ADP (Automatic Data Processing)
Communication and Collaboration
ADP - Payroll and HR management service for businesses.
Detection Rules for ADP
These detection rules focus on critical aspects of ADP: securing payroll and HR data, preventing unauthorized access, and monitoring suspicious activity across employee management processes. With an emphasis on data integrity and compliance, they aim to safeguard sensitive employee information and detect potential threats in real time.
Provider: ADP
Detection Rule | MITRE Tactic | MITRE Technique | Criticality
---|---|---|---
Unauthorized Payroll Changes | Privilege Escalation | T1068 - Exploitation for Privilege Escalation | Critical
Suspicious User Access | Credential Access | T1078 - Valid Accounts | High
Abnormal Login Patterns | Credential Access | T1078 - Valid Accounts | High
Changes to Direct Deposit Info | Credential Access | T1569 - System Services | High
Large Volume of Payroll Transactions | Exfiltration | T1074 - Data Staged | Medium
Multiple Failed Login Attempts | Credential Access | T1110 - Brute Force | High
Anomalous Role Assignment | Privilege Escalation | T1069 - Permission Groups | High
Access to Sensitive Employee Data | Credential Access | T1065 - Unmanaged Credentials | Critical
Unusual Time Entry Patterns | Discovery | T1087 - Account Discovery | Medium
Suspicious API Activity | Initial Access | T1071.001 - Application Layer Protocol: Web Protocols | Medium
APIs and Their Scopes
Detection Rule | API Required | Scope Required | Usage
---|---|---|---
Unauthorized Payroll Changes | ADP Payroll API | payroll.read, payroll.write | Access to read and modify payroll information. |
Suspicious User Access | ADP User Management API | user.read, user.write | Access to read user access logs and make modifications. |
Abnormal Login Patterns | ADP Login Audit API | audit.read | Access to read audit logs for user login attempts. |
Changes to Direct Deposit Info | ADP Direct Deposit API | directDeposit.read, directDeposit.write | Access to read and modify direct deposit information. |
Large Volume of Payroll Transactions | ADP Payroll Transaction API | transaction.read | Access to monitor and analyze payroll transactions. |
Multiple Failed Login Attempts | ADP Login API | login.read | Access to read logs for tracking failed login attempts. |
Anomalous Role Assignment | ADP Role Management API | role.read, role.write | Access to read and modify user roles and permissions. |
Access to Sensitive Employee Data | ADP Employee Data API | employee.read | Access to read sensitive employee data. |
Unusual Time Entry Patterns | ADP Time Entry API | timeEntry.read | Access to read time entry records for analysis. |
Suspicious API Activity | ADP API Usage Monitoring API | apiUsage.read | Access to monitor API usage logs for suspicious activity. |
Reports and Widgets for CISO
Report Name | Widgets | Description
---|---|---
Unauthorized Changes Report | Bar Chart: Count of unauthorized changes by user. Table: List of changes with details (user, timestamp, change type). | Summarizes any unauthorized changes made to payroll data.
User Access Review Report | Pie Chart: Distribution of user roles accessing sensitive data. Table: User activity log with timestamps and actions performed. | Highlights users with access to sensitive data and their activity.
Failed Login Attempts Report | Line Graph: Trend of failed login attempts over time. Table: List of users with multiple failed attempts, including IP addresses and timestamps. | Monitors and summarizes failed login attempts across the organization.
Payroll Transaction Volume Report | Line Chart: Daily payroll transaction volumes. Table: Summary of transactions by department or user. | Analyzes transaction volumes for payroll processing.
Direct Deposit Changes Report | Bar Chart: Number of changes made to direct deposit information. Table: Details of changes, including user, old value, and new value. | Provides insight into any changes made to direct deposit information.
Role Assignment Changes Report | Line Chart: Changes in user roles over time. Table: List of role assignments with details (user, old role, new role). | Tracks changes in user roles and permissions.
Sensitive Data Access Report | Heat Map: User access frequency to sensitive data. Table: List of users accessing sensitive data, with timestamps. | Details access to sensitive employee information.
Time Entry Anomalies Report | Bar Chart: Count of anomalies detected by type (e.g., outlier hours). Table: List of time entries flagged as anomalies with user details. | Identifies unusual patterns in employee time entries.
API Usage Monitoring Report | Line Graph: API calls over time. Table: List of API endpoints with usage statistics. | Summarizes API usage patterns and identifies potential misuse.
Overall Security Health Report | Dashboard: High-level overview of security incidents (critical, high, medium). Pie Chart: Incident types (e.g., unauthorized access, anomalies). | Provides a summary of security incidents and alerts related to ADP.