FreshBooks

Accounting and Finance

FreshBooks - Accounting software designed for small businesses and freelancers.

Detection Rules for FreshBooks
These detection rules cover various aspects of FreshBooks, accounting software designed for small businesses and freelancers.

Provider: FreshBooks

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Unauthorized Login Attempts | Initial Access | T1078: Valid Accounts | High | Use GeoIP lookup to analyze login locations. Check failed login attempts. | Create an incident if login attempts come from known malicious IPs or if multiple failures are detected. |
| Invoice Tampering | Impact | T1485: Data Destruction | High | Retrieve and review recent invoice modifications. Compare invoice metadata. | Create an incident if invoice discrepancies or unauthorized changes are detected. |
| Suspicious Payroll Adjustments | Impact | T1480: Data Manipulation | Medium | Check the history of payroll modifications. Review user activity logs. | Create an incident if unauthorized payroll adjustments are made by non-admin users. |
| Unusual Expense Claims | Collection | T1074: Data Staged | Medium | Analyze expense submission patterns. Review claims exceeding normal thresholds. | Create an incident if expense anomalies indicate fraudulent activity. |
| Unapproved Data Export | Exfiltration | T1020: Automated Exfiltration | High | Use file export monitoring APIs. Check user roles and permissions. | Create an incident if sensitive data is exported without approval or by unauthorized users. |
| Account Modifications by Unapproved Users | Persistence | T1098: Account Manipulation | High | Track recent user account changes. Analyze permission changes. | Create an incident if non-admin users modify accounts or if there are privilege escalations. |
| Login from Suspicious IP Address | Initial Access | T1078: Valid Accounts | High | Perform IP reputation check (AbuseIPDB). Cross-check login timing. | Create an incident if the IP is flagged as malicious or login occurs outside regular hours. |
| Abnormal Transaction Volume | Collection | T1074: Data Staged | Medium | Review transaction logs. Compare current transaction volumes with historical data. | Create an incident if large, unusual volumes of transactions are detected in a short period. |
| Invoice Creation from Unusual Location | Initial Access | T1078: Valid Accounts | Medium | GeoIP lookup for invoice generation location. Verify invoice creation device. | Create an incident if invoices are generated from unusual geographic regions. |
| Unapproved Software Installation | Persistence | T1059: Command and Scripting Interpreter | High | Check installed applications. Verify recent installations and associated user. | Create an incident if unauthorized software or scripts are detected. |

APIs and Their Scopes

| Detection Name | API Required | Scope Required | Usage |
|---|---|---|---|
| Unauthorized Login Attempts | User Activity API | com.freshbooks.loginactivity.read | To monitor and retrieve login attempts and user status. |
| Invoice Tampering | Invoice API | com.freshbooks.invoices.readwrite | To fetch and review invoice modifications and metadata. |
| Suspicious Payroll Adjustments | Payroll API | com.freshbooks.payroll.readwrite | To access payroll records and check for unauthorized changes. |
| Unusual Expense Claims | Expense Claims API | com.freshbooks.expenseclaims.read | To retrieve and analyze expense claims for anomalies. |
| Unapproved Data Export | Data Export API | com.freshbooks.dataexport.read | To monitor and retrieve records of exported data. |
| Account Modifications by Unapproved Users | User Management API | com.freshbooks.usermanagement.readwrite | To track user account changes and permission escalations. |
| Login from Suspicious IP Address | User Activity API | com.freshbooks.loginactivity.read | To analyze login attempts, especially from new or suspicious IP addresses. |
| Abnormal Transaction Volume | Transaction API | com.freshbooks.transactions.readwrite | To track transaction volumes and compare with historical data. |
| Invoice Creation from Unusual Location | Invoice API | com.freshbooks.invoices.readwrite | To check the creation of invoices and correlate locations or devices. |
| Unapproved Software Installation | Software Inventory API | com.freshbooks.softwareinventory.readwrite | To review the installation of new software and verify authorized users. |

Reports and Widgets for CISO

| Report Name | Widgets | Description |
|---|---|---|
| Login Activity Report | GeoIP Login Map: Visual map showing user login locations. | Tracks login attempts from various geographic regions to identify suspicious login activities. |
| Login Activity Report | Failed vs Successful Logins: Bar chart comparing failed and successful login attempts. | Monitors the rate of login failures to identify potential unauthorized access attempts. |
| Login Activity Report | Suspicious IP Login Table: Table of logins from flagged IP addresses (based on reputation). | Provides a list of suspicious IP addresses involved in login attempts. |
| Invoice Tampering Report | Invoice Modification Timeline: Line chart showing invoice modification over time. | Tracks changes made to invoices, highlighting anomalies such as unauthorized or out-of-pattern edits. |
| Invoice Tampering Report | Modified Invoice Table: Table listing recent invoice changes with metadata (user, time). | Lists all recent modifications made to invoices for auditing purposes. |
| Expense Anomaly Detection Report | Unusual Expense Claim Chart: Pie chart of unusual vs usual expense claims. | Identifies abnormal expense claims based on predefined thresholds or patterns. |
| Expense Anomaly Detection Report | Expense Pattern Heatmap: Heatmap of expenses by category and user. | Provides a visual representation of spending patterns across various categories and users. |
| Payroll Adjustments Report | Suspicious Payroll Modifications: Bar chart showing unusual payroll changes per user. | Monitors payroll modifications to detect unauthorized adjustments. |
| Payroll Adjustments Report | Payroll Activity Timeline: Line chart of payroll activity over time. | Shows all payroll adjustments made over a specific period to identify unusual patterns. |
| Data Export Monitoring Report | Sensitive Data Export Graph: Bar chart of sensitive data exports by user. | Tracks data export activity to detect unauthorized or unapproved exports of financial data. |
| Data Export Monitoring Report | Export Activity by Location: Map showing where data exports were initiated from. | Monitors the geographical source of data exports for potential security breaches. |
| User Privilege Modification Report | User Role Change Log: Table listing recent user role changes. | Audits user account changes and identifies unauthorized privilege escalations. |
| User Privilege Modification Report | Admin vs Non-Admin Changes: Pie chart of privilege changes by admin vs non-admin users. | Visualizes the proportion of changes made by authorized (admin) vs unauthorized (non-admin) users. |
| Transaction Anomaly Report | Unusual Transaction Volume: Line chart tracking abnormal transaction spikes. | Highlights unusual spikes in transaction volumes that might indicate fraudulent activity. |
| Transaction Anomaly Report | Transaction Volume by User: Bar chart of transaction volume per user. | Shows transaction activities by user to detect anomalies in spending behavior. |
| Invoice Generation Location Report | GeoIP Invoice Map: Map showing the geographic location of invoice generation. | Identifies locations from which invoices were generated to detect potential fraudulent invoice creation. |
| Audit Trail Compliance Report | User Activity Log: Table of recent user activities (logins, modifications, etc.). | Provides a comprehensive audit trail of all user actions to ensure compliance with accounting standards. |
| Audit Trail Compliance Report | Compliance Health Indicator: Gauge widget showing overall compliance status. | Monitors key compliance indicators to ensure that FreshBooks data is secure and compliant. |