Activity |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The action the user attempted that requires identity
verification. Possible values include:
-
AccessReports—The user
attempted to access reports or
dashboards.
-
Apex—The user attempted to
access a Salesforce resource with a verification
Apex method.
-
ChangeEmail—The user
attempted to change an email address.
-
ConnectSms—The user
attempted to connect a phone number.
-
ConnectToopher—The user
attempted to connect Salesforce
Authenticator.
-
ConnectTotp—The user attempted to
connect a one-time password generator.
-
ConnectU2F—The user attempted to register a U2F security
key.
-
ConnectWebAuthRoaming—The user attempted
to register a WebAuthn security key.
-
ConnectedApp—The user attempted
to access a connected app.
-
EnableLL—The user attempted
to enroll in Lightning Login.
-
ExportPrintReports—The user
attempted to export or print reports or
dashboards.
-
ExternalClientApp— The user attempted to
access an external client app.
-
ExtraVerification—ExtraVerification—Reserved for future
use.
-
ListView—The user attempted
to access a list view.
-
Login—The user attempted to
log in.
-
Registration—Reserved for future
use.
-
TempCode—The user attempted
to generate a temporary verification
code.
|
City |
- Type
- string
- Properties
- Nillable
- Description
- The city where the user’s IP address is physically located. This value isn’t
localized. Due to the nature of geolocation technology,
the accuracy of this field can vary.
|
Country |
- Type
- string
- Properties
- Nillable
- Description
- The country where the user’s IP address is physically located. This value isn’t
localized. Due to the nature of geolocation technology,
the accuracy of this field can vary.
|
CountryIso |
- Type
- string
- Properties
- Nillable
- Description
- The ISO 3166 code for the country where the user’s IP
address is physically located. For more information, see
Country Codes - ISO
3166.
|
EventDate |
- Type
- dateTime
- Properties
- Filter, Sort
- Description
- The date and time of the identity
verification attempt, for example, 7/19/2025, 3:19:13 PM
PDT. The time zone is based on GMT.
|
EventGroup |
- Type
- string
- Properties
- Nillable
- Description
- ID of the verification
attempt. Verification can involve several attempts
and use different verification methods. For example,
in a user’s session, a user enters an invalid
verification code (first attempt). The user then
enters the correct code and successfully verifies
identity (second attempt). Both attempts are part of
a single verification and, therefore, have the same
ID.
|
EventIdentifier |
- Type
- string
- Properties
- Filter, Sort
- Description
- The unique ID of the event, which is shared with the
corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate
the event with its storage object.
|
Latitude |
- Type
- double
- Properties
- Nillable
- Description
- The latitude where the user’s IP address is physically located. Due to the nature of
geolocation technology, the accuracy of this field can
vary.
|
LoginHistoryId |
- Type
- reference
- Properties
- Nillable
- Description
- Tracks a user session so that you can correlate user
activity with a particular login instance.
|
LoginKey |
- Type
- string
- Properties
- Nillable
- Description
- The string that ties together all events in a given user’s
login session. The session starts with a login event and ends with either a
logout event or the user session expiring.
|
Longitude |
- Type
- double
- Properties
- Nillable
- Description
- The longitude where the user’s IP address is physically located. Due to the nature of
geolocation technology, the accuracy of this field can
vary.
|
Policy |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The identity verification
security policy or setting.
-
CustomApex—Identity verification made by a verification Apex
method.
-
DeviceActivation—Identity
verification required for users logging in from an
unrecognized device or new IP address. This
verification is part of Salesforce’s risk-based
authentication.
-
EnableLightningLogin— Identity
verification required for users enrolling in
Lightning Login. This verification is triggered
when the user attempts to enroll. Users are
eligible to enroll if they have the Lightning
Login User user permission and the org has enabled
Allow Lightning Login in Session
Settings.
-
ExtraVerification—Reserved
for future use.
-
HighAssurance—High assurance
session required for resource access. This
verification is triggered when the user tries to
access a resource, such as a connected app,
report, or dashboard, that requires a
high-assurance session level.
-
LightningLogin—Identity
verification required for internal users logging
in via Lightning Login. This verification is
triggered when the enrolled user attempts to log
in. Users are eligible to log in if they have the
Lightning Login User user permission and have
successfully enrolled in Lightning Login. Also,
from Session Settings in Setup, Allow Lightning
Login must be enabled.
-
PageAccess—Identity verification required for users
attempting to perform an action, such as changing
an email address or adding a verification method
for multi-factor authentication (MFA).
-
Passwordless
Login—Identity
verification required for customers attempting to
log in to an Experience Cloud site that is set up
for passwordless login. The admin controls which
registered verification methods can be used, for
example, email, SMS, Salesforce Authenticator, or
TOTP.
-
ProfilePolicy—Session
security level required at login. This
verification is triggered by the Session security
level required at login setting on the user’s
profile.
-
TwoFactorAuthentication—Multi-factor
authentication (formerly called two-factor
authentication) required at login. This
verification is triggered by the Multi-Factor
Authentication for User Interface Logins user
permission assigned to a custom profile. Or the
user permission is included in a permission set
that is assigned to a user.
|
PostalCode |
- Type
- string
- Properties
- Nillable
- Description
- The postal code where the user’s IP address is physically located. This value isn’t
localized. Due to the nature of geolocation technology,
the accuracy of this field can vary.
|
Remarks |
- Type
- string
- Properties
- Nillable
- Description
-
The text users see on the
page or in Salesforce Authenticator when prompted to
verify their identity. For example, if identity
verification is required for users to log in, they
see “You’re trying to Log In to Salesforce.” In
this case, the Remarks value is “Log In to Salesforce.”
But if the Activity value is Apex, the Remarks value is
a custom description specified in the Apex method. If
users are verifying their identity using Salesforce
Authenticator, the custom description also appears in
the app. If the custom description isn’t specified, the
Remarks value is the name of the Apex method. The label
is Activity Message.
|
ResourceId |
- Type
- reference
- Properties
- Nillable
- Description
- If the
Activity value is
ConnectedApp, the ResourceId
value is the ID of the connected app. The label is
Connected App ID.
|
SessionKey |
- Type
- string
- Properties
- Nillable
- Description
- The user’s unique session ID. Use this value to identify
all user events within a session. When a user logs out and logs in again, a new
session is started.
|
SessionLevel |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- Session-level security controls user access to features
that support it, such as connected apps and reporting.
Possible values are:
-
HIGH_ASSURANCE—Used for resource
access. For example, when the user tries to access
a resource such as a connected app, report, or
dashboard that requires a high-assurance session
level.
-
LOW—Indicates that the user’s security
level for the current session meets the lowest
requirements. This low level is not available or
used in the Salesforce UI. User sessions through
the UI are either standard or high assurance. You
can set this level using the API, but users
assigned this level experience unpredictable and
reduced functionality in their Salesforce
org.
-
STANDARD—Indicates that the
user’s security level for the current session
meets the Standard requirements set in the org’s
Session Security Levels.
|
SourceIp |
- Type
- string
- Properties
- Nillable
- Description
- The IP address of the machine from
which the user attempted the action that requires
identity verification. For example, the IP address
of the machine from where the user tried to log in
or access reports. If it’s a non-login action that
required verification, the IP address can be
different from the address from where the user
logged in. This address can be an IPv4 or IPv6
address.
|
Status |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The status of the identity
verification attempt.
-
AutomatedSuccess—Salesforce
approved the request for access because the
request came from a trusted location. After a user
enables location services in Salesforce, the user
can designate trusted locations. When the user
trusts a location for a particular activity, such
as logging in from a recognized device, that
activity is approved from the trusted location for
as long as the location is trusted.
-
Denied—The user denied the
approval request in the authenticator
app.
-
FailedGeneralError—An error caused by
something other than an invalid verification code,
too many verification attempts, or authenticator
app connectivity.
-
FailedInvalidCode—The user entered an
invalid verification code.
-
FailedInvalidPassword—The user
entered an invalid password.
-
FailedPasswordLockout—The user
attempted to enter a password too many
times.
-
FailedTooManyAttempts—The user attempted
to verify identity too many times. For example,
the user entered an invalid verification code
repeatedly.
-
InProgress—Salesforce challenged
the user to verify identity and is waiting for
either the user to respond or for Salesforce to
send an automated response.
-
Initiated—Salesforce initiated identity verification but
hasn’t yet challenged the user.
-
ReportedDenied—The user denied the
approval request in the authenticator app, such as
Salesforce Authenticator, and also flagged the
approval request to report to an
administrator.
-
Succeeded—The user’s identity was verified.
|
Subdivision |
- Type
- string
- Properties
- Nillable
- Description
- The name of the subdivision where the user’s IP address is physically located. In the
United States, this value is usually the state name (for
example, Pennsylvania). This value isn’t localized. Due
to the nature of geolocation technology, the accuracy of
this field can vary.
|
UserId |
- Type
- reference
- Properties
- Nillable
- Description
- ID of the user verifying identity.
|
Username |
- Type
- string
- Properties
- Nillable
- Description
- The username of the user challenged for identity
verification in user@company.com
format.
|
VerificationMethod |
- Type
- picklist
- Properties
- Nillable, Restricted picklist
- Description
- The method by which the user attempted to verify identity in the
verification event.
-
BuiltInAuthenticator—A built-in
authenticator set up on the user’s device, such as
Touch ID or Windows Hello, generated the required
credentials. This value is available in API
version 53.0 and later.
-
Email—Salesforce sent an email
with a verification code to the address associated
with the user’s account.
-
EnableLL—Salesforce
Authenticator sent a notification to the user’s
mobile device to enroll in Lightning
Login.
-
LL—Salesforce
Authenticator sent a notification to the user’s
mobile device to approve login via Lightning
Login.
-
Password—Salesforce prompted for a password.
-
SalesforceAuthenticator—Salesforce
Authenticator sent a notification to the user’s
mobile device to verify account
activity.
-
Sms—Salesforce sent a text message
with a verification code to the user’s mobile
device. SMS messaging requires a Salesforce add-on
license for Identity Verification
Credits.
-
TempCode—A
Salesforce admin or a user with the Manage
Multi-Factor Authentication in User Interface
permission generated a temporary verification code
for the user.
-
Totp—An authenticator app
generated a time-based, one-time password (TOTP)
on the user’s mobile device.
-
U2F—A U2F
security key-generated required credentials for
the user.
-
WebAuthnRoamingAuthenticator—A WebAuthn
security key generated the required credentials
for the user.
|