salesforce.com Eoghan Casey
August 27, 2025

Learn how to detect, investigate, and respond to Salesforce security incidents with logs, permissions, and backups.

A guide to investigating Salesforce security incidents with logs, permissions, and backups to strengthen response and resilience.

I am increasingly asked by customers how to investigate potential security incidents in their Salesforce environments. Common questions are: What did a specific user do during that time? and What data was impacted? Every organization and incident is unique, and the answer to these questions depends on the specific situation, but there is some general guidance I can provide.

Three key sources of information for investigating a security incident in Salesforce environments are activity logs, user permissions, and backup data.