Admins / Security

How to Monitor User Activity in Salesforce

By Mike Mason

Before you can protect your data, you have to know where the data is and who can access it. Salesforce often host an organization’s most sensitive data, and monitoring who can access that information is vital for safeguarding it. This is where user activity monitoring comes in.

User activity monitoring – tracking user actions in a digital environment for information security – is critical for protecting sensitive cloud-based data. Recorded user actions in Salesforce include permission changes, login attempts, application use, exports across platforms, and more.

Why Does User Activity Monitoring Matter?

While user activity monitoring can record nearly every user action, the purpose of monitoring users isn’t to become Big Brother to your employees. Instead, the motivation behind monitoring user actions for information security purposes is to manage permissions, mitigate risk, improve user experience, and create a more secure environment for mission-critical data. The average cost per stolen record in a data breach is $150 – and that’s before factoring in the expense of lost trust and legal or regulatory fines.

Monitoring data access enables admins to proactively deter such costs across cloud applications like Salesforce.

User Activity Monitoring in Salesforce

In Salesforce, user activity monitoring can identify:

  • Altered profiles and permissions
  • Who’s logging in, when, and from where
  • What reports are being run
  • Data exports – through reports or APIs
  • Record access trends
  • Top users
  • And more

Salesforce admins can utilize user activity monitoring to gain deeper visibility into the health of their Salesforce org, covering four critical areas: security, compliance, usage and adoption, and performance. With these insights, you can analyze your workforce, make adjustments to boost performance, and take Salesforce from a simple tool to a beacon of productivity, trust, and success.


The average cost of a data breach is $3.92 million. You may have seen companies like Facebook, Google, and Equifax suffer financially due to data breaches. Many breaches are caused by insiders, whether maliciously or unintentionally. In fact, the 2019 Cost of a Data Breach Report showed that organization insiders cause more than half of all breaches. This statistic is just one reason why the need for user activity monitoring exists. User monitoring has grown exponentially due to organizations’ need to protect sensitive data in cloud applications.

Proactive security monitoring can identify unusual user behavior like:

  • Unauthorized permission or profile changes
  • Abnormally large exports
  • Unexpected report runs
  • Atypical login activity

Admins can see if a user logs in at odd hours, such as on weekends or late at night, or if they log in from a different IP address, indicating they’re accessing Salesforce from an unexpected location. With this information, you can prevent unauthorized access that could lead to a data breach.

If you’ve entered Setup Audit Trail to see the log of administrative actions occurring in your Salesforce org, you’ve engaged in user activity monitoring. Setup Audit Trail provides a log of user-generated actions – such as new fields created or permissions changed – to identify who made the changes, when, and from where. Monitoring user activity helps you proactively safeguard your Salesforce org by identifying suspicious actions and addressing them, reducing your technological attack surface.


Regulated industries like healthcare and financial services follow compliance frameworks that require user activity monitoring. As a Salesforce user in a regulated industry, meeting compliance standards is crucial for multiple reasons: You want to reinforce trust, and you don’t want to receive hefty fines. Non-compliance with GDPR, for example, can incur fines of as much as €20 million or four percent of annual global turnover (whichever is greater).

In Salesforce, more than 170 individual user permissions can be changed, which creates opportunities for users to access data. Changes in permissions, whether intentional or not, can open your organization to risk if users have broader data access than necessary for their role. Increased access to data may put your organization at risk of being non-compliant and at risk for unwanted user activity. User activity monitoring identifies changes that can lead to security risks such as:

  • Profile or permissions changes
  • User creation and deactivation
  • Security control changes

By monitoring these areas, you don’t have to perform the time-consuming task of manually auditing your permissions and profiles, saving you time and aligning your organization with compliance and security frameworks. Instead, user activity monitoring tools can show you, at a user-centric level, details about who changed what permissions, when, and from where.

Usage and Adoption

User activity monitoring insights can also reveal how users interact with Salesforce. Usage and adoption are critical for users to leverage Salesforce to its fullest and monitoring certain actions can reveal if your team is fully utilizing the CRM.

Usage and adoption information gained from user activity monitoring can guide your training and educational efforts to encourage more effective use of the application. For example, you can pinpoint the most productive Salesforce user to create a benchmark for others’ performances. You can also use that user’s performance as a motivator or tag them to help train others – after all, learning from the best is how you become the best.

Salesforce’s Login History file records login attempts, including failures. If you’ve examined this data, you’ve monitored user activity. By looking at login history, you can tell which users log in regularly and make use of their Salesforce license. You can also identify who isn’t logging in; these users may need more training on how to use Salesforce or may not need a license at all.


Evaluating performance – the end-user experience – is essential when measuring Salesforce’s impact on operations. Measuring performance through user activity monitoring is an impactful way to know if you’re using the CRM efficiently. Admins can view events like failed logins to pinpoint if there’s a problem with the login page or account permissions. Poor page performance may reveal broken links or 404 errors. You can also assess performance based on Apex events and Community performance. User activity monitoring reports reveal areas that need to be addressed, which is critical because the performance of your Salesforce org is directly tied to productivity and ROI.

Salesforce Shield: Event Monitoring

Salesforce Shield: Event Monitoring provides Salesforce admins with org visibility through user activity monitoring-based audit logs. With Event Monitoring, you can track user activity and prevent data loss. Event Monitoring provides the audit log files from Salesforce. These logs contain information about nearly 50 unique, user-generated events.

Event Monitoring logs provide access to answers for pressing questions such as:

  • Are departing employees exporting sensitive data?
  • Are inactive users attempting to log in?
  • Which users logged in this week and which didn’t?
  • Are customers experiencing Community login failures?
  • What were the most-accessed Visualforce pages – who accessed them?
  • What’s the trend of successful vs. failed logins?
  • Who has escalated privileges to “manage” or “sysadmin?”
  • What permissions and profiles have been changed?


Enabling Event Monitoring in Salesforce can streamline and optimize your Salesforce usage. As long as you use a visibility tool to digest the raw Event Monitoring log data, you’ll be able to monitor and address user activity concerns for security, usage and adoption, performance, and compliance with ease.

If you’d like to see user activity monitoring in action, the FairWarning platform provides visibility and actionable insights through detailed reports and alerts – contact us for a demo today.

The Author

Mike Mason

Mike is the Regional Sales Director at Varonis and an accomplished entrepreneur with nearly two decades of experience in product, implementations and sales.


    Mireille Beguin
    June 16, 2022 7:31 pm
    Is it possible to produce an audit log to show which sales operators made which modification on a particular customer file? I am having a problem of some sales people changing data ton customer files. Just to say salesforce is a fantastic tool and I really enjoy using it ! Mireille

Leave a Reply