
Zoho CRM

Communication and Collaboration

Zoho - CRM platform with marketing, sales, and customer service tools.

Detection Rules for Zoho CRM
These detection rules cover security-relevant activity in Zoho CRM, a cost-effective CRM solution for small to medium-sized businesses.

Provider: Zoho CRM

Unauthorized Access Attempts
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Query login logs via BambooHR API
    - Use IP reputation APIs
  Incident Creation Criteria: Create an incident if there are multiple failed attempts from different locations.

Suspicious Login Activity
  MITRE Tactic: Initial Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Use GeoIP lookup APIs to check login locations.
    - Query IP reputation databases.
  Incident Creation Criteria: Create an incident if the IP address is flagged as malicious or if multiple logins are detected from the same user within a short time.

Data Export Anomalies
  MITRE Tactic: Exfiltration
  MITRE Technique: T1041: Exfiltration Over Web Service
  Criticality: High
  Investigation Actions (APIs):
    - Audit export logs for large data downloads.
    - Use data loss prevention (DLP) tools to analyze exports.
  Incident Creation Criteria: Create an incident if data is exported unexpectedly by a user without proper justification or if the volume exceeds defined thresholds.

Unapproved Integration Usage
  MITRE Tactic: Command and Control
  MITRE Technique: T1071.001: Application Layer Protocol
  Criticality: Medium
  Investigation Actions (APIs):
    - Review installed integrations regularly.
    - Check access permissions of third-party applications.
  Incident Creation Criteria: Create an incident if a newly installed app has access to sensitive data or if it connects to untrusted external services.

Unauthorized API Access
  MITRE Tactic: Command and Control
  MITRE Technique: T1071.003: Web Protocols
  Criticality: High
  Investigation Actions (APIs):
    - Analyze API call logs for unusual activity.
    - Review API key usage and permissions.
  Incident Creation Criteria: Create an incident if an API key shows abnormal usage patterns or if it accesses sensitive data unexpectedly.

CRM Data Manipulation
  MITRE Tactic: Impact
  MITRE Technique: T1066: Indicator Removal on Host
  Criticality: High
  Investigation Actions (APIs):
    - Audit modification logs for sensitive records.
    - Monitor user activity for unusual modification patterns.
  Incident Creation Criteria: Create an incident if there are multiple modifications made to sensitive records by a single user within a short time frame without approval.

Suspicious Email Campaigns
  MITRE Tactic: Command and Control
  MITRE Technique: T1071.004: Email Protocols
  Criticality: Medium
  Investigation Actions (APIs):
    - Review email campaign logs for volume spikes.
    - Analyze reported phishing attempts from recipients.
  Incident Creation Criteria: Create an incident if multiple recipients report phishing or if an email campaign is sent without proper authorization.

Unusual Account Activity
  MITRE Tactic: Initial Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Analyze login patterns and failed attempts.
    - Use user behavior analytics to detect anomalies.
  Incident Creation Criteria: Create an incident if multiple failed login attempts are detected from the same account or if logins occur during non-business hours.

Privilege Escalation Attempts
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1068: Execution with Unprivileged Privileges
  Criticality: High
  Investigation Actions (APIs):
    - Monitor user role changes and permission grants.
    - Review admin activities for unusual role escalations.
  Incident Creation Criteria: Create an incident if an admin role is granted to a user without proper process or if a user escalates privileges without authorization.

Sensitive Data Access
  MITRE Tactic: Exfiltration
  MITRE Technique: T1074: Data Staged
  Criticality: High
  Investigation Actions (APIs):
    - Review access logs for sensitive fields.
    - Analyze user behavior patterns around sensitive data access.
  Incident Creation Criteria: Create an incident if there are repeated accesses to sensitive data fields by unauthorized users or if sensitive data is accessed outside of normal business hours.

Phishing Attempts via CRM
  MITRE Tactic: Initial Access
  MITRE Technique: T1566: Phishing
  Criticality: High
  Investigation Actions (APIs):
    - Review reports of phishing attempts related to CRM emails.
    - Analyze email content for malicious links or attachments.
  Incident Creation Criteria: Create an incident if multiple phishing reports are received about emails sent from the CRM, especially if they involve sensitive information or known malicious domains.
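As an added example (not from this page and not Zoho's own code), the incident creation criteria of the three login-related rules above (Unauthorized Access Attempts, Suspicious Login Activity, Unusual Account Activity) run over constructed login events; the event fields, the 15-minute window, the threshold of 3 and the 08:00-18:00 business hours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Zoho CRM API output); field names are assumptions.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "location": "DE", "result": "failed"},
    {"user": "alice", "ts": "2024-05-01T09:01:00", "location": "BR", "result": "failed"},
    {"user": "alice", "ts": "2024-05-01T09:02:00", "location": "VN", "result": "failed"},
    {"user": "bob",   "ts": "2024-05-01T10:00:00", "location": "DE", "result": "success"},
    {"user": "bob",   "ts": "2024-05-01T10:05:00", "location": "DE", "result": "success"},
    {"user": "bob",   "ts": "2024-05-01T10:09:00", "location": "DE", "result": "success"},
    {"user": "carol", "ts": "2024-05-01T23:30:00", "location": "DE", "result": "success"},
]


def detect_login_incidents(events, window=timedelta(minutes=15), threshold=3,
                           business_hours=(8, 18)):
    """Apply the login criteria from the rule table; returns sorted (rule, user) pairs."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))

    incidents = set()
    for user, items in by_user.items():
        items.sort(key=lambda t: t[0])
        for i, (t0, _) in enumerate(items):
            # Sliding window: this user's events within `window` of the i-th event.
            in_window = [e for t, e in items[i:] if t - t0 <= window]
            failed = [e for e in in_window if e["result"] == "failed"]
            ok = [e for e in in_window if e["result"] == "success"]
            # Multiple failed attempts from different locations.
            if len(failed) >= threshold and len({e["location"] for e in failed}) > 1:
                incidents.add(("Unauthorized Access Attempts", user))
            # Multiple logins by the same user within a short time.
            if len(ok) >= threshold:
                incidents.add(("Suspicious Login Activity", user))
            # Multiple failed attempts from the same account.
            if len(failed) >= threshold:
                incidents.add(("Unusual Account Activity", user))
        # Successful logins outside business hours.
        for t, e in items:
            if e["result"] == "success" and not business_hours[0] <= t.hour < business_hours[1]:
                incidents.add(("Unusual Account Activity", user))
    return sorted(incidents)


if __name__ == "__main__":
    for rule, user in detect_login_incidents(SAMPLE_EVENTS):
        print(f"{rule}: {user}")
```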

APIs and Their Scopes

App: Zoho

Suspicious Login Activity
  API Required: Zoho CRM Users API
  Scope Required: users.READ
  Usage: Retrieve user login activity logs to monitor suspicious login attempts from unusual locations.

Data Export Anomalies
  API Required: Zoho CRM Reports API
  Scope Required: reports.READ
  Usage: Access export logs to analyze data exports and detect any unauthorized or large-scale exports.

Unapproved Integration Usage
  API Required: Zoho CRM Integrations API
  Scope Required: integrations.READ
  Usage: List all installed integrations and their permissions to identify any unauthorized apps connected to Zoho CRM.

Unauthorized API Access
  API Required: Zoho CRM API Usage Monitoring
  Scope Required: api.READ
  Usage: Monitor API calls made to Zoho CRM to detect any abnormal patterns or unauthorized usage of APIs.

CRM Data Manipulation
  API Required: Zoho CRM Audit Log API
  Scope Required: audit.READ
  Usage: Review audit logs to track changes made to sensitive CRM records and detect any unauthorized modifications.

Suspicious Email Campaigns
  API Required: Zoho Campaigns API
  Scope Required: campaigns.READ
  Usage: Access email campaign logs to review suspicious or unauthorized email activities originating from Zoho CRM.

Unusual Account Activity
  API Required: Zoho CRM Users API
  Scope Required: users.READ
  Usage: Monitor user account activities, including logins and failed attempts, to identify unusual behavior patterns.

Privilege Escalation Attempts
  API Required: Zoho CRM Role Management API
  Scope Required: roles.READ
  Usage: Access role and permission changes to detect unauthorized privilege escalations.

Sensitive Data Access
  API Required: Zoho CRM Fields API
  Scope Required: fields.READ
  Usage: Monitor access logs for sensitive data fields to detect potential data breaches or unauthorized access attempts.

Phishing Attempts via CRM
  API Required: Zoho Mail API
  Scope Required: mail.READ
  Usage: Review email logs to identify any phishing attempts that may have been initiated through Zoho CRM emails.

Reports and Widgets for CISO

User Login Activity Report
  Widgets:
    - Login Attempts Graph: Displays successful vs. failed logins over time.
    - Geo-Location Map: Shows user login locations.
  Description: Provides insights into user login attempts, including successes and failures, to identify potential unauthorized access.

Data Export Summary Report
  Widgets:
    - Export Volume Chart: Shows the amount of data exported per user.
    - Unauthorized Export Alerts: Lists exports flagged for review.
  Description: Details the volume and frequency of data exports, highlighting any anomalies or unauthorized exports.

Integration Usage Report
  Widgets:
    - Integration Activity Log: Lists active integrations with usage stats.
    - Unauthorized Apps Alert: Notifies of unapproved integrations.
  Description: Monitors installed integrations, their usage frequency, and any unauthorized apps.

API Access Report
  Widgets:
    - API Call Frequency Chart: Displays the number of API calls by service.
    - Anomalous API Access Alerts: Flags unusual API usage.
  Description: Analyzes API usage patterns to detect any unusual or unauthorized access attempts.

Audit Trail Report
  Widgets:
    - Change Log Table: Lists all modifications with timestamps and user details.
    - Sensitive Data Change Alerts: Highlights changes to critical records.
  Description: Provides a comprehensive view of all changes made within the CRM, focusing on sensitive data modifications.

Account Activity Report
  Widgets:
    - User Activity Dashboard: Visualizes activities per user, including logins and modifications.
    - Anomalous Activity Alerts: Flags unusual account behaviors.
  Description: Summarizes user activity within the CRM, highlighting any unusual patterns or potential insider threats.

Sensitive Data Access Report
  Widgets:
    - Data Access Log: Lists all accesses to sensitive data fields.
    - Access Anomaly Alerts: Flags unusual access patterns to sensitive data.
  Description: Monitors access to sensitive data fields to identify potential breaches or unauthorized access.

Phishing Attempt Report
  Widgets:
    - Phishing Attempt Dashboard: Displays the number of reported phishing emails.
    - Phishing Trend Analysis: Shows trends over time in phishing reports.
  Description: Aggregates reports of phishing attempts made through CRM emails, focusing on user reports and trends.