shield-event-log-retention-strategy

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

Best use case

shield-event-log-retention-strategy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using shield-event-log-retention-strategy should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/shield-event-log-retention-strategy/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/shield-event-log-retention-strategy/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/shield-event-log-retention-strategy/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How shield-event-log-retention-strategy Compares

| Feature / Agent | shield-event-log-retention-strategy | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Shield Event Log Retention Strategy

Salesforce Shield Event Monitoring emits dozens of event types — login, API, report export, URI, lightning performance, Apex execution — and each has its own volume, value, and retention implication. The default Shield retention is short (typically 30 days for Event Monitoring log files); the default volume is high; the default search experience is slow. Teams that do not design a retention strategy end up either paying to keep everything forever, or losing audit evidence exactly when they need it.

A working strategy assigns each event type to a retention tier (hot for recent investigation, warm for routine audit, cold for regulatory retention), picks a routing target (Splunk, Sentinel, Datadog, native Big Objects), and writes a query runbook so auditors can answer "did X happen" without re-ingesting cold data.

---

## Before Starting

- List the Event Monitoring event types enabled in the org.
- Estimate daily volume per type (rows and bytes).
- List regulatory retention rules that apply (SOX, HIPAA, FedRAMP, industry-specific).
- Confirm SIEM target and its ingestion cost model.

## Core Concepts

### Event Value Tiers

| Tier | Examples | Retention |
|---|---|---|
| **High-value** | Login, LoginAs, APITotalUsage, ReportExport, RestApi | 1-7 years depending on regulation |
| **Medium-value** | ApexExecution, ApexCallout, VisualforceRequest | 90-365 days |
| **Low-value** | URI, LightningPageView | 30-90 days |
| **Very-low-value** | LightningInteraction, LightningPerformance | 7-30 days |

### Storage Tiers

1. **Hot** — queryable from your SIEM directly. Typical retention: 30-90 days. Cost dominates here.
2. **Warm** — archived to cheaper storage (S3, Azure Blob) with a re-hydration path. Typical retention: 1-2 years.
3. **Cold** — immutable object storage with legal-hold support. Typical retention: 5-7+ years.

### Routing Paths

| Path | When to use |
|---|---|
| Event Monitoring Analytics App | Built-in dashboards, short retention. |
| Pull via Event Log File API | Hourly batch pull into SIEM; standard path. |
| Push via Streaming | Real-time event bus subscription; higher cost. |
| Big Objects | In-platform archive for long-retention data. |

### The Query Runbook

A retention strategy is incomplete without a query runbook — documented steps to answer audit questions against each tier. Without it, cold storage is theoretically compliant and practically useless.

---

## Common Patterns

### Pattern 1: SIEM Hot + Object Storage Cold

Event Log Files pulled hourly into the SIEM for 60 days of hot retention; nightly export to S3 (or equivalent) for 7-year cold retention. Queries ≤ 60 days run in SIEM; older queries trigger an Athena (or equivalent) scan.

### Pattern 2: Split By Event Type

High-value events go to a long-retention SIEM index; low-value events go to a short-retention index or are discarded. Cuts SIEM cost dramatically.

### Pattern 3: Big Objects For Regulatory Audit

Use Salesforce Big Objects to archive high-value events in-platform. Auditors can query without leaving Salesforce; no SIEM round-trip.

### Pattern 4: Streaming For Real-Time Detection

Subscribe to the real-time event bus for Login, LoginAs, and any event that feeds fraud detection or anomaly alerting. The batch Event Log File (ELF) pull remains the archival source.

### Pattern 5: Sampling For Very-Low-Value Events

Keep a 10% sample of LightningInteraction for UX debugging; drop the rest. Useful when full retention would balloon ingest.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Regulated industry, long audit retention | SIEM hot + object storage cold | Cost-effective compliance |
| Real-time fraud / anomaly detection | Streaming + SIEM correlation | Detection lag matters |
| Cost-sensitive org | Split by event value + sample low-value | Largest SIEM savings |
| In-platform audit preferred | Big Objects for high-value events | Simpler auditor experience |
| Multi-region / sovereignty | Regional SIEM indices | Data residency |

## Review Checklist

- [ ] Each event type has a retention tier.
- [ ] SIEM ingestion cost is modeled and monitored.
- [ ] Cold tier is immutable / legal-hold ready.
- [ ] Query runbook exists and was tested against a real audit question.
- [ ] Regulatory rules are mapped to the retention policy.
- [ ] Sampling strategy (if any) is documented.

## Recommended Workflow

1. Enumerate event types and their volumes.
2. Classify each event by value tier.
3. Select retention per tier (aligned with regulation).
4. Design storage-tier architecture (hot / warm / cold).
5. Implement the hourly pull and archive pipeline.
6. Write the query runbook; test against a sample audit question.

---

## Salesforce-Specific Gotchas

1. Default Event Monitoring log-file retention is short; do not assume the platform keeps logs for audits.
2. Event Log File API emits hourly; gaps happen — monitor for missing intervals.
3. Big Objects have no standard SOQL reporting UI; auditors must be trained or tooling must be built.
4. Some event types are off by default; "Shield" doesn't mean "every event on."
5. Real-time event bus events have their own retention (shorter) — not a substitute for ELF.
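Gotcha 2 in practice: a small gap detector over an Event Log File listing, added here as an example and not part of the skill. The records are a constructed sample shaped like a SOQL result on `EventLogFile`; that `LogDate` carries the hour for `Interval = 'Hourly'` files is my assumption and should be checked against your org's data.

```python
# Added example, not part of the skill: flag missing hourly intervals in an
# EventLogFile listing (gotcha 2 above). The records are a constructed sample
# shaped like a SOQL result on EventLogFile; that LogDate carries the hour for
# Interval = 'Hourly' files is my assumption, check it against your org's data.
from datetime import datetime, timedelta, timezone

# Constructed sample for a four-hour window: Login is missing the 02:00 file.
SAMPLE_RECORDS = [
    {"EventType": "Login", "LogDate": "2024-05-01T00:00:00.000Z"},
    {"EventType": "Login", "LogDate": "2024-05-01T01:00:00.000Z"},
    {"EventType": "Login", "LogDate": "2024-05-01T03:00:00.000Z"},
    {"EventType": "ReportExport", "LogDate": "2024-05-01T00:00:00.000Z"},
    {"EventType": "ReportExport", "LogDate": "2024-05-01T01:00:00.000Z"},
    {"EventType": "ReportExport", "LogDate": "2024-05-01T02:00:00.000Z"},
    {"EventType": "ReportExport", "LogDate": "2024-05-01T03:00:00.000Z"},
]

def parse_logdate(value: str) -> datetime:
    """Parse the ISO-8601 timestamp Salesforce returns and truncate it to the hour."""
    ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0)

def find_gaps(records, window_start, window_end, continuous_types):
    """Return {event_type: [missing hours]} over [window_start, window_end).

    Pass only event types expected to have traffic every hour (Login in a 24x7
    org, for example): a file can be absent because the pull failed or because
    the hour simply had no events, so intermittent types would raise false alarms.
    """
    seen = {t: set() for t in continuous_types}
    for rec in records:
        if rec["EventType"] in seen:
            seen[rec["EventType"]].add(parse_logdate(rec["LogDate"]))
    hours, h = [], window_start
    while h < window_end:
        hours.append(h)
        h += timedelta(hours=1)
    gaps = {}
    for t in continuous_types:
        missing = [hr for hr in hours if hr not in seen[t]]
        if missing:
            gaps[t] = missing   # a type with no files at all is wholly missing
    return gaps
```

Run it from the scheduler that performs the hourly pull and alert on any non-empty result, so a silent pipeline failure is noticed before an audit needs the missing hour.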

## Proactive Triggers

- Retention < regulatory minimum → Flag Critical.
- No cold tier for high-value events → Flag High.
- SIEM ingest cost > 30% of security budget → Flag Medium. Consider splitting.
- No query runbook → Flag High.
- Event Monitoring enabled but no event types selected → Flag High.
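The Event Value Tiers table and the Proactive Triggers above, carried through as one small policy checker. This is an added example, not the skill's own code; the event list, budget figures and regulatory minimum are constructed sample inputs, and applying the regulatory minimum to high-value events only is my assumption.

```python
# Added example, not part of the skill: build a retention matrix from the Event
# Value Tiers table and run the Proactive Triggers against it. The event list,
# budget figures and regulatory minimum are constructed sample inputs.
from dataclasses import dataclass
# Value tier -> (floor, ceiling) in days, from the Event Value Tiers table.
TIER_RANGE = {"high": (365, 7 * 365), "medium": (90, 365),
              "low": (30, 90), "very-low": (7, 30)}
# Event type -> value tier, following the table's example rows.
EVENT_TIER = {
    "Login": "high", "LoginAs": "high", "APITotalUsage": "high",
    "ReportExport": "high", "RestApi": "high",
    "ApexExecution": "medium", "ApexCallout": "medium",
    "VisualforceRequest": "medium", "URI": "low", "LightningPageView": "low",
    "LightningInteraction": "very-low", "LightningPerformance": "very-low",
}

@dataclass
class Policy:
    event_type: str
    tier: str
    retention_days: int   # total retention across hot + warm + cold
    has_cold: bool        # an immutable cold copy is kept

def build_matrix(enabled, overrides=None, cold_types=()):
    """One Policy per enabled event type. Retention starts at the tier floor and
    `overrides` ({type: days}) raises it where regulation demands more."""
    overrides = overrides or {}
    matrix = []
    for ev in enabled:
        tier = EVENT_TIER.get(ev, "low")  # assumption: unclassified types are low-value
        matrix.append(Policy(ev, tier, overrides.get(ev, TIER_RANGE[tier][0]), ev in cold_types))
    return matrix

def evaluate(matrix, regulatory_min_days, siem_cost, security_budget, has_runbook):
    """Apply the Proactive Triggers; returns (severity, finding) tuples in order."""
    findings = []
    if not matrix:
        findings.append(("High", "Event Monitoring enabled but no event types selected"))
    for p in matrix:
        # Assumption: the regulatory minimum binds high-value (audit) events.
        if p.tier == "high" and p.retention_days < regulatory_min_days:
            findings.append(("Critical", f"{p.event_type}: {p.retention_days}d < regulatory minimum {regulatory_min_days}d"))
        if p.tier == "high" and not p.has_cold:
            findings.append(("High", f"{p.event_type}: no cold tier for high-value event"))
    if siem_cost > 0.30 * security_budget:
        findings.append(("Medium", "SIEM ingest cost > 30% of security budget; consider splitting"))
    if not has_runbook:
        findings.append(("High", "No query runbook"))
    return findings
```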

## Output Artifacts

| Artifact | Description |
|---|---|
| Retention matrix | Event type → tier → retention |
| Routing architecture | Pull/push, hot/warm/cold topology |
| Query runbook | Steps per common audit question |

## Related Skills

- `security/event-monitoring` — enabling Shield Event Monitoring.
- `security/salesforce-shield-deployment` — Shield deployment overall.
- `security/security-incident-response` — incident runbook.
- `data/big-objects-for-audit-archive` — Big Object archive patterns.
