paid add-on subscription for Occasion Monitoring lets you transcend these foundational providers to reinforce your monitoring capabilities.
What’s Salesforce Occasion Monitoring?
Occasion Monitoring offers transparency into consumer conduct and system efficiency. It collects and shops consumer exercise — known as “occasions” — in log recordsdata and objects, which might then be used for evaluation. Occasion Monitoring is a core element of the Salesforce Defend product providing, a collection of providers designed to assist corporations construct an additional layer of safety, compliance, and management. Along with Occasion Monitoring, Salesforce Defend consists of Platform Encryption, Information Detect, and Area Audit Path, forming a complete resolution for shielding delicate knowledge and assembly regulatory necessities.
To entry the total vary of Occasion Monitoring capabilities, a company will need to have a Salesforce Defend or Occasion Monitoring add-on subscription. As soon as enabled, you may entry key settings from Setup below Occasion Monitoring Settings.
Entry Occasion Monitoring settings from the Setup menu.
Whereas Occasion Monitoring is one product, it presents a lot of capabilities that may be laborious to navigate inside a holistic image. Let’s take a look at the underlying key elements in an easy-to-understand diagram.
The way it works
Please notice that the next diagrams are updated as of the Winter ’26 launch. The variety of occasions listed in every diagram is supposed to be a point-in-time information that highlights key variations in occasions obtainable for every functionality of Occasion Monitoring. For brevity, Enhanced Cell Software Safety occasions have been omitted. At all times check with the documentation and launch notes for essentially the most up-to-date data.
The Occasion Log File framework
Software occasions captured by Salesforce (from many sorts of interplay) are endured. Given the character of Salesforce’s multi-tenant surroundings, the logs themselves usually are not a lot use to prospects and usually are not obtainable of their uncooked format. To make these consumable for purchasers, a lot of occasions are copied for every org.
Seventy-four occasion sorts are made obtainable to occasion monitoring prospects by making a duplicate of these transactions, particular to their org, into an ordinary object known as EventLogFile and supporting file storage. This course of is asynchronous in nature and operates in batch mode, copying transactions hourly and day by day,so present occasions can take as much as one hour to be obtainable.Given the huge volumes of utility logs captured, Salesforce shops as much as one 12 months’s price of exercise, or at some point if utilizing a Developer Version org.
Ensure you choose in for Occasion Log File era when you want log recordsdata generated and delivered to your org for Developer and Trial orgs.
Diagram displaying the occasion sorts made obtainable, hourly or day by day, for obtain as a part of the Occasion Log File framework.
You’ll be able to discover and obtain your Occasion Log File knowledge utilizing the Platform REST API or use the Occasion Log File Browser, which makes every log file obtainable within the Setup menu.
Entry your Occasion Log Information from the Setup menu with Occasion Log File Browser
The Occasion Log Object framework
The Occasion Log Object framework surfaces occasion knowledge saved in an ordinary object, known as Occasion Log Objects. They retailer important occasion knowledge you can question through Salesforce Platform APIs. Occasion log objects comprise many however not all occasions represented within the Occasion Log File framework — at the moment supporting 43 occasions.
Not like Occasion Log Information, which floor occasion knowledge as CSV recordsdata, Occasion Log Objects permit querying of occasion knowledge in a collection of normal objects. This offers some advantages, enabling simpler, sooner evaluation.
- Storage makes use of normal Salesforce objects for simplified SOQL and API assist
- Information obtainable to question inside 25-45 minutes after the occasion is logged
- Managed safety with the View Occasion Log Object Information permission
- Log knowledge retained for 30 days, with as much as 15 days of information supported at a time through question
Diagram displaying occasion sorts being made obtainable as a part of the Occasion Log Object framework.
The Actual-Time Occasion Monitoring framework
The Occasion Log File and Occasion Log Object frameworks don’t assist real-time occasions. The Actual-Time Occasion Monitoring framework addresses this concern by streaming occasions. It comprises occasions particularly designed for streaming — at the moment supporting 20 occasions (14 occasions from consumer exercise and 6 occasions from anomaly detection, coated later on this publish). These occasions are printed to the Enterprise Messaging Platform, backed by Apache Kafka and different providers. This infrastructure is managed by Salesforce to offer a scalable, performant resolution for triaging occasions in near-real time.
The Actual-Time Occasion Monitoring framework has three key elements: Menace Detection, Transaction Safety, and Occasion Storage.
The Menace Detection element
This streaming sample permits for revolutionary options that may use menace detection to search for suspicious occasions. This service makes use of machine studying and reads consumer patterns to detect anomalies, which provides an extra six occasions that may be streamed.
Diagram displaying how Menace Detection identifies anomalies.
Within the screenshot above, six anomalies are recognized: credential stuffing, session hijacking, login anomalies, API anomalies, visitor consumer anomalies, and report anomalies. Observe that if you want to generate take a look at occasions to simulate these threats to confirm enterprise logic that’s listening for these kind of occasions, you should utilize the brand new Generate Take a look at Occasions for Menace Detection (Beta).
Credential stuffing occasions
Credential stuffing will be detected by researching stuffing visitors patterns and doing time-bucketing evaluation of these patterns over time. When one of these anomaly is detected, the consumer shall be introduced with an id problem and be required to reset their password. The menace detection service additionally publishes a CredentialStuffingEvent (see docs) to the bus.
Credential Stuffing Occasion
DescriptionDetectionMitigation– Brute power username and password mixtures focusing on identical endpoint or enumerating a number of passwords– Analysis stuffing visitors patterns
– Time-bucketing evaluation
– Identical endpoint fingerprints– Id problem
– Password reset required
– Safety occasion despatched
For extra, normal data on one of these cyberattack, take a look at the article How Salesforce Helps Shield You From Credential Stuffers.
Session hijacking occasions
By fingerprinting the TLS negotiation between consumer and server, Salesforce can detect potential malware put in on a consumer’s system. When one of these anomaly is detected, the consumer has their session terminated and multi-factor authentication is required. The menace detection service additionally publishes a SessionHijackingEvent (see docs) to the bus.
Session Hijacking Occasion
DescriptionDetectionMitigation– Malware put in on consumer’s system
– Virus manipulates browser pages and collects delicate information– Fingerprinting the TLS negotiation between consumer and server– Session terminated
– MFA required
– Safety occasion despatched
Salesforce has been on the forefront of this technique of detection for some years and has documented an open-source technique for fingerprinting TLS purchasers on the wire (see particulars within the article Open Sourcing JA3).
Report anomaly occasions
Report exports are potential alternatives for knowledge loss. Transaction safety insurance policies present one mechanism to detect and block this exercise, however anomaly occasions takes it a step additional. The menace detection service baselines conduct over time. Prospects can then see threshold scores primarily based on deviation from this regular conduct and generate anomalous occasions in actual time that they will then examine. A corresponding ReportAnomalyEvent (see docs) is printed.
Report Anomaly Occasion
DescriptionDetectionMitigation– Information loss by entry and exporting knowledge over time– Mannequin report era actions over 90 days and baseline
– Rating created for report era exercise vs. baseline– No automated remediation
– Safety occasion despatched
– Buyer investigates
For extra detailed data on detecting anomalous occasions, take a look at the article How Salesforce Helps Shield You From Insider Threats and familiarize your self with the coaching and inference steps.
Login anomaly occasions
An anomalous login refers back to the detection of a possible attacker trying to realize unauthorized entry to a reliable consumer’s account. This menace detection occasion identifies login makes an attempt that deviate considerably from a consumer’s typical login conduct, reminiscent of uncommon occasions of day, unfamiliar gadgets, or sudden places. A corresponding LoginAnomalyEvent (see docs) is printed.
API anomaly occasions
Comparable rules apply to the API anomaly occasion. An API anomaly is any consumer exercise that’s sufficiently completely different from the historic exercise of the identical consumer. A corresponding ApiAnomalyEvent (see docs) is printed.
Visitor consumer anomaly occasions
This anomaly occasion makes use of the metadata in Salesforce Core utility logs to construct profiles representing visitor customers’ knowledge entry actions. Visitor customers are unauthenticated customers who can entry public-facing digital experiences, reminiscent of a Salesforce Expertise Cloud website. This menace detection occasion identifies suspicious makes an attempt to entry group knowledge. A corresponding GuestUserAnomalyEvent (see docs) is printed.
The Transaction Safety element
Fourteen occasion sorts are captured synchronously by Transaction Safety (eight exercise occasions with six menace detection occasions). Transaction Safety permits prospects to create safety insurance policies in Salesforce to deal with safety dangers. On condition that these transactions are synchronous, it offers prospects with the power to take rapid motion. The actions you are taking will be to dam the transaction or to require two-factor authentication. You can even ship an electronic mail or in-app notification to alert an individual or crew.
Diagram displaying Transaction Safety.
There are two methods to create a transaction safety coverage: with Situation Builder (declaratively), or with Apex.
Situation Builder
This software lets you create a transaction safety coverage with out writing a line of code. You arrange easy situation logic with operators to create personalized safety insurance policies to guard your knowledge.
For instance, we are able to use the Report Occasion to trace when a consumer exports greater than 2,000 rows from any report utilizing the Lead object.
Screenshot of configuring a transaction safety coverage in Situation Builder.
Apex
Should you want extra flexibility than easy circumstances permit, then you should utilize Apex. To take action, create or choose an current class that implements the TxnSecurity.EventCondition interface.
For examples, take a look at the documentation.
Coverage actions
No matter whether or not you select Apex or Situation Builder, the coverage can select which motion to take when the logic is triggered — Block or require multi-factor authentication. You can even specify who to inform and the notification technique, e.g., through an electronic mail and/or an in-app notification.
Screenshot of the way to configure actions within the Transaction Safety Coverage editor.
In our instance, when a consumer tries to export a Lead report with greater than 2,000 data, the consumer will obtain the error specified within the coverage configuration — and on this instance, blocked from exporting data.
Screenshot of a blocking motion for a Report Export operation from a consumer’s perspective.
The required particular person chosen to be the recipient of notifications (usually an administrator or somebody within the safety crew) will obtain a corresponding in-app notification.
Screenshot of an in-app notification for a Report Export operation from the notification’s recipient perspective.
The Occasion Storage element
Occasions processed by the Actual-Time Occasion Monitoring framework will be saved. Two sorts of Salesforce objects are used:
- Normal Objects are used completely for menace detection occasions as a result of their low volumes. These occasions are saved for six months.
- Huge Objects are used for all different real-time occasions the place scalable storage is required to assist the potential for a excessive variety of occasion data. Information is retained for six months (10 years for some id occasions).
Diagram displaying how real-time occasions are saved in Huge Objects and Normal Objects.
Nineteen occasions will be put into these objects and characterize an answer designed for extra scalable storage for big knowledge volumes.
In Setup, the Occasion Supervisor web page permits an administrator to pick which occasions are saved by toggling the Allow Storage drop-down menu.
Occasion Supervisor within the Setup menu permits an administrator to regulate which occasions are saved.
A comparative overview of Occasion Monitoring capabilities*
To evaluate how every functionality of Occasion Monitoring can assist your monitoring technique, this comparability desk reveals a abstract of key metrics that may assist you to decide which technique to make use of for various use instances.
A tabular comparability of Occasion Monitoring capabilities
*Enhanced Cell Software Safety occasions have been omitted for brevity. All different particulars are right as of the Winter ’26 launch.
Reporting and analytics
Prospects want a method to visualize and report on these logs. They will use the Salesforce Platform’s Bulk and REST APIs to retrieve knowledge from the occasion storage objects, or they will stream obtainable occasions in actual time. CRM Analytics additionally offers an Occasion Monitoring Analytics app with pre-built dashboards to start out exploring occasion monitoring knowledge shortly.
Diagram displaying the end-to-end Occasion Monitoring elements with analytics and Information Cloud.
Some safety data and occasion monitoring (SIEM) instruments can mixture safety logs, and a few include pre-built connectors to extract and stream the info on demand.
The occasions streamed from the Actual-Time Occasion Monitoring framework will be subscribed to from an exterior system of your selection utilizing a Pub/Sub API consumer. In Setup, the Occasion Supervisor web page permits an administrator to pick which occasions to stream and the subscription channel that the consumer ought to use for every.
Occasion Supervisor within the Setup menu permits an administrator to regulate which occasions are streamed.
The Salesforce Platform Occasions connector (Beta) lets organizations simply stream occasion knowledge from Salesforce Actual-Time Occasion Monitoring to Information Cloud. By combining Occasion Monitoring with Information Cloud, you get a scalable knowledge platform to retailer giant portions of occasions for evaluation that may now use calculated insights to mixture knowledge at scale.
How Occasion Monitoring applies to the Salesforce Effectively-Architected Framework
The Effectively-Architected Framework’s pillars offers a lens by which to view Occasion Monitoring’s worth. As an architect, it’s a good way to validate your understanding of key capabilities and offers a fantastic construction for conversations with an enterprise safety crew. We’ll check out every pillar and spotlight some key capabilities that align with the options of Occasion Monitoring, with out being an exhaustive record.
Belief Pillar
An answer well-architected to construct belief behaves in methods which can be safe, compliant, and dependable.
Safe
A safe structure protects knowledge and controls entry. Occasion Monitoring offers the info essential to implement this precept by enabling real-time menace detection and response. Transaction Safety applies your organization’s policy-driven actions, and occasion sorts assist the monitoring of consumer and utility entry over time.
Salesforce’s native Menace Detection service makes use of statistical and machine studying fashions to determine suspicious conduct. This service generates particular occasions that guard towards cyber assaults and suspicious knowledge entry.
Transaction Safety takes safety a step additional because it providesa framework that intercepts key occasions occurring in your org and applies your firm’s policy-driven actions. This transforms Occasion Monitoring from a logging software into an necessary element of an automatic safety protection.
You should use a wide range of occasion sorts to construct out this safety protection, reminiscent of:
- Login Occasion: Information each profitable and failed login try
- Login As Occasion: Tracks when an administrator logs in as one other consumer, offering an audit path for privileged entry
- Permission Replace Occasion: Captures adjustments to object, discipline, and consumer permissions, and arrange entities that happen in profiles and permission units to assessment Precept of Least Privilege initiatives
- Record View Occasion: Captures record views accessed by a consumer with column particulars
- Report Occasion: Screens when a consumer exports knowledge from a report, offering an occasion to detect customers accessing delicate data
- Apex REST API Occasion: Contains particulars on payloads being despatched into your org and the info that was queried
Compliant
A compliant structure adheres to authorized, moral, and company-specific insurance policies. Occasion Monitoring captures detailed logs of consumer and system exercise which can be essential for creating audit trails.
Architects should perceive the info retention insurance policies in place. A paid Occasion Monitoring license offers as much as one 12 months of Occasion Log File knowledge. Nonetheless, as a result of Occasion Log File knowledge will not be a everlasting system of report and may have knowledge gaps (as an illustration throughout an org migration), it shouldn’t be thought-about a system of report.
A wide range of occasions assist compliance use instances, reminiscent of:
- Permission Replace Occasion: Detects when a consumer is assigned important permissions, offering an auditable data of elevated entry
- Group Membership Occasion: Captures particulars about adjustments to public group and queue membership, reminiscent of when customers are added or eliminated
Dependable
A dependable Salesforce org operates effectively and scales with enterprise wants. Occasion Monitoring offers the target knowledge required to measure and enhance efficiency, transferring past anecdotal consumer complaints like “the app appears gradual.”
Occasions that may assist data-driven choices on efficiency metrics embrace:
- Concurrent Lengthy-Working Apex Restrict Occasion: Quantifies the potential enterprise impression of when and the way usually Apex is inflicting long-running requests to exceed your orgs restrict
- Lightning Error Occasion: Captures details about issues encountered by customers whereas navigating, interacting with elements, or performing actions within the Lightning surroundings
- Lightning Efficiency Occasion: Tracks developments and metrics associated to the efficiency of your Lightning apps, reminiscent of web page load occasions and useful resource utilization, to find efficiency points
Straightforward pillar
An answer well-architected to be simple behaves in methods which can be intentional, automated, and participating.
Intentional
One in all my favourite ideas of an intentional structure is that “options and fixes are prioritized and delivered in methods which can be clear to enterprise and expertise stakeholders alike” (view supply). By analyzing occasion logs, architects achieve insights into function adoption and consumer conduct, basically offering the info wanted to drive choices.
Occasions that may information strategic choices into the place points lie and the way they impression the enterprise are:
- URI Occasion: Tracks net clicks, offering goal knowledge on consumer conduct and adoption of options
- Report Occasion: Helps perceive which stories are getting used and which aren’t
- Record View Occasion: Exhibits which record views are getting used and which aren’t
- Dashboard Occasion: Helps observe dashboard utilization to quantify technical debt and observe efficiency
- Apex Execution Occasion: Tracks how usually a brand new customized function is being utilized by Apex used
Automated
A key idea of an automatic structure leverages effectivity to streamline processes. Occasion Monitoring, significantly with the Actual-Time Occasion Monitoring framework, allows the power to automate safety insurance policies by Transaction Safety. These insurance policies can routinely take motion to dam or implement MFA when a menace is detected, transferring from reactive, handbook firefighting to proactive, automated prevention.
With a centralized safety data and occasion monitoring (SIEM) platform, architects and safety groups can create subtle correlation guidelines to detect multi-vector assaults and automate alert administration. These programs will be configured to prioritize alerts primarily based on severity, enabling safety operations groups to concentrate on essentially the most important threats and reply extra shortly to incidents.
Partaking
A key callout within the participating facet of the simple pillar is that the appliance ought to “make it simple for individuals to entry and use apps, making customers really feel they’re getting extra high-quality work carried out, and making individuals need to use apps within the system” (view supply). Occasion Monitoring offers the occasions wanted to measure system engagement over time.
Occasions that may information strategic choices on usability embrace:
- Lightning Logger Occasion: Permits builders to trace when customers are interacting with their customized lightning net elements
- Invocable Motion Occasion: Supplies metrics to observe actions invoked throughout Agentforce flows, indicating which brokers are used and when
- Inadequate Entry Occasion: Addresses a irritating error for customers, permitting the mission crew to troubleshoot and resolve entry points proactively
Adaptable pillar
An answer well-architected to be adaptable behaves in methods which can be resilient and composable.
Resilient
A resilient structure can return to a perfect state or form in a predictable means, even within the face of change or failure. Occasion Monitoring offers insights into adjustments being made to underlying metadata and permissions, giving insights into when, what, and the way a change was utilized. When manufacturing points come up, the Actual-Time Occasion Monitoring framework allows steady monitoring and alerting.
Occasions that assist monitor change over time embrace:
- Metadata API Operation Occasion: Supplies the power to detect adjustments to an org’s construction over time, with insights into adjustments which have impacted enterprise processes adversely
- Apex Surprising Exception Occasion: Allows customers to quantify, triage, and resolve points in manufacturing which have slipped by testing with metrics on LimitExceptions
Composable
A composable structure is inbuilt models that may function gracefully with each other and will be adjusted shortly. Occasion Monitoring facilitates this by offering industry-standard entry to occasion logs and objects by APIs. This enables third-party purposes to construct connectors that may learn the usual occasion payloads to permit Occasion Monitoring logs to be a composable element in a broader enterprise structure.
Conclusion
As architects, our actuality will not be one among excellent, bug-free, blazingly quick, impenetrable purposes, however one among steady vigilance and fast response. The crises we face — the slow-running stories, the mysterious Apex exceptions, and the unsettling questions on knowledge safety — are not simply challenges; they’re alternatives to display the maturity of our architectures.
Understanding how Occasion Monitoring works below the hood, and the way its capabilities align with the Effectively-Architected Framework, will equip you with the data wanted to get essentially the most out of your monitoring designs. Realizing what is occurring throughout a Salesforce org, intimately, powers the power to shortly triage points and make knowledgeable choices. This makes Occasion Monitoring an important a part of any architect’s toolkit.
