HubSpot CRM

Customer Relationship Management (CRM):

HubSpot - CRM platform with marketing, sales, and customer service tools.

Detection Rules for HubSpot CRM
These detection rules cover HubSpot's marketing, sales, and customer service tools.

Provider: HubSpot

App: HubSpot

Suspicious Login Activity (Abnormal Geolocation/IP)
  MITRE Tactic: Initial Access, Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Use GeoIP lookup APIs (e.g., MaxMind, IPstack) to determine unusual login locations.
    - Query IP reputation databases (AbuseIPDB, IPvoid).
  Incident Creation Criteria: Create an incident if the login is from a high-risk region, or if the IP is flagged as malicious.

Unauthorized Data Export
  MITRE Tactic: Exfiltration
  MITRE Technique: T1537: Transfer Data to Cloud Account
  Criticality: High
  Investigation Actions (APIs):
    - Check audit logs for data export events.
    - Query file-sharing or cloud storage APIs to validate transfer destinations.
  Incident Creation Criteria: Create an incident if the export exceeds normal thresholds or targets unusual cloud locations.

Suspicious API Access
  MITRE Tactic: Credential Access, Discovery
  MITRE Technique: T1078: Valid Accounts, T1087: Account Discovery
  Criticality: High
  Investigation Actions (APIs):
    - Check HubSpot API logs for access patterns.
    - Query API gateways to identify abnormal token use or access points.
  Incident Creation Criteria: Create an incident if access includes sensitive data, or if unauthorized API tokens are detected.

Creation of Suspicious Workflows/Automation Rules
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1546.003: Event Triggered Execution
  Criticality: Medium
  Investigation Actions (APIs):
    - Audit workflow creation logs via HubSpot APIs.
    - Cross-check with role-based access logs for authorization checks.
  Incident Creation Criteria: Create an incident if workflows trigger mass emails or unauthorized actions (e.g., mass deletions).

Suspicious Modification of CRM Records
  MITRE Tactic: Impact
  MITRE Technique: T1485: Data Destruction
  Criticality: Medium
  Investigation Actions (APIs):
    - Check CRM record modification logs.
    - Query audit logs for unauthorized access or role escalation.
  Incident Creation Criteria: Create an incident if critical records are modified by unauthorized users or if large-scale data changes are detected.

Email Campaign Phishing Attempts
  MITRE Tactic: Initial Access
  MITRE Technique: T1566.001: Spearphishing Attachment
  Criticality: High
  Investigation Actions (APIs):
    - Use email scanning APIs (e.g., VirusTotal, PhishTank) to check email content.
    - Query DNS for blacklisted domains.
  Incident Creation Criteria: Create an incident if suspicious attachments or URLs are flagged as malicious in email campaigns.

Excessive API Token Generation
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Query API logs to track token creation events.
    - Check audit logs for unusual role or permission escalations.
  Incident Creation Criteria: Create an incident if excessive tokens are generated, or if they are used to access sensitive data or services.

Suspicious Email Bounce Rate
  MITRE Tactic: Initial Access
  MITRE Technique: T1566.002: Spearphishing Link
  Criticality: Medium
  Investigation Actions (APIs):
    - Query bounce rate statistics via HubSpot API.
    - Analyze email campaign lists for invalid or suspicious recipients.
  Incident Creation Criteria: Create an incident if the bounce rate is unusually high, or if multiple phishing links are found in email campaigns.

Mass Export of CRM Data
  MITRE Tactic: Exfiltration
  MITRE Technique: T1020: Automated Exfiltration
  Criticality: High
  Investigation Actions (APIs):
    - Audit data export events via CRM API.
    - Cross-check user roles and permissions for unauthorized export rights.
  Incident Creation Criteria: Create an incident if mass data exports are performed by users without proper authorization or if the data is sensitive.

Account Takeover Attempts
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Monitor failed logins via HubSpot login API.
    - Use GeoIP or IP reputation APIs to detect malicious sources.
  Incident Creation Criteria: Create an incident if multiple failed logins followed by a successful login from a suspicious IP are detected.

Suspicious Access to Customer Information by Unusual Users
  MITRE Tactic: Collection
  MITRE Technique: T1056.001: Keylogging
  Criticality: Medium
  Investigation Actions (APIs):
    - Audit access logs for customer data.
    - Use role-based access APIs to verify if the user has legitimate access.
  Incident Creation Criteria: Create an incident if users outside of their roles or permissions access sensitive customer data.

Login from Known Malicious IP Addresses
  MITRE Tactic: Credential Access
  MITRE Technique: T1071: Application Layer Protocol
  Criticality: High
  Investigation Actions (APIs):
    - Query known malicious IP addresses from IP reputation services (AbuseIPDB, AlienVault OTX).
  Incident Creation Criteria: Create an incident if successful logins originate from flagged IPs or if multiple IPs are involved in login attempts.

Unauthorized Role/Permission Changes
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1069: Permission Groups Discovery
  Criticality: High
  Investigation Actions (APIs):
    - Check role change logs via HubSpot API.
    - Use account privilege analysis APIs to audit permission changes.
  Incident Creation Criteria: Create an incident if users gain higher privileges or permissions without proper authorization or role change events occur.

Suspicious Use of API Keys by Third-Party Integrations
  MITRE Tactic: Credential Access, Persistence
  MITRE Technique: T1098: Account Manipulation
  Criticality: High
  Investigation Actions (APIs):
    - Monitor third-party integration logs.
    - Query API logs for abnormal access patterns or sensitive data retrieval.
  Incident Creation Criteria: Create an incident if unauthorized API keys are used by third-party integrations to access sensitive CRM data.

Multiple Failed Login Attempts (Brute Force)
  MITRE Tactic: Credential Access
  MITRE Technique: T1110.001: Password Guessing
  Criticality: Medium
  Investigation Actions (APIs):
    - Monitor failed login attempts via login API.
    - Query GeoIP and IP reputation databases for attack patterns.
  Incident Creation Criteria: Create an incident if repeated failed login attempts from a single IP or multiple IPs are detected, signaling a brute-force attempt.

OAuth Abuse via Suspicious Third-Party Apps
  MITRE Tactic: Persistence
  MITRE Technique: T1098: Account Manipulation
  Criticality: High
  Investigation Actions (APIs):
    - Audit OAuth token usage by third-party apps.
    - Query API usage patterns for suspicious third-party access.
  Incident Creation Criteria: Create an incident if suspicious third-party OAuth tokens are used to maintain unauthorized access or manipulate CRM data.
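The login-related rules above (Suspicious Login Activity, Account Takeover Attempts, Login from Known Malicious IP Addresses, and Multiple Failed Login Attempts) share one data source and differ only in the condition they evaluate over it. The following is an added example of that detection logic run over sample log lines; it is not HubSpot's code and uses none of HubSpot's APIs. The key=value log layout, the flagged-IP set, the high-risk country code, the per-user country baselines and all function names are constructed stand-ins for what the Audit Logs API, a GeoIP lookup and an IP reputation feed would actually return.

```python
"""Detection logic for the HubSpot login-related rules (added example, not HubSpot code).

The log format, reputation data and baselines below are constructed stand-ins
for the Audit Logs API, GeoIP and IP reputation lookups named in the rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


# Constructed enrichment data (RFC 5737 documentation addresses, placeholder country code).
FLAGGED_IPS = {"203.0.113.7"}          # stands in for AbuseIPDB / AlienVault OTX results
HIGH_RISK_COUNTRIES = {"XX"}           # stands in for a GeoIP policy list
USER_BASELINE = {                      # countries each user normally logs in from
    "alice@example.com": {"US"},
    "bob@example.com": {"DE"},
}

# Constructed log lines in a simple key=value layout (not HubSpot's real format).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice@example.com ip=198.51.100.4 country=US result=success
2024-05-01T10:00:00Z user=bob@example.com ip=203.0.113.7 country=XX result=failure
2024-05-01T10:02:00Z user=bob@example.com ip=203.0.113.7 country=XX result=failure
2024-05-01T10:04:00Z user=bob@example.com ip=203.0.113.7 country=XX result=failure
2024-05-01T10:08:00Z user=bob@example.com ip=203.0.113.7 country=XX result=success
2024-05-01T11:00:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T11:01:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T11:02:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T11:03:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T11:04:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T11:05:00Z user=carol@example.com ip=192.0.2.50 country=US result=failure
2024-05-01T12:00:00Z user=alice@example.com ip=198.51.100.9 country=BR result=success
"""


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into LoginEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=kv["user"], ip=kv["ip"], country=kv["country"],
            success=kv["result"] == "success",
        ))
    return sorted(events, key=lambda e: e.ts)


def is_suspicious_source(e: LoginEvent) -> bool:
    """A source is suspicious if the IP is flagged or the GeoIP country is high-risk."""
    return e.ip in FLAGGED_IPS or e.country in HIGH_RISK_COUNTRIES


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 'Multiple Failed Login Attempts': >= threshold failures from one IP inside the window."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.ip].append(e.ts)
    incidents = []
    for ip, times in failures.items():
        start = 0                      # times are sorted; slide a window over them
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"rule": "Multiple Failed Login Attempts (Brute Force)",
                                  "criticality": "Medium", "ip": ip, "failures": end - start + 1})
                break
    return incidents


def detect_account_takeover(events, min_failures=3, window=timedelta(minutes=30)):
    """Rule 'Account Takeover Attempts': a success preceded by >= min_failures for the same
    user inside the window, where the success comes from a suspicious source."""
    recent_failures = defaultdict(list)
    incidents = []
    for e in events:
        if not e.success:
            recent_failures[e.user].append(e.ts)
            continue
        prior = [t for t in recent_failures[e.user] if e.ts - t <= window]
        if len(prior) >= min_failures and is_suspicious_source(e):
            incidents.append({"rule": "Account Takeover Attempts", "criticality": "High",
                              "user": e.user, "ip": e.ip, "failures_before_success": len(prior)})
        recent_failures[e.user].clear()  # a success resets the user's failure streak
    return incidents


def detect_suspicious_logins(events):
    """Rules 'Login from Known Malicious IP Addresses' and 'Suspicious Login Activity':
    a successful login from a flagged IP, a high-risk region, or a country outside the baseline."""
    incidents = []
    for e in events:
        if not e.success:
            continue
        reasons = []
        if e.ip in FLAGGED_IPS:
            reasons.append("ip flagged by reputation feed")
        if e.country in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk region")
        elif e.country not in USER_BASELINE.get(e.user, set()):
            reasons.append("country outside user baseline")
        if reasons:
            rule = ("Login from Known Malicious IP Addresses" if e.ip in FLAGGED_IPS
                    else "Suspicious Login Activity (Abnormal Geolocation/IP)")
            incidents.append({"rule": rule, "criticality": "High",
                              "user": e.user, "ip": e.ip, "reasons": reasons})
    return incidents


def run_all(text: str = SAMPLE_LOG) -> list[dict]:
    """Evaluate all login rules over one log and return the incidents to create."""
    events = parse_log(text)
    return (detect_brute_force(events) + detect_account_takeover(events)
            + detect_suspicious_logins(events))


if __name__ == "__main__":
    for incident in run_all():
        print(incident)
```

On the constructed log, the six carol failures from one IP trip the brute-force rule, bob's three failures followed by a success from a flagged IP in a high-risk region trip the account-takeover and malicious-IP rules, and alice's login from a country outside her baseline trips the abnormal-geolocation rule; alice's first login from her usual country creates nothing. The thresholds and windows are parameters because the "normal" values differ per tenant and should be tuned against the tenant's own login history before incidents are auto-created.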

APIs and Their Scopes

App: HubSpot

Suspicious Login Activity (Abnormal Geolocation/IP)
  API Required: HubSpot Audit Logs API
  Scope Required: crm.audit.read
  Usage: Retrieve login attempts and user activity logs for analysis of geolocation and IP addresses.

Unauthorized Data Export
  API Required: HubSpot CRM API
  Scope Required: crm.objects.contacts.read
  Usage: Check for export events and verify whether data exports are authorized.

Suspicious API Access
  API Required: HubSpot API Logs API
  Scope Required: api.logs.read
  Usage: Access API usage logs to detect unusual patterns of access to sensitive data.

Creation of Suspicious Workflows/Automation Rules
  API Required: HubSpot Workflows API
  Scope Required: automation.workflows.read
  Usage: Audit workflow creation logs and analyze user permissions related to workflow modifications.

Suspicious Modification of CRM Records
  API Required: HubSpot CRM API
  Scope Required: crm.objects.contacts.read
  Usage: Retrieve modification logs to analyze unauthorized changes to CRM records.

Email Campaign Phishing Attempts
  API Required: HubSpot Email API
  Scope Required: email.read
  Usage: Analyze email campaign statistics and content for phishing attempts.

Mass Email Deletion
  API Required: Microsoft Graph API

Account Takeover Attempts
  API Required: HubSpot Login API
  Scope Required: users.read
  Usage: Monitor failed login attempts and analyze successful logins for suspicious behavior.

Mass Export of CRM Data
  API Required: HubSpot CRM API
  Scope Required: crm.objects.contacts.read
  Usage: Monitor data export activities and assess user permissions related to data access.

Unauthorized Role/Permission Changes
  API Required: HubSpot User Management API
  Scope Required: users.read
  Usage: Retrieve logs of role changes and permissions for user accounts.

Multiple Failed Login Attempts (Brute Force)
  API Required: HubSpot CRM API
  Scope Required: users.read
  Usage: Track failed login attempts to detect patterns indicating brute force attacks.

OAuth Abuse via Suspicious Third-Party Apps
  API Required: HubSpot OAuth API
  Scope Required: oauth.tokens.read
  Usage: Monitor OAuth token usage and check for unauthorized third-party access.

Reports and Widgets for CISO

Report Name / Widgets / Description

User Access and Authentication Logs
  Widgets: Successful Logins; Failed Login Attempts; Geolocation of Logins
  Description: Overview of user login attempts, including successes and failures, to identify suspicious activities.

Data Export Activity Report
  Widgets: Total Data Exports; Exports by User; Export Attempts by Date
  Description: Summary of all data exports, including user details and time stamps, to monitor unauthorized access.

Workflow Change Audit
  Widgets: Recent Workflow Changes; Users Making Changes; Workflows Affected
  Description: Log of all modifications to automation workflows to detect unauthorized changes.

API Usage and Access Report
  Widgets: API Call Volume; Top API Consumers; Unusual API Access Attempts
  Description: Analysis of API calls to identify unusual access patterns or excessive use of certain endpoints.

Email Campaign Security Report
  Widgets: Email Opens; Bounced Emails; Phishing Alerts
  Description: Review of email campaigns sent, including open rates and bounces, to spot potential phishing attempts.

User Permission Changes
  Widgets: Recent Permission Changes; Users Affected; Changes by Date
  Description: Log of role and permission changes for users to ensure compliance with access controls.

Account Takeover Attempts
  Widgets: Failed Login Attempts; Geolocation Analysis; Users Affected
  Description: Summary of potential account takeover attempts based on failed logins and location changes.

Role & Permission Changes
  Widgets: Changes in User Roles; Permissions Granted to External Users; Elevated Permissions Changes
  Description: Monitors any role or permission changes, especially focusing on elevated permissions granted.

CRM Anomalies Report
  Widgets: Unusual Customer Data Changes; CRM Record Deletion Spike; Duplicate Records Creation
  Description: Identifies unusual CRM activity, including sudden data deletions or duplicate record creation anomalies.