Preventing Data Loss with Salesforce Event Monitoring

Event Monitoring Breakfast Briefing, October 26th 2017. Paul Gilmore, Solution Engineer; Jari Salomaa, Event Monitoring Product Manager; Sam Garforth, Solution Engineer; Andrea Stout, Legal

Transcript of Preventing Data Loss with Salesforce Event Monitoring

Page 1: Preventing Data Loss with Salesforce Event Monitoring

Event Monitoring Breakfast Briefing
October 26th 2017

Paul Gilmore, Solution Engineer
Jari Salomaa, Event Monitoring Product Manager
Sam Garforth, Solution Engineer
Andrea Stout, Legal

Page 2: Preventing Data Loss with Salesforce Event Monitoring

Forward-Looking Statements

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Statement under the Private Securities Litigation Reform Act of 1995

Page 3: Preventing Data Loss with Salesforce Event Monitoring

More Data Moves to the Cloud Than Ever Before

Opportunities to create a new kind of customer success

Financial Data

Social Data

Health Data

Web Data

Location Data

Page 4: Preventing Data Loss with Salesforce Event Monitoring

Businesses Need to Build Innovative and Trusted Apps

Building trusted apps can be challenging

A trusted app is… Secure, Compliant, Private, Transparent

Figure labels: Password Policies, MDM, Two Factor Authentication, SSO, Identity, IP Login Restrictions, Data Sharing Rules, Single Sign On, Audit Trail, Sharing Rules, Field Level Security, Encryption, HTTPS, Profiles and Permissions, Mobile Security

Page 5: Preventing Data Loss with Salesforce Event Monitoring

Compliance and Security Concerns Stall Innovation

CIOs are struggling to balance innovation and compliance

Siloed systems, regulatory burdens

Customer expectations

IoT

Internal Processes

Marketing

Service

Sales

77% of customers are not engaged with companies

Page 6: Preventing Data Loss with Salesforce Event Monitoring

Salesforce Shield

Enhanced protection, monitoring, and retention for critical Salesforce data.

Infrastructure Services

Network Services

Application Services

Secure Data Centers

Backup and Disaster Recovery

HTTPS Encryption

Penetration Testing

Advanced Threat Detection

Identity & Single Sign On

Two Factor Authentication

User Roles & Permissions

Secure Firewalls

Real-time replication

Password Policies

Third Party Certifications

IP Login Restrictions

Customer Audits

Salesforce Shield

Platform Encryption

Event Monitoring

Field Audit Trail

Field and Row Security

Page 7: Preventing Data Loss with Salesforce Event Monitoring

Salesforce Shield

Enhanced protection, monitoring, and retention for critical Salesforce data.

Encrypt: Platform Encryption

Monitor: Event Monitoring

Audit: Field Audit Trail

Page 8: Preventing Data Loss with Salesforce Event Monitoring

Salesforce Shield

Enhanced protection, monitoring, and retention for critical Salesforce data.

46% greater team productivity

>120B encrypted operations / month

Meet compliance and industry regulations: Encrypt protected data and retain audit logs

Add additional security to your sensitive data: Monitor data access and enforce security policies

Drive Salesforce adoption and optimize performance: Enhance ROI, identify and improve key application usage patterns

Page 9: Preventing Data Loss with Salesforce Event Monitoring

Platform Encryption

Encrypt sensitive data at rest while preserving business functionality

Seamlessly protect sensitive data at rest: Encrypt standard & custom fields, files, and attachments

Natively integrated with key Salesforce features: Preserve key functionality such as search, lookups, validation rules, and Chatter

Customer managed keys: Flexible key management providing more control and ownership of data security

Page 10: Preventing Data Loss with Salesforce Event Monitoring

Natively Encrypt Your Salesforce Data at Rest

Platform Encryption

Customer driven key lifecycle management

Uses secure derived keys that are never persisted in the Salesforce platform

Hardware Security Module based key management infrastructure

FIPS 140-2 compliant

Customer control over policy configuration

Select fields, files, and attachments to be encrypted

Encryption controlled with metadata to take complexity out of deployments

Preserve important functionality like search and business rules

Seamlessly upgraded with every Salesforce release

Standards based encryption built natively into the Salesforce platform

AES encryption using 256-bit keys

Layers seamlessly with other Salesforce security features

Encryption Services, Key Management, Policy Management, Platform Integration

Page 11: Preventing Data Loss with Salesforce Event Monitoring

Event Monitoring

Monitor and take action on user activity: Know who is accessing data from where

Drive user adoption: Analyze user behavior to drive training and adoption of Salesforce

Optimize Performance: Proactively identify bottlenecks and high demand pages to improve user experience

Add visibility and automation to your Salesforce data

Page 12: Preventing Data Loss with Salesforce Event Monitoring

Field Audit Trail

Ensure data is accurate, complete, and reliable: Audit who, what, and when data changes

Establish data retention policies: Comply with internal and industry regulations

Track and access data at scale: Scalable data storage allows for greater business insights and longer data retention

Strengthen data integrity for compliance and gain business insight

Page 13: Preventing Data Loss with Salesforce Event Monitoring

Field Audit Trail

Strengthen data integrity for compliance and gain insight

Figure labels: Custom and standard objects (Accounts, Opptys, Custom Objects); Consolidate; Field History Archive; After 3 months, After 12 months, After 18 months

60 fields per object

Up to 10 years of history

Consistent query performance regardless of scale

Customizable retention policies

Async SOQL support for data analysis

Page 14: Preventing Data Loss with Salesforce Event Monitoring

Learn Salesforce with Trailhead

Page 15: Preventing Data Loss with Salesforce Event Monitoring
Page 16: Preventing Data Loss with Salesforce Event Monitoring

Jari Salomaa, Director, Product Management

IT Breakfast Briefing: Event Monitoring

Monitoring your Salesforce adoption, performance and compliance

Page 17: Preventing Data Loss with Salesforce Event Monitoring

User Engagement leads to Retention, which leads to Growth, which leads to $$$

Page 18: Preventing Data Loss with Salesforce Event Monitoring

How do you measure engagement?

How many users do you have? What is the growth or expansion plan?

How many monthly/weekly/daily active users do you have?

Numbers of MAU/WAU/DAU

What are the KPIs (key performance indicators)?

How to create stickiness and get users to come back?

What is the first time experience?

What business logic works, what doesn’t work?

What is the best practice?

Page 19: Preventing Data Loss with Salesforce Event Monitoring

Takeaway: why monitoring makes sense

Page 20: Preventing Data Loss with Salesforce Event Monitoring

What’s the difference between “out of the box” vs Shield & Event Monitoring?

Page 21: Preventing Data Loss with Salesforce Event Monitoring

What’s available?

Salesforce Security Auditing, Analytics, and Actions at a Glance

Columns: Health Check, Audit Fields, Login History, Setup Audit Trail, Field History Tracking, Field Audit Trail, Event Monitoring

Purpose
• Audit Org Security
• Track who created or last modified a record user and time
• Track end-user logins and login attempts (e.g. failures)
• Track Administrative changes in setup like escalation of privileges or creation of new fields
• Track state changes at the field level
• Analysis: Track a variety of server interactions including report exports, page views, and document downloads
• Action: Automate actionable security policies such as limiting data export or notifying on concurrent login sessions

Example
• New admin inherits Salesforce Org
• Tom Terminated modified the Acme account earlier today
• Tom Terminated logged in using Chrome v 42.0 on Mac OSX
• Permission set Modify All Data assigned to user Adam Torman
• Tom Terminated changed the Case status from Open to Closed
• Tom Terminated clicked on Marc Benioff’s patient record and downloaded the 20,000 rows of a customer list
• Tom Terminated was prevented downloading the 20,000 rows customer list

Interface
• Setup UI
• Record Detail UI and API
• Setup UI and API
• Setup UI and API
• Setup / Related List UI and API
• API (CSV download) + Wave Integration
• Setup UI

[Profile or Sharing] Permissions Required
• View/Edit Health Check
• *Read/Query requires sharing access to parent record
• Manage User permission
• *View Setup and Configuration permission
• Configure requires Customize Application permission
• *Read/Query requires sharing access to parent record
• *View Event Log Files permission AND *View Login Forensics
• Author Apex AND Customize Application

Data Retention Policy
• 6 months FIFO
• Life of the record / 18 months depending on org inception date
• 6 months FIFO
• 6 months FIFO
• 20 fields for 18 months
• 60 fields for 10 years
• Up to 30 days for Event Log Files and 10 years for Login Forensics
• Doesn’t Apply

Pricing
• $0
• $0
• $0
• $0
• $0
• ** $add-on
• $0 - Login/Logout Event Log Files for 1 day
• ** $add-on - 44 log files for 30 days + Login Forensics + Transaction Security

Online Docs: Health Check, Audit Fields, Login History, Setup Audit, Field History, Field Audit, Event Monitoring, Transaction Security

Page 22: Preventing Data Loss with Salesforce Event Monitoring

Why customers love Event Monitoring data…

Page 23: Preventing Data Loss with Salesforce Event Monitoring

Top Use Cases

Understand Application Adoption and User Engagement
• Who are your most active or productive users
• What are your most/least used resources
• Is your application and business logic working - be in your customer's shoes and optimize

Monitor Development and Application Performance
• Prioritize your application development efforts
• Make informed, data driven decisions
• Be ahead of your customers - don’t wait until they file a support ticket

Ensure Security and Compliance
• Identify and avoid data leakage
• Spot unusual, suspicious or impossible logins
• Elevate security with fine grain Transaction Security policies
• Don’t just detect - also prevent!

Why Application Analytics is important for business, developers and security!

Page 24: Preventing Data Loss with Salesforce Event Monitoring

Event Monitoring Features

Page 25: Preventing Data Loss with Salesforce Event Monitoring

Add Visibility and Automation to your Salesforce data

Event Monitoring with Transaction Security

• Event Log Files: API-first service, 44 event types
• Real Time Events*: Real time event streaming, policy actions and storage in database
• Policy Management: Synchronous policy actions with flow engine or Apex
• Machine Learning*: Anomaly detection for data leakage
• Data Visualization: Integrated Analytics app and ISV ecosystem

*in pilot

Page 26: Preventing Data Loss with Salesforce Event Monitoring

Event Log Files

• Daily Event Log Files (GA)
• Hourly Event Log Files (Pilot - target Beta Spring ’18)

Page 27: Preventing Data Loss with Salesforce Event Monitoring

Event Log Files - Winter ’18

44 supported types

1. Apex Callout

2. Apex Execution

3. Apex SOAP

4. Apex Trigger

5. API

6. Asynchronous Run Report

7. Bulk API

8. Change Set Operation

9. Console

10. Content Distribution

11. Content Document Link

12. Content Transfer

13. Dashboard

14. Document Attachment Downloads

15. External Cross-Org Callout

16. External Custom Apex Callout

17. External OData Callout

18. Knowledge Article View

19. Lightning Error

20. Lightning Interaction

21. Lightning Page View

22. Lightning Performance

23. Login As

24. Login

25. Logout

26. Metadata API Operation

27. Multiblock Report

28. Package Install

29. Queued Execution

30. Report

31. Report Export

32. REST API

33. Sandbox

34. Search

35. Search Click

36. Sites

37. Platform Encryption

38. Time-Based Workflow

39. Transaction Security

40. URI

41. Visualforce Request

42. Wave Change

43. Wave Interaction

44. Wave Performance

Using EM: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm

SF Object Ref: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile.htm

Page 28: Preventing Data Loss with Salesforce Event Monitoring

Real Time Events

New Event Monitoring 2.0 architecture

• Streaming user activity in real time through Kafka
• Trigger actions or alerts with Condition Builder flows
• Retaining Event data in database for multiple years

Page 29: Preventing Data Loss with Salesforce Event Monitoring

Event Stream, Real Time Policy Actions and Event Store

New architecture to capture user behavior in Salesforce

Page 30: Preventing Data Loss with Salesforce Event Monitoring

Stream, Real Time Policy Actions and Store

New architecture to capture user behavior in Salesforce

Page 31: Preventing Data Loss with Salesforce Event Monitoring

Stream, Real Time Policy Actions and Store

New architecture to capture user behavior in Salesforce

Page 32: Preventing Data Loss with Salesforce Event Monitoring

Policy Management

Expanding to no-code policies

• Apex policies (GA)
• Lightning based Condition Builder (Pilot)
• No coding experience required

Page 33: Preventing Data Loss with Salesforce Event Monitoring

Transaction Security Condition Builder

New architecture to capture user behavior in Salesforce

Page 34: Preventing Data Loss with Salesforce Event Monitoring

DEMO!

Page 35: Preventing Data Loss with Salesforce Event Monitoring

Machine Learning

Post processing of events

• Anomaly Detection for Report Export & Data Leakage Use Case (pilot)
• Automated email notifications and alerts to your inbox

Page 36: Preventing Data Loss with Salesforce Event Monitoring
Page 37: Preventing Data Loss with Salesforce Event Monitoring

Introduction to Anomaly Detection

What is it?

● Anomaly Detection means identification of events which do not conform to an expected pattern

● Significant deviation from expected user behavior is reported as an anomaly

● Anomaly Detection Pilot uses artificial intelligence algorithms to track user behavior

● Salesforce does not look at customer data; instead, we analyze how the users interact with the data

● Customer has the ability to provide feedback on whether the detected event poses a high, medium or low risk to their data

● This feedback trains our algorithm to detect suspicious activity more accurately

Page 38: Preventing Data Loss with Salesforce Event Monitoring

Salesforce Anomaly Detection*

How does it work?

● Salesforce is using a profile-based event detection algorithm to protect access to the customer data

● Collecting a 60-90 day window of user’s API and Report log lines, we formulate a statistical baseline in about 24-48 hrs from the actual event

● Statistically significant changes in user behavior can indicate a potential risk (see the list of detection rules below)

● These could be inside actors, malware on client systems or other potential threats

1. Average row count

2. Average row size

3. Autonomous System Number (ASN)

4. Day of the month

5. Day of the week

6. Hour of the day

7. Implied travel speed

8. IP Geolocation

9. Minute

10. Month of the year

11. Number of columns

12. Number of exception filters

13. Number of column to column filters

14. Number of filters

15. Number of historical filters

16. Number of snap historical filters

*Marketing Cloud, Commerce Cloud, Quip, SalesforceIQ not included in this pilot
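
Added example (not from the presentation, and not Salesforce's algorithm): a minimal profile-based check in Python that builds a per-user baseline and scores new report events against three of the listed rules (average row count, hour of the day, implied travel speed). The event fields, thresholds and sample data are assumptions constructed for illustration.

```python
import math
import statistics
from datetime import datetime

# Constructed sample data (not real Salesforce log lines). Field names are
# hypothetical; a real baseline would cover the 60-90 day window, not 5 events.
HISTORY = [
    {"user": "u1", "ts": "2017-09-04T09:15:00", "rows": 100, "lat": 51.5, "lon": -0.12},
    {"user": "u1", "ts": "2017-09-05T10:05:00", "rows": 120, "lat": 51.5, "lon": -0.12},
    {"user": "u1", "ts": "2017-09-06T11:40:00", "rows": 110, "lat": 51.5, "lon": -0.12},
    {"user": "u1", "ts": "2017-09-07T14:20:00", "rows": 130, "lat": 51.5, "lon": -0.12},
    {"user": "u1", "ts": "2017-09-08T15:00:00", "rows": 90, "lat": 51.5, "lon": -0.12},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def build_profiles(events):
    """Per-user baseline: row-count mean/stdev, usual hours, last known event."""
    grouped = {}
    for e in events:
        grouped.setdefault(e["user"], []).append(e)
    profiles = {}
    for user, evs in grouped.items():
        rows = [e["rows"] for e in evs]
        profiles[user] = {
            "mean": statistics.mean(rows),
            "stdev": statistics.pstdev(rows) or 1.0,  # avoid divide-by-zero
            "hours": {parse(e["ts"]).hour for e in evs},
            "last": max(evs, key=lambda e: parse(e["ts"])),
        }
    return profiles

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def anomalies(event, profile, z_limit=3.0, max_kmh=900.0):
    """Return the names of the rules on which this event deviates from the profile."""
    hits = []
    if (event["rows"] - profile["mean"]) / profile["stdev"] > z_limit:
        hits.append("average_row_count")
    if parse(event["ts"]).hour not in profile["hours"]:
        hits.append("hour_of_day")
    last = profile["last"]
    elapsed_h = (parse(event["ts"]) - parse(last["ts"])).total_seconds() / 3600
    if elapsed_h > 0 and km_between(last, event) / elapsed_h > max_kmh:
        hits.append("implied_travel_speed")
    return hits

PROFILES = build_profiles(HISTORY)
# Constructed events to score: a routine export and a bulk export from far away.
ROUTINE = {"user": "u1", "ts": "2017-09-11T10:00:00", "rows": 115, "lat": 51.5, "lon": -0.12}
BULK = {"user": "u1", "ts": "2017-09-08T23:30:00", "rows": 20000, "lat": -33.87, "lon": 151.21}

if __name__ == "__main__":
    for ev in (ROUTINE, BULK):
        print(ev["ts"], anomalies(ev, PROFILES[ev["user"]]) or "within baseline")
```
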

Page 39: Preventing Data Loss with Salesforce Event Monitoring

Example

Page 40: Preventing Data Loss with Salesforce Event Monitoring

Data Visualization

Making data to meet your business needs

• Bundled Event Monitoring Analytics App (formerly known as Wave App)
• Active ecosystem of ISV solutions for variety of use cases including adoption, performance and security

Page 41: Preventing Data Loss with Salesforce Event Monitoring

Use a large ecosystem of partners for insights and policies

Explore the Different Use Case Benefits

Easy to use business analytics for any user
• Event denormalization for usernames
• 15 events, configurable for 1-30 days with 50 million rows limit (upgradable to Analytics Platform)
• 10 user licenses included (purchase Analytics Platform licenses for more users)
• 16 Dashboards for adoption, performance and security
• Contact: Umair Rauf / Jari Salomaa, Salesforce

General log collection, analytics
• Event denormalization for usernames, reports, files, dashboards
• All events, no limits, available for free for existing Splunk customers
• Cloud vs On-premise pricing (roughly ~100GB is $10k)
• 80 dashboards across app management, SFDC adoption and security
• Contact: Elias Haddad, PM Splunk, Jason Conger, SE

Security analytics and security policies
• Event denormalization for usernames, reports, files, dashboards
• All events, no limits (built into the price)
• $5/user per month with multi-app discounts
• Multiple dashboards around security and compliance
• Contact: Jennifer Sands PM, Andrew Davidson BD

Built for the business minded user and provides user behavioral analytics
• Event denormalization for usernames, reports, files, dashboards, custom objects
• All events, no limits, included in price; supports Hourly & Real time
• $2-$15/user per month; multi-app discounts; dedicated technical account manager included
• Analytic Library of 60+ pre-built reports for security, compliance, performance and usage & adoption; multiple dashboards
• Contact: Chris Arnold PM FairWarning, Mike Mason

Application Performance Monitoring (APM) with Insights
• Configurable but not available out of the box
• All events, no limits
• Unlimited users, priced at $250 / 75M Events / month
• Multiple dashboards for performance monitoring
• Contact: Heiko Leibenath, Steven Scheinfield BD

Open source tooling for low-cost but very powerful analytics
• Configurable but not available out of the box
• All events, no limits, with code example for Salesforce connector
• No user licensing, open source technology “do it yourself”
• “Do it yourself”
• Github example code

Page 42: Preventing Data Loss with Salesforce Event Monitoring

Summary

1. Event Log Files
2. Real Time Events
3. Policy Management with Transaction Security
4. Machine Learning and Anomaly Detection
5. Data Visualization with Event Monitoring Analytics App and a number of ISV solutions

Page 43: Preventing Data Loss with Salesforce Event Monitoring