Anomalous high-volume access to customer records in CRM software by a non-CRM admin user account, especially following initial authentication from a rare location or device. Behavior includes abnormal access to PII fields or data exports within a short time window.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:salesforce | DataExport, RestAPI, Login, ReportExport |
| Logon Session Creation (DC0067) | m365:signinlogs | UserLoggedIn |

| Field | Description |
|---|---|
| TimeWindow | Duration over which bulk CRM queries occur (e.g., 1 minute, 5 minutes); varies by organization usage pattern |
| UserContext | User's CRM role, department, or job function (e.g., non-sales user accessing customer PII) |
| AnomalousExportThreshold | Number of CRM objects (contacts, deals, logs) accessed or exported above normal |
| SourceLocation | Rare or impossible geolocation/IP address for legitimate CRM user access |
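
A sketch of how the tunable fields above combine into one correlation rule, run over sample events. This is an added example, not part of the original analytic: the normalized event schema, the `LOGIN_LOOKBACK` parameter, the threshold values, the role names and the severity labels are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the page's fields; the values are assumptions.
TIME_WINDOW = timedelta(minutes=5)
ANOMALOUS_EXPORT_THRESHOLD = 500            # records per TIME_WINDOW
LOGIN_LOOKBACK = timedelta(hours=1)         # hypothetical: how long a rare login stays relevant
CRM_ROLES = {"sales", "crm_admin"}          # UserContext: roles expected to read CRM data
ACCESS_CHANNELS = {"DataExport", "RestAPI", "ReportExport"}
LOGIN_CHANNELS = {"Login", "UserLoggedIn"}

def ev(ts, user, channel, country=None, records=0):
    return {"time": datetime.fromisoformat(ts), "user": user, "channel": channel,
            "country": country, "records": records}

# Constructed sample data in a normalized schema (not real Salesforce/M365 field names).
ROLES = {"alice": "sales", "bob": "finance", "carol": "finance"}
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}, "carol": {"US"}}
EVENTS = [
    ev("2024-05-01T09:00:00", "bob", "UserLoggedIn", country="BR"),
    ev("2024-05-01T09:02:00", "bob", "RestAPI", records=300),
    ev("2024-05-01T09:04:00", "bob", "ReportExport", records=400),
    ev("2024-05-01T10:01:00", "alice", "DataExport", records=2000),
    ev("2024-05-01T11:01:00", "carol", "RestAPI", records=300),
    ev("2024-05-01T11:10:00", "carol", "RestAPI", records=300),
    ev("2024-05-01T11:12:00", "carol", "RestAPI", records=300),
]

def detect(events, roles, known_countries):
    alerts, rare_login, window = [], {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        user, now = e["user"], e["time"]
        if e["channel"] in LOGIN_CHANNELS:
            if e["country"] not in known_countries.get(user, set()):
                rare_login[user] = now          # SourceLocation: never seen for this user
        elif e["channel"] in ACCESS_CHANNELS and roles.get(user) not in CRM_ROLES:
            # Sliding window: drop accesses older than TIME_WINDOW, then add this one.
            window[user] = [(t, n) for t, n in window[user] if now - t <= TIME_WINDOW]
            window[user].append((now, e["records"]))
            total = sum(n for _, n in window[user])
            if total > ANOMALOUS_EXPORT_THRESHOLD:
                rare = now - rare_login.get(user, datetime.min) <= LOGIN_LOOKBACK
                alerts.append({"user": user, "time": now, "records": total,
                               "severity": "high" if rare else "medium"})
                window[user].clear()            # avoid re-alerting on the same burst
    return alerts

if __name__ == "__main__":
    print(*detect(EVENTS, ROLES, KNOWN_COUNTRIES), sep="\n")
```

In the sample data, `bob` is flagged at high severity because the burst follows a login from an unseen country, `carol` at medium severity on volume alone, and `alice` is not flagged because her role is expected to read CRM data.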