By Tasneem Zaveri, Senior Principal Solution Engineer at Odaseva and Doug Merrett, Founder and Principal Consultant at Platinum7

October marks Cyber Security Awareness Month in Australia — a reminder to take action today to protect our networks and digital infrastructure for the future. 

The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) is leading this effort, providing best-practice guidance across all environments, from traditional systems to modern cloud services. And the focus on cloud has never been more timely: Australia’s cloud adoption is accelerating rapidly, with the market expected to reach AUD 55.33 billion by 2034, growing at a compound annual rate of 11.84%*.

One of the month’s weekly themes is event monitoring — a critical aspect of understanding and protecting your digital environment. For customers using SaaS solutions like Salesforce, event monitoring provides visibility into who is accessing your data, what actions are being performed, and where potential risks might lie.

* Source: Expert Market Research, Australia Cloud Computing Market, 2025

Who Should Read This

This blog post applies to anyone securing Salesforce and cloud environments — from admins configuring event monitoring, to IT and security teams managing log storage, to compliance officers maintaining audit trails, and leadership ensuring alignment with the shared responsibility model.

ACSC’s Logging Best Practices

The ACSC points to four core principles for effective event logging:

  • Enterprise-approved event logging policy
  • Centralised log access and correlation
  • Secure storage and event log integrity
  • Detection strategies for relevant threats

These guidelines apply equally to SaaS environments like Salesforce. In cloud systems, logging falls under the shared responsibility model: while the provider captures system-level activity, customers are accountable for monitoring user access, administrative actions, and authentication events relevant to their own data security.

Salesforce Event Monitoring in Practice

By default, Salesforce provides event logs for a small set of activities such as Login, Logout, and API Total Usage. For deeper visibility into user actions and system activity, organisations can extend their monitoring with Salesforce Event Monitoring. This powerful add-on offers detailed logs across more than 70 event types, including nearly 20 real-time events and around 60 event log objects, capturing user behaviour, performance metrics, and potential security risks. These logs can be viewed through analytics dashboards such as CRM Analytics or integrated with external observability tools in near real time, with retention periods ranging from 30 days to six months — extendable to one year. Salesforce has also introduced Event Log Objects for Hyperforce customers, which allow direct SOQL access, and access via CRM Analytics, to many of the same events previously available only through the EventLogFile object, with data retained for 30 days.

To complement Event Monitoring, Salesforce also offers Field Audit Trail, which preserves a long-term, immutable history of field-level changes. While Event Monitoring captures who did what and when, Field Audit Trail shows how data itself changed — together providing a comprehensive view of both user activity and data integrity for compliance and forensic analysis.

However, capturing logs alone isn’t enough — organisations also need to ensure those logs are securely stored, correlated, and actionable. Key considerations include:

  • Retention – incidents may take 12–18 months to surface, while Salesforce logs often expire much earlier.
  • Context – certain Salesforce objects, like User records, Share tables, and History objects, evolve over time and are critical for interpreting event data accurately.
  • Integrity & Storage – ACSC highlights that logs should be stored in separate, secured environments, with redundancy and backups in place to prevent tampering.

The Retention Gap – Bridging the Window Between Incident and Detection

Cybersecurity incidents aren’t always detected immediately, and attackers often remain undetected for long periods. The ACSC highlights that:

  • It can take 12–18 months to uncover certain breaches.
  • Malware or advanced threats may persist undetected on a network for 70–200 days before causing visible harm.

This creates a critical challenge for Salesforce administrators. Out-of-the-box event logs typically expire within 30–180 days, depending on the log type, and only some log types can have their retention extended to up to one year. If logs are not retained long enough, organisations risk losing key evidence needed for investigations, incident response, or regulatory audits.

The retention gap is more than a technical inconvenience — it can hinder your ability to:

  • Reconstruct incidents accurately
  • Understand how and when a breach occurred
  • Demonstrate compliance with internal policies and external regulations

To address this, organisations need strategies to extend retention, export logs securely, and ensure historical data remains accessible well beyond Salesforce’s default periods. Doing so bridges the gap between incident occurrence and detection, providing the visibility required for effective cybersecurity management.

The Context – Reconstructing Events with Accuracy

Logs capture what happened, but without context, they tell only part of the story. In Salesforce, key objects like User records, Share tables, and History objects provide that essential context. Capturing snapshots alongside your logs makes it possible to reconstruct security events accurately.

Example: Internal Data Exfiltration
On March 1st, a user with System Administrator privileges via a temporary Share rule exported 50,000 sensitive records. On March 2nd, the user was demoted, and their temporary access was removed. If you were to rely solely on logs captured on or after March 2nd, the user would appear as a standard user with no special access, and the Share rule granting the temporary permissions would no longer exist.

Snapshots solve this problem by preserving the state of key objects at the time of the event:

  • User records: By comparing snapshots from March 1st, you can verify that the user had System Administrator privileges at the time of the export. Without the snapshot, looking at the logs after March 2nd would misleadingly show them as a standard user.
  • Share objects: Snapshots show the user’s access through the temporary Share Group on February 25th and March 1st. Without the snapshot, the temporary access removed on March 2nd would be invisible, obscuring the true vector of the breach.
  • History objects: When history tables are used without Field Audit Trail, snapshots become even more critical. Even if logs were deleted or purged on March 2nd, snapshots from March 1st or earlier capture changes to records, preserving a complete audit trail and enabling accurate reconstruction of the event.

By capturing snapshots alongside event logs, organisations maintain a full historical record, ensuring they can accurately determine what happened, who was involved, and what access existed at the time of the incident.
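The reconstruction described above, as an added example that is not part of the original post: given a constructed ReportExport event row and constructed User and Share snapshots (the Ids are placeholders, and the dates follow the scenario above), it selects the latest snapshot taken on or before the event date and contrasts the actor's access at that time with what the current state shows.

```python
from datetime import date

# Constructed sample data modelled on the scenario above. The Id is a
# placeholder, not a real Salesforce record Id.
ADMIN_ID = "005PLACEHOLDER0001"

# Snapshot date -> User rows captured that day (only the fields needed here).
USER_SNAPSHOTS = {
    date(2025, 2, 25): [{"Id": ADMIN_ID, "Profile": "System Administrator"}],
    date(2025, 3, 1): [{"Id": ADMIN_ID, "Profile": "System Administrator"}],
    date(2025, 3, 3): [{"Id": ADMIN_ID, "Profile": "Standard User"}],  # demoted 2 March
}
# Snapshot date -> share rows on the sensitive object captured that day.
SHARE_SNAPSHOTS = {
    date(2025, 2, 25): [{"UserOrGroupId": ADMIN_ID, "AccessLevel": "All", "RowCause": "Manual"}],
    date(2025, 3, 1): [{"UserOrGroupId": ADMIN_ID, "AccessLevel": "All", "RowCause": "Manual"}],
    date(2025, 3, 3): [],  # temporary share removed on 2 March
}
# One constructed event log row. EVENT_TYPE, TIMESTAMP_DERIVED and USER_ID are
# columns common to EventLogFile rows; the values are invented for this example.
EXPORT_EVENT = {
    "EVENT_TYPE": "ReportExport",
    "TIMESTAMP_DERIVED": "2025-03-01T10:15:00.000Z",
    "USER_ID": ADMIN_ID,
}

def snapshot_on_or_before(snapshots, when):
    """Return the most recent snapshot taken on or before `when`, or None."""
    dates = [d for d in snapshots if d <= when]
    return snapshots[max(dates)] if dates else None

def access_as_of(user_id, when, user_snaps, share_snaps):
    """Profile and share grants held by `user_id` as of the date `when`."""
    users = snapshot_on_or_before(user_snaps, when) or []
    shares = snapshot_on_or_before(share_snaps, when) or []
    profile = next((u["Profile"] for u in users if u["Id"] == user_id), None)
    grants = [s for s in shares if s["UserOrGroupId"] == user_id]
    return {"profile": profile, "grants": grants}

def investigate(event, user_snaps, share_snaps):
    """Contrast the actor's access at event time with the current (latest) state."""
    when = date.fromisoformat(event["TIMESTAMP_DERIVED"][:10])
    return {
        "at_event": access_as_of(event["USER_ID"], when, user_snaps, share_snaps),
        "today": access_as_of(event["USER_ID"], date.max, user_snaps, share_snaps),
    }
```

An event dated before the earliest retained snapshot comes back with no profile and no grants, which is exactly the evidence gap the retention discussion above warns about.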

Secure Storage – Safeguarding Logs for Security and Compliance

The ACSC explicitly calls out the need to protect event logs because they may contain sensitive information and are also frequently targeted by malicious actors, who may modify or delete them to avoid detection and hinder cybersecurity incident response.

According to ACSC guidance, organisations should:

  • Restrict access so that only personnel with a justified need can view, modify, or delete logs, and monitor audit logs for access to the centralised logging environment.
  • Store logs in a segmented or separate network with additional security controls to reduce the risk of tampering in the event of a system or network compromise.
  • Implement redundancy and backup practices to ensure logs are recoverable even if one source is lost, corrupted, or compromised.

For Salesforce customers, this typically means exporting event logs to a dedicated security or backup platform, enabling organisations to:

  • Retain logs for multiple years, beyond Salesforce’s native retention limits
  • Meet compliance obligations and regulatory requirements
  • Correlate Salesforce activity with other enterprise logs for holistic threat detection
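One way to implement the export-and-retain step described in the retention section together with the integrity check the ACSC guidance calls for above (an added example, not Odaseva's or Salesforce's own code): it queries EventLogFile over the Salesforce REST API, hands each log file to an injected `store` callable for the separate archive, and records a SHA-256 manifest that `verify_archive` later recomputes to flag missing or altered files. The API version, the instance URL, the bearer token and the `fetch`, `store` and `load` callables are assumptions of this example.

```python
import hashlib
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

API_VERSION = "v60.0"  # assumption: any recent Salesforce REST API version works

def soql_event_log_files(since_iso, until_iso):
    """SOQL for EventLogFile records whose LogDate lies in [since, until)."""
    return ("SELECT Id, EventType, LogDate, LogFile FROM EventLogFile "
            f"WHERE LogDate >= {since_iso} AND LogDate < {until_iso} ORDER BY LogDate")

def http_get(url, token):
    """Authenticated GET against the org; returns the raw response bytes."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=60) as resp:
        return resp.read()

def archive_event_logs(instance_url, since_iso, until_iso, fetch, store):
    """Download every EventLogFile in the window, hand the bytes to store(id, data)
    and return a manifest {Id: metadata + sha256}. fetch(url) -> bytes is injected
    (use lambda u: http_get(u, token) in production) so this also runs offline."""
    url = f"{instance_url}/services/data/{API_VERSION}/query?q=" + quote(
        soql_event_log_files(since_iso, until_iso))
    manifest = {}
    while True:
        page = json.loads(fetch(url))
        for rec in page["records"]:
            data = fetch(instance_url + rec["LogFile"])  # LogFile is a relative URL
            store(rec["Id"], data)
            manifest[rec["Id"]] = {
                "EventType": rec["EventType"],
                "LogDate": rec["LogDate"],
                "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
        if page.get("done", True):
            return manifest
        url = instance_url + page["nextRecordsUrl"]  # query results come back paged

def verify_archive(manifest, load):
    """Recompute each hash from load(id) -> bytes; return Ids that are missing or altered."""
    bad = []
    for rec_id, meta in manifest.items():
        data = load(rec_id)
        if data is None or hashlib.sha256(data).hexdigest() != meta["sha256"]:
            bad.append(rec_id)
    return bad
```

Keep the manifest itself in the segregated store with the same access restrictions as the log files, since a manifest an attacker can rewrite detects nothing.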

By implementing these practices, organisations transform Salesforce data from a passive record into a strategic asset. Prioritising retention, context, and security provides better visibility, faster incident response, and stronger compliance — positioning organisations as leaders in cloud security and data management, and ensuring that event logs remain a reliable, tamper-proof source of intelligence — not just a temporary record that disappears when it’s needed most.

How Odaseva Can Help

Odaseva extends Salesforce’s native logging capabilities by providing secure, compliant, and long-term storage of event data — including standard objects, Big Objects, and files. The Odaseva Enterprise Data Platform supports granular retention policies, immutable backups, and contextual snapshots of key objects to help organisations reconstruct incidents with accuracy and maintain audit-ready data.

For regulated entities, Odaseva’s approach aligns with Australian and international frameworks such as CPS 234, the Security of Critical Infrastructure (SOCI) Act, ISO 27001, and the ACSC’s event logging principles — helping organisations demonstrate control effectiveness, meet audit requirements, and strengthen operational resilience across their Salesforce environments.

Get a demo today.