Newer Version Available
Use Async SOQL with Real-Time Event Monitoring
Here are some examples of using Async SOQL with real-time events.
Let’s say you’ve created a custom object called Patent__c that contains sensitive patent
information. You want to know when users query this object using any API. Use the following
Async SOQL query on the ApiEvent object to determine when Patent__c was last accessed, who
accessed it, and what part of it was accessed. The WHERE clause uses the
QueriedEntities field to narrow the results to just API queries of
the Patent__c object.
- Example URI
-
1https://yourInstance.salesforce.com/services/data/v48.0/async-queries/ - Example POST request body
-
1{ 2 "query": "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent 3 WHERE QueriedEntities LIKE '%Patent__c%'", 4 "targetObject": "ApiTarget__c", 5 "targetFieldMap": { 6 "EventDate": "EventDate__c", 7 "EventIdentifier": "EventIdentifier__c", 8 "QueriedEntities": "QueriedEntities__c", 9 "SourceIp": "IPAddress__c", 10 "Username": "User__c", 11 "UserAgent": "UserAgent__c" 12 } 13} - Example POST response body
-
1{ 2 "jobId" : "08PB00000066JRfMAM", 3 "message" : "", 4 "operation" : "INSERT", 5 "query" : "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent 6 WHERE QueriedEntities LIKE '%Patent__c%'", 7 "status" : "Complete", 8 "targetExternalIdField" : "", 9 "targetFieldMap" : { 10 "EventDate" : "EventDate__c", 11 "SourceIp" : "IPAddress__c", 12 "EventIdentifier" : "EventIdentifier__c", 13 "QueriedEntities" : "QueriedEntities__c", 14 "Username" : "User__c", 15 "UserAgent" : "UserAgent__c" 16 }, 17 "targetObject" : "ApiTarget__c", 18 "targetValueMap" : { } 19}
If you ask this question on a repeated basis for audit purposes, you can automate the query
using a cURL
script.
1curl -H "Content-Type: application/json" -X POST -d
2'{"query": "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent WHERE QueriedEntities LIKE '%Patent__c%'",
3 "targetObject": "ApiTarget__c",
4 "targetFieldMap": {"EventDate": "EventDate__c","EventIdentifier": "EventIdentifier__c","QueriedEntities": "QueriedEntities__c","SourceIp": "IPAddress__c","Username": "User__c","UserAgent": "UserAgent__c"}}'
5 "https://yourInstance.salesforce.com/services/data/v48.0/async-queries/" -H
6 "Authorization: Bearer 00D30000000V88A!ARYAQCZOCeABy29c3dNxRVtv433znH15gLWhLOUv7DVu.
7 uAGFhW9WMtGXCul6q.4xVQymfh4Cjxw4APbazT8bnIfxlRvUjDg"Another event monitoring use case is to identify all users who accessed a sensitive field, such as Social Security Number or Email. For example, you can use the following Async SOQL query to determine the users who saw social security numbers.
- Example URI
-
1https://yourInstance.salesforce.com/services/data/v48.0/async-queries/ - Example POST request body
-
1{ 2 "query": "SELECT Query, Username, EventDate, SourceIp FROM ApiEvent 3 WHERE Query LIKE '%SSN__c%'", 4 "targetObject": "QueryEvents__c", 5 "targetFieldMap": { 6 "Query":"QueryString__c", 7 "Username":"User__c", 8 "EventDate":"EventDate__c", 9 "SourceIp" : "IPAddress__c" 10 } 11} - Example POST response body
-
1{ 2 "jobId": "08PB000000001RS", 3 "message": "", 4 "query": "SELECT Query, Username, EventDate, SourceIp FROM ApiEvent 5 WHERE Query LIKE '%SSN__c%'", 6 "status": "Complete", 7 "targetFieldMap": {"Query":"QueryString__c", "Username":"User__c", 8 "EventDate":"EventDate__c", "SourceIp" : "IPAddress__c" 9 }, 10 "targetObject": "QueryEvents__c" 11}