Zoho CRM
Communication and Collaboration
Zoho - CRM platform with marketing, sales, and customer service tools.
Detection Rules for Zoho CRM
These detection rules cover security-relevant activity in Zoho CRM, a cost-effective CRM solution for small to medium-sized businesses, and map each rule to a MITRE ATT&CK tactic and technique with an assigned criticality.
Provider: Zoho CRM
Detection Rule | MITRE Tactic | MITRE Technique | Criticality |
---|---|---|---|
Unauthorized Access Attempts | Credential Access | T1078: Valid Accounts | High |
Suspicious Login Activity | Initial Access | T1078: Valid Accounts | High |
Data Export Anomalies | Exfiltration | T1041: Exfiltration Over Web Service | High |
Unapproved Integration Usage | Command and Control | T1071.001: Application Layer Protocol | Medium |
Unauthorized API Access | Command and Control | T1071.003: Web Protocols | High |
CRM Data Manipulation | Impact | T1066: Indicator Removal on Host | High |
Suspicious Email Campaigns | Command and Control | T1071.004: Email Protocols | Medium |
Unusual Account Activity | Initial Access | T1078: Valid Accounts | High |
Privilege Escalation Attempts | Privilege Escalation | T1068: Execution with Unprivileged Privileges | High |
Sensitive Data Access | Exfiltration | T1074: Data Staged | High |
Phishing Attempts via CRM | Initial Access | T1566: Phishing | High |
APIs and Their Scopes
App: Zoho | API Required | Scope Required | Usage |
---|---|---|---|
Suspicious Login Activity | Zoho CRM Users API | users.READ | Retrieve user login activity logs to monitor suspicious login attempts from unusual locations. |
Data Export Anomalies | Zoho CRM Reports API | reports.READ | Access export logs to analyze data exports and detect any unauthorized or large-scale exports. |
Unapproved Integration Usage | Zoho CRM Integrations API | integrations.READ | List all installed integrations and their permissions to identify any unauthorized apps connected to Zoho CRM. |
Unauthorized API Access | Zoho CRM API Usage Monitoring | api.READ | Monitor API calls made to Zoho CRM to detect any abnormal patterns or unauthorized usage of APIs. |
CRM Data Manipulation | Zoho CRM Audit Log API | audit.READ | Review audit logs to track changes made to sensitive CRM records and detect any unauthorized modifications. |
Suspicious Email Campaigns | Zoho Campaigns API | campaigns.READ | Access email campaign logs to review suspicious or unauthorized email activities originating from Zoho CRM. |
Unusual Account Activity | Zoho CRM Users API | users.READ | Monitor user account activities, including logins and failed attempts, to identify unusual behavior patterns. |
Privilege Escalation Attempts | Zoho CRM Role Management API | roles.READ | Access role and permission changes to detect unauthorized privilege escalations. |
Sensitive Data Access | Zoho CRM Fields API | fields.READ | Monitor access logs for sensitive data fields to detect potential data breaches or unauthorized access attempts. |
Phishing Attempts via CRM | Zoho Mail API | mail.READ | Review email logs to identify any phishing attempts that may have been initiated through Zoho CRM emails. |
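The two login-centred rules above (Suspicious Login Activity and Unusual Account Activity) both consume user login activity logs. The following is an added example, not Zoho's code and not tied to the Zoho CRM Users API: it applies both rules to a constructed set of login records. It assumes each record is a dict with `user`, `ts` (ISO 8601), `result` (`success` or `failure`) and `country` keys, and the failure threshold, window and baseline period are illustrative values a defender would tune to their own tenant.

```python
"""Added example (not Zoho's code): apply the 'Suspicious Login Activity'
and 'Unusual Account Activity' rules to constructed login records.

Assumed record shape: {'user', 'ts' (ISO 8601), 'result', 'country'}.
The sample events and the thresholds are constructed/illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                 # failures within the window that raise a finding
FAILURE_WINDOW = timedelta(minutes=10)
BASELINE_DAYS = 7                     # how far back a user's known locations count

# Constructed sample log records (not real Zoho output).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "result": "success", "country": "DE"},
    {"user": "alice", "ts": "2024-05-02T08:05:00", "result": "success", "country": "DE"},
    {"user": "alice", "ts": "2024-05-03T08:02:00", "result": "success", "country": "DE"},
    {"user": "alice", "ts": "2024-05-04T03:30:00", "result": "success", "country": "BR"},
    {"user": "bob",   "ts": "2024-05-04T09:00:00", "result": "failure", "country": "US"},
    {"user": "bob",   "ts": "2024-05-04T09:01:00", "result": "failure", "country": "US"},
    {"user": "bob",   "ts": "2024-05-04T09:02:00", "result": "failure", "country": "US"},
    {"user": "bob",   "ts": "2024-05-04T09:03:00", "result": "failure", "country": "US"},
    {"user": "bob",   "ts": "2024-05-04T09:04:00", "result": "failure", "country": "US"},
    {"user": "bob",   "ts": "2024-05-04T09:05:00", "result": "success", "country": "US"},
    {"user": "carol", "ts": "2024-05-04T10:00:00", "result": "failure", "country": "FR"},
    {"user": "carol", "ts": "2024-05-04T18:00:00", "result": "failure", "country": "FR"},
]


def parse(events):
    """Return copies of the events sorted by time, with 'ts' as a datetime."""
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(out, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Suspicious Login Activity: sliding window over each user's failures.
    Emits one finding per user the first time the count in the window
    reaches the threshold (so a long brute-force run does not spam alerts)."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    flagged = set()
    findings = []
    for e in parse(events):
        if e["result"] != "failure" or e["user"] in flagged:
            continue
        recent = failures[e["user"]]
        recent.append(e["ts"])
        # discard failures that have aged out of the window
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            findings.append({"rule": "Suspicious Login Activity", "user": e["user"],
                             "count": len(recent), "last_seen": e["ts"].isoformat()})
            flagged.add(e["user"])
    return findings


def new_location_logins(events, baseline_days=BASELINE_DAYS):
    """Unusual Account Activity: flag a successful login from a country that
    does not appear among the user's successful logins in the baseline period.
    A user with no prior history is not flagged (nothing to compare against)."""
    seen = defaultdict(dict)       # user -> country -> last successful login
    findings = []
    for e in parse(events):
        if e["result"] != "success":
            continue
        known = {c for c, t in seen[e["user"]].items()
                 if e["ts"] - t <= timedelta(days=baseline_days)}
        if known and e["country"] not in known:
            findings.append({"rule": "Unusual Account Activity", "user": e["user"],
                             "country": e["country"], "known": sorted(known),
                             "ts": e["ts"].isoformat()})
        seen[e["user"]][e["country"]] = e["ts"]
    return findings


def run_rules(events):
    """Run both login rules and return the combined list of findings."""
    return failed_login_bursts(events) + new_location_logins(events)


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data this yields two findings: `bob` trips the failure burst (five failures inside ten minutes) and `alice` trips the new-location rule (a login from BR after a week of logins only from DE); `carol`'s two failures are eight hours apart and stay below the threshold. Replacing `SAMPLE_EVENTS` with records pulled from the login activity logs the table above refers to, mapped into the same four keys, is the only change needed to run it against real data.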
Reports and Widgets for CISO
Report Name | Widgets | Description |
---|---|---|
User Login Activity Report | Login Attempts Graph: Displays successful vs. failed logins over time. Geo-Location Map: Shows user login locations. | Provides insights into user login attempts, including successes and failures, to identify potential unauthorized access. |
Data Export Summary Report | Export Volume Chart: Shows the amount of data exported per user. Unauthorized Export Alerts: Lists exports flagged for review. | Details the volume and frequency of data exports, highlighting any anomalies or unauthorized exports. |
Integration Usage Report | Integration Activity Log: Lists active integrations with usage stats. Unauthorized Apps Alert: Notifies of unapproved integrations. | Monitors installed integrations, their usage frequency, and any unauthorized apps. |
API Access Report | API Call Frequency Chart: Displays the number of API calls by service. Anomalous API Access Alerts: Flags unusual API usage. | Analyzes API usage patterns to detect any unusual or unauthorized access attempts. |
Audit Trail Report | Change Log Table: Lists all modifications with timestamps and user details. Sensitive Data Change Alerts: Highlights changes to critical records. | Provides a comprehensive view of all changes made within the CRM, focusing on sensitive data modifications. |
Account Activity Report | User Activity Dashboard: Visualizes activities per user, including logins and modifications. Anomalous Activity Alerts: Flags unusual account behaviors. | Summarizes user activity within the CRM, highlighting any unusual patterns or potential insider threats. |
Sensitive Data Access Report | Data Access Log: Lists all accesses to sensitive data fields. Access Anomaly Alerts: Flags unusual access patterns to sensitive data. | Monitors access to sensitive data fields to identify potential breaches or unauthorized access. |
Phishing Attempt Report | Phishing Attempt Dashboard: Displays the number of reported phishing emails. Phishing Trend Analysis: Shows trends over time in phishing reports. | Aggregates reports of phishing attempts made through CRM emails, focusing on user reports and trends. |