Detect Customer Relationship Management Software in Sumo Logic CSE
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data including personally identifiable information (PII) such as full names, emails, phone numbers, addresses, purchase histories, and IT support interactions. Once adversaries gain access to a victim organization — through credential theft, insider threat, or compromised integrations — they may systematically extract CRM data to enable downstream attacks including targeted phishing, SIM swapping, and further organizational compromise. CRM platforms targeted include Salesforce, Microsoft Dynamics 365, Zoho, Zendesk, and HubSpot. Real-world incidents include the 2022 US Cellular breach (threat actors accessed CRM billing system to export customer records), the 2021 Mint Mobile breach (unauthorized CRM access enabled SIM swapping), and a 2020 customer-owned bank breach exposing account balances and PII for 100,000 customers.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.004 Customer Relationship Management Software
- Canonical reference
- https://attack.mitre.org/techniques/T1213/004/
Sumo Detection Query
(_sourceCategory=salesforce OR _sourceCategory=dynamics365 OR _sourceCategory=zendesk OR _sourceCategory=hubspot OR _sourceCategory=zoho_crm OR _sourceCategory=servicenow)
| where action matches /(?i)export|bulk|download|report|mass/
| timeslice 1h
| stats
count as event_count,
dcount(action) as unique_actions,
sum(rows_processed) as total_records,
values(action) as action_list,
first(src_ip) as source_ip,
min(_messagetime) as first_seen_ms,
max(_messagetime) as last_seen_ms
by user, _timeslice, app_name
| where event_count >= 50 or total_records >= 1000
| eval session_duration_min = (last_seen_ms - first_seen_ms) / 60000
| eval rate_per_min = if(session_duration_min < 1, tolong(event_count), event_count / session_duration_min)
| eval risk_label = if(total_records >= 5000, "Critical - Mass CRM data extraction",
if(event_count >= 200 or total_records >= 1000, "High - Bulk CRM data export or volumetric access",
if(event_count >= 50, "Medium - Elevated CRM access volume", "Low - Above-baseline CRM activity")))
| fields _timeslice, user, app_name, source_ip, action_list, event_count, unique_actions, total_records, session_duration_min, rate_per_min, risk_label
| sort by -event_countSumo Logic search query aggregating CRM audit log events by user and application in 1-hour time buckets. Detects data mining activity by triggering on 50+ events or 1,000+ records accessed within an hour. Computes session duration and event rate, and applies tiered risk classification. Requires CRM log sources onboarded with normalized `user`, `action`, `app_name`, `src_ip`, and `rows_processed` fields. Maps to T1213.004.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled ETL pipelines or data integration services using service accounts that perform bulk CRM data extractions to populate data lakes or cloud warehouses on a nightly or weekly basis — identifiable by recurring time patterns and consistent source IPs.
- Marketing operations teams generating segmented contact lists, campaign audience exports, or enrichment data pulls as part of normal demand generation workflows during product launch periods.
- CRM data migration projects when consolidating CRM instances or switching vendors, requiring large-scale record exports over an extended period.
- Customer success platforms (Gainsight, Totango, ChurnZero) synchronizing CRM contact and account records at elevated volume for health scoring and renewal pipeline tracking.
Other platforms for T1213.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Salesforce Bulk Contact Export via REST API (Python simple-salesforce)
Expected signal: Salesforce Event Monitoring ApiTotalUsage log entry: USER_ID_DERIVED=[user], CLIENT_IP=[test IP], ENTITY_NAME=Contact, ROWS_PROCESSED=500. If Event Monitoring BulkApi type is enabled: additional BulkApi log entry. Salesforce Login History: API login event with LOGIN_TYPE=API and source IP. CloudAppEvents (if MDCA App Connector configured): AppName=Salesforce, ActionType reflecting query activity, AccountDisplayName=[user].
- Test 2Microsoft Dynamics 365 Bulk Contact Retrieve via Dataverse Web API
Expected signal: Azure AD Sign-In Logs (SigninLogs): service principal authentication event for the registered app, ResourceDisplayName=Dynamics CRM or Dataverse, with ClientAppUsed=None (service-to-service). AAD Audit Logs: no separate entry per API call, but token issuance is logged. Microsoft 365 Unified Audit Log: OfficeActivity table, RecordType=DynamicsCRM, Operation=RetrieveMultipleRecords. CloudAppEvents (MDCA): AppName=Microsoft Dynamics CRM with read/query ActionType.
- Test 3Salesforce Report-Based Customer Data Extraction via Reports REST API
Expected signal: Salesforce Event Monitoring Report log entry (salesforce:logfile:Report): USER_ID_DERIVED=[user], CLIENT_IP=[IP], REPORT_ID=[id], ROWS_PROCESSED=[n], RENDER_FORMAT=API. The RENDER_FORMAT=API value specifically distinguishes programmatic report execution from browser-based access, which is a key adversary indicator. Salesforce Login History: API login event correlated by timestamp.
- Test 4Zendesk Bulk Customer User and Ticket Export via REST API
Expected signal: Zendesk Admin Security Log: API access entries with endpoint /api/v2/users.json and /api/v2/tickets.json, authenticated admin email, source IP, and timestamp. Zendesk Audit Events API (/api/v2/audit_logs.json): entries with resource_type=user, action=view for each record accessed, plus ticket view events. CloudAppEvents (if MDCA App Connector for Zendesk is configured): AppName=Zendesk with ActionType reflecting read/list operations and high EventCount.
References (11)
- https://attack.mitre.org/techniques/T1213/004/
- https://www.bleepingcomputer.com/news/security/uscellular-discloses-data-breach-after-billing-system-hack/
- https://www.bleepingcomputer.com/news/security/mint-mobile-hit-by-a-data-breach-after-numbers-ported-data-accessed/
- https://www.bleepingcomputer.com/news/security/customer-owned-bank-informs-100k-of-breach-exposing-account-balance-pii/
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_what_is_rest_api.htm
- https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm
- https://learn.microsoft.com/en-us/power-apps/developer/data-platform/webapi/overview
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-salesforce
- https://developer.zendesk.com/api-reference/ticketing/ticket-management/audit_logs/
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
Unlock Pro Content
Get the full detection package for T1213.004 including response playbook, investigation guide, and atomic red team tests.