Configuring Event Monitoring is mostly about consumption rather than setup. The platform captures events by default once licensed. The work is on the downstream side: enabling streaming for security-critical event types, building SIEM integrations, and deploying the analytics app.
- Confirm Event Monitoring licensing
In Setup, enter Event Monitoring in Quick Find. If the page does not appear, the org does not have the license; confirm with the Salesforce account team. Event Monitoring is included in Shield and is also available standalone.
- Open Event Monitoring Settings
In Setup, go to Security, then Event Monitoring Settings. The page lists every event type, its delivery mode (streaming, daily, or both), and its current daily volume.
- Enable streaming on security-critical event types
LoginEvent, LoginAsEvent, ApiEvent, CredentialStuffingEvent, ReportEvent, and ReportAnomalyEvent. Switch each to Streaming; the change takes effect within an hour. Streaming is required for real-time Transaction Security policies.
- Install the Event Monitoring Analytics App
From AppExchange or the App Manager, install the Event Monitoring Analytics App. The app deploys CRM Analytics dashboards (User Activity, API Usage, Report Forensics) that refresh daily from EventLogFile data.
- Set up SIEM integration
For external archival, schedule a job (Apex Scheduled, MuleSoft, or CI cron) that pulls EventLogFile rows daily and pushes them to the SIEM. For real-time delivery, build a Platform Event subscriber (Apex or an external client) that consumes streaming events as they arrive.
- Build Transaction Security policies on streaming events
Open Transaction Security Policies and create new policies on the streaming event types. The policies fire in real time against the same event stream Event Monitoring captures. This is the action layer on top of the observability layer.
- Plan retention extensions if needed
Event Monitoring retention is 30 days on platform. For compliance-driven longer retention, the choices are Event Monitoring Plus (extended on-platform retention) or external SIEM archival. Most orgs pick external archival.
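The daily archival job from the SIEM integration step, shown as an added example that is not part of the original page or of any Salesforce-provided code. It builds the SOQL for the daily EventLogFile pull and normalizes a Login-type CSV body (a constructed sample, with made-up users and addresses) into SIEM-ready NDJSON; the HTTP download of the LogFile body is left to the caller.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample of a daily Login EventLogFile CSV body (a subset of the
# Login schema's columns). Users and IPs are invented for this example.
SAMPLE_LOGIN_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS,API_TYPE,BROWSER_TYPE
Login,2024-05-01T08:15:02.000Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR,,Chrome 124
Login,2024-05-01T08:16:40.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,,Firefox 125
Login,2024-05-01T08:17:01.000Z,bob@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD,,Firefox 125
Login,2024-05-01T08:20:13.000Z,svc-integration@example.com,192.0.2.44,LOGIN_NO_ERROR,f,
"""


def soql_for_daily_pull(event_type: str) -> str:
    """SOQL selecting yesterday's daily EventLogFile rows for one event type.

    EventLogFile.LogFile holds the REST path of the CSV body; the scheduled
    job downloads it with the same bearer token used for the query.
    """
    return ("SELECT Id, EventType, LogDate, LogFile, LogFileLength FROM EventLogFile "
            f"WHERE EventType = '{event_type}' AND LogDate = YESTERDAY AND Interval = 'Daily'")


def to_siem_records(csv_body: str, org_id: str) -> list:
    """Normalize one EventLogFile CSV body into flat, JSON-ready dicts."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_body)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        records.append({
            "source": "salesforce.eventlogfile",   # assumed SIEM source tag
            "org_id": org_id,
            "event_type": row["EVENT_TYPE"],
            "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
            "user": row["USER_NAME"],
            "src_ip": row["SOURCE_IP"],
            "login_status": row["LOGIN_STATUS"],
            "outcome": "success" if row["LOGIN_STATUS"] == "LOGIN_NO_ERROR" else "failure",
            "via_api": row.get("API_TYPE", "") != "",  # API logins carry an API_TYPE code
        })
    return records


def failed_logins_by_ip(records: list) -> dict:
    """Per-source-IP failure counts, a first check a SIEM rule would run on the archive."""
    counts = {}
    for rec in records:
        if rec["outcome"] == "failure":
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


def to_ndjson(records: list) -> str:
    """One JSON object per line, the shape most SIEM HTTP collectors accept."""
    return "".join(json.dumps(rec, sort_keys=True) + "\n" for rec in records)
```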
- Per-event-type enable/disable: default is enabled for all types once licensed. Disable selectively if the org cannot consume the volume downstream.
- Delivery mode: daily EventLogFile, streaming real-time, or both. Streaming is required for real-time Transaction Security policies; daily delivery serves batch analytics.
- Retention: 30 days on platform by default. Extended retention requires Event Monitoring Plus or external SIEM archival.
- Event Monitoring Analytics App: pre-built CRM Analytics dashboards for User Activity, API Usage, and Report Forensics. Deployed as a managed package, refreshed daily.
- Platform Event subscriber: Apex or an external client that consumes streaming events. Used to ingest events into Big Objects or external SIEMs.
- Event Monitoring retention is 30 days on platform. Anything older is purged unless you archived to a SIEM. Plan the integration before you need the historical data.
- Streaming is required for Transaction Security real-time policies. Daily EventLogFile delivery is too slow to drive Block actions on suspicious behavior.
- ApiEvent volume can be enormous in API-heavy orgs. A single integration making 100K calls per day produces 100K event rows. Plan the SIEM ingestion capacity before enabling streaming on ApiEvent.
- The Event Monitoring Analytics App is a managed package. Customizing the dashboards inside the package is blocked. Clone to custom dashboards if you need to extend.
- Event Monitoring is not Field History Tracking and not Setup Audit Trail. Each captures different signals. Operational security needs all three.