shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).
Best use case
shield-event-log-retention-strategy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using shield-event-log-retention-strategy should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/shield-event-log-retention-strategy/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Shield Event Log Retention Strategy

Salesforce Shield Event Monitoring emits dozens of event types — login, API, report export, URI, lightning performance, Apex execution — and each has its own volume, value, and retention implication. The default Shield retention is short (typically 30 days for Event Monitoring log files); the default volume is high; the default search experience is slow. Teams that do not design a retention strategy end up either paying to keep everything forever, or losing audit evidence exactly when they need it.

A working strategy assigns each event type to a retention tier (hot for recent investigation, warm for routine audit, cold for regulatory retention), picks a routing target (Splunk, Sentinel, Datadog, native Big Objects), and writes a query runbook so auditors can answer "did X happen" without re-ingesting cold data.

---

## Before Starting

- List the Event Monitoring event types enabled in the org.
- Estimate daily volume per type (rows and bytes).
- List regulatory retention rules that apply (SOX, HIPAA, FedRAMP, industry-specific).
- Confirm SIEM target and its ingestion cost model.

## Core Concepts

### Event Value Tiers

| Tier | Examples | Retention |
|---|---|---|
| **High-value** | Login, LoginAs, APITotalUsage, ReportExport, RestApi | 1-7 years depending on regulation |
| **Medium-value** | ApexExecution, ApexCallout, VisualforceRequest | 90-365 days |
| **Low-value** | URI, LightningPageView | 30-90 days |
| **Very-low-value** | LightningInteraction, LightningPerformance | 7-30 days |

### Storage Tiers

1. **Hot** — queryable from your SIEM directly. Typical retention: 30-90 days. Cost dominates here.
2. **Warm** — archived to cheaper storage (S3, Azure Blob) with a re-hydration path. Typical retention: 1-2 years.
3. **Cold** — immutable object storage with legal-hold support. Typical retention: 5-7+ years.

### Routing Paths

| Path | When to use |
|---|---|
| Event Monitoring Analytics App | Built-in dashboards, short retention. |
| Pull via Event Log File API | Hourly batch pull into SIEM; standard path. |
| Push via Streaming | Real-time event bus subscription; higher cost. |
| Big Objects | In-platform archive for long-retention data. |

### The Query Runbook

A retention strategy is incomplete without a query runbook — documented steps to answer audit questions against each tier. Without it, cold storage is theoretically compliant and practically useless.

---

## Common Patterns

### Pattern 1: SIEM Hot + Object Storage Cold

Event Log Files pulled hourly into the SIEM for 60 days of hot retention; nightly export to S3 (or equivalent) for 7-year cold retention. Queries ≤ 60 days run in SIEM; older queries trigger an Athena (or equivalent) scan.

### Pattern 2: Split By Event Type

High-value events go to a long-retention SIEM index; low-value events go to a short-retention index or are discarded. Cuts SIEM cost dramatically.

### Pattern 3: Big Objects For Regulatory Audit

Use Salesforce Big Objects to archive high-value events in-platform. Auditors can query without leaving Salesforce; no SIEM round-trip.

### Pattern 4: Streaming For Real-Time Detection

Subscribe to the real-time event bus for Login, LoginAs, and any event that feeds fraud detection or anomaly alerting. Batch ELF stays as the archival source.

### Pattern 5: Sampling For Very-Low-Value Events

Keep a 10% sample of LightningInteraction for UX debugging; drop the rest. Useful when full retention would balloon ingest.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Regulated industry, long audit retention | SIEM hot + object storage cold | Cost-effective compliance |
| Real-time fraud / anomaly detection | Streaming + SIEM correlation | Detection lag matters |
| Cost-sensitive org | Split by event value + sample low-value | Largest SIEM savings |
| In-platform audit preferred | Big Objects for high-value events | Simpler auditor experience |
| Multi-region / sovereignty | Regional SIEM indices | Data residency |

## Review Checklist

- [ ] Each event type has a retention tier.
- [ ] SIEM ingestion cost is modeled and monitored.
- [ ] Cold tier is immutable / legal-hold ready.
- [ ] Query runbook exists and was tested against a real audit question.
- [ ] Regulatory rules are mapped to the retention policy.
- [ ] Sampling strategy (if any) is documented.

## Recommended Workflow

1. Enumerate event types and their volumes.
2. Classify each event by value tier.
3. Select retention per tier (aligned with regulation).
4. Design storage-tier architecture (hot / warm / cold).
5. Implement the hourly pull and archive pipeline.
6. Write the query runbook; test against a sample audit question.

---

## Salesforce-Specific Gotchas

1. Default Event Monitoring log-file retention is short; do not assume the platform keeps logs for audits.
2. Event Log File API emits hourly; gaps happen — monitor for missing intervals.
3. Big Objects have no standard SOQL reporting UI; auditors must be trained or tooling built.
4. Some event types are off by default; "Shield" doesn't mean "every event on."
5. Real-time event bus events have their own retention (shorter) — not a substitute for ELF.

## Proactive Triggers

- Retention < regulatory minimum → Flag Critical.
- No cold tier for high-value events → Flag High.
- SIEM ingest cost > 30% of security budget → Flag Medium. Consider splitting.
- No query runbook → Flag High.
- Event Monitoring enabled but no event types selected → Flag High.

## Output Artifacts

| Artifact | Description |
|---|---|
| Retention matrix | Event type → tier → retention |
| Routing architecture | Pull/push, hot/warm/cold topology |
| Query runbook | Steps per common audit question |

## Related Skills

- `security/event-monitoring` — enabling Shield Event Monitoring.
- `security/salesforce-shield-deployment` — Shield deployment overall.
- `security/security-incident-response` — incident runbook.
- `data/big-objects-for-audit-archive` — Big Object archive patterns.
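Gotcha 2 in the SKILL.md says hourly Event Log Files go missing and the pull pipeline must monitor for that. The following is an added example, not part of the skill or of Salesforce's own tooling: a Python check that takes the EventLogFile metadata a pull job has recorded (the real `EventType`, `LogDate`, `Interval` fields) and reports which hours are missing per expected event type, so the hours can be re-pulled before the short default retention expires. The sample records and the names `PULLED_FILES`, `find_hourly_gaps` and `gap_report` are constructed for this example; the expected-type list follows the high-value tier table.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of EventLogFile metadata as an hourly pull job would record it.
# Field names mirror the EventLogFile object; values are made up for this example.
PULLED_FILES = [
    {"EventType": "Login",   "LogDate": "2024-03-01T00:00:00.000+0000", "Interval": "Hourly"},
    {"EventType": "Login",   "LogDate": "2024-03-01T01:00:00.000+0000", "Interval": "Hourly"},
    # the 02:00 Login file was never pulled
    {"EventType": "Login",   "LogDate": "2024-03-01T03:00:00.000+0000", "Interval": "Hourly"},
    {"EventType": "RestApi", "LogDate": "2024-03-01T00:00:00.000+0000", "Interval": "Hourly"},
    {"EventType": "RestApi", "LogDate": "2024-03-01T01:00:00.000+0000", "Interval": "Hourly"},
    {"EventType": "RestApi", "LogDate": "2024-03-01T02:00:00.000+0000", "Interval": "Hourly"},
    {"EventType": "RestApi", "LogDate": "2024-03-01T03:00:00.000+0000", "Interval": "Hourly"},
    # daily files are a separate series and must not mask an hourly gap
    {"EventType": "Login",   "LogDate": "2024-03-01T00:00:00.000+0000", "Interval": "Daily"},
]

# High-value types from the tier table; a missing hour here is audit evidence lost.
HIGH_VALUE_TYPES = ["Login", "LoginAs", "APITotalUsage", "ReportExport", "RestApi"]


def parse_logdate(s):
    """Parse the Salesforce LogDate format (e.g. 2024-03-01T02:00:00.000+0000) to UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def find_hourly_gaps(files, expected_types, window_start, window_end):
    """Return {event_type: [missing hours as 'YYYY-MM-DDTHH:00Z']} for every expected
    type that lacks at least one hourly file in [window_start, window_end)."""
    seen = {t: set() for t in expected_types}
    for f in files:
        if f["Interval"] == "Hourly" and f["EventType"] in seen:
            seen[f["EventType"]].add(parse_logdate(f["LogDate"]))
    gaps = {}
    hour, end = parse_logdate(window_start), parse_logdate(window_end)
    while hour < end:
        for t in expected_types:
            if hour not in seen[t]:
                gaps.setdefault(t, []).append(hour.strftime("%Y-%m-%dT%H:00Z"))
        hour += timedelta(hours=1)
    return gaps


def gap_report(gaps, window_hours):
    """Separate types with no files at all (pull job or event type likely not enabled,
    see gotcha 4) from isolated missing hours (re-pull those hours). A type with
    genuinely zero events in an hour can also have no file, so verify before alarming."""
    return {t: ("missing_all" if len(h) == window_hours else "partial")
            for t, h in gaps.items()}


if __name__ == "__main__":
    g = find_hourly_gaps(PULLED_FILES, HIGH_VALUE_TYPES,
                         "2024-03-01T00:00:00.000+0000", "2024-03-01T04:00:00.000+0000")
    print(gap_report(g, 4))
```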
Related Skills
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
salesforce-shield-deployment
Roll out Shield (Platform Encryption + Event Monitoring + Field Audit Trail) end-to-end, sequencing feature enablement to avoid data lockout. NOT for Classic Encryption or general PE design.
recaptcha-and-bot-prevention
Use when configuring reCAPTCHA on Web-to-Case, Web-to-Lead, Experience Cloud forms, or Headless Identity flows, or when designing bot-mitigation strategies for Salesforce public-facing surfaces. Triggers: 'enable reCAPTCHA on Web-to-Case', 'bot spam submissions on my Experience Site', 'Headless Identity reCAPTCHA v3 setup'. NOT for AppExchange security review (use secure-coding-review-checklist), NOT for session-level login security policies (use session-management-and-timeout), NOT for IP-range-based access controls (use network-security-and-trusted-ips).
oauth-redirect-and-domain-strategy
Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.
mfa-enforcement-strategy
Plan and operate Salesforce org-wide multi-factor authentication (MFA) enforcement: verification methods, phased rollout, SSO and API-only considerations, exemptions, and operational readiness. NOT for designing Login Flow post-authentication logic, IP allowlists, or conditional step-up policies—use ip-range-and-login-flow-strategy, network-security-and-trusted-ips, or transaction-security-policies instead.
ip-range-and-login-flow-strategy
Design and implement Salesforce Login Flows (Screen Flows assigned to profiles or Experience Cloud sites) that run post-authentication to enforce conditional MFA, IP-based branching, terms-of-service acceptance, or user data collection. Covers Login Flow creation in Flow Builder, profile/site assignment, IP-aware decision logic, and ConnectedAppPlugin extension points. NOT for static IP allowlisting or profile Login IP Ranges (see network-security-and-trusted-ips), org-wide session policies, or SSO/SAML IdP configuration.
event-monitoring
Shield Event Monitoring: event log types, downloading logs via REST API and SOQL, real-time event monitoring with streaming API, and threat detection policies. NOT for debug logs (use debug-logs-and-developer-console). NOT for custom platform event publishing/subscribing (use platform-events-apex).
lwc-server-sent-events
Use when building LWCs that must react to live server pushes — Platform Events, Change Data Capture, or streaming updates — via the lightning/empApi (CometD) subscription model. Covers lifecycle, replayId, error handling, reconnection, scale considerations, and multi-tab behavior. Does NOT cover publishing events (see platform-events or apex-platform-events).
lwc-custom-event-patterns
When and how to design CustomEvent traffic out of an LWC — bubbles / composed / cancelable flag choices, detail payload shape, naming rules, and propagation control. Trigger keywords: 'event not reaching parent', 'composed shadow DOM', 'CustomEvent detail mutation', 'stopPropagation vs stopImmediatePropagation'. NOT for parent-to-child communication (use `@api` — see `lwc/component-communication`), NOT for sibling fan-out (use Lightning Message Service — see `lwc/lightning-message-service`), NOT for wire-service data plumbing.
platform-events-integration
Use when publishing Platform Events from external systems via REST API, subscribing to Platform Events from outside Salesforce via CometD or Pub/Sub API, designing replay ID strategy for durable external consumers, or handling high-volume event delivery guarantees. Trigger keywords: 'external publish platform event', 'CometD subscribe', 'Pub/Sub API', 'replay ID external', 'durable subscription', 'RetainUntilDate'. NOT for Apex-only event publishing or triggering (use platform-events-apex). NOT for Change Data Capture external subscription (use change-data-capture-integration).
platform-event-schema-evolution
Use when modifying the schema of a Platform Event that already has live publishers and subscribers — adding fields, deprecating fields, or splitting events. Triggers: 'add field to platform event without breaking subscribers', 'platform event versioning', 'evolve event schema safely', 'rename a field on a published event'. NOT for initial event design (use integration/platform-events-integration) or for Change Data Capture event schemas.