Skip to content

DET0550 Detecting Suspicious Access to CRM Data in SaaS Environments

Item Value
ID DET0550
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1213.004 (Customer Relationship Management Software)

Analytics

SaaS

AN1520

Anomalous high-volume access to customer records in CRM software by a non-CRM admin user account, especially following initial authentication from a rare location or device. Behavior includes abnormal access to PII fields or data exports within a short time window.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) saas:salesforce DataExport, RestAPI, Login, ReportExport
Logon Session Creation (DC0067) m365:signinlogs UserLoggedIn
Mutable Elements
Field Description
TimeWindow Duration over which bulk CRM queries occur (e.g., 1 minute, 5 minutes); varies by organization usage pattern
UserContext User’s CRM role, department, or job function (e.g., non-sales user accessing customer PII)
AnomalousExportThreshold Number of CRM objects (contacts, deals, logs) accessed or exported above normal
SourceLocation Rare or impossible geolocation/IP address for legitimate CRM user access