          Investigate Login Anomalies


          It's often necessary to further investigate a login anomaly to determine if a login was unauthorized or to rule it out as benign.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.

          Available in: Enterprise, Unlimited, and Developer Editions

          Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

          When an unusual login is detected, you will get an email informing you of the suspicious activity. The email has buttons for you to indicate whether a login was legitimate or not. This feedback helps improve the detection model's accuracy. If a login isn't legitimate, you can initiate a reauthentication flow directly from the email.

          The reauthentication flow logs out the potentially malicious user and requires a password reset. All Salesforce customers get this threat mitigation. Event monitoring customers get granular visibility into these attacks. These customers can collect useful information about the attacks in real time and send notifications to other users in Salesforce. You can build Transaction Security Policies on top of these events in Event Monitoring for more custom actions. You can also trigger Platform flows on these events.

          Frequently Asked Questions (FAQ) for Investigations

          | Question | Answer |
          | --- | --- |
          | Why did this user receive an email about an anomalous login? | An anomalous, successful login activity was detected on the user's account, raising suspicion that their credentials might have been compromised. |
          | Why was this user sent an email asking for feedback on a login? | While the login was flagged as anomalous, user feedback is needed to confirm if it was malicious or a false positive. Malicious confirmations trigger a password reset, while false positives help refine the detection model. |
          | What steps should this user take in response to this notification? | The user should use the buttons in the email to confirm whether the login was legitimate. |
          | What happens if the user received a false positive email? | False positives are possible. User feedback helps improve the model's accuracy and reduce future false positives. |
          | What is the current time to respond to these incidents? | The notification email is typically sent within approximately one hour of the anomalous login. |
          | How can the user test if Anomalous Login response actions are executing? | Upon a detected anomalous login, the user will receive an email. If they indicate the activity is unrecognized, following the email instructions will log them out and prompt for re-authentication. |
           