Abnormal Common Event

This pair of AI Engine rules works by building a whitelist of the Common Events observed where the origin or impacted host is part of the payment system or POS environment. Any new activity, such as an interactive logon on a host that has previously only seen service logons, will raise an alarm.

Requirements

The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.

KB Content

Object Type    Name                            ID
AIE Rule       RCC: POS Abnormal CE            528
AIE Rule       RCC: Back Office Abnormal CE    521

What to Do When This Rule Fires

An alarm generated by one of these rules indicates that unusual activity has been observed on the indicated host. Based on the Common Event that triggered the alert, an analyst should be able to determine whether the activity is high risk or not – a new Operational Common Event may not be suspicious, but a User Logon Failure : Bad Password may indicate an attempt at unauthorized access.

Abnormal Network Communications

These AI Engine rules profile the pattern of network communications that happen in the POS endpoint and payment system environments. They build a whitelist of the unique pairs of hosts that are allowed to communicate and then alarm any time network traffic is seen passing between a pair of hosts that is not on that whitelist.
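The learn-then-alarm logic that both whitelist rule pairs describe (Abnormal Common Event above and Abnormal Network Communications here), as an added example that is not LogRhythm's AI Engine code; the host lists, Common Event names and log records are constructed stand-ins for the POS Endpoints and Back Office Payment Systems lists and for collected logs.

```python
from collections import defaultdict

# Constructed host lists standing in for the two LogRhythm lists named above.
POS_ENDPOINTS = {"pos-01", "pos-02"}
PAYMENT_SYSTEMS = {"pay-gw-01"}
MONITORED = POS_ENDPOINTS | PAYMENT_SYSTEMS

# Constructed records: (origin host, impacted host, Common Event, is network traffic).
BASELINE_LOGS = [
    ("pos-01", "pay-gw-01", "Network Allow", True),
    ("pos-02", "pay-gw-01", "Network Allow", True),
    ("pay-gw-01", "pos-01", "Service Logon", False),
    ("pos-01", "pos-01", "Process Started", False),
]
LIVE_LOGS = [
    ("pos-01", "pay-gw-01", "Network Allow", True),  # known CE, known pair
    ("pos-02", "pos-02", "User Logon Failure : Bad Password", False),  # new CE
    ("wks-77", "pos-01", "Network Allow", True),  # known CE, unseen peer
    ("wks-77", "wks-78", "Network Allow", True),  # neither host is in scope
]

def build_baseline(logs):
    """Learning phase: Common Events seen per in-scope host, and host pairs
    seen exchanging network traffic where at least one side is in scope."""
    events, pairs = defaultdict(set), set()
    for origin, impacted, ce, is_network in logs:
        scope = {origin, impacted} & MONITORED
        for host in scope:
            events[host].add(ce)
        if scope and is_network:
            pairs.add(frozenset((origin, impacted)))
    return events, pairs

def evaluate(logs, events, pairs):
    """Detection phase: alarm on any in-scope activity absent from the baseline."""
    alarms = []
    for origin, impacted, ce, is_network in logs:
        scope = {origin, impacted} & MONITORED
        for host in sorted(scope):  # sorted only for deterministic output
            if ce not in events[host]:
                alarms.append(("Abnormal CE", host, ce))
        if scope and is_network and frozenset((origin, impacted)) not in pairs:
            alarms.append(("Abnormal Network Comms", origin, impacted))
    return alarms

def run_example():
    events, pairs = build_baseline(BASELINE_LOGS)
    return evaluate(LIVE_LOGS, events, pairs)
```

The baseline period is the weak point of this approach: anything present while the whitelist is being learned, including an attacker already in place, becomes "normal", so the baseline should be built from a window the analyst has reason to trust.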

Requirements

  • The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.
  • Network traffic logs must be collected by LogRhythm and analyzed by AI Engine.

KB Content

Object Type    Name                                        ID
AIE Rule       RCC: Back Office Abnormal Network Comms     527
AIE Rule       RCC: POS Abnormal Network Comms             520

What to Do When This Rule Fires

An alarm from one of these AI Engine rules indicates that network traffic was seen between a POS or payment system host and a previously unseen host. Begin by determining the nature of the new host. If the host is new to the network, it may be malicious. If it is an existing host, it may have been compromised and repurposed for malicious activity. Run investigations against both hosts to examine them for unusual authentication or process activity.

File System Modified

The AI Engine rules listed below alarm when unexpected file activity is observed on a POS endpoint or payment system host. Files being created or modified could indicate that a host was compromised and malicious processes are being set up to capture data. Attribute or permissions changes could indicate that someone is performing data exfiltration.

Requirements

  • The Retail Cyber Crime POS Endpoints list must be populated with POS endpoint hosts and/or the Back Office Payment Systems list must be populated with payment systems.
  • File Integrity Monitoring must be configured to monitor files on the POS endpoint and/or payment system.

KB Content

Object Type    Name                                     ID
AIE Rule       RCC: Back Office File System Modified    531
AIE Rule       RCC: POS File System Modified            524

What to Do When This Rule Fires

An alarm from one of these two rules may signal a compromised host. Investigate the host for unusual authentication or process activity. Check the listed user for other suspicious behavior.