Event Monitoring in Salesforce: Unveiling Security Insights and Preventing Data Theft

Introduction:

In the digital age, data security is paramount for organizations of all sizes. Salesforce, a leader in CRM solutions, provides a powerful tool called Event Monitoring to help businesses monitor user activities, detect anomalies, and prevent security breaches. In this article, we will explore the various types of events that can be monitored, walk through a scenario illustrating how Event Monitoring can thwart data theft attempts, and guide you through the steps to review user login logs.

Understanding Event Monitoring:

Event Monitoring lets you trace many kinds of events that occur in a Salesforce org, for example authentication (logins, logouts), API calls, Apex execution, and viewing and exporting reports. An event log file is generated when an event occurs in your organization; it is available to view and download after 24 hours and remains available for 30 days. Event Monitoring lets you easily see what data users are accessing, from what IP address, and what actions they perform on that data, for example API calls, logins, running reports, exporting reports, and downloading files.

Types of Events that can be Monitored:

Event Monitoring covers several categories of events, enabling organizations to gain a comprehensive view of user interactions and system activities:

1. Login Events: Track user logins, failed login attempts, and login sources. Detect unauthorized access attempts or suspicious login patterns.

2. Data Access Events: Monitor actions related to data access, including record views, updates, and deletions. Identify unusual data access patterns or unauthorized data retrieval.

3. Platform Events: Monitor events triggered by custom applications or integrations, helping to understand how external systems interact with Salesforce.

4. Report and Dashboard Events: Track views of reports and dashboards to gain insights into data usage and user interests.

5. Event Log File Events: Monitor changes to event log files to ensure data integrity and prevent tampering.

How Does Salesforce Event Monitoring Work:

The Event Monitoring product gathers information about all operational events in your Salesforce org. You can use this information to analyze usage trends and user behavior by running queries against fields on the EventLogFile object.

1. Open the EventLogFile

  • Open Developer Console.
  • Select File > Open from the File menu. Then select Objects from the Entity Types drop-down menu.
  • Type EventLogFile in the Filter repository field. Under Entities, choose EventLogFile.
  • Click the Open button.
  • Click the Query button after selecting the fields for your query.
  • To complete the query, click the Execute button.

Figure 1: Select the fields and click on ‘Query’ to generate a query to fetch log files.

2. View the Salesforce Event Log Files

  • Log in to your org.
  • Navigate to the ELF Browser application.
  • Click Production Login.
  • Enter a date range for your search.
  • Enter an event type for your search.
  • Enter an interval (daily or hourly).
  • Click Apply.
  • Find the Id of the log file in the ELF Browser application.
  • Click the direct download button to download a log to a comma-separated values (.csv) file.

Figure 2: Open the ELF Browser application, apply a filter to get the relevant data, and click the download button to download the file in CSV format.

Download the ReportExport log file. Open it in a spreadsheet, and let’s see what we can find.

Figure 3: A .csv file containing all event data that matches the filter conditions applied in the ELF Browser.

3. Analyzing EventLogFile Data
By analyzing the EventLogFile data, the security team can identify suspicious activity in the org.
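One way to carry out this analysis on a downloaded ReportExport file, as an added example that is not code from the original article or from Salesforce: it flags exports from IP addresses outside a trusted range and users whose daily export count exceeds a threshold. The column names, the trusted network range and the threshold are assumptions, and the sample rows are constructed.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample rows. Column names are assumed; match them to your file's header.
SAMPLE_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,URI
ReportExport,2024-03-04T09:12:01.000Z,005A0000001,203.0.113.10,/00O000000000001
ReportExport,2024-03-04T22:40:11.000Z,005A0000002,198.51.100.7,/00O000000000002
ReportExport,2024-03-04T22:41:30.000Z,005A0000002,198.51.100.7,/00O000000000003
ReportExport,2024-03-04T22:43:02.000Z,005A0000002,198.51.100.7,/00O000000000004
ReportExport,2024-03-05T10:05:44.000Z,005A0000001,,/00O000000000001
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical office range
MAX_EXPORTS_PER_DAY = 2                                       # hypothetical threshold

def review_report_exports(csv_text, trusted=TRUSTED_NETWORKS, limit=MAX_EXPORTS_PER_DAY):
    """Return findings: exports from untrusted IPs and per-user daily export spikes."""
    exports = defaultdict(list)          # (user, day) -> exported report URIs
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        user, day = row["USER_ID"], row["TIMESTAMP_DERIVED"][:10]
        exports[(user, day)].append(row["URI"])
        try:
            ip = ipaddress.ip_address(row["CLIENT_IP"])
        except ValueError:
            # Empty or non-IP value: surface it instead of silently trusting it.
            findings.append(("unparsed_ip", user, row["CLIENT_IP"], row["URI"]))
            continue
        if not any(ip in net for net in trusted):
            findings.append(("untrusted_ip", user, row["CLIENT_IP"], row["URI"]))
    for (user, day), uris in sorted(exports.items()):
        if len(uris) > limit:
            findings.append(("export_volume", user, day, len(uris)))
    return findings

if __name__ == "__main__":
    for finding in review_report_exports(SAMPLE_CSV):
        print(finding)
```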

Steps to Review User Login Logs:

Step 1. Login to Salesforce Setup:

  • Log in to your Salesforce account and navigate to "Setup."
  • In the Quick Find box, type ‘Login History’ and select it.

    Figure 4: Find Login History in Quick Find box to open Login History Page.

Step 2. Download the login log file:

  • On the Login History page, click the Download Now option to download the log file.

    Figure 5: Click on Download Now button to download the login log file.

Step 3. Open the downloaded log file and review the login data:

  • Explore the login data to gain insights into user activities.

    Figure 6: Review the log file to find any suspicious activity.
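The login review in Step 3 can be automated; the following is an added example, not part of the original article or Salesforce's own tooling. It reports any account where a run of failed logins from one source IP is followed by a successful login from the same IP. The column names, the ISO time format and the failure threshold are assumptions, and the sample rows are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample. Column names and the ISO time format are assumptions;
# adjust them to the header row and time format of your downloaded file.
SAMPLE_LOGINS = """Username,Login Time,Source IP,Status
alice@example.com,2024-03-04T08:58:00,203.0.113.10,Success
bob@example.com,2024-03-04T23:01:10,198.51.100.7,Invalid Password
bob@example.com,2024-03-04T23:01:25,198.51.100.7,Invalid Password
bob@example.com,2024-03-04T23:01:41,198.51.100.7,Invalid Password
bob@example.com,2024-03-04T23:02:03,198.51.100.7,Success
carol@example.com,2024-03-04T09:30:00,203.0.113.22,Invalid Password
carol@example.com,2024-03-04T09:30:20,203.0.113.22,Success
"""

def review_logins(csv_text, min_failures=3):
    """Return alerts for a success that follows >= min_failures failures (same user and IP)."""
    # Sort by time so the result does not depend on the export's row order.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: datetime.fromisoformat(r["Login Time"]))
    streak = defaultdict(int)            # (user, ip) -> consecutive failed logins
    alerts = []
    for r in rows:
        key = (r["Username"], r["Source IP"])
        if r["Status"] != "Success":     # any non-success status counts as a failure
            streak[key] += 1
            continue
        if streak[key] >= min_failures:
            alerts.append({"user": r["Username"], "ip": r["Source IP"],
                           "failures_before_success": streak[key],
                           "success_at": r["Login Time"]})
        streak[key] = 0                  # a success resets the streak
    return alerts

if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOGINS):
        print(alert)
```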

Conclusion:

Event Monitoring in Salesforce offers a comprehensive approach to data security by tracking user activities and system interactions. By analyzing event data, organizations can detect unusual behavior, respond to potential threats, and prevent data theft attempts. This powerful tool provides insights that enhance an organization's cybersecurity posture, ensuring the safety of sensitive data and maintaining trust among customers and stakeholders. Through continuous monitoring and proactive measures, Event Monitoring empowers businesses to maintain a secure and protected environment in today's data-driven landscape.

For any queries please reach out to support@astreait.com.