Newer Version Available

This content describes an older version of this product. View Latest

TenantSecurityReportAnomaly

Tracks anomalies in how users run or export reports, including unsaved reports. This object stores information about Threat Detection events within connected tenants in Security Center. This object is available in API version 53.0 and later.

Supported Calls

describeSObjects(), getDeleted(), getUpdated(), query(), retrieve()

Fields

Field Details
DetailIdentifier
Type
string
Properties
Filter, Group, idLookup, Sort
Description
The ID of the individual detail record. This field is unique within your organization.
EventDate
Type
dateTime
Properties
Filter, Nillable, Sort
Description
The date when the hijacking event was reported. For example, 2020-01-20T19:12:26.965Z. Milliseconds are the most granular setting.
EventIdentifier
Type
string
Properties
Filter, Group, idLookup, Nillable, Sort
Description
The unique ID of the event. For example, 0a4779b0-0da1-4619-a373-0a36991dff90.
EventName
Type
string
Properties
Filter, Group, idLookup, Nillable, Sort
Description
The name of the event, which is Report Anomaly.
MetricIdentifier
Type
string
Properties
Filter, Group, Sort
Description
The ID of the type of metric that was counted.
MetricsType
Type
picklist
Properties
Filter, Group, Restricted picklist, Sort
Description
The type of data being collected.
Name
Type
string
Properties
Filter, Group, idLookup, Sort
Description
The name of the metric for which data is being collected.
Report
Type
string
Properties
Filter, Group, Nillable, Sort
Description
The report ID for the report for which this anomaly event was detected. For example, 00OD0000001leVCMAY. If this anomaly resulted from a user executing an unsaved report, the value of this field is null.
Score
Type
double
Properties
Filter, idLookup, Nillable, Sort
Description
A number from 0 through 100 that represents the anomaly score for the report execution or export tracked by this event. The anomaly score shows how the user's current report activity is different from their typical activity. A low score indicates that the user's current report activity is similar to their usual activity, a high score indicates that it's different.
SecurityEventData
Type
textarea
Properties
Nillable
Description
The set of features about the report activity that triggered this anomaly event. See the Threat Detection documentation for the list of possible features. Let’s say, for example, that a user typically downloads 10 accounts but then they deviate from that pattern and download 1,000 accounts. This event is triggered and the contributing features are captured in this field. Potential features include row count, column count, average row size, the day of week, and the browser’s user agent used for the report activity. The data captured in this field also shows how much a particular feature contributed to this anomaly event being triggered, represented as a percentage. The data is in JSON format.
Summary
Type
textarea
Properties
Nillable
Description
A text summary of the report anomaly that caused this event to be created.
Tenant
Type
string
Properties
Filter, Group, idLookup, Sort
Description
The ID of the tenant that was targeted in the event.
TenantName
Type
string
Properties
Filter, Group, idLookup, Nillable, Sort
Description
The name of the tenant that was targeted in the event.
UserIdentifier
Type
string
Properties
Filter, Group, Nillable, Sort
Description
The origin user’s unique ID. For example, 005000000000123.
Username
Type
string
Properties
Filter, Group, idLookup, Nillable, Sort
Description
The origin username in the format of user@company.com at the time the event was created.