T1213.004 Google Chronicle · YARA-L

Detect Customer Relationship Management Software in Google Chronicle

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Sub-technique
T1213.004 Customer Relationship Management Software
Canonical reference
https://attack.mitre.org/techniques/T1213/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1213_004_crm_bulk_data_export {
  meta:
    author = "df00tech"
    description = "Detects bulk data exports or repeated export-type actions from CRM platforms indicating potential data mining activity (T1213.004 - Collection: CRM Software)"
    mitre_attack_technique = "T1213.004"
    mitre_attack_tactic = "Collection"
    severity = "HIGH"
    priority = "HIGH"
    platforms = "SaaS"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    (
      re.regex($e.target.application.name, `(?i)salesforce|microsoft dynamics|zendesk|hubspot|zoho crm|servicenow`) or
      re.regex($e.metadata.product_name, `(?i)salesforce|dynamics 365|zendesk|hubspot|zoho|servicenow`) or
      re.regex($e.metadata.vendor_name, `(?i)salesforce|microsoft|zendesk|hubspot|zoho|servicenow`)
    )
    (
      re.regex($e.metadata.event_subtype, `(?i)export|bulk_export|data_export|report_download|mass_download|bulk_download|list_view_export|export_to_file`) or
      re.regex($e.target.resource.name, `(?i)export|bulk|download|report`) or
      re.regex($e.security_result.description, `(?i)export|bulk|download|report`)
    )
    $e.principal.user.userid = $user
    $e.principal.ip = $ip

  match:
    $user, $ip over 1h

  condition:
    #e >= 3
}
high severity medium confidence

Chronicle YARA-L 2.0 rule using the UDM event model to detect repeated CRM export-type actions. Correlates USER_RESOURCE_ACCESS events from CRM platforms (Salesforce, Dynamics 365, Zendesk, HubSpot, Zoho, ServiceNow) by principal user and IP, triggering when 3 or more export-type actions occur within a 1-hour match window. Uses regex matching against application name, product name, vendor name, event subtype, resource name, and security result description to maximize coverage across varied CRM log parsers ingested into Chronicle. Maps to T1213.004.

Data Sources

Google Chronicle UDM (Unified Data Model)Salesforce audit trail ingested via Chronicle SIEM Salesforce parserMicrosoft Dynamics 365 / Microsoft 365 Unified Audit Log via Chronicle O365 parserZendesk, HubSpot, Zoho, and ServiceNow cloud audit logs via Chronicle universal parsers

Required Tables

USER_RESOURCE_ACCESS UDM event type

False Positives & Tuning

  • CRM integration service accounts legitimately performing scheduled bulk exports for downstream analytics pipelines, data warehouse loads, or BI tool synchronization — typically appear as non-human principal usernames at consistent times.
  • Power users or sales operations analysts generating large account lists, opportunity exports, or contact record downloads during quarterly business review (QBR) or board reporting preparation.
  • Automated backup or compliance archival processes exporting CRM records to cloud storage on a scheduled basis for regulatory retention or disaster recovery purposes.
  • Revenue intelligence platforms (Outreach, SalesLoft, Apollo) making elevated-volume API calls to sync contact and activity data for engagement tracking and sequence automation.
Download portable Sigma rule (.yml)

Other platforms for T1213.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Salesforce Bulk Contact Export via REST API (Python simple-salesforce)

    Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].

  2. Test 2Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API

    Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.

  3. Test 3Salesforce Report-Based Customer Data Extraction via Reports REST API

    Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.

  4. Test 4Zendesk Bulk Customer User and Ticket Export via REST API

    Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.

Last updated: 2026-04-19 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001ConfluenceT1213.002SharepointT1213.003Code RepositoriesT1213.005Messaging ApplicationsT1213.006Databases

Related Techniques

T1213Data from Information RepositoriesT1213.002SharepointT1530Data from Cloud StorageT1048Exfiltration Over Alternative ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1566PhishingT1078.004Cloud AccountsT1199Trusted RelationshipT1606Forge Web Credentials

Same Tactic: Collection

Popular Detections