T1213.004 Microsoft Sentinel · KQL

Detect Customer Relationship Management Software in Microsoft Sentinel

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed the CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.

MITRE ATT&CK

Tactic: Collection
Technique: T1213 Data from Information Repositories
Sub-technique: T1213.004 Customer Relationship Management Software
Canonical reference: https://attack.mitre.org/techniques/T1213/004/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Minimum number of matching events per user, app, IP and 1-hour window to count as bulk access
let BulkThreshold = 50;
// ActionType terms that indicate an export or mass download rather than ordinary record views
let ExportActionKeywords = dynamic(["Export", "BulkExport", "DataExport", "ReportDownload", "MassDownload", "Download", "ExportToFile", "ListViewExport", "BulkDownload"]);
// Application names as reported by the MDCA App Connector for each CRM platform
let CRMApps = dynamic(["Salesforce", "Microsoft Dynamics CRM", "Zendesk", "HubSpot", "Zoho CRM", "ServiceNow"]);
CloudAppEvents
| where Timestamp > ago(24h)
// CloudAppEvents carries the app name in the Application column (there is no AppName column)
| where Application has_any (CRMApps)
// has_any matches whole terms; the contains checks catch vendor-specific ActionType strings.
// contains is case-insensitive in KQL, so no tolower() is needed.
| where ActionType has_any (ExportActionKeywords)
    or ActionType contains "export"
    or ActionType contains "bulk"
    or ActionType contains "download"
| summarize
    TotalEvents = count(),
    ExportCount = countif(ActionType has_any (ExportActionKeywords)),
    ActionTypes = make_set(ActionType, 10),
    FirstActivity = min(Timestamp),
    LastActivity = max(Timestamp)
    by AccountDisplayName, AccountObjectId, Application, IPAddress, CountryCode, ISP, bin(Timestamp, 1h)
| where TotalEvents >= BulkThreshold or ExportCount >= 3
| extend SessionDurationMin = datetime_diff('minute', LastActivity, FirstActivity)
// Guard against division by zero when all events fall within the same minute
| extend RatePerMinute = round(toreal(TotalEvents) / toreal(max_of(SessionDurationMin, 1)), 2)
// Severity is assigned by the first matching branch; the country list is the expected business footprint
| extend SeverityIndicator = case(
    ExportCount >= 5, "Critical - Repeated bulk exports detected",
    TotalEvents >= 200, "High - Volumetric CRM record access",
    ExportCount >= 1 and CountryCode !in ("US", "GB", "CA", "AU", "DE", "FR", "NL") and CountryCode != "", strcat("High - CRM export from unexpected country: ", CountryCode),
    ExportCount >= 1, "Medium - CRM data export event",
    "Medium - Elevated CRM access volume")
| project
    FirstActivity, LastActivity, AccountDisplayName, AccountObjectId,
    Application, IPAddress, CountryCode, ISP,
    TotalEvents, ExportCount, ActionTypes,
    SessionDurationMin, RatePerMinute, SeverityIndicator
| sort by ExportCount desc, TotalEvents desc
```
Severity: High · Confidence: Medium

Detects bulk data access and export operations against CRM platforms (Salesforce, Microsoft Dynamics 365, Zendesk, HubSpot, Zoho) using Microsoft Defender for Cloud Apps (MDCA) telemetry via the CloudAppEvents table in Microsoft 365 Defender / Microsoft Sentinel. Aggregates user activity into 1-hour windows and alerts on export actions or high-volume record access exceeding a configurable threshold. A SeverityIndicator field classifies each alert to support analyst triage prioritization. Requires MDCA App Connectors to be configured for each CRM platform in the Defender for Cloud Apps portal.

Data Sources

  • Application Log: Application Log Content
  • Microsoft Defender for Cloud Apps (MDCA) App Connectors
  • SaaS Platform Activity Logs

Required Tables

CloudAppEvents

False Positives & Tuning

  • CRM data migration or integration projects that perform scheduled bulk exports via service accounts — typically identifiable by consistent schedule and service account names
  • Sales operations teams running legitimate pipeline reports, territory management exports, or executive dashboards — usually occur during business hours from corporate IP ranges
  • Marketing automation platforms (Pardot, Marketing Cloud, Marketo) that sync contact data on scheduled intervals using authorized OAuth integrations
  • Data backup and compliance tools (OwnBackup, Spanning, AvePoint) performing authorized CRM snapshots — identifiable by service account and consistent nightly schedule
  • Customer success teams bulk-exporting contacts for QBR preparation or authorized email campaign lists via approved Salesforce Data Loader or similar tools
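To check the rule's aggregation and SeverityIndicator logic, together with a service-account allowlist for the false positives listed above, without waiting for live MDCA telemetry, the production query can be pointed at a datatable of constructed events. This is an added example and not part of the original rule; the sample rows, account names and the AllowedServiceAccounts list are hypothetical.

```kusto
// Synthetic stand-in for CloudAppEvents, constructed for this test (not real telemetry).
let SampleEvents = datatable(Timestamp:datetime, Application:string, ActionType:string,
    AccountDisplayName:string, AccountObjectId:string, IPAddress:string, CountryCode:string, ISP:string) [
    // Interactive user repeating report exports from a country outside the expected list
    datetime(2024-05-01 09:05:00), "Salesforce", "ReportDownload", "j.doe", "u-001", "203.0.113.10", "BR", "ExampleNet",
    datetime(2024-05-01 09:07:00), "Salesforce", "ReportDownload", "j.doe", "u-001", "203.0.113.10", "BR", "ExampleNet",
    datetime(2024-05-01 09:09:00), "Salesforce", "ListViewExport", "j.doe", "u-001", "203.0.113.10", "BR", "ExampleNet",
    // Nightly backup service account performing an authorized snapshot (allowlisted below)
    datetime(2024-05-01 02:00:00), "Salesforce", "BulkExport", "svc-ownbackup", "u-900", "198.51.100.5", "US", "CorpNet",
    // Ordinary low-volume activity that matches no export keyword
    datetime(2024-05-01 10:00:00), "Zendesk", "TicketView", "a.smith", "u-002", "198.51.100.7", "US", "CorpNet"
];
// Tuning: hypothetical allowlist of the service accounts described in the false-positive notes
let AllowedServiceAccounts = dynamic(["svc-ownbackup", "svc-marketo-sync"]);
let BulkThreshold = 50;
let ExportActionKeywords = dynamic(["Export", "BulkExport", "DataExport", "ReportDownload", "MassDownload",
    "Download", "ExportToFile", "ListViewExport", "BulkDownload"]);
let CRMApps = dynamic(["Salesforce", "Microsoft Dynamics CRM", "Zendesk", "HubSpot", "Zoho CRM", "ServiceNow"]);
SampleEvents
// The production rule's "where Timestamp > ago(24h)" is omitted because the sample rows use fixed dates
| where Application has_any (CRMApps)
// Suppress authorized service accounts before aggregation so they never reach the threshold checks
| where AccountDisplayName !in (AllowedServiceAccounts)
| where ActionType has_any (ExportActionKeywords)
    or ActionType contains "export" or ActionType contains "bulk" or ActionType contains "download"
| summarize TotalEvents = count(),
    ExportCount = countif(ActionType has_any (ExportActionKeywords)),
    ActionTypes = make_set(ActionType, 10),
    FirstActivity = min(Timestamp), LastActivity = max(Timestamp)
    by AccountDisplayName, AccountObjectId, Application, IPAddress, CountryCode, ISP, bin(Timestamp, 1h)
| where TotalEvents >= BulkThreshold or ExportCount >= 3
| extend SessionDurationMin = datetime_diff('minute', LastActivity, FirstActivity)
| extend SeverityIndicator = case(
    ExportCount >= 5, "Critical - Repeated bulk exports detected",
    TotalEvents >= 200, "High - Volumetric CRM record access",
    ExportCount >= 1 and CountryCode !in ("US", "GB", "CA", "AU", "DE", "FR", "NL") and CountryCode != "",
        strcat("High - CRM export from unexpected country: ", CountryCode),
    ExportCount >= 1, "Medium - CRM data export event",
    "Medium - Elevated CRM access volume")
| project AccountDisplayName, Application, CountryCode, TotalEvents, ExportCount, ActionTypes, SessionDurationMin, SeverityIndicator
```

Swap SampleEvents for CloudAppEvents and restore the ago(24h) filter to run the tuned rule against live data; the same datatable pattern can be extended with rows for each false-positive scenario listed above to confirm the allowlist and thresholds behave as intended.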
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Salesforce Bulk Contact Export via REST API (Python simple-salesforce)

    Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].

  2. Test 2: Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API

    Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.

  3. Test 3: Salesforce Report-Based Customer Data Extraction via Reports REST API

    Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.

  4. Test 4: Zendesk Bulk Customer User and Ticket Export via REST API

    Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.
