---
title: Salesforce login from new application
description: Datadog, the leading service for cloud-scale monitoring.
---

# Salesforce login from new application

- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1671-cloud-application-integration](https://attack.mitre.org/techniques/T1671)

## Goal{% #goal %}

Detects Salesforce logins from third-party applications that have not been previously observed in the environment.

## Strategy{% #strategy %}

This rule monitors Salesforce `LoginEvent` login events that include an `@application` field. The `LoginEvent` type is only available through Salesforce's Real Time Event Monitoring logging tier.

Using the new value detection method, the rule generates a signal when an application that has not been previously observed in audit logs successfully authenticates to the Salesforce environment. A new application accessing Salesforce may reflect legitimate business expansion or a new integration, or it may be a malicious application attempting unauthorized access.
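
The following sketch is an added example, not Datadog's rule logic: it applies new value detection to constructed `LoginEvent` records and collects the triage attributes named on this page for each new application. The 7-day learning window, the `timestamp`, `user` and `status` field names, and every sample value are assumptions.

```python
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(days=7)  # assumed baseline period, not the rule's setting

def ev(ts, app, user, ip, browser, sub_type, status="Success"):
    # Keys mirror the attributes named on this page; "timestamp", "user" and
    # "status" are assumed field names for this sketch.
    return {"timestamp": datetime.fromisoformat(ts), "application": app,
            "user": user, "network.client.ip": ip, "browser": browser,
            "login_sub_type": sub_type, "status": status}

# Constructed sample LoginEvent records (every value is made up).
EVENTS = [
    ev("2025-08-01T09:00:00", "Salesforce for Outlook", "alice", "198.51.100.10", "Chrome", "ui"),
    ev("2025-08-03T10:00:00", "Data Loader", "bob", "198.51.100.11", "Java", "oauth"),
    ev("2025-08-05T11:00:00", "Legacy Exporter", "carol", "198.51.100.12", "Java", "oauth", "Failed"),
    ev("2025-08-10T08:00:00", "Data Loader", "bob", "198.51.100.11", "Java", "oauth"),
    ev("2025-08-11T02:14:00", "Example Sync Tool", "svc-int", "203.0.113.7", "Unknown", "oauth"),
    ev("2025-08-12T02:20:00", "Example Sync Tool", "svc-int", "203.0.113.8", "Unknown", "oauth"),
    ev("2025-08-12T09:30:00", "Legacy Exporter", "carol", "198.51.100.12", "Java", "oauth"),
]

def detect_new_applications(events, learning_window=LEARNING_WINDOW):
    """Return one signal per application first seen after the learning window."""
    events = sorted(events, key=lambda e: e["timestamp"])
    if not events:
        return []
    learn_until = events[0]["timestamp"] + learning_window
    known, signals = set(), {}
    for e in events:
        app = e.get("application")
        if not app or e["status"] != "Success":
            continue  # only successful logins that carry an application count
        if e["timestamp"] < learn_until:
            known.add(app)  # baseline: seen during learning, never alerts
        elif app not in known:
            sig = signals.setdefault(app, {"application": app, "first_seen": e["timestamp"],
                "logins": 0, "users": set(), "ips": set(), "browsers": set(), "sub_types": set()})
            sig["logins"] += 1
            sig["users"].add(e["user"])
            sig["ips"].add(e["network.client.ip"])
            sig["browsers"].add(e["browser"])
            sig["sub_types"].add(e["login_sub_type"])
    return list(signals.values())

if __name__ == "__main__":
    for s in detect_new_applications(EVENTS):
        print(s["first_seen"], s["application"], s["logins"], sorted(s["ips"]))
```

In the sample data, the failed login by "Legacy Exporter" during the learning window does not add it to the baseline, so its first successful login afterwards still raises a signal.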

## Triage & Response{% #triage--response %}

- Examine the application name and details for `{{@application}}` to determine if it represents a legitimate business application or potentially malicious software. The `@login_sub_type` field provides more context on how the application authenticates to Salesforce.
- Review recent IT change requests and application deployments to verify if the new application was authorized and expected.
- Analyze the login patterns and user accounts associated with the new application, using the `@network.client.ip` and `@browser` fields to identify any suspicious authentication activity.
- Check if the new application has appropriate security configurations and follows organizational security policies.
- Verify with IT administrators or application owners whether the new application access was planned and authorized.

*This detection is based on data from [Drift/Salesforce Security Update](https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Update) and [Widespread Data Theft Targets Salesforce Instances via Salesloft Drift](https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift).*
