Login History is always on. You do not enable it. The configuration work is on the consumption side: knowing where to find it, how to filter it, and how to archive it for long-term retention.
- Open Login History
In Setup, enter Login History in Quick Find, then click the link under Identity. The default view shows the most recent 1,000 login events with the default filter applied.
- Filter by user, date, IP, or status
Use the column filters: User Type, Username, Status, Login Time, Source IP. Combine filters with AND logic. The Source IP filter is the most useful one for "where is this user connecting from" investigations.
- Drill into a single entry
Click any row to open the detail view: timestamp, IP, user agent, browser, platform, Connected App, Auth Provider, Login Flow, Status. The detail view is what you need for forensic write-ups.
- Run a SOQL query for batch analysis
In Workbench or the Developer Console, the query SELECT UserId, LoginTime, SourceIp, LoginType, Status FROM LoginHistory WHERE LoginTime >= LAST_N_DAYS:90 returns 90 days of events. Export the result to CSV for analysis or for feeding into a SIEM.
- Set up alerts on suspicious patterns
For real-time alerting, use Transaction Security policies. Built-in templates cover impossible-travel and concurrent-session patterns. Custom policies in Apex extend the alerting to your own logic.
- Schedule a monthly external archive
For retention beyond the 1-year API window, schedule a monthly export of LoginHistory through Apex or a CI job. Push to S3 or an on-prem SIEM. This is the canonical pattern for SOC 2 and ISO 27001 compliance.
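As an added example (not Salesforce's code and not from this page), here is a CI-job style export in Python that pages through the REST query endpoint, verifies that every row arrived, and hashes the CSV before it is pushed to S3 or a SIEM. The API version, the `get_json` helper and the sample records are assumptions constructed for illustration; `LAST_MONTH` replaces the 90-day literal to fit a monthly schedule.

```python
import csv
import hashlib
import io
from urllib.parse import quote

API_VERSION = "v60.0"  # assumption: replace with a version your org supports
FIELDS = ["UserId", "LoginTime", "SourceIp", "LoginType", "Status"]
SOQL = f"SELECT {', '.join(FIELDS)} FROM LoginHistory WHERE LoginTime = LAST_MONTH"


def export_login_history(get_json, soql=SOQL):
    """Return (csv_text, row_count, sha256_hex) for every record the query matches.
    get_json(path) is a hypothetical caller-supplied function that performs an
    authenticated GET against the org's instance URL and returns parsed JSON."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    path = f"/services/data/{API_VERSION}/query?q={quote(soql)}"
    rows, total = 0, None
    while path:
        page = get_json(path)
        total = page["totalSize"] if total is None else total
        for rec in page["records"]:
            writer.writerow(rec)  # extrasaction drops the "attributes" member
            rows += 1
        # Large result sets arrive in batches: follow nextRecordsUrl until done.
        path = None if page["done"] else page["nextRecordsUrl"]
    if rows != total:  # a short archive is a silent gap in the audit trail
        raise RuntimeError(f"incomplete export: {rows} of {total} rows")
    text = buf.getvalue()
    return text, rows, hashlib.sha256(text.encode()).hexdigest()


# Constructed two-page response, shaped like a REST query result.
def _rec(uid, ip, status):
    return {"attributes": {"type": "LoginHistory"}, "UserId": uid,
            "LoginTime": "2024-05-01T08:00:00.000+0000", "SourceIp": ip,
            "LoginType": "Application", "Status": status}

SAMPLE_PAGES = {
    "first": {"totalSize": 3, "done": False, "nextRecordsUrl": "next",
              "records": [_rec("005A", "198.51.100.7", "Success"),
                          _rec("005B", "203.0.113.9", "Failed")]},
    "next": {"totalSize": 3, "done": True,
             "records": [_rec("005A", "198.51.100.7", "Success")]},
}

def sample_get_json(path):
    return SAMPLE_PAGES["next" if path == "next" else "first"]
```

Store the returned digest alongside the archived file so a later audit can confirm the export was not altered after it left Salesforce.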
Multi-field filter on the Setup, Login History page: User, Date, Status, Source IP, Application, Browser. Combines with AND logic.
Queryable object exposed through SOAP and REST API. Supports up to 1 year of history. Used for batch analysis and SIEM integration.
Application Login, Remote Access, Visualforce Login, SAML Login. Each type has different forensic signatures.
Success, Failed, Locked Out, Suspended, Disabled, Frozen, Restricted. Captures every authentication outcome.
Real-time policies that react to Login History patterns (impossible-travel, concurrent sessions, anomalous IPs).
- Login History retention is 6 months in the UI and 1 year through the API. Older events are gone unless you exported them. Schedule monthly archives for compliance.
- Geo-location is IP-based and approximate. VPN users and mobile carrier IPs can appear in unexpected cities, generating false positives in impossible-travel detection.
- Failed login attempts include the reason in the Status field. Use this to distinguish brute-force attempts from typo-driven lockouts. The patterns look similar without the reason code.
- OAuth-based access through Connected Apps is logged differently from password-based logins. The Connected App ID appears in the entry. Filter on Connected App for integration-specific forensics.
- Login Flows that reject a session still appear in Login History as Success entries with the Login Flow ID. Cross-reference with the Login Flow logs to see why the session was terminated.