Detect Customer Relationship Management Software in Splunk
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.004 Customer Relationship Management Software
- Canonical reference
- https://attack.mitre.org/techniques/T1213/004/
SPL Detection Query
index=salesforce (sourcetype="salesforce:logfile:Report" OR sourcetype="salesforce:logfile:BulkApi" OR sourcetype="salesforce:logfile:ApiTotalUsage" OR sourcetype="salesforce:logfile:ListView")
| eval action_category=case(
sourcetype="salesforce:logfile:Report", "report_execution",
sourcetype="salesforce:logfile:BulkApi", "bulk_api",
sourcetype="salesforce:logfile:ListView", "list_view",
1=1, "api_usage")
| eval user=coalesce(USER_ID_DERIVED, USER_ID, "unknown")
| eval source_ip=coalesce(CLIENT_IP, SOURCE_IP, "unknown")
| bin _time span=1h
| stats
count as event_count,
dc(ENTITY_NAME) as unique_object_types,
sum(ROWS_PROCESSED) as total_records,
values(action_category) as action_categories,
values(ENTITY_NAME) as objects_accessed,
values(source_ip) as source_ips,
earliest(_time) as first_seen,
latest(_time) as last_seen
by user, _time
| eval session_duration_min=round((last_seen - first_seen) / 60, 1)
| eval rate_per_min=round(event_count / if(session_duration_min < 1, 1, session_duration_min), 2)
| eval risk_score=case(
total_records >= 5000, 4,
event_count >= 200 OR total_records >= 1000, 3,
mvfind(action_categories, "bulk_api") >= 0 AND event_count >= 10, 2,
event_count >= 50, 1,
1=1, 0)
| where risk_score >= 1
| eval risk_label=case(
risk_score >= 4, "Critical - Mass CRM data extraction",
risk_score == 3, "High - Bulk CRM data export or volumetric access",
risk_score == 2, "Medium - Elevated Bulk API usage",
1=1, "Low - Above-baseline CRM activity")
| table first_seen, last_seen, user, action_categories, objects_accessed, source_ips, event_count, unique_object_types, total_records, session_duration_min, rate_per_min, risk_score, risk_label
| sort - risk_score event_countDetects bulk data access and export operations in Salesforce CRM using the Splunk Add-on for Salesforce Event Monitoring logs. Monitors Report execution, Bulk API operations, API total usage, and List View events, aggregating per user into 1-hour windows. Assigns a risk score (0-4) based on event count, ROWS_PROCESSED volume, and action types. Requires Salesforce Event Monitoring to be enabled (Enterprise/Unlimited/Performance edition) and the Splunk Add-on for Salesforce deployed with Event Log File collection configured.
Data Sources
Required Sourcetypes
False Positives & Tuning
- CRM data migration or integration projects performing scheduled bulk exports via dedicated service accounts
- Sales operations teams running legitimate pipeline analysis reports or territory management exports, typically during business hours
- Marketing automation platforms (Pardot, Marketing Cloud, Marketo) syncing contact data via authorized Salesforce integrations with scheduled batch jobs
- Data backup tools (OwnBackup, Spanning) performing authorized daily Salesforce snapshots using dedicated backup user accounts
- Customer success or RevOps teams exporting data for QBR preparation or authorized bulk email campaigns using Salesforce Data Loader
Other platforms for T1213.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Salesforce Bulk Contact Export via REST API (Python simple-salesforce)
Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].
- Test 2Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API
Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.
- Test 3Salesforce Report-Based Customer Data Extraction via Reports REST API
Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.
- Test 4Zendesk Bulk Customer User and Ticket Export via REST API
Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.
References (11)
- https://attack.mitre.org/techniques/T1213/004/
- https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
- https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
- https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_what_is_rest_api.htm
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
- https://learn.microsoft.com/en-us/power-apps/developer/data-platform/webapi/overview
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-salesforce
- https://developer.zendesk.com/api-reference/ticketing/ticket-management/audit_logs/
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
Unlock Pro Content
Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.