| AdditionalInfo |
- Type
- string
- Properties
- Nillable
- Description
- JSON serialization of additional information that’s
captured from the HTTP headers during a login request. For
example, {"field1":
"value1","field2": "value2"}.
|
| ApiType |
- Type
- string
- Properties
- Nillable
- Description
- The type of API that’s used to log in. Values include:
- SOAP
Enterprise
- SOAP
Partner
- REST
API
|
| ApiVersion |
- Type
- string
- Properties
- Nillable
- Description
- The version number of the API. If no version number is
available, “Unknown” is returned.
|
| Application |
- Type
- string
- Properties
- Nillable
- Description
- The application used to access the org. Possible values include:
- AppExchange
- Browser
- Salesforce for
iOS
- Salesforce
Developers API Explorer
- N/A
|
| AuthMethodReference |
- Type
- string
- Properties
- Nillable
- Description
- The authentication method used by a third-party
identification provider for an OpenID Connect single
sign-on protocol. This field is available in API version
51.0 and later.
|
| AuthServiceId |
- Type
- string
- Properties
- Nillable
- Description
- The 18-character ID for an authentication service for a
login event. For example, you can use this field to
identify the SAML or authentication provider
configuration with which the user logged in.
|
| Browser |
- Type
- string
- Properties
- Nillable
- Description
- The browser name and version if known. Possible values
for the browser name are:
- Chrome
- Firefox
- Safari
- Unknown
For example, “Chrome 77”.
|
| CipherSuite |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The TLS cipher suite used for the login. Values are
OpenSSL-style cipher suite names, with hyphen
delimiters, for example,
ECDHE-RSA-AES256-GCM-SHA384. Available in
API version 37.0 and later.
|
| City |
- Type
- string
- Properties
- Nillable
- Description
-
The city where the user’s IP address
is physically located. This value isn’t localized.
This field is available in API version 47.0 and
later.
Due to the nature of geolocation
technology, the accuracy of this field can vary.
|
| ClientVersion |
- Type
- string
- Properties
- Nillable
- Description
- The version number of the login client. If no version
number is available, “Unknown” is
returned.
|
| Country |
- Type
- string
- Properties
- Nillable
- Description
-
The country where the user’s IP
address is physically located. This value isn’t
localized.This field is available in API
version 47.0 and later.
Due to the nature of
geolocation technology, the accuracy of this field
can vary.
|
| CountryIso |
- Type
- string
- Properties
- Nillable
- Description
-
The ISO 3166 code for the
country where the user’s IP address is physically
located. For more information, see Country Codes - ISO
3166.
|
| EvaluationTime |
- Type
- double
- Properties
- Nillable
- Description
- The amount of time it took to evaluate the transaction
security policy, in milliseconds.
|
| EventDate |
- Type
- dateTime
- Properties
- Nillable
- Description
- The login time of the specified event. For example,
2020-01-20T19:12:26.965Z. Milliseconds are
the most granular setting.
|
| EventIdentifier |
- Type
- string
- Properties
- (none)
- Description
- The unique ID of the event, which is shared with the
corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate
the event with its storage object. Also, use this field as the primary key in your
queries. Available in API version 42.0 and later.
|
| EventUuid |
- Type
- string
- Properties
- Nillable
- Description
- A universally unique identifier (UUID) that identifies
a platform event message. This field is available in API version 52.0 and
later.
|
| ForwardedForIp |
- Type
- string
- Properties
- Filter, Group, Nillable, Sort
- Description
- The value in the X-Forwarded-For header of HTTP requests
sent by the client. For logins that use one or more HTTP
proxies, the X-Forwarded-For header is sometimes used
to store the origin IP and all proxy IPs.
- The ForwardedForIp field stores
whatever value the client sends, which might not be an
IP address. The maximum length is 256 characters. Longer
values are truncated. The
ForwardedForIp field isn’t
populated for logins completed via OAuth flows or single
sign-on (SSO).
-
Available in API version 61.0 and later.
|
| HttpMethod |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The HTTP method of the login request; possible values
are GET, POST, and Unknown.
|
| LoginGeoId |
- Type
- string
- Properties
- Nillable
- Description
- The Salesforce ID of the LoginGeo object associated with
the login user’s IP address. For example,
04FB000001TvhiPMAR.
|
| LoginHistoryId |
- Type
- reference
- Properties
- Nillable
- Description
- Tracks a user session so you can correlate user activity
with a particular login instance. This field is also
available on the LoginHistory, AuthSession, and
LoginHistory objects, making it easier to trace events
back to a user’s original authentication. For example,
0YaB000002knVQLKA2.
|
| LoginKey |
- Type
- string
- Properties
- Nillable
- Description
- The string that ties together all events in a given user’s
login session. The session starts with a login event and ends with either a
logout event or the user session expiring. For example, lUqjLPQTWRdvRG4.
|
| LoginLatitude |
- Type
- double
- Properties
- Nillable
- Description
-
The latitude where the user’s IP
address is physically located.This field is
available in API version 47.0 and later.
Due to the
nature of geolocation technology, the accuracy of
this field can vary.
|
| LoginLongitude |
- Type
- double
- Properties
- Nillable
- Description
-
The longitude where the user’s IP
address is physically located.This field is
available in API version 47.0 and later.
Due to the
nature of geolocation technology, the accuracy of
this field can vary.
|
| LoginSubType |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
-
The type of login flow
used. See the LoginSubType
field of LoginHistory in the Object Reference guide
for the list of possible values.
Label is
Login Subtype.
|
| LoginType |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The type of login used to access the session. See the
LoginType field of LoginHistory in the Object Reference guide
for the list of possible values.
|
| LoginUrl |
- Type
- string
- Properties
- Nillable
- Description
- The URL of the login host from which the request is
coming. For example, yourInstance.salesforce.com.
|
| NetworkId |
- Type
- string
- Properties
- Nillable
- Description
- The ID of the Experience Cloud site that the user is
logging in to. This field is available if Salesforce
Experience Cloud is enabled for your organization.
|
| Platform |
- Type
- string
- Properties
- Nillable
- Description
- The operating system name and version that are used
during the login event. If no platform name is
available, “Unknown” is returned. For
example, Mac OSX or iOS/Mac.
|
| PolicyId |
- Type
- reference
- Properties
- Nillable
- Description
- The ID of the transaction security policy associated
with this event. For example, 0NIB000000000KOOAY.
|
| PolicyOutcome |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The result of the transaction policy. Possible values are:
-
Block—The user was blocked from
performing the operation that triggered the
policy.
-
Error—The policy caused an
undefined error when it executed.
-
ExemptNoAction—The user is exempt
from transaction security policies, so the policy
didn’t trigger.
-
FailedInvalidPassword—The user
entered an invalid password.
-
FailedPasswordLockout—The user
entered an invalid password too many times.
-
MeteringBlock—The policy took
longer than 3 seconds to process, so the user was
blocked from performing the operation.
-
MeteringNoAction—The policy took
longer than 3 seconds to process, but the user
isn't blocked from performing the operation.
-
NoAction—The policy didn't
trigger.
-
Notified—A notification was sent
to the recipient.
-
TwoFAAutomatedSuccess—Salesforce
Authenticator approved the request for access
because the request came from a trusted location.
After users enable location services in Salesforce
Authenticator, they can designate trusted
locations. When a user trusts a location for a
particular activity, that activity is approved
from the trusted location for as long as the
location is trusted. An example of a particular
activity is logging in from a recognized device.
-
TwoFADenied—The user denied the
approval request in the authenticator app, such as
Salesforce Authenticator.
-
TwoFAFailedGeneralError—An error
caused by something other than an invalid
verification code, too many verification attempts,
or authenticator app connectivity.
-
TwoFAFailedInvalidCode—The user
provided an invalid verification code.
-
TwoFAFailedTooManyAttempts—The
user attempted to verify identity too many times.
For example, the user entered an invalid
verification code repeatedly.
-
TwoFAInitiated—Salesforce
initiated identity verification but hasn’t yet
challenged the user.
-
TwoFAInProgress—Salesforce
challenged the user to verify identity and is
waiting for the user to respond or for Salesforce
Authenticator to send an automated response.
-
TwoFANoAction—The policy
specifies multi-factor authentication (formerly
called two-factor authentication) as an action,
but the user is already in a high-assurance
session.
-
TwoFARecoverableError—Salesforce
can’t reach the authenticator app to verify
identity, but will retry.
-
TwoFAReportedDenied—The user
denied the approval request in the authenticator
app, such as Salesforce Authenticator, and also
flagged the approval request to report to an
administrator.
-
TwoFASucceeded—The user’s
identity was verified.
|
| PostalCode |
- Type
- string
- Properties
- Nillable
- Description
-
The postal code where the user’s
IP address is physically located. This value isn’t
localized.This field is available in API
version 47.0 and later.
Due to the nature of
geolocation technology, the accuracy of this field
can vary.
|
| RelatedEventIdentifier |
- Type
- string
- Properties
- Nillable
- Description
- Represents the EventIdentifier of
the related event. For example,
bd76f3e7-9ee5-4400-9e7f-54de57ecd79c.
This field
is populated only when the activity that this event
monitors requires extra authentication, such as
multi-factor authentication. In this case,
Salesforce generates more events and sets the
RelatedEventIdentifier field
of the new events to the value of the
EventIdentifier field of the
original event. Use this field with the
EventIdentifier field to
correlate all the related events. If no extra
authentication is required, this field is blank.
|
| RemoteIdentifier |
- Type
- string
- Properties
- Nillable
- Description
- Reserved for future use.
|
| ReplayId |
- Type
- string
- Properties
- Nillable
- Description
- Represents an ID value that is populated by the system
and refers to the position of the event in the event stream. Replay ID values
aren’t guaranteed to be contiguous for consecutive events. A subscriber can
store a replay ID value and use it on resubscription to retrieve missed events
that are within the retention window.
|
| SessionKey |
- Type
- string
- Properties
- Nillable
- Description
- The user’s unique session ID. Use this value to identify
all user events within a session. When a user logs out and logs in again, a new
session is started. For example, vMASKIU6AxEr+Op5.
|
| SessionLevel |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- Session-level security controls user access to features
that support it, such as connected apps and reporting.
Possible values are:
-
HIGH_ASSURANCE—A high assurance
session was used for resource access. For example,
when the user tries to access a resource such as a
connected app, report, or dashboard that requires
a high-assurance session level.
-
LOW—The user’s security level for
the current session meets the lowest
requirements.
This low level isn’t
available, nor used, in the Salesforce UI. User
sessions through the UI are either standard or
high assurance. You can set this level using the
API, but users assigned this level experience
unpredictable and reduced functionality in their
Salesforce org.
-
STANDARD—The user’s security
level for the current session meets the Standard
requirements set in the org’s Session Security
Levels.
|
| SourceIp |
- Type
- string
- Properties
- Nillable
- Description
- The IP address of the incoming client request that first
reaches Salesforce during a login. For example, 126.7.4.2. For clients
that redirect through one or more HTTP proxies, this
field stores the IP address of the first proxy to reach
Salesforce. To better identify the origin IP for these
cases, check the ForwardedForIp
field instead.
|
| Status |
- Type
- string
- Properties
- Nillable
- Description
- Displays the status of the attempted login. Status is
either success or a reason for failure.
|
| Subdivision |
- Type
- string
- Properties
- Nillable
- Description
-
The name of the subdivision
where the user’s IP address is physically located.
In the U.S., this value is usually the state name
(for example, Pennsylvania). This value isn’t
localized.This field is available in API
version 47.0 and later.
Due to the nature of
geolocation technology, the accuracy of this field
can vary.
|
| TlsProtocol |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The TLS protocol version used for the login. Valid
values are:
- TLS
1.0
- TLS
1.1
- TLS
1.2
- TLS
1.3
- Unknown
|
| UserId |
- Type
- reference
- Properties
- Nillable
- Description
- The user’s unique ID. For example, 005000000000123.
|
| Username |
- Type
- string
- Properties
- Nillable
- Description
- The username in the format of user@company.com.
|
| UserType |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The category of user license. Each
UserType is associated with one
or more UserLicense records. Each UserLicense is
associated with one or more profiles. Valid values are:
-
CsnOnly—Users whose access to the
application is limited to Chatter. This user type
includes Chatter Free and Chatter moderator
users.
-
CspLitePortal—CSP Lite Portal
license. Users whose access is limited because
they’re organization customers and access the
application through a customer portal or an
Experience Cloud site.
-
CustomerSuccess—Customer Success
license. Users whose access is limited because
they’re organization customers and access the
application through a customer portal.
- Guest
-
PowerCustomerSuccess—Power
Customer Success license. Users whose access is
limited because they’re organization customers and
access the application through a customer portal.
Users with this license type can view and edit
data they directly own or data owned by or shared
with users below them in the customer portal role
hierarchy.
-
PowerPartner—Power Partner
license. Users whose access is limited because
they’re partners and typically access the
application through a partner portal or site.
- SelfService
-
Standard—Standard user license.
This user type also includes Salesforce Platform
and Salesforce Platform One user licenses.
|
j