BambooHR

Communication and Collaboration

BambooHR - CRM platform with marketing, sales, and customer service tools.

Detection Rules for BambooHR CRM
These detection rules target BambooHR's cloud-based HR software and are designed to monitor unauthorized access, data manipulation, and irregular activity in employee management. They help protect sensitive employee data, track suspicious behavior, and prevent insider and external threats to HR operations.

Provider: BambooHR

Each entry below lists the detection rule, its MITRE tactic and technique, its criticality, the investigation actions (APIs) an analyst would use, and the incident creation criteria.

Detection Rule: Unauthorized Access Attempts
MITRE Tactic: Credential Access
MITRE Technique: T1078 - Valid Accounts
Criticality: High
Investigation Actions (APIs): Query login logs via BambooHR API; use IP reputation APIs.
Incident Creation Criteria: Create if multiple failed attempts from different locations.

Detection Rule: Data Exfiltration via API
MITRE Tactic: Exfiltration
MITRE Technique: T1041 - Exfiltration Over Command and Control Channel
Criticality: Critical
Investigation Actions (APIs): Monitor API access logs; use data access APIs to review changes.
Incident Creation Criteria: Create if large volumes of data are downloaded within a short period.

Detection Rule: Anomalous User Activity
MITRE Tactic: Discovery
MITRE Technique: T1087 - Account Discovery
Criticality: Medium
Investigation Actions (APIs): Review user activity logs via BambooHR API; use behavioral analytics.
Incident Creation Criteria: Create if unusual patterns are detected (e.g., time of access).

Detection Rule: Changes to Sensitive Employee Data
MITRE Tactic: Impact
MITRE Technique: T1491 - Defensible Data Deletion
Criticality: High
Investigation Actions (APIs): Access logs for data changes via BambooHR API; review audit trails.
Incident Creation Criteria: Create if unauthorized changes are made to sensitive employee data.

Detection Rule: Suspicious Login Locations
MITRE Tactic: Credential Access
MITRE Technique: T1078 - Valid Accounts
Criticality: High
Investigation Actions (APIs): Check login location via BambooHR API; compare against user profile.
Incident Creation Criteria: Create if logins are detected from known bad IPs or locations.

Detection Rule: Large Volume of Data Downloads
MITRE Tactic: Exfiltration
MITRE Technique: T1041 - Exfiltration Over Command and Control Channel
Criticality: High
Investigation Actions (APIs): Monitor API access logs for download activities.
Incident Creation Criteria: Create if data downloads exceed normal usage patterns.

Detection Rule: Failed Login Attempts
MITRE Tactic: Credential Access
MITRE Technique: T1078 - Valid Accounts
Criticality: Medium
Investigation Actions (APIs): Query failed login attempts using BambooHR API; review IP addresses.
Incident Creation Criteria: Create if the failed login count exceeds a predefined threshold.

Detection Rule: API Abuse for Unauthorized Actions
MITRE Tactic: Impact
MITRE Technique: T1098 - Account Manipulation
Criticality: Critical
Investigation Actions (APIs): Review API call logs; monitor for abnormal access patterns.
Incident Creation Criteria: Create if unauthorized actions are taken against user accounts.

Detection Rule: Malicious File Uploads
MITRE Tactic: Execution
MITRE Technique: T1203 - Exploitation for Client Execution
Criticality: Critical
Investigation Actions (APIs): Check uploaded files via BambooHR API; scan files with threat detection APIs.
Incident Creation Criteria: Create if uploaded files are flagged as malicious.

Detection Rule: User Account Changes
MITRE Tactic: Discovery
MITRE Technique: T1087 - Account Discovery
Criticality: Medium
Investigation Actions (APIs): Review user account changes via BambooHR API; use audit logs.
Incident Creation Criteria: Create if changes are made outside normal operational hours.
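As an added illustration of how the incident creation criteria above translate into detection logic (example code written for this page, not BambooHR's or the vendor's own rules), the Python below applies three of the criteria to constructed log records: failed logins over a threshold and from more than one location, download volume over a limit within a short window, and account changes outside operational hours. The event schema (user, ts, ip, country, outcome, bytes, resource, field, target), the thresholds and windows, and the 08:00-18:00 operating hours are all assumptions; a real deployment would pull these events from the BambooHR API and audit logs and tune the thresholds to an observed baseline.

```python
"""Incident-creation checks modelled on the detection rule table.

Constructed example, not BambooHR's API output or the vendor's rules.
Field names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, fictional users).
LOGIN_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "ip": "203.0.113.5", "country": "US", "outcome": "failure"},
    {"user": "alice", "ts": "2024-05-01T09:01:00", "ip": "198.51.100.7", "country": "DE", "outcome": "failure"},
    {"user": "alice", "ts": "2024-05-01T09:02:00", "ip": "192.0.2.9", "country": "BR", "outcome": "failure"},
    {"user": "alice", "ts": "2024-05-01T09:03:00", "ip": "192.0.2.9", "country": "BR", "outcome": "success"},
    {"user": "bob", "ts": "2024-05-01T10:00:00", "ip": "203.0.113.8", "country": "US", "outcome": "failure"},
    {"user": "bob", "ts": "2024-05-01T10:00:30", "ip": "203.0.113.8", "country": "US", "outcome": "failure"},
    {"user": "bob", "ts": "2024-05-01T10:01:00", "ip": "203.0.113.8", "country": "US", "outcome": "success"},
]
DOWNLOAD_EVENTS = [
    {"user": "carol", "ts": "2024-05-01T22:10:00", "resource": "employee_directory.csv", "bytes": 40_000_000},
    {"user": "carol", "ts": "2024-05-01T22:12:00", "resource": "payroll_export.csv", "bytes": 80_000_000},
    {"user": "dave", "ts": "2024-05-01T11:00:00", "resource": "employee_directory.csv", "bytes": 40_000_000},
]
CHANGE_EVENTS = [
    {"user": "erin", "ts": "2024-05-01T03:30:00", "field": "bank_account", "target": "emp-1042"},
    {"user": "erin", "ts": "2024-05-01T14:00:00", "field": "job_title", "target": "emp-1042"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _trailing_windows(events, window):
    """Group events by user and, for each event in time order, yield the
    user's events that fall inside the trailing window ending at that event."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            start = _parse(e["ts"]) - window
            yield user, [x for x in evs[: i + 1] if _parse(x["ts"]) >= start]


def failed_login_incidents(events, threshold=3, window=timedelta(minutes=10)):
    """'Failed Login Attempts': flag a user whose failures in the window reach
    the threshold. 'Unauthorized Access Attempts': the same failures coming from
    more than one country. Keeps the largest failure count seen per user."""
    incidents = {}
    for user, recent in _trailing_windows(events, window):
        failures = [e for e in recent if e["outcome"] == "failure"]
        if len(failures) < threshold:
            continue
        if user in incidents and incidents[user]["failures"] >= len(failures):
            continue
        countries = sorted({e["country"] for e in failures})
        incidents[user] = {
            "rule": "Unauthorized Access Attempts" if len(countries) > 1 else "Failed Login Attempts",
            "failures": len(failures),
            "locations": countries,
        }
    return incidents


def download_volume_incidents(events, limit_bytes=100_000_000, window=timedelta(minutes=15)):
    """'Large Volume of Data Downloads': flag a user whose bytes downloaded in
    the window exceed the limit (the limit stands in for a per-user baseline)."""
    incidents = {}
    for user, recent in _trailing_windows(events, window):
        total = sum(e["bytes"] for e in recent)
        if total > limit_bytes:
            incidents[user] = {
                "rule": "Large Volume of Data Downloads",
                "bytes": total,
                "resources": sorted({e["resource"] for e in recent}),
            }
    return incidents


def off_hours_change_incidents(events, start_hour=8, end_hour=18):
    """'User Account Changes': flag changes made outside operational hours
    (assumed 08:00-18:00 in the timestamp's local time)."""
    return [
        {"rule": "User Account Changes", "user": e["user"], "target": e["target"],
         "field": e["field"], "ts": e["ts"]}
        for e in events
        if not (start_hour <= _parse(e["ts"]).hour < end_hour)
    ]


if __name__ == "__main__":
    for result in (failed_login_incidents(LOGIN_EVENTS),
                   download_volume_incidents(DOWNLOAD_EVENTS),
                   off_hours_change_incidents(CHANGE_EVENTS)):
        print(result)
```

Each function returns the incidents it would create rather than printing them, so the same logic can feed an alerting pipeline or be unit-tested against a replay of historical logs; the trailing-window helper is shared so that the "within a short period" wording of the exfiltration rule and the count-based wording of the login rules are evaluated the same way.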

APIs and Their Scopes

App: HubSpot

Detection Rule: Unauthorized Access Attempts
API Required: BambooHR API
Scope Required: employees:read, auditLogs:read
Usage: Access to employee data and audit logs for monitoring logins.

Detection Rule: Data Exfiltration via API
API Required: BambooHR API
Scope Required: employee.read, data.download
Usage: Access to employee data and API access logs.

Detection Rule: Anomalous User Activity
API Required: BambooHR API
Scope Required: employee.read, audit.read
Usage: Access to user activity logs and audit trails.

Detection Rule: Changes to Sensitive Employee Data
API Required: BambooHR API
Scope Required: employee.read, employee.update
Usage: Access to employee records and update logs.

Detection Rule: Suspicious Login Locations
API Required: BambooHR API
Scope Required: employee.read
Usage: Access to read login location data for employees.

Detection Rule: Large Volume of Data Downloads
API Required: BambooHR API
Scope Required: data.download
Usage: Access to monitor and log data download activities.

Detection Rule: Failed Login Attempts
API Required: BambooHR API
Scope Required: employee.read
Usage: Access to read failed login attempts and security logs.

Detection Rule: API Abuse for Unauthorized Actions
API Required: BambooHR API
Scope Required: employee.read, audit.read
Usage: Access to audit logs for monitoring API calls and user actions.

Detection Rule: Malicious File Uploads
API Required: BambooHR API
Scope Required: employee.read, file.upload
Usage: Access to read uploaded file data and perform scans.

Detection Rule: User Account Changes
API Required: BambooHR API
Scope Required: employee.read, employee.update
Usage: Access to changes made to employee accounts and profiles.

Reports and Widgets for CISO

Each report lists its name, the widgets it contains, and a description.

Report Name: Unauthorized Access Attempts
Widgets:
  - Line chart of failed login attempts over time
  - List of top 10 IPs with failed attempts
  - Pie chart of access attempts by user role
Description: Overview of failed login attempts and suspicious access.

Report Name: Data Exfiltration Alerts
Widgets:
  - Bar chart of data download volume per user
  - Heatmap of data download activities by time of day
  - List of flagged files downloaded
Description: Summary of data downloads and potential exfiltration activities.

Report Name: Anomalous User Activity
Widgets:
  - Scatter plot of user logins by time and location
  - User activity timeline
  - List of users exhibiting unusual access patterns
Description: Insights into unusual user behaviors and patterns.

Report Name: Sensitive Data Changes
Widgets:
  - Table of recent changes to sensitive data
  - Line chart of changes over time
  - Bar chart of changes by user role
Description: Log of modifications made to sensitive employee data.

Report Name: Login Location Analysis
Widgets:
  - Map visualizing login locations
  - List of recent logins from suspicious locations
  - Bar chart of logins by region
Description: Overview of login locations and patterns.

Report Name: Data Download Volume
Widgets:
  - Line chart showing total download volume over time
  - Top 10 files downloaded
  - User download activity breakdown
Description: Analysis of download activity within the system.

Report Name: Failed Login Reports
Widgets:
  - Bar chart of failed login attempts per user
  - Line chart of failed attempts over time
  - List of IPs with highest failed attempts
Description: Summary of failed login attempts to track potential breaches.

Report Name: API Usage Statistics
Widgets:
  - Bar chart of API calls by endpoint
  - Line chart of API usage over time
  - Table of unusual API access patterns
Description: Monitoring of API calls and potential abuse.

Report Name: Malicious File Uploads
Widgets:
  - List of flagged uploads with details
  - Bar chart of uploads by user
  - Timeline of malicious file uploads
Description: Tracking and reporting of uploaded files flagged as malicious.

Report Name: Account Changes Overview
Widgets:
  - Table of recent account changes
  - Bar chart of changes by user role
  - Pie chart of changes by department
Description: Summary of changes to user accounts within BambooHR.