---
title: Salesforce OAuth login errors
description: Datadog, the leading service for cloud-scale monitoring.
---

# Salesforce OAuth login errors

- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect when a failed OAuth login occurs due to a potential nonce replay or when the access token generation limit is exceeded.

## Strategy{% #strategy %}

Salesforce tracks the outcomes of failed logins, which are available in `@login_status` or `@status` depending on your logging tier.

This rule monitors for the following status messages in login events:

- `LOGIN_OAUTH_INVALID_NONCE`
- `LOGIN_OAUTH_NONCE_REPLAY`
- `LOGIN_OAUTH_EXCEED_GET_AT_LMT`

To learn more about the variety of error messaging available for login events, refer to [Salesforce documentation](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login_status.htm).

## Triage and response{% #triage-and-response %}

- Examine the IP address, ASN, and geographic location associated with the login attempts for the associated user account.
- Review the account and connected application for successful events.
- If the IP address or user account shows evidence of suspicious activity, initiate your incident response plan.
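
The matching and triage steps above can be sketched offline as follows. This is an added example, not Datadog's rule definition: the events are constructed, and every field name other than `login_status`/`status` (`ts`, `user`, `source_ip`, `app`) is an assumption.

```python
import json
from collections import defaultdict

# Status values the rule monitors (from the Strategy section).
OAUTH_ERROR_STATUSES = {
    "LOGIN_OAUTH_INVALID_NONCE",
    "LOGIN_OAUTH_NONCE_REPLAY",
    "LOGIN_OAUTH_EXCEED_GET_AT_LMT",
}
SUCCESS_STATUS = "LOGIN_NO_ERROR"  # Salesforce's status for a successful login

# Constructed sample events. Field names other than login_status/status
# are assumptions made for this example.
SAMPLE_EVENTS = """
{"ts": 1, "user": "alice@example.com", "source_ip": "198.51.100.7", "app": "crm-sync", "login_status": "LOGIN_OAUTH_NONCE_REPLAY"}
{"ts": 2, "user": "alice@example.com", "source_ip": "198.51.100.7", "app": "crm-sync", "login_status": "LOGIN_NO_ERROR"}
{"ts": 3, "user": "bob@example.com", "source_ip": "203.0.113.9", "app": "reporting", "status": "LOGIN_OAUTH_EXCEED_GET_AT_LMT"}
{"ts": 4, "user": "bob@example.com", "source_ip": "203.0.113.10", "app": "reporting", "status": "LOGIN_OAUTH_INVALID_NONCE"}
{"ts": 5, "user": "carol@example.com", "source_ip": "192.0.2.4", "app": "crm-sync", "login_status": "LOGIN_ERROR_INVALID_PASSWORD"}
"""

def status_of(event):
    """Read the status from whichever attribute the logging tier provides."""
    return event.get("login_status") or event.get("status")

def triage(raw=SAMPLE_EVENTS):
    """Group monitored OAuth errors by (user, app) and note later successes."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    findings = defaultdict(
        lambda: {"errors": [], "ips": set(), "success_after_error": False}
    )
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        status = status_of(ev)
        if status in OAUTH_ERROR_STATUSES:
            findings[key]["errors"].append(status)
            findings[key]["ips"].add(ev["source_ip"])
        elif status == SUCCESS_STATUS and key in findings:
            # A success for the same account and connected app after an
            # OAuth error is the case the triage steps ask you to review.
            findings[key]["success_after_error"] = True
    return dict(findings)

if __name__ == "__main__":
    for (user, app), f in triage().items():
        print(user, app, f["errors"], sorted(f["ips"]), f["success_after_error"])
```
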
