Exercise 1: Using the Audit Trail
Monitoring tools help you answer two questions: "Who changed what, and when?" and "Is someone behaving suspiciously?" This exercise covers three key tools for tracking policy changes and session behavior in your Salesforce org.
1. The Setup Audit Trail: Tracking Policy Changes
The Setup Audit Trail tracks changes to security settings — it's your best defense against accidental or malicious modifications to your session configuration.
What it tracks: Changes to MFA requirements, modifications to Login IP Ranges, and permission set assignments.
Scenario: You configured a strict Login IP Range for your org, but a week later, it's gone. Here's how to investigate:
- Go to Setup → Security → View Setup Audit Trail.
- Download the last six months of data as a .csv.
- Search for keywords like Login IP, MFA, or Permission Set.
- The result: you can see exactly which admin deleted the IP range and at what time, enabling a focused post-mortem.
2. Login History: Tracking Session Behavior
While the Setup Audit Trail tracks policy changes, Login History tracks user behavior. This is where you find "Impossible Travelers" or credential stuffing attempts.
What it tracks: Every login attempt (Success or Failure), the Source IP, the Browser/Platform, and the Login Type (e.g., Application, Service, or SAML for SSO).
How to use it:
- Go to Setup → Users → Login History.
- Filter by Status: Look for Invalid Password or Failed: IP Restricted. A high volume of these for a single user suggests a brute-force attack.
- Check MFA Challenges: Look for the Identity Verification status. If a user has 50 successful logins but 0 Identity Verification challenges, your MFA policy might not be applied to them correctly.
- Identify Old Protocols: Look for logins using outdated TLS versions or browsers. You can use this data to prompt users to upgrade for a more secure session.
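The three Login History checks above, run over an exported CSV, as an added example that is not part of the original exercise. The column names (Username, Status, TLS Protocol), the sample rows, the failure threshold and the TLS 1.2 cutoff are assumptions; match them to your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: column names and rows are assumptions for illustration.
HEADER = "Username,Login Time,Source IP,Login Type,Status,TLS Protocol\n"
SAMPLE_CSV = HEADER + "".join([
    "alice@example.com,2024-05-01T09:00:00Z,203.0.113.10,Application,Success,TLS 1.2\n",
    "alice@example.com,2024-05-01T09:00:05Z,203.0.113.10,Application,Identity Verification,TLS 1.2\n",
    "carol@example.com,2024-05-01T10:00:00Z,198.51.100.7,Application,Success,TLS 1.0\n",
    "carol@example.com,2024-05-02T10:00:00Z,198.51.100.7,Application,Success,TLS 1.2\n",
    "dave@example.com,2024-05-02T11:00:00Z,192.0.2.44,Application,Failed: IP Restricted,\n",
] + ["bob@example.com,2024-05-03T03:00:%02dZ,192.0.2.99,Application,Invalid Password,\n" % i
     for i in range(6)])

FAILURE_STATUSES = {"Invalid Password", "Failed: IP Restricted"}

def review_login_history(csv_text, failure_threshold=5, min_tls=(1, 2)):
    """Apply the three checks: failure volume, missing MFA challenges, old TLS."""
    failures, successes, challenges = Counter(), Counter(), Counter()
    old_tls = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip().lower()
        status = row["Status"].strip()
        if status in FAILURE_STATUSES:
            failures[user] += 1
        elif status == "Success":
            successes[user] += 1
        elif status == "Identity Verification":
            challenges[user] += 1
        tls = (row.get("TLS Protocol") or "").strip()
        if tls.upper().startswith("TLS "):
            try:
                version = tuple(int(part) for part in tls[4:].split("."))
            except ValueError:
                continue  # unparseable version string, skip the TLS check
            if version < min_tls:
                old_tls[user].add(tls)
    return {
        "possible_brute_force": sorted(u for u, n in failures.items() if n >= failure_threshold),
        "success_without_mfa": sorted(u for u in successes if challenges[u] == 0),
        "outdated_tls": {u: sorted(v) for u, v in old_tls.items()},
    }

if __name__ == "__main__":
    print(review_login_history(SAMPLE_CSV))
```

A user listed under success_without_mfa is a prompt to review how the MFA policy is assigned to them, not proof of compromise; SSO logins may be challenged by the identity provider instead.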
3. Login Forensics: The Advanced Audit
For admins who need more than just a list of IPs, Login Forensics (part of Event Monitoring) provides deeper insights into session security without needing a full Shield license.
The benefit: It doesn't just show where users logged in — it identifies anomalies.
What it spots:
- Average Login Volume: If a user typically logs in 5 times a day but suddenly logs in 500 times, the system flags it.
- Suspicious Timeframes: Logins occurring at 3:00 AM for a user who only works 9-to-5.
Summary
The Setup Audit Trail, Login History, and Login Forensics give you the visibility to detect both accidental and malicious changes in your org. Together, they form the foundation of a reactive security strategy — and the evidence you need when something goes wrong.