AI Engine Rule Name

Rule Description

Rule ID

Minimum Data RequirementRecommended Data Requirement

RCC: POS New Process

This rule will watch a "Gold Standard" POS system for process activity and build a whitelist profile of processes running on the "Gold Standard," comparing all other POS endpoints with the "Gold Standard" process list.

518

POS Host Logs

System Monitor on POS

RCC: POS Abnormal Auth Activity

This rule will build a whitelist profile of the authentication activity to and from POS endpoints. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule will fire.

519

POS Host Logs

System Monitor on POS

RCC: POS Abnormal Network Comms

This rule will build a whitelist profile of all end-to-end network communications where one side is a POS system. If a connection is seen to/from a new IP, the rule will fire.

520

Firewall Logs from POS Network

LogRhythm Network Monitor on POS Network

RCC: POS Abnormal CE

This rule will build a whitelist of Common Events being generated on each POS endpoint. If a new Common Event is noticed, the rule will fire.

521

POS Host Logs

System Monitor on POS

RCC: POS Abnormal File Access

This rule will build a profile of file access on a POS file system. If new access activity is identified, the rule will fire.

522

File System Logs

LogRhythm File Integrity Monitoring

RCC: POS DLD Event

This rule will look for any LogRhythm Data Loss Defender events on a POS endpoint and fire if any are observed.

523

LogRhythm Data Loss Defender

 

RCC: POS File System Modified

This rule will look for any file system changes on a POS endpoint and fire if changes are identified.

524

File System Logs

LogRhythm File Integrity Monitoring

RCC: Back Office New Process

This rule will watch a "Gold Standard" back-office payment system for process activity and build a whitelist profile of processes running on the "Gold Standard," comparing all other "like" systems with the "Gold Standard" process list.

525

Payment System Host Logs

System Monitor on Payment System Host

RCC: Back Office Abnormal Auth Activity

This rule will build a whitelist profile of the authentication activity to and from back-office payment systems. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule will fire.

526

Payment System Host Logs

System Monitor on Payment System Host

RCC: Back Office Abnormal Network Comms

This rule will build a whitelist profile of all end-to-end network communications where one side is a back-office payment system. If a connection is seen to/from a new IP, the rule will fire.

527

Firewall Logs from Payment System Network

LogRhythm Network Monitor on Payment System Network

RCC: Back Office Abnormal CE

This rule will build a whitelist of Common Events being generated on each back office payment system. If a new Common Event is noticed, the rule will fire.

528

Payment System Host Logs

System Monitor on Payment System Host

RCC: Back Office Abnormal File Access

This rule will build a profile of file access on a back office payment system. If new access activity is identified, the rule will fire.

529

File System Logs

LogRhythm File Integrity Monitoring

RCC: Back Office DLD Event

This rule will look for any LogRhythm Data Loss Defender events on a back office payment system and fire if any are observed.

530

LogRhythm Data Loss Defender

 

RCC: Back Office File System Modified

This rule will look for any file system changes on a back office payment system and fire if changes are identified.

531

File System Logs

LogRhythm File Integrity Monitoring