QuickBooks
Accounting and Finance
QuickBooks - Accounting software for invoicing, payroll, and expense tracking.
Detection Rules for QuickBooks
These detection rules focus on various aspects of QuickBooks, such as invoicing, payroll, and expense tracking.
Provider: QuickBooks
Detection Rule | MITRE Tactic | MITRE Technique | Criticality |
---|---|---|---|
Unauthorized Access Attempts | Initial Access | T1078: Valid Accounts | High |
Suspicious Invoice Generation | Execution | T1203: Exploitation for Client Execution | High |
Alteration of Payroll Information | Privilege Escalation | T1068: Exploitation of Elevation of Privilege | Critical |
Unusual Expense Claims | Exfiltration | T1071: Application Layer Protocol | Medium |
Multiple Login Attempts from Different Locations | Initial Access | T1083: File and Directory Discovery | High |
Unapproved Data Exports | Exfiltration | T1041: Exfiltration Over Command and Control Channel | High |
Suspicious User Account Changes | Privilege Escalation | T1136: Create Account | Medium |
Malicious Software Installation | Execution | T1203: Exploitation for Client Execution | Critical |
Increased Volume of Transactions | Exfiltration | T1074: Data Staged | Medium |
APIs and Their Scopes
App: QuickBooks | API Required | Scope Required | Usage |
---|---|---|---|
Unauthorized Access Attempts | QuickBooks Online API - Login Audit Logs | com.intuit.quickbooks.accounting | To retrieve failed login attempts and account status. |
Suspicious Invoice Generation | QuickBooks Online API - Invoices | com.intuit.quickbooks.accounting | To monitor recent invoices for any unauthorized generation. |
Alteration of Payroll Information | QuickBooks Online API - Payroll | com.intuit.quickbooks.payroll | To track changes to employee compensation and payroll settings. |
Unusual Expense Claims | QuickBooks Online API - Expenses | com.intuit.quickbooks.accounting | To analyze expense claims for unusual patterns or amounts. |
Multiple Login Attempts from Different Locations | QuickBooks Online API - Login Audit Logs | com.intuit.quickbooks.accounting | To analyze login history for anomalies and unusual access patterns. |
Unapproved Data Exports | QuickBooks Online API - Reports | com.intuit.quickbooks.accounting | To monitor and validate data export actions and permissions. |
Suspicious User Account Changes | QuickBooks Online API - Users | com.intuit.quickbooks.accounting | To retrieve user account changes and monitor role modifications. |
Malicious Software Installation | QuickBooks Online API - App Integrations | com.intuit.quickbooks.accounting | To check for unapproved software installations and integrations. |
Increased Volume of Transactions | QuickBooks Online API - Transactions | com.intuit.quickbooks.accounting | To monitor transaction volumes and identify unusual spikes. |
Reports and Widgets for CISO
Report Name | Widgets | Description |
---|---|---|
Unauthorized Access Report | Failed Login Attempts: Count of failed logins. Login Location Map: GeoIP map of login locations. User Activity Timeline: Time series of login attempts per user. | Provides an overview of failed login attempts and suspicious activities. |
Invoice Generation Report | Recent Invoices List: Display of last 10 invoices. Anomalous Invoice Chart: Bar chart of invoices exceeding typical thresholds. User Activity Widget: List of users who generated invoices. | Summarizes newly generated invoices and highlights any anomalies. |
Payroll Alterations Report | Change History Timeline: Timeline of payroll changes. Unauthorized Changes List: Table of modifications with details. User Role Change Widget: List of users whose roles were altered. | Tracks changes made to payroll information, highlighting unauthorized modifications. |
Expense Claims Report | Expense Claims by Category: Pie chart of claims by type. Unusual Claims Alert: List of claims above average thresholds. Trend Analysis Widget: Line graph showing claim trends over time. | Provides insights into recent expense claims and identifies unusual patterns. |
User Login Activity Report | Login Attempt Overview: Table of login attempts by user. GeoIP Analysis Widget: Map displaying login locations. Alerts Dashboard: Notifications for suspicious logins. | Details login attempts by users, focusing on multiple logins from different locations. |
Data Export Monitoring Report | Export Activity Log: List of recent data exports. User Permissions Overview: Chart of user permissions for data export. Compliance Alert Widget: Notifications for unauthorized exports. | Tracks data export activities to ensure compliance and identify unauthorized actions. |
Software Installation Report | Installed Applications List: Table of recent installations. Approval Status Widget: Chart of approved vs. unauthorized applications. Change Alert Dashboard: Notifications for unapproved installations. | Monitors installed applications to detect any unauthorized software. |
Transaction Volume Report | Transaction Volume Trend: Line graph showing transaction trends. Anomalous Transaction Alert: List of transactions exceeding typical volumes. User Activity Overview: Summary of user transaction activities. | Provides insights into transaction volumes to detect anomalies. |
Reconciliation Discrepancy Report | Discrepancy Overview: Summary of reconciled vs. unreconciled items. Trend Analysis Widget: Graph of discrepancies over time. Alert Dashboard: Notifications for significant discrepancies. | Highlights discrepancies in reconciliation processes to identify issues. |