---
title: Salesforce login activity by unauthenticated user type
description: Datadog, the leading service for cloud-scale monitoring.
---

# Salesforce login activity by unauthenticated user type

- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect successful login events initiated by unauthenticated (`Guest`) users.

## Strategy{% #strategy %}

This rule monitors Salesforce login events through both Event Log File (ELF) and Real Time Event Monitoring (RTEM) logging tiers.

For `@evt.name:Login` events, this rule monitors for `@login_status:"LOGIN_NO_ERROR"`, which indicates a successful login. The query filters on `@user_type` for `Guest` users, which do not require authentication, and excludes `@login_type` values related to external user Chatter Communications.

For `@evt.name:LoginEvent` events, this rule monitors for a `@status:Success` result. The query filters on `@user_type` for `Guest` users, which do not require authentication, and excludes `@login_type` values related to external user Chatter Communications.

Unauthenticated `Guest` users can perform actions in your Salesforce environment if not disabled by an administrator. For information on possible user types, see Salesforce's [Profile Object documentation](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_report.htm).

## Triage and response{% #triage-and-response %}

- Examine the associated user ID, user type, IP address, and triggering login events within the Salesforce audit logs.
  - Within the login event, `@login_type` provides additional context on how the user authenticated, such as through a third-party SSO.
  - In RTEM logs, `@http.useragent` may contain additional useful information.
- Determine if the user activity includes additional events after the successful login. To correlate data, logs may include a `@session_key` and `@login_key`.
- If the login event is followed by unexpected actions within your Salesforce tenant, initiate your incident response plan.
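
The following added example (not Datadog's rule code) sketches the matching logic from the Strategy section and the `@session_key` / `@login_key` correlation from the triage steps in Python. Attribute names follow those on this page; the nested-dict event layout, the `timestamp` field, the excluded login type placeholder, and every sample event are constructed assumptions.

```python
# Added example: placeholder for the excluded login types, which this page does not list.
EXCLUDED_LOGIN_TYPES = {"<chatter-external-login-type>"}  # assumption, not a real value

def is_guest_login(event):
    """True when an event matches the rule logic described under Strategy."""
    name = event.get("evt", {}).get("name")
    if name == "Login":          # Event Log File (ELF) tier
        ok = event.get("login_status") == "LOGIN_NO_ERROR"
    elif name == "LoginEvent":   # Real Time Event Monitoring (RTEM) tier
        ok = event.get("status") == "Success"
    else:
        return False
    return (ok and event.get("user_type") == "Guest"
            and event.get("login_type") not in EXCLUDED_LOGIN_TYPES)

def follow_on_activity(login, events):
    """Later events that share the login's session_key or login_key."""
    keys = {k: login[k] for k in ("session_key", "login_key") if login.get(k)}
    return [e for e in events
            if e is not login
            and e.get("timestamp", 0) > login.get("timestamp", 0)
            and any(e.get(k) == v for k, v in keys.items())]

def triage(events):
    """Pair each matching guest login with its correlated later events."""
    return [(e, follow_on_activity(e, events)) for e in events if is_guest_login(e)]

# Constructed sample events (timestamps are simple counters, keys are made up).
SAMPLE_EVENTS = [
    {"timestamp": 1, "evt": {"name": "Login"}, "login_status": "LOGIN_NO_ERROR",
     "user_type": "Guest", "login_type": "A", "login_key": "LK1", "session_key": "SK1"},
    {"timestamp": 2, "evt": {"name": "URI"}, "login_key": "LK1"},
    {"timestamp": 3, "evt": {"name": "Login"}, "login_status": "LOGIN_ERROR_EXAMPLE",
     "user_type": "Guest", "login_type": "A", "login_key": "LK9"},
    {"timestamp": 4, "evt": {"name": "LoginEvent"}, "status": "Success",
     "user_type": "Standard", "login_type": "Application", "session_key": "SK4"},
    {"timestamp": 5, "evt": {"name": "LoginEvent"}, "status": "Success",
     "user_type": "Guest", "login_type": "Application", "session_key": "SK2"},
    {"timestamp": 6, "evt": {"name": "ApiEvent"}, "session_key": "SK2"},
    {"timestamp": 7, "evt": {"name": "LoginEvent"}, "status": "Success",
     "user_type": "Guest", "login_type": "<chatter-external-login-type>",
     "session_key": "SK3"},
]

if __name__ == "__main__":
    for login, later in triage(SAMPLE_EVENTS):
        print(login["evt"]["name"], login["timestamp"], "->",
              [e["evt"]["name"] for e in later])
```

A guest login with no correlated later events is lower priority than one followed by activity in the same session, which is the case the last triage step escalates.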
