Salesforce Login History: Spotting Compromised Accounts
As a senior Salesforce administrator, I've managed numerous orgs in $5B+ enterprises where security is paramount. One critical aspect of maintaining the integrity and security of these environments involves monitoring user login activities. The Salesforce Login History feature provides valuable insights into who's accessing your org and from where. By leveraging this data, you can quickly identify potential threats such as compromised accounts.
Introduction
Salesforce Login History captures a wealth of information about when and where users are logging in to your organization. This data is stored in the LoginHistory object within Salesforce, which can be queried using SOQL (Salesforce Object Query Language) to gain deeper insights into user activity. In this article, I'll walk you through how to use Login History to spot compromised accounts.
Understanding the Login History
The LoginHistory object contains several fields that provide crucial information:
- UserId: The ID of the user who logged in.
- Username: The username of the user.
- IpAddress: The IP address from which the login was made.
- Location: The location where the login occurred, based on geolocation data if available.
- IsSuccess: A boolean indicating whether the login was successful (True) or not (False).
- LoginType: Indicates how the user logged in, e.g., "Web", "Mobile", "API".
- SessionId: The ID of the session created during this login.
By examining these fields, you can identify suspicious activities that may indicate a compromised account.
Real SOQL Queries
Let's start by writing some SOQL queries to extract useful data from the LoginHistory object. These queries will help us filter out non-relevant activity and focus on potential security threats.
Query 1: Identify Failed Logins
Failed logins can be a sign of brute-force or password-guessing attempts. The following query finds every failed login attempt over a specific period, say the last 30 days. On the LoginHistory object the outcome is held in Status (the string 'Success' for a successful login, a failure reason such as 'Invalid Password' otherwise), the timestamp in LoginTime and the originating address in SourceIp:
SELECT UserId, SourceIp, CountryIso, LoginType, Application, Browser, Platform, Status, LoginTime
FROM LoginHistory
WHERE Status != 'Success' AND LoginTime = LAST_N_DAYS:30
ORDER BY LoginTime DESC
This query returns details about each failed login attempt, including the user ID, source IP address, country, login type, failure reason and the browser and platform used. To resolve the user IDs to usernames, query the User object with the returned IDs.
Query 2: Detect Suspicious Locations
Suspicious locations can indicate that a compromised account is being used from a different geographical area than usual. LoginHistory records the originating country in CountryIso (an ISO 3166 code) and links the resolved city and region through LoginGeoId, so you can filter logins to those outside the countries where your users normally work. The country list below is a placeholder; substitute your own:
SELECT UserId, SourceIp, CountryIso, LoginGeoId, LoginType, Status, LoginTime
FROM LoginHistory
WHERE CountryIso NOT IN ('US', 'GB') AND LoginTime = LAST_N_DAYS:30
ORDER BY LoginTime DESC
This query returns all login attempts, successful or not, from countries outside the list over the last 30 days.
Query 3: Identify Multiple Logins
Multiple logins within a short period can indicate that an account is being accessed simultaneously from different devices or locations. To detect such activities, list the past week's successful logins ordered by user, so that bursts of logins from several IP addresses or platforms for the same user stand out. Note that LoginType records the authentication channel (for example 'Application' for the web UI or 'SAML Sfdc Initiated SSO'), not whether the device is mobile; the device is in Platform and the client in Application:
SELECT UserId, SourceIp, CountryIso, LoginType, Application, Platform, LoginTime
FROM LoginHistory
WHERE Status = 'Success' AND LoginTime = LAST_N_DAYS:7
ORDER BY UserId, LoginTime DESC
This query returns the past week's successful logins grouped by user; a user whose rows alternate between distant IP addresses or countries within minutes is a candidate for investigation.
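The three queries above each produce a list of rows that still has to be read by a person. The script below is an added example, not code from the article or from Salesforce, showing how the same three checks (failed-login bursts per source IP, logins from outside an allow-list of countries, and one user logging in from two IP addresses within a short window) can be run as detection logic over the rows the REST query endpoint returns. The sample records are constructed here so the script runs offline; the thresholds, the allowed-country set, the user IDs and the RFC 5737 test addresses are assumptions to replace with your own values, and fetch_login_history is a hypothetical helper that is not called offline.

```python
"""Detection checks over Salesforce LoginHistory rows (added example, not the article's code)."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5               # assumption: tune for your org
ALLOWED_COUNTRIES = {"US", "GB"}         # assumption: where your users normally work
MULTI_IP_WINDOW = timedelta(minutes=30)  # assumption: two IPs inside this window is suspicious


def fetch_login_history(instance_url, access_token, soql, api_version="v59.0"):
    """Run a SOQL query through the REST API and return its records.

    Hypothetical helper for live use; the offline checks below use SAMPLE_RECORDS instead.
    Large result sets are paged via "nextRecordsUrl", which this helper does not follow.
    """
    url = f"{instance_url}/services/data/{api_version}/query?q={urllib.parse.quote(soql)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["records"]


def parse_time(value):
    """LoginTime arrives as e.g. 2024-05-01T08:00:00.000+0000 in the REST response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def _rec(user_id, ip, country, status, login_time):
    # Shape of one row in the REST query response (the "attributes" key is omitted).
    return {"UserId": user_id, "SourceIp": ip, "CountryIso": country,
            "Status": status, "LoginTime": login_time}


# Constructed sample: six failures from one address, one stray failure, then three successes,
# two of them for the same user from different addresses ten minutes apart.
SAMPLE_RECORDS = [
    *[_rec("005-user-a", "203.0.113.5", "US", "Invalid Password",
           f"2024-05-01T08:0{i}:00.000+0000") for i in range(6)],
    _rec("005-user-c", "192.0.2.10", "US", "Invalid Password", "2024-05-01T08:30:00.000+0000"),
    _rec("005-user-b", "198.51.100.7", "DE", "Success", "2024-05-01T09:00:00.000+0000"),
    _rec("005-user-b", "192.0.2.10", "US", "Success", "2024-05-01T09:10:00.000+0000"),
    _rec("005-user-c", "192.0.2.10", "US", "Success", "2024-05-01T10:00:00.000+0000"),
]


def brute_force_sources(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Query 1 check: source IPs whose failed-login count reaches the threshold."""
    failures = defaultdict(int)
    for r in records:
        if r["Status"] != "Success":
            failures[r["SourceIp"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def foreign_logins(records, allowed=ALLOWED_COUNTRIES):
    """Query 2 check: (UserId, SourceIp, CountryIso) for attempts outside the allowed countries."""
    return [(r["UserId"], r["SourceIp"], r["CountryIso"])
            for r in records if r["CountryIso"] not in allowed]


def multi_source_users(records, window=MULTI_IP_WINDOW):
    """Query 3 check: users with two successful logins from different IPs inside the window.

    Returns {UserId: (earlier_ip, later_ip, gap)} for the first such pair per user.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["Status"] == "Success":
            by_user[r["UserId"]].append((parse_time(r["LoginTime"]), r["SourceIp"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so consecutive pairs are the closest in time
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged[user] = (ip1, ip2, t2 - t1)
                break
    return flagged


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_RECORDS))
    print("logins outside allow-list:", foreign_logins(SAMPLE_RECORDS))
    print("users on two IPs within window:", multi_source_users(SAMPLE_RECORDS))
```

For live use, pass each of the SOQL queries above to fetch_login_history and feed the returned records to the matching check; the failed-login count is keyed by SourceIp rather than UserId because a password-spraying source touches many accounts a few times each, and a per-user threshold would miss it.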
Configuring Alerts and Notifications
While SOQL queries provide valuable insights, setting up automated alerts can help you respond to suspicious activities more quickly. You can configure email notifications based on specific conditions in Salesforce Setup:
- Navigate to Setup > Platform Events.
- Click Create Platform Event and name it something like LoginAlert__e.
- Define the fields for this event, such as UserId, Username, IpAddress, Location, etc.
- Go back to Setup > Process Builder.
- Create a new process that triggers when a record is created in your LoginHistory object.
- In the process, add an action to send an email notification with details about the suspicious login.
By setting up these alerts, you can ensure that your team is immediately notified of any potential security issues.
Best Practices
- Regularly Review Login Histories: Schedule regular reviews of LoginHistory data to identify and address any anomalies.
- Implement Strong Authentication: Use MFA (Multi-Factor Authentication) for all users to add an extra layer of security.
- Monitor Third-Party Apps: Keep a close eye on which third-party apps have access to your org and monitor their activities through Salesforce's AppExchange.
- Educate Users: Train employees about the importance of strong passwords, recognizing phishing attempts, and reporting suspicious activity.
Conclusion
Monitoring user login histories is an essential part of maintaining the security of your Salesforce organization. By leveraging SOQL queries and setting up automated alerts, you can quickly spot potential threats like compromised accounts. Implementing best practices such as regular reviews, strong authentication, and user education will further enhance your organization's security posture.
Try the Free Scanner
To make this process even easier, try out our free scanner at https://orgscanner.dev/?utm_source=devto&utm_medium=content&utm_campaign=content_poster. This tool can help you automate the detection of suspicious activities and streamline your security management.
Stay vigilant, stay secure!