Xero

Communication and Collaboration

Xero - Cloud-based accounting software for small businesses.

Detection Rules for Xero
These detection rules cover the security-relevant activity in Xero, a cloud-based accounting platform for small businesses: logins, invoices, payroll, expense claims, data exports, user account changes, software installations, transaction volumes, and reconciliations.

Provider: Xero

Detection Rule: Unauthorized Access Attempts
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs):
  - Use login activity APIs to review failed login attempts.
  - Fetch user account status via user management APIs.
Incident Creation Criteria: Create an incident if there are multiple failed logins from the same account within a short time frame.

Detection Rule: Suspicious Invoice Generation
MITRE Tactic: Execution
MITRE Technique: T1059: Command and Scripting Interpreter
Criticality: High
Investigation Actions (APIs):
  - Query invoice creation APIs for recently created invoices.
  - Analyze user roles via user management APIs.
Incident Creation Criteria: Create an incident if invoices are generated without proper approval or if they exceed typical amounts for the user.

Detection Rule: Alteration of Payroll Information
MITRE Tactic: Privilege Escalation
MITRE Technique: T1068: Execution with Unprivileged Software
Criticality: High
Investigation Actions (APIs):
  - Use payroll APIs to check for recent changes.
  - Fetch user permissions to determine access levels.
Incident Creation Criteria: Create an incident if payroll information is altered outside normal hours or by users without the appropriate permissions.

Detection Rule: Unusual Expense Claims
MITRE Tactic: Exfiltration
MITRE Technique: T1001: Data Obfuscation
Criticality: Medium
Investigation Actions (APIs):
  - Query expense claim APIs for recent submissions.
  - Analyze claim patterns with user activity APIs.
Incident Creation Criteria: Create an incident if expense claims significantly deviate from historical patterns or exceed thresholds.

Detection Rule: Multiple Login Attempts from Different Locations
MITRE Tactic: Initial Access
MITRE Technique: T1078: Valid Accounts
Criticality: High
Investigation Actions (APIs):
  - Use geolocation APIs to analyze login locations.
  - Query user login activity APIs for patterns.
Incident Creation Criteria: Create an incident if logins are detected from multiple unusual locations within a short time span.

Detection Rule: Unapproved Data Exports
MITRE Tactic: Command and Control
MITRE Technique: T1071: Application Layer Protocol
Criticality: Medium
Investigation Actions (APIs):
  - Monitor data export APIs for recent activities.
  - Use audit trail APIs to check for unauthorized exports.
Incident Creation Criteria: Create an incident if data exports occur from users without the necessary permissions or if data is exported unusually frequently.

Detection Rule: Suspicious User Account Changes
MITRE Tactic: Persistence
MITRE Technique: T1136: Create Account
Criticality: Medium
Investigation Actions (APIs):
  - Query user management APIs to track account modifications.
  - Review role assignment APIs for unauthorized changes.
Incident Creation Criteria: Create an incident if changes to user accounts are made without proper authorization or if multiple accounts are altered at once.

Detection Rule: Malicious Software Installation
MITRE Tactic: Execution
MITRE Technique: T1195: Supply Chain Compromise
Criticality: High
Investigation Actions (APIs):
  - Use software inventory APIs to check for new installations.
  - Query installation logs via admin APIs.
Incident Creation Criteria: Create an incident if unauthorized software installations are detected or if installations occur outside business hours.

Detection Rule: Increased Volume of Transactions
MITRE Tactic: Execution
MITRE Technique: T1203: Exploitation for Client Execution
Criticality: High
Investigation Actions (APIs):
  - Use transaction monitoring APIs to analyze volume spikes.
  - Query user activity logs to correlate transactions.
Incident Creation Criteria: Create an incident if transaction volumes exceed historical averages for a user or department without explanation.

Detection Rule: Anomalies in Reconciliation Processes
MITRE Tactic: Impact
MITRE Technique: T1481: Data Manipulation
Criticality: High
Investigation Actions (APIs):
  - Query reconciliation APIs for discrepancies.
  - Use audit logs to track changes in reconciliation processes.
Incident Creation Criteria: Create an incident if significant discrepancies are found in reconciliations or if multiple reconciliations fail unexpectedly.
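As an added example (not part of this page, and not Xero's own code or API), the two login rules above, "Unauthorized Access Attempts" and "Multiple Login Attempts from Different Locations", are implemented below as Python detection logic run over constructed, already-normalised login events. The thresholds, the event field names, the sample accounts and the per-user baseline of countries are all assumptions; a real deployment would feed these functions from Xero's login-activity data, and the scope names listed on this page should be checked against Xero's current OAuth scope documentation before they are relied on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: the page gives none, so tune these to your tenant's baseline.
FAILED_LOGIN_THRESHOLD = 5                    # failures by one account ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
LOCATION_THRESHOLD = 2                        # distinct non-baseline countries ...
LOCATION_WINDOW = timedelta(minutes=60)       # ... inside this sliding window

# Constructed sample events (not real Xero data), normalised from a
# login-activity feed into user / UTC timestamp / outcome / country code.
SAMPLE_EVENTS = [
    {"user": "finance@example.com", "ts": "2024-05-01T08:00:00", "success": False, "country": "NZ"},
    {"user": "finance@example.com", "ts": "2024-05-01T08:02:00", "success": False, "country": "NZ"},
    {"user": "finance@example.com", "ts": "2024-05-01T08:04:00", "success": False, "country": "NZ"},
    {"user": "finance@example.com", "ts": "2024-05-01T08:06:00", "success": False, "country": "NZ"},
    {"user": "finance@example.com", "ts": "2024-05-01T08:08:00", "success": False, "country": "NZ"},
    {"user": "finance@example.com", "ts": "2024-05-01T08:09:00", "success": True,  "country": "NZ"},
    {"user": "ops@example.com",     "ts": "2024-05-01T09:00:00", "success": True,  "country": "NZ"},
    {"user": "ops@example.com",     "ts": "2024-05-01T09:20:00", "success": True,  "country": "RO"},
    {"user": "ops@example.com",     "ts": "2024-05-01T09:45:00", "success": True,  "country": "BR"},
    {"user": "sales@example.com",   "ts": "2024-05-01T10:00:00", "success": False, "country": "AU"},
    {"user": "sales@example.com",   "ts": "2024-05-01T10:30:00", "success": False, "country": "AU"},
    {"user": "sales@example.com",   "ts": "2024-05-01T10:31:00", "success": True,  "country": "AU"},
]

# Assumed per-user baseline: countries each account normally logs in from.
BASELINE_COUNTRIES = {
    "finance@example.com": {"NZ"},
    "ops@example.com": {"NZ"},
    "sales@example.com": {"AU"},
}


def _parse(events):
    """Return a copy of the events sorted by time, with `ts` as a datetime."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def failed_login_incidents(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Rule 'Unauthorized Access Attempts': one incident per account whose failed
    logins reach `threshold` inside any `window`-long sliding window."""
    failures = defaultdict(list)
    for e in _parse(events):
        if not e["success"]:
            failures[e["user"]].append(e["ts"])
    incidents = []
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"rule": "Unauthorized Access Attempts", "user": user,
                                  "failures": end - start + 1,
                                  "first": times[start], "last": t})
                break  # one incident per account, so a burst does not become an alert storm
    return incidents


def unusual_location_incidents(events, baseline, threshold=LOCATION_THRESHOLD, window=LOCATION_WINDOW):
    """Rule 'Multiple Login Attempts from Different Locations': incident when one
    account logs in successfully from `threshold` or more distinct countries that
    are not in its baseline, all inside `window`."""
    logins = defaultdict(list)
    for e in _parse(events):
        if e["success"] and e["country"] not in baseline.get(e["user"], set()):
            logins[e["user"]].append((e["ts"], e["country"]))
    incidents = []
    for user, hits in logins.items():
        start = 0
        for end, (t, _) in enumerate(hits):
            while t - hits[start][0] > window:
                start += 1
            countries = {c for _, c in hits[start:end + 1]}
            if len(countries) >= threshold:
                incidents.append({"rule": "Multiple Login Attempts from Different Locations",
                                  "user": user, "countries": sorted(countries),
                                  "first": hits[start][0], "last": t})
                break
    return incidents


def run_rules(events=SAMPLE_EVENTS, baseline=BASELINE_COUNTRIES):
    """Evaluate both rules and return the list of incidents to raise."""
    return failed_login_incidents(events) + unusual_location_incidents(events, baseline)


if __name__ == "__main__":
    for incident in run_rules():
        print(incident)
```

On the constructed sample the finance account trips the failed-login rule (five failures in eight minutes) and the ops account trips the location rule (successful logins from RO and BR, neither in its baseline, 25 minutes apart), while the sales account's two failures thirty minutes apart stay below threshold. Both functions stop at the first hit per account so that a single burst raises one incident rather than one per event.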

APIs and Their Scopes

App: Xero

Detection Rule: Unauthorized Access Attempts
  API Required: Login Activity API
  Scope Required: com.xero.loginactivity.read
  Usage: To monitor and retrieve user login attempts and status.

Detection Rule: Suspicious Invoice Generation
  API Required: Invoice API
  Scope Required: com.xero.invoice.read
  Usage: To fetch recently created or modified invoices for review.

Detection Rule: Alteration of Payroll Information
  API Required: Payroll API
  Scope Required: com.xero.payroll.readwrite
  Usage: To check for changes in payroll information and validate permissions.

Detection Rule: Unusual Expense Claims
  API Required: Expense Claims API
  Scope Required: com.xero.expenseclaims.readwrite
  Usage: To retrieve and analyze expense claims for anomalies.

Detection Rule: Multiple Login Attempts from Different Locations
  API Required: Login Activity API
  Scope Required: com.xero.loginactivity.read
  Usage: To analyze login locations and detect unusual patterns.

Detection Rule: Unapproved Data Exports
  API Required: Data Export API
  Scope Required: com.xero.dataexport.read
  Usage: To monitor and retrieve records of data exports.

Detection Rule: Suspicious User Account Changes
  API Required: User Management API
  Scope Required: com.xero.usermanagement.readwrite
  Usage: To track modifications to user accounts and permissions.

Detection Rule: Malicious Software Installation
  API Required: Software Inventory API
  Scope Required: com.xero.softwareinventory.read
  Usage: To check installed applications and verify their legitimacy.

Detection Rule: Increased Volume of Transactions
  API Required: Transaction Monitoring API
  Scope Required: com.xero.transactionmonitoring.read
  Usage: To analyze transaction volumes for unusual activity.

Detection Rule: Anomalies in Reconciliation Processes
  API Required: Reconciliation API
  Scope Required: com.xero.reconciliation.readwrite
  Usage: To monitor and validate reconciliation processes for discrepancies.

Reports and Widgets for CISO

Report Name: User Access and Activity Report
  Widgets: Total Logins; Unique Users; Failed Login Attempts; Last Access Timestamp
  Description: Overview of user logins, access levels, and activity patterns.

Report Name: Invoice Generation and Approval Report
  Widgets: Total Invoices Created; Invoices Pending Approval; High-Value Invoices; Recent Modifications
  Description: Track invoice creation, modifications, and approvals.

Report Name: Expense Claims Overview
  Widgets: Total Claims Submitted; Claims by Category; Pending Approvals; Anomalies Detected
  Description: Summary of all expense claims submitted and their statuses.

Report Name: Payroll Changes Report
  Widgets: Total Changes; Users Who Made Changes; Changes by Time Period; Alerts for Unusual Modifications
  Description: Overview of changes made to payroll information.

Report Name: Data Export Activity Report
  Widgets: Total Exports; Exports by User; Recent Export Actions; Unapproved Exports
  Description: Monitor data export activities and compliance.

Report Name: User Account Modifications Report
  Widgets: Total Modifications; Users with Changed Permissions; Recent Additions/Deletions; Alerts for Unauthorized Changes
  Description: Details of changes made to user accounts and permissions.

Report Name: Transaction Volume Report
  Widgets: Total Transactions; Transactions by Category; Anomalies Detected; Comparison with Historical Data
  Description: Analyze transaction volumes and identify anomalies.

Report Name: Software Installation and Compliance Report
  Widgets: Total Software Installed; Recent Installations; Compliance Status of Applications; Alerts for Unauthorized Software
  Description: Overview of installed applications and compliance status.

Report Name: Reconciliation Status Report
  Widgets: Total Reconciliations; Reconciliations by Status; Discrepancies Detected; Alerts for Unusual Patterns
  Description: Monitor the status of reconciliation processes and discrepancies.

Report Name: Risk Assessment and Incident Summary Report
  Widgets: Total Incidents Logged; Risks Identified; Incident Severity Levels; Recent Alerts
  Description: Summary of identified risks and incidents related to Xero usage.