login-forensics

Investigate Salesforce login activity using LoginHistory, IdentityVerificationHistory, and Login Forensics (Event Monitoring add-on): reconstruct per-user login timelines, identify failed logins, analyze source IPs, review identity verification events, and configure Login Flows for step-up authentication. NOT for MFA setup (use org-setup-and-configuration). NOT for downloading EventLogFile CSVs or configuring real-time threat detection (use event-monitoring).

Best use case

login-forensics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Investigate Salesforce login activity using LoginHistory, IdentityVerificationHistory, and Login Forensics (Event Monitoring add-on): reconstruct per-user login timelines, identify failed logins, analyze source IPs, review identity verification events, and configure Login Flows for step-up authentication. NOT for MFA setup (use org-setup-and-configuration). NOT for downloading EventLogFile CSVs or configuring real-time threat detection (use event-monitoring).

Teams using login-forensics should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/login-forensics/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/login-forensics/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/login-forensics/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How login-forensics Compares

Feature / Agentlogin-forensicsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Investigate Salesforce login activity using LoginHistory, IdentityVerificationHistory, and Login Forensics (Event Monitoring add-on): reconstruct per-user login timelines, identify failed logins, analyze source IPs, review identity verification events, and configure Login Flows for step-up authentication. NOT for MFA setup (use org-setup-and-configuration). NOT for downloading EventLogFile CSVs or configuring real-time threat detection (use event-monitoring).

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Login Forensics

This skill activates when a practitioner needs to investigate individual or bulk user login activity in a Salesforce org — reconstructing timelines, identifying failed or anomalous logins, analyzing source IPs, reviewing identity verification outcomes, and tracing session origins. It covers the `LoginHistory` sObject (free, 6-month retention), the Login Forensics feature in the Event Monitoring add-on (extended session metadata), `IdentityVerificationHistory`, and Login Flows. It does not cover MFA configuration (use org-setup-and-configuration), EventLogFile bulk log download (use event-monitoring), or real-time threat detection (use event-monitoring).

---

## Before Starting

Gather this context before working on anything in this domain:

- **LoginHistory retention**: The `LoginHistory` standard object retains records for up to 6 months. Records older than 6 months are automatically purged. If the investigation window exceeds 6 months, no recovery path exists unless the org exports to a SIEM.
- **Login Forensics vs. LoginHistory**: "Login Forensics" (capital F) refers specifically to a feature in the Event Monitoring add-on that provides enriched per-session data beyond what `LoginHistory` contains — including session duration, pages accessed, and correlated API calls. Free orgs only have `LoginHistory`. Confirm which the requester has.
- **Permission required**: SOQL on `LoginHistory` requires the "View Login Forensics" permission (Salesforce Shield / Event Monitoring add-on) OR System Administrator profile. Standard users cannot query other users' `LoginHistory` records.
- **LoginHistory is read-only**: You cannot insert, update, or delete `LoginHistory` records. Attempts will throw a `System.DmlException`.
- **Limits**: SOQL against `LoginHistory` supports a maximum of 30,000 rows per query. For high-volume orgs, always filter by `LoginTime` and `UserId` to avoid governor limit failures.

---

## Core Concepts

### Mode 1 — LoginHistory SOQL (Free, All Orgs)

The `LoginHistory` sObject is available in every Salesforce org at no extra cost and stores up to 6 months of login records. Key fields:

| Field | Type | Notes |
|---|---|---|
| `UserId` | ID | The user who attempted the login |
| `LoginTime` | DateTime | UTC timestamp of the login attempt |
| `LoginType` | String | e.g., `Application`, `SAML Federated SSO`, `Remote Access 2.0` |
| `LoginUrl` | String | The login endpoint used (e.g., `login.salesforce.com`, custom domain) |
| `SourceIp` | String | IPv4 or IPv6 source address |
| `Status` | String | `Success`, `Failed`, `Invalid Password`, `No Salesforce.com Access`, etc. |
| `Browser` | String | User-Agent browser string |
| `Platform` | String | Operating system reported by the client |
| `AuthenticationServiceId` | ID | Identity provider for SSO logins |

Query pattern for failed logins over a period:

```soql
SELECT UserId, LoginTime, LoginType, SourceIp, Status, Browser, Platform
FROM LoginHistory
WHERE LoginTime >= 2025-01-01T00:00:00Z
  AND LoginTime <= 2025-03-31T23:59:59Z
  AND Status != 'Success'
ORDER BY LoginTime DESC
LIMIT 1000
```

Query pattern for a specific user's full login timeline:

```soql
SELECT LoginTime, LoginType, SourceIp, Status, Browser, Platform
FROM LoginHistory
WHERE UserId = '005XXXXXXXXXXXXXXX'
ORDER BY LoginTime DESC
LIMIT 500
```

IP-based breadth query — find all users who logged in from a suspicious IP block:

```soql
SELECT UserId, LoginTime, SourceIp, Status
FROM LoginHistory
WHERE SourceIp LIKE '203.0.113.%'
  AND LoginTime >= LAST_N_DAYS:30
ORDER BY LoginTime DESC
```

### Mode 2 — Login Forensics Feature (Event Monitoring Add-On)

The Login Forensics feature (available with Salesforce Shield or the Event Monitoring add-on) extends session-level data beyond `LoginHistory`. It surfaces:

- Session duration and activity patterns per login session
- Correlated API usage within a session
- More granular event details accessible via the `LoginEvent` object in Real-Time Event Monitoring

The `LoginEvent` object is part of Real-Time Event Monitoring (RTEM) and is distinct from `LoginHistory`. It fires as a streaming event, not a stored record. To analyze historical login events at this level, use the `EventLogFile` with `EventType = 'Login'` (covered by the event-monitoring skill).

For Login Forensics specifically, the workflow is:

1. Navigate to Setup > Login Forensics to access the UI-based drill-down for per-session investigation.
2. Filter by user, date range, or session ID.
3. Export session data for SIEM ingestion if needed.

### Mode 3 — IdentityVerificationHistory and Login Flows

**IdentityVerificationHistory** tracks when Salesforce prompted a user for identity verification (e.g., email verification code, SMS, TOTP authenticator) and whether they passed or bypassed:

```soql
SELECT UserId, VerificationTime, Activity, Status, Comments
FROM IdentityVerificationHistory
WHERE UserId = '005XXXXXXXXXXXXXXX'
ORDER BY VerificationTime DESC
LIMIT 200
```

Status values include `Success`, `Failure`, `Skipped`, and `Trusted`. A `Skipped` or `Trusted` status means the user was not prompted — investigate whether their device/network was trusted unexpectedly.

**Login Flows** are Screen Flows attached to a profile or connected app via Setup > Login Flows. They intercept the login process after credential validation and before session creation, allowing conditional step-up authentication:

- Use case: require an additional TOTP code for users in a privileged profile
- Use case: block logins from non-approved countries by calling a Flow-invocable Apex class that checks `$Flow.CurrentDate` and source IP
- Login Flows do not themselves log events; the underlying `LoginHistory` record is still created

---

## Common Patterns

### Pattern: Incident Response Login Timeline Reconstruction

**When to use:** A user account is suspected compromised. You need to reconstruct the full timeline of login events, including source IPs, browser fingerprints, and failure patterns, to determine the blast radius.

**How it works:**
1. Query `LoginHistory` for the user over the suspected window:
   ```soql
   SELECT LoginTime, LoginType, SourceIp, Status, Browser, Platform, LoginUrl
   FROM LoginHistory
   WHERE UserId = '005XXXXXXXXXXXXXXX'
     AND LoginTime >= LAST_N_DAYS:30
   ORDER BY LoginTime DESC
   ```
2. Pivot on `SourceIp` — group IPs that appear across multiple users to detect credential stuffing:
   ```soql
   SELECT SourceIp, COUNT(Id) loginCount, COUNT_DISTINCT(UserId) affectedUsers
   FROM LoginHistory
   WHERE LoginTime >= LAST_N_DAYS:7
     AND Status != 'Success'
   GROUP BY SourceIp
   ORDER BY loginCount DESC
   ```
3. Cross-reference with `IdentityVerificationHistory` to see whether MFA was completed or skipped:
   ```soql
   SELECT UserId, VerificationTime, Activity, Status
   FROM IdentityVerificationHistory
   WHERE UserId = '005XXXXXXXXXXXXXXX'
   ORDER BY VerificationTime DESC
   LIMIT 50
   ```
4. Freeze the user account in Setup > Users while the investigation continues.
5. Revoke active sessions: Setup > Session Management, or via Apex: `Auth.SessionManagement.revokeSessionsForUser(userId)`.

**Why not to rely on the UI alone:** Setup > Login History in the UI only shows the most recent 20,000 records and does not support complex filtering or cross-user pivots. SOQL is mandatory for incident response at any scale.

### Pattern: Geo-Anomaly Detection Without Shield

**When to use:** The org does not have Shield or Event Monitoring, but the security team wants to identify logins from unexpected geographies using free tools.

**How it works:**
1. Export `LoginHistory` via SOQL using the REST API or Data Loader.
2. Run the exported `SourceIp` values through a free IP geolocation API (e.g., `ip-api.com`) in a local Python script.
3. Flag logins from country codes outside the org's known user base.
4. Note: Salesforce does **not** include country or region in `LoginHistory` natively — IP-to-geo mapping must be done externally.

**Why not built-in geo-blocking:** Transaction Security Policies (event-monitoring skill) can block logins by country in real time, but that requires the Shield or Event Monitoring add-on. For free orgs, Login Hours + Login IP Ranges on profiles are the only native controls.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Investigate a single compromised user's login history | SOQL on `LoginHistory` filtered by `UserId` | Fastest; free; 6-month lookback |
| Find all users affected by a suspicious source IP | SOQL on `LoginHistory` grouped by `SourceIp` | Cross-user pivot not possible in UI |
| Check whether MFA was completed or bypassed | SOQL on `IdentityVerificationHistory` | Dedicated table for verification outcomes |
| Review enriched session-level details (pages visited, API calls per session) | Login Forensics feature in Setup (requires Event Monitoring add-on) | `LoginHistory` alone does not have session-level correlation |
| Block logins from unauthorized countries in real time | Transaction Security Policy (event-monitoring skill) | Real-time enforcement requires RTEM |
| Force step-up auth for a privileged profile at login time | Login Flow attached to the profile | Login Flows intercept login before session creation |
| Export login data to a SIEM for long-term retention beyond 6 months | Automate periodic SOQL export via REST API into external storage | `LoginHistory` purges at 6 months; SIEM provides indefinite retention |

---


## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] Confirmed whether the org has the Event Monitoring add-on (determines Login Forensics feature availability)
- [ ] SOQL queries are filtered by `LoginTime` range to avoid querying full table and hitting 30,000-row limit
- [ ] Cross-user IP pivot query run to identify credential stuffing scope
- [ ] `IdentityVerificationHistory` checked for `Skipped` or unexpected `Trusted` statuses
- [ ] Compromised account frozen in Setup > Users and active sessions revoked
- [ ] Investigation window confirmed against 6-month `LoginHistory` retention limit
- [ ] If Login Flow is being configured: tested against all affected profiles in a sandbox first

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **LoginHistory only retains 6 months — there is no admin override** — Records are automatically purged at the 6-month mark. There is no configuration option to extend retention, no recycle bin for these records, and no way to recover purged data. If an investigation spans longer than 6 months, the data simply does not exist in Salesforce unless the org was exporting it to a SIEM continuously.

2. **SourceIp can be a Salesforce internal IP for API logins** — When an integration or connected app authenticates using the OAuth client credentials flow or IP relaxation, the `SourceIp` field may reflect a Salesforce internal datacenter IP rather than the true client IP. This causes IP allowlisting checks to produce false negatives and makes geo-analysis unreliable for API-based logins.

3. **Status field values are not normalized across LoginType** — The `Status` field contains inconsistent values depending on whether the login was a UI login, SAML SSO, or API login. For example, a SAML login failure may appear as `Failed` while a direct login failure appears as `Invalid Password`. Grouping all failures as `Status != 'Success'` is the only reliable cross-type failure query pattern.

4. **Login Forensics (the feature) requires a separate permission — "View Login Forensics"** — Having Event Monitoring access does not automatically grant access to the Login Forensics Setup page. The `View Login Forensics` permission must be explicitly granted on the profile or permission set. Forgetting this is a common cause of 403 errors when trying to access Setup > Login Forensics.

5. **IdentityVerificationHistory 'Trusted' does not mean MFA was performed** — A `Trusted` status means the user's device or network was registered as trusted, so Salesforce skipped the MFA prompt entirely. This is expected behavior if the org allows trusted devices, but it can appear in an audit as an MFA bypass when it is actually by design. Investigate the `Activity` field value (`High Assurance Login`, `Identity Verification`) to understand what was being verified.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| LoginHistory SOQL queries | Parameterized queries for single-user timelines, cross-user IP pivots, and failure-only filters |
| IdentityVerificationHistory SOQL | Queries to surface MFA skips and verification failures |
| Login Forensics investigation workflow | Step-by-step Setup UI procedure for enriched session drill-down (Event Monitoring add-on required) |
| Login Flow configuration guidance | Profile-attached Flow setup for step-up authentication enforcement |
| Incident response checklist | Freeze account, revoke sessions, rotate credentials, notify users |

---

## Related Skills

- `event-monitoring` — Use when you need to download EventLogFile Login logs in bulk, configure real-time event monitoring, or set up Transaction Security Policies to block logins by country or IP
- `org-setup-and-configuration` — Use for MFA enablement, session settings (timeout, IP locking), and Login Hours/IP Ranges on profiles
- `transaction-security-policies` — Use when you need real-time enforcement policies that react to login events automatically

Related Skills

ip-range-and-login-flow-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Design and implement Salesforce Login Flows (Screen Flows assigned to profiles or Experience Cloud sites) that run post-authentication to enforce conditional MFA, IP-based branching, terms-of-service acceptance, or user data collection. Covers Login Flow creation in Flow Builder, profile/site assignment, IP-aware decision logic, and ConnectedAppPlugin extension points. NOT for static IP allowlisting or profile Login IP Ranges (see network-security-and-trusted-ips), org-wide session policies, or SSO/SAML IdP configuration.

xss-and-injection-prevention

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).

visualforce-security-and-modernization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).

transaction-security-policies

8
from PranavNagrecha/AwesomeSalesforceSkills

Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.

sso-saml-troubleshooting

8
from PranavNagrecha/AwesomeSalesforceSkills

Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).

shield-kms-byok-setup

8
from PranavNagrecha/AwesomeSalesforceSkills

Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.

shield-event-log-retention-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

session-management-and-timeout

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.

session-high-assurance-policies

8
from PranavNagrecha/AwesomeSalesforceSkills

Enforce step-up authentication for sensitive pages/objects using High Assurance session level and login flow policies. NOT for initial MFA enrollment UX.

service-account-credential-rotation

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing credential rotation for integration users, connected apps, named credentials, and OAuth client secrets in Salesforce. Covers rotation cadence, zero-downtime handover, secret storage, and detection of stale credentials. Triggers: 'rotate integration user password', 'connected app secret rotation', 'named credential rotation', 'stale service account', 'zero downtime secret rotation'. NOT for end-user password policies.

security-incident-response

8
from PranavNagrecha/AwesomeSalesforceSkills

When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.

security-health-check

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.