Queries for the SalesforceLoginHistory table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Returns count of failed login attempts by user.

SalesforceLoginHistory
| where TimeGenerated > ago(30d)
| where Status != "Success" and isnotempty(Status)
| summarize 
    FailedLoginCount = count(),
    LastFailedAttempt = max(TimeGenerated),
    DistinctSources = dcount(SourceIp),
    FailureReasons = make_set(Status)
    by UserId, Platform, CountryIso
| sort by FailedLoginCount desc

Feedback

Was this page helpful?

Last updated on 2026-04-28