QuickBooks

Accounting and Finance

QuickBooks - Accounting software for invoicing, payroll, and expense tracking.

Detection Rules for QuickBooks
These detection rules cover the main QuickBooks activities that an attacker or a malicious insider would touch: invoicing, payroll, and expense tracking, plus the logins, data exports and account changes around them.

Provider: QuickBooks

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Unauthorized Access Attempts | Initial Access | T1078: Valid Accounts | High | Use API to retrieve failed login attempts and check user account status. Perform GeoIP lookup for login locations. | Create an incident if multiple failed login attempts from the same user occur, especially from suspicious locations. |
| Suspicious Invoice Generation | Execution | T1203: Exploitation for Client Execution | High | Query API for recent invoice data. Verify the source of the invoices and flag any unauthorized users. | Create an incident if an invoice is generated from an unauthorized account or exceeds a specified threshold amount. |
| Alteration of Payroll Information | Privilege Escalation | T1068: Exploitation of Elevation of Privilege | Critical | Retrieve payroll history through API. Monitor changes to employee compensation and roles. | Create an incident if unauthorized changes to payroll are detected or if changes are made outside of normal business hours. |
| Unusual Expense Claims | Exfiltration | T1071: Application Layer Protocol | Medium | Query expense claims using API for unusual patterns. Validate against historical claims for discrepancies. | Create an incident if an expense claim exceeds predefined limits or is associated with unusual vendor patterns. |
| Multiple Login Attempts from Different Locations | Initial Access | T1083: File and Directory Discovery | High | Use API to analyze login history for anomalies. Cross-check IP addresses against known user locations. | Create an incident if multiple logins from different locations occur within a short time frame for the same account. |
| Unapproved Data Exports | Exfiltration | T1041: Exfiltration Over Command and Control Channel | High | Monitor API calls for data exports. Validate user permissions for data export actions. | Create an incident if unauthorized users export sensitive financial data or if the export volume exceeds normal levels. |
| Suspicious User Account Changes | Privilege Escalation | T1136: Create Account | Medium | Retrieve user account change logs via API. Validate any role changes against organizational policies. | Create an incident if account roles are changed without appropriate approvals or if suspicious accounts are created. |
| Malicious Software Installation | Execution | T1203: Exploitation for Client Execution | Critical | Check installed applications through API. Identify any recent software installations not aligned with approved lists. | Create an incident if unapproved software installations are detected, especially if they coincide with other suspicious activity. |
| Increased Volume of Transactions | Exfiltration | T1074: Data Staged | Medium | Monitor transaction volumes through API. Analyze transaction patterns for unusual spikes. | Create an incident if transaction volume exceeds normal thresholds for specific users or accounts over a defined period. |
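The two login rules above (failed attempts from one user, and logins from different locations within a short window) can be expressed as plain functions over the login audit events the API returns. The example below is added here and is not part of the QuickBooks product or this rule set; the event shape, the `KNOWN_COUNTRIES` allowlist and the thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login audit events (not real QuickBooks data): user,
# ISO timestamp, country from a GeoIP lookup of the source IP, and outcome.
EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "country": "US", "ok": False},
    {"user": "alice", "ts": "2024-05-01T08:01:00", "country": "US", "ok": False},
    {"user": "alice", "ts": "2024-05-01T08:02:00", "country": "US", "ok": True},
    {"user": "bob",   "ts": "2024-05-01T09:00:00", "country": "RO", "ok": False},
    {"user": "bob",   "ts": "2024-05-01T09:00:30", "country": "RO", "ok": False},
    {"user": "bob",   "ts": "2024-05-01T09:01:00", "country": "RO", "ok": False},
    {"user": "carol", "ts": "2024-05-01T10:00:00", "country": "US", "ok": True},
    {"user": "carol", "ts": "2024-05-01T10:20:00", "country": "BR", "ok": True},
]
KNOWN_COUNTRIES = {"US", "CA"}  # assumed per-tenant list of expected user locations

def _by_user(events, ok):
    """Group events with the given outcome by user, oldest first."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"] == ok:
            groups[e["user"]].append((datetime.fromisoformat(e["ts"]), e["country"]))
    return groups

def failed_login_incidents(events, threshold=3, window=timedelta(minutes=10)):
    """Unauthorized Access Attempts: >= threshold failures by one user inside the
    window. The incident also records whether any failure came from an unknown location."""
    incidents = []
    for user, fails in _by_user(events, ok=False).items():
        for i, (t0, _) in enumerate(fails):
            run = [c for t, c in fails[i:] if t - t0 <= window]
            if len(run) >= threshold:
                incidents.append({"rule": "Unauthorized Access Attempts", "user": user,
                                  "failures": len(run),
                                  "suspicious_location": any(c not in KNOWN_COUNTRIES for c in run)})
                break
    return incidents

def multi_location_incidents(events, window=timedelta(hours=1)):
    """Multiple Login Attempts from Different Locations: the same account logs in
    successfully from two countries within the window."""
    incidents = []
    for user, logins in _by_user(events, ok=True).items():
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= window:
                incidents.append({"rule": "Multiple Login Attempts from Different Locations",
                                  "user": user, "countries": [c1, c2]})
                break
    return incidents
```

On the sample data only bob trips the failed-login rule (three failures in a minute, from outside the allowlist) and only carol trips the different-locations rule; alice's two failures stay below the threshold.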

APIs and Their Scopes

App: QuickBooks

| Detection Rule | API Required | Scope Required | Usage |
|---|---|---|---|
| Unauthorized Access Attempts | QuickBooks Online API - Login Audit Logs | com.intuit.quickbooks.accounting | To retrieve failed login attempts and account status. |
| Suspicious Invoice Generation | QuickBooks Online API - Invoices | com.intuit.quickbooks.accounting | To monitor recent invoices for any unauthorized generation. |
| Alteration of Payroll Information | QuickBooks Online API - Payroll | com.intuit.quickbooks.payroll | To track changes to employee compensation and payroll settings. |
| Unusual Expense Claims | QuickBooks Online API - Expenses | com.intuit.quickbooks.accounting | To analyze expense claims for unusual patterns or amounts. |
| Multiple Login Attempts from Different Locations | QuickBooks Online API - Login Audit Logs | com.intuit.quickbooks.accounting | To analyze login history for anomalies and unusual access patterns. |
| Unapproved Data Exports | QuickBooks Online API - Reports | com.intuit.quickbooks.accounting | To monitor and validate data export actions and permissions. |
| Suspicious User Account Changes | QuickBooks Online API - Users | com.intuit.quickbooks.accounting | To retrieve user account changes and monitor role modifications. |
| Malicious Software Installation | QuickBooks Online API - App Integrations | com.intuit.quickbooks.accounting | To check for unapproved software installations and integrations. |
| Increased Volume of Transactions | QuickBooks Online API - Transactions | com.intuit.quickbooks.accounting | To monitor transaction volumes and identify unusual spikes. |

Reports and Widgets for CISO

| Report Name | Widgets | Description |
|---|---|---|
| Unauthorized Access Report | Failed Login Attempts: Count of failed logins. Login Location Map: GeoIP map of login locations. User Activity Timeline: Time series of login attempts per user. | Provides an overview of failed login attempts and suspicious activities. |
| Invoice Generation Report | Recent Invoices List: Display of last 10 invoices. Anomalous Invoice Chart: Bar chart of invoices exceeding typical thresholds. User Activity Widget: List of users who generated invoices. | Summarizes newly generated invoices and highlights any anomalies. |
| Payroll Alterations Report | Change History Timeline: Timeline of payroll changes. Unauthorized Changes List: Table of modifications with details. User Role Change Widget: List of users whose roles were altered. | Tracks changes made to payroll information, highlighting unauthorized modifications. |
| Expense Claims Report | Expense Claims by Category: Pie chart of claims by type. Unusual Claims Alert: List of claims above average thresholds. Trend Analysis Widget: Line graph showing claim trends over time. | Provides insights into recent expense claims and identifies unusual patterns. |
| User Login Activity Report | Login Attempt Overview: Table of login attempts by user. GeoIP Analysis Widget: Map displaying login locations. Alerts Dashboard: Notifications for suspicious logins. | Details login attempts by users, focusing on multiple logins from different locations. |
| Data Export Monitoring Report | Export Activity Log: List of recent data exports. User Permissions Overview: Chart of user permissions for data export. Compliance Alert Widget: Notifications for unauthorized exports. | Tracks data export activities to ensure compliance and identify unauthorized actions. |
| Software Installation Report | Installed Applications List: Table of recent installations. Approval Status Widget: Chart of approved vs. unauthorized applications. Change Alert Dashboard: Notifications for unapproved installations. | Monitors installed applications to detect any unauthorized software. |
| Transaction Volume Report | Transaction Volume Trend: Line graph showing transaction trends. Anomalous Transaction Alert: List of transactions exceeding typical volumes. User Activity Overview: Summary of user transaction activities. | Provides insights into transaction volumes to detect anomalies. |
| Reconciliation Discrepancy Report | Discrepancy Overview: Summary of reconciled vs. unreconciled items. Trend Analysis Widget: Graph of discrepancies over time. Alert Dashboard: Notifications for significant discrepancies. | Highlights discrepancies in reconciliation processes to identify issues. |