Recently, one of my customers said that he is afraid if somebody is constantly stealing his leads from Salesforce, and checked if I could do something about this. His reason for doubt was genuine because the company is underperforming in converting leads since last two-three months. And a specific competitor company wins most of the leads. He was wondering if there is any rat in his company who sells the lead data to the competitor than actually selling the products!


Now I wore the detective hat on my own and took up the investigation. I started by checking the logins, hoping to find any unusual logins by the system administrator. I couldn’t find any. I see that the Salesforce instance was configured such a way that the users could export the reports from the org. When I checked with the customer, he wanted it that way because at times he wants his employees to send ad-hoc reports in excel files. So, no way I could remove the permission to export reports from users’ profile. As preventive measures, I did setup login hours, login IP ranges, removed printable list views from the user interface,  and removed “Modify All” permission that would not let users download data loader in future. But I knew these won’t cut it in. I cannot remove API access because the company users use Genesys CTI and also chatter internally. So, can’t cut off API access. It was then that I figured out the EventLogFile in Salesforce. Boom!


EventLogFile lets you see the granular details of user activity in your Salesforce instance. You can view information about individual events or track trends in events to swiftly identify abnormal behavior and safeguard your company’s data. It provides tracking for more than 30 different types of events, including – Logins, Logouts, URI (web clicks), UITracking (mobile clicks), Visualforce page loads, API calls, Apex executions, Report exports and much more. Per Salesforce – Developer Edition (DE) organizations have free access to all 30+ log types with one-day data retention. Enterprise, Unlimited, and Performance Edition organizations have free access to the login and logout log files with one-day data retention. For an extra cost, you can access all log file types with 30-day data retention.

We contacted our Salesforce account executive and enabled the option to store Report Exports in EventLogFiles as well. And on a daily basis, we checked who are exporting the reports from the instance. You cannot monitor this from within Salesforce setup. But, you can use the workbench for that. You can either run an SOQL query on the EventLogFile object or use REST Explorer to find the response. I know you are workbench heroes and I don’t need to teach you that. There are some free tools which let to visualize the log data. Once such free Heroku app is “Salesforce Event Log File Browser“. This tool is handy for the executives and the customer, because, they can’t just run through the RAW response from the API request and figure out. This tool lets you download the logs in an excel format with which the executives are comfortable.


You know what, our guess was right! One employee was exporting the leads on a weekly basis and shared with the competitor. What a sham! Finally, the rat is out of the dark hole. I did my job perfectly and thanks to EventLogFiles for that.


I’ve now used event log files to solve a case and became a cool detective for the customer. Now you have the tools you need to investigate, secure, and improve your organization. Good luck, detective.