T1213.004 Elastic Security · Elastic

Detect Customer Relationship Management Software in Elastic Security

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Sub-technique
T1213.004 Customer Relationship Management Software
Canonical reference
https://attack.mitre.org/techniques/T1213/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by user.name, source.ip with maxspan=1h
  [any where
    (
      event.provider in~ ("salesforce", "microsoft dynamics 365", "zendesk", "hubspot", "zoho crm", "servicenow") or
      event.dataset in~ ("salesforce.audit_trail", "salesforce.login", "o365.audit", "okta.system")
    ) and
    (
      event.action : ("*export*", "*Export*", "*bulk*", "*Bulk*", "*download*", "*Download*", "*report*", "*Report*") or
      event.action in (
        "Export", "BulkExport", "DataExport", "ReportDownload",
        "MassDownload", "ExportToFile", "ListViewExport", "BulkDownload",
        "exportLeads", "exportContacts", "exportAccounts", "exportOpportunities"
      )
    )
  ] with runs=3
high severity medium confidence

Detects repeated bulk data export or report download actions from CRM platforms (Salesforce, Microsoft Dynamics 365, Zendesk, HubSpot, Zoho CRM, ServiceNow) within a 1-hour window. Triggers when the same user and source IP perform 3 or more export-type actions in sequence. Uses Elastic Common Schema (ECS) event.provider and event.action fields from cloud audit log integrations. Maps to MITRE ATT&CK T1213.004 — Collection: Data from Information Repositories (CRM Software).

Data Sources

Salesforce Audit Trail (Elastic Salesforce Integration)Microsoft 365 Unified Audit Log (Elastic O365 Integration)Okta System Log (Elastic Okta Integration)Cloud Security Audit Logs via Elastic SIEM

Required Tables

logs-salesforce.audit_trail-*logs-o365.audit-*logs-okta.system-*logs-cloud_security.audit-*

False Positives & Tuning

  • CRM administrators or data analysts running scheduled bulk exports for legitimate business reporting such as monthly sales pipeline reviews or quarterly account list reconciliation.
  • ETL/ELT integration pipelines using service accounts that perform recurring large-scale CRM exports to populate data warehouses (Snowflake, BigQuery, Redshift) or BI platforms (Tableau, Power BI).
  • Sales operations or RevOps teams conducting territory realignment, account ownership transfers, or data quality audits that require bulk record downloads and re-uploads.
  • Customer data platform (CDP) integrations synchronizing CRM contact records with marketing automation tools (Marketo, Pardot) at elevated frequency during campaign launches.
Download portable Sigma rule (.yml)

Other platforms for T1213.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Salesforce Bulk Contact Export via REST API (Python simple-salesforce)

    Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].

  2. Test 2Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API

    Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.

  3. Test 3Salesforce Report-Based Customer Data Extraction via Reports REST API

    Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.

  4. Test 4Zendesk Bulk Customer User and Ticket Export via REST API

    Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.

Last updated: 2026-04-19 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001ConfluenceT1213.002SharepointT1213.003Code RepositoriesT1213.005Messaging ApplicationsT1213.006Databases

Related Techniques

T1213Data from Information RepositoriesT1213.002SharepointT1530Data from Cloud StorageT1048Exfiltration Over Alternative ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1566PhishingT1078.004Cloud AccountsT1199Trusted RelationshipT1606Forge Web Credentials

Same Tactic: Collection

Popular Detections