Detect Customer Relationship Management Software in IBM QRadar
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.004 Customer Relationship Management Software
- Canonical reference
- https://attack.mitre.org/techniques/T1213/004/
QRadar Detection Query
SELECT
USERNAME AS user,
SOURCEIP AS source_ip,
LOGSOURCENAME(logsourceid) AS crm_platform,
LOGSOURCETYPENAME(logsourceid) AS log_source_type,
COUNT(*) AS event_count,
UNIQUECOUNT(QIDNAME(qid)) AS unique_action_types,
SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) AS export_event_count,
SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%bulk%' THEN 1 ELSE 0 END) AS bulk_event_count,
DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS first_activity,
DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS last_activity,
(MAX(starttime) - MIN(starttime)) / 60000 AS session_duration_min,
COUNT(*) / NULLIF((MAX(starttime) - MIN(starttime)) / 60000, 0) AS events_per_min,
CASE
WHEN SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 5
THEN 'Critical - Repeated bulk exports detected'
WHEN COUNT(*) >= 200
THEN 'High - Volumetric CRM record access'
WHEN SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 1
THEN 'Medium - CRM data export event'
ELSE 'Medium - Elevated CRM access volume'
END AS severity_label
FROM events
WHERE
LOGSOURCETYPENAME(logsourceid) IN (
'Salesforce Security Audit Trail',
'Microsoft Dynamics 365',
'Zendesk',
'HubSpot CRM',
'Zoho CRM',
'ServiceNow'
)
AND (
LOWER(QIDNAME(qid)) LIKE '%export%'
OR LOWER(QIDNAME(qid)) LIKE '%bulk%'
OR LOWER(QIDNAME(qid)) LIKE '%download%'
OR LOWER(QIDNAME(qid)) LIKE '%report%'
OR LOWER(QIDNAME(qid)) LIKE '%mass%'
)
AND USERNAME IS NOT NULL
AND USERNAME != 'N/A'
GROUP BY
USERNAME,
SOURCEIP,
LOGSOURCENAME(logsourceid),
LOGSOURCETYPENAME(logsourceid),
DATEFORMAT(starttime, 'yyyy-MM-dd HH')
HAVING
COUNT(*) >= 50
OR SUM(CASE WHEN LOWER(QIDNAME(qid)) LIKE '%export%' THEN 1 ELSE 0 END) >= 3
ORDER BY
export_event_count DESC, event_count DESC
LAST 24 HOURS

AQL query against the QRadar event store that aggregates CRM audit events per user, source IP and platform in hourly buckets. It fires on 50 or more qualifying events, or 3 or more explicit export-type actions, within a single hour, computes the duration and rate of the activity, and then applies the tiered severity label. Note that starttime is stored in epoch milliseconds, so the duration and rate calculations must divide by 60000, not 60, to obtain minutes. The log source type names in the IN list and the keywords matched against QIDNAME(qid) depend on the DSMs in your deployment: confirm both with a quick SELECT LOGSOURCETYPENAME(logsourceid), QIDNAME(qid) FROM events query over your CRM log sources before enabling the rule, because an event whose QID name does not contain one of the keywords never reaches the aggregation. Requires each CRM platform to be configured as a QRadar log source with a DSM that populates username and source IP. Maps to T1213.004.
Data Sources
- CRM audit and activity logs forwarded to QRadar: Salesforce Event Monitoring / security audit trail, the Microsoft 365 Unified Audit Log for Dynamics 365, Zendesk audit events, and the equivalent logs for HubSpot, Zoho CRM and ServiceNow, each onboarded as a log source whose DSM parses the acting user, source IP and action name.
Required Tables
- events
False Positives & Tuning
- Automated nightly data warehouse sync jobs using dedicated service accounts that perform bulk CRM exports to feed BI platforms such as Tableau, Power BI, or Looker — these typically generate high event counts from static, known IPs.
- Third-party integration middleware platforms (MuleSoft, Boomi, Zapier) configured to poll CRM records at high frequency for downstream system synchronization; service account usernames are usually identifiable.
- CRM administrators performing annual data hygiene exercises, GDPR/CCPA compliance audits, or mass record deduplication campaigns requiring large-scale exports and re-imports.
- Revenue intelligence or forecasting tools (Clari, Gong, Chorus) accessing CRM APIs to pull deal and contact data for predictive modeling at elevated rates.
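The aggregation and severity tiering of the AQL rule above, together with the service-account and source-network suppression described in the tuning list, re-implemented in Python so the thresholds can be exercised offline. This is an added example, not code from the original page or from IBM; the events, user names, log source names and RFC 5737 addresses are constructed, and `apply_tuning` is a hypothetical helper standing in for whatever reference set or building block you would use in QRadar itself.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOUR_MS = 3_600_000  # QRadar starttime is epoch milliseconds

# Log source types and QID-name keywords taken from the AQL rule above.
CRM_LOG_SOURCE_TYPES = {
    "Salesforce Security Audit Trail", "Microsoft Dynamics 365", "Zendesk",
    "HubSpot CRM", "Zoho CRM", "ServiceNow",
}
ACTION_KEYWORDS = ("export", "bulk", "download", "report", "mass")


def _event(user, ip, logsource, lstype, qidname, t_ms):
    return {"username": user, "sourceip": ip, "logsource": logsource,
            "logsourcetype": lstype, "qidname": qidname, "starttime": t_ms}


# Constructed sample telemetry: hypothetical users and log sources, all within one hour.
BASE_MS = 1_700_000_000_000
SAMPLE_EVENTS = (
    # an analyst running six report exports in ten minutes -> Critical
    [_event("alice@corp.example", "203.0.113.10", "sfdc-prod",
            "Salesforce Security Audit Trail", "Report Export", BASE_MS + i * 120_000)
     for i in range(6)]
    # a BI service account pulling 80 bulk downloads -> volumetric, but a known sync job
    + [_event("svc-bi@corp.example", "198.51.100.5", "sfdc-prod",
              "Salesforce Security Audit Trail", "Bulk API Job Download", BASE_MS + i * 30_000)
       for i in range(80)]
    # a support agent running ten reports -> below both thresholds
    + [_event("bob@corp.example", "203.0.113.22", "zendesk-prod", "Zendesk",
              "Report Run", BASE_MS + i * 60_000) for i in range(10)]
    # events without a usable username are dropped, as in the WHERE clause
    + [_event("N/A", "203.0.113.9", "hubspot-prod", "HubSpot CRM",
              "Bulk Export", BASE_MS + i * 1_000) for i in range(10)]
)


def severity(event_count, export_count):
    """Same tiering as the CASE expression in the rule."""
    if export_count >= 5:
        return "Critical - Repeated bulk exports detected"
    if event_count >= 200:
        return "High - Volumetric CRM record access"
    if export_count >= 1:
        return "Medium - CRM data export event"
    return "Medium - Elevated CRM access volume"


def aggregate(events, min_events=50, min_exports=3):
    """Bucket per (user, source IP, log source, type, hour) and apply the HAVING thresholds."""
    buckets = defaultdict(list)
    for e in events:
        if not e["username"] or e["username"] == "N/A":
            continue
        if e["logsourcetype"] not in CRM_LOG_SOURCE_TYPES:
            continue
        name = e["qidname"].lower()
        if not any(k in name for k in ACTION_KEYWORDS):
            continue
        key = (e["username"], e["sourceip"], e["logsource"], e["logsourcetype"],
               e["starttime"] // HOUR_MS)
        buckets[key].append(e)

    findings = []
    for (user, ip, src, lstype, _hour), evs in buckets.items():
        n = len(evs)
        exports = sum("export" in e["qidname"].lower() for e in evs)
        if n < min_events and exports < min_exports:
            continue
        first = min(e["starttime"] for e in evs)
        last = max(e["starttime"] for e in evs)
        duration_min = (last - first) / 60_000  # milliseconds -> minutes
        findings.append({
            "user": user, "source_ip": ip, "crm_platform": src, "log_source_type": lstype,
            "event_count": n, "export_event_count": exports,
            "bulk_event_count": sum("bulk" in e["qidname"].lower() for e in evs),
            "session_duration_min": duration_min,
            "events_per_min": n / duration_min if duration_min else None,
            "severity_label": severity(n, exports),
        })
    findings.sort(key=lambda f: (-f["export_event_count"], -f["event_count"]))
    return findings


def apply_tuning(findings, allow_users=(), allow_networks=()):
    """Suppress known integration accounts and their source networks (see the tuning list)."""
    nets = [ip_network(n) for n in allow_networks]
    return [f for f in findings
            if f["user"] not in allow_users
            and not any(ip_address(f["source_ip"]) in net for net in nets)]


if __name__ == "__main__":
    tuned = apply_tuning(aggregate(SAMPLE_EVENTS),
                         allow_users={"svc-bi@corp.example"},
                         allow_networks=["198.51.100.0/24"])
    for f in tuned:
        print(f["severity_label"], f["user"], f["source_ip"],
              f["event_count"], f["export_event_count"], f["events_per_min"])
```

Suppressing on the user name alone is weak, since a stolen service-account credential used from an unexpected network is exactly the case the rule should still catch; pairing the account with its known source network, as `apply_tuning` does, keeps that signal.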
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. After running a test, confirm in QRadar that the events arrived on the expected log source with a parsed username and a QID name containing one of the rule's keywords (export, bulk, download, report, mass); if the DSM names the action differently, the rule cannot fire no matter how many records were pulled.
- Test 1: Salesforce Bulk Contact Export via REST API (Python simple-salesforce)
Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].
- Test 2: Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API
Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.
- Test 3: Salesforce Report-Based Customer Data Extraction via Reports REST API
Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.
- Test 4: Zendesk Bulk Customer User and Ticket Export via REST API
Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.
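A check for the key indicator Test 3 calls out: programmatic report execution (RENDER_FORMAT=API) in the Salesforce Event Monitoring Report log, summed per user so you can confirm the test produced the rows you expect before looking for them in QRadar. This is an added example, not code from the original page or from Salesforce; the CSV columns are the ones the expected-signal text above names, while the row values (user and report IDs, addresses, timestamps) and the non-API render format value "WEB" are constructed placeholders.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed Event Monitoring "Report" rows; column names follow Test 3's expected
# signal, every value is made up for the example.
SAMPLE_REPORT_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,REPORT_ID,ROWS_PROCESSED,RENDER_FORMAT
Report,2024-01-15T10:01:02.000Z,005000000000001AAA,203.0.113.10,00O000000000001AAA,2000,API
Report,2024-01-15T10:02:11.000Z,005000000000001AAA,203.0.113.10,00O000000000002AAA,2000,API
Report,2024-01-15T10:03:40.000Z,005000000000001AAA,203.0.113.10,00O000000000003AAA,1500,API
Report,2024-01-15T10:05:00.000Z,005000000000002AAA,198.51.100.7,00O000000000001AAA,250,WEB
"""


def programmatic_report_runs(log_text, min_rows=1000):
    """Group API-rendered report executions per user.

    Returns {user_id: {"runs", "rows", "reports", "ips"}} for users whose API-rendered
    runs processed at least min_rows records in total; browser renders are ignored.
    """
    per_user = defaultdict(lambda: {"runs": 0, "rows": 0, "reports": set(), "ips": set()})
    for row in csv.DictReader(StringIO(log_text)):
        if row["EVENT_TYPE"] != "Report" or row["RENDER_FORMAT"] != "API":
            continue
        stats = per_user[row["USER_ID_DERIVED"]]
        stats["runs"] += 1
        stats["rows"] += int(row["ROWS_PROCESSED"])
        stats["reports"].add(row["REPORT_ID"])
        stats["ips"].add(row["CLIENT_IP"])
    return {user: s for user, s in per_user.items() if s["rows"] >= min_rows}


if __name__ == "__main__":
    for user, s in programmatic_report_runs(SAMPLE_REPORT_LOG).items():
        print(user, s["runs"], "API report runs,", s["rows"], "rows,",
              len(s["reports"]), "distinct reports from", sorted(s["ips"]))
```

The same shape of check works against the Zendesk audit log in Test 4 by counting `action=view` entries per actor; what matters in both cases is comparing the per-user totals against the record counts your test script actually requested.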
References (11)
- https://attack.mitre.org/techniques/T1213/004/
- https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
- https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
- https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_what_is_rest_api.htm
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
- https://learn.microsoft.com/en-us/power-apps/developer/data-platform/webapi/overview
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-salesforce
- https://developer.zendesk.com/api-reference/ticketing/ticket-management/audit_logs/
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity