Financial Fraud Detection Module User Guide
Debit/Credit Card Activated; Online Banking Password Modified; Online Banking Device Registered; ACH Transfer Scheduled; Dormant Account Used; Payee and Payment Added; At-Risk Account Logged In; Contact Email Change; Checking Account Created; Mailing Address Change
This set of AI Engine rules identifies certain Common Events generated by online banking and financial log data. These rules generate AIE Events which feed back into AIE for further correlation. These events will appear anywhere that Event data is used, such as Web Console dashboards.
Requirements
The Common Events listed in the Financial Fraud Detection Module Deployment Guide must be assigned to MPE rules identifying specific types of activity in order for these AI Engine rules to be triggered.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Debit/Credit Card Activated | 899 |
| AIE Rule | FFD: Online Banking Password Modified | 900 |
| AIE Rule | FFD: Online Banking Device Registered | 901 |
| AIE Rule | FFD: ACH Transfer Scheduled | 902 |
| AIE Rule | FFD: Dormant Account Used | 903 |
| AIE Rule | FFD: Payee and Payment Added | 904 |
| AIE Rule | FFD: At-Risk Account Logged In | 905 |
| AIE Rule | FFD: Contact Email Change | 906 |
| AIE Rule | FFD: Checking Account Created | 907 |
| AIE Rule | FFD: Mailing Address Change | 908 |
What to Do When This Rule Fires
These AI Engine rules are not designed to alarm individually, though they may be configured to do so if they identify particularly unusual events.
Suspicious Account Activity (Unique); Suspicious Account Activity (Threshold)
This pair of AI Engine rules uses the previous set of AI Engine Events to detect anomalous behavior.
None of the events listed above is suspicious on its own, but an unusual number of them coming from one account in a short amount of time may indicate a compromised account.
Requirements
- As many as possible of the Common Events listed in the Financial Fraud Detection Module Deployment Guide assigned to specific logs in MPE rules.
- The above AI Engine rules must be enabled in order for AIE Feedback to trigger these two rules.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Suspicious Account Activity (Unique) | 909 |
| AIE Rule | FFD: Suspicious Account Activity (Threshold) | 910 |
What to Do When This Rule Fires
When either of these AI Engine rules fires, it indicates an account with a suspicious number of unusual events in a short amount of time. Investigate the account within the LogRhythm Web Console or the account management system to look for signs of a compromised account, such as unusual login activity or transactions.
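As an added illustration of the Unique and Threshold variants described above (example code, not part of the module), the following sliding-window check replays constructed AIE feedback events per account. The 30-minute window and the minimums of 3 distinct / 4 total events are assumed values, not the module's configured thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AIE feedback events (not from the page):
# (ISO timestamp, account, AIE event name)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "acct-1001", "FFD: At-Risk Account Logged In"),
    ("2024-05-01T09:02:10", "acct-1001", "FFD: Online Banking Password Modified"),
    ("2024-05-01T09:03:30", "acct-1001", "FFD: Contact Email Change"),
    ("2024-05-01T09:05:00", "acct-1001", "FFD: Payee and Payment Added"),
    ("2024-05-01T09:06:00", "acct-1001", "FFD: Payee and Payment Added"),
    ("2024-05-01T10:00:00", "acct-2002", "FFD: Online Banking Device Registered"),
    ("2024-05-01T14:00:00", "acct-2002", "FFD: Payee and Payment Added"),
]


def suspicious_accounts(events, window=timedelta(minutes=30),
                        unique_min=3, threshold_min=4):
    """Return {account: set of rule variants fired} over a sliding window.

    'Unique'    fires when at least unique_min *distinct* FFD events fall
                within the window for one account.
    'Threshold' fires when at least threshold_min events of any kind do.
    Window and minimums are assumed values, not the module's settings.
    """
    by_account = defaultdict(list)
    for ts, account, name in sorted(events):
        by_account[account].append((datetime.fromisoformat(ts), name))

    fired = {}
    for account, evs in by_account.items():
        hits, start = set(), 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            if len({name for _, name in in_window}) >= unique_min:
                hits.add("Unique")
            if len(in_window) >= threshold_min:
                hits.add("Threshold")
        if hits:
            fired[account] = hits
    return fired


if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_EVENTS))
```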
Login From Suspicious Host
This AI Engine rule detects Online Banking login activity from suspicious or low-reputation hosts. If available, it will use the LogRhythm Third Party Threat Lists as a data source, but other lists can be created for each organization.
Requirements
The Online Banking log source MPE rules must be configured to assign a User Logon Common Event.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Login From Suspicious Host | 911 |
What to Do When This Rule Fires
This rule indicates login activity from a suspicious host. Review context around the login such as location and compare it to normal authentication activity for the account. Investigate account activity after the login for any suspicious account modifications or transactions.
Failed Login followed by New ACH Payee
This AI Engine rule uses correlated rule blocks to identify an account with authentication failure activity followed by the creation of a new ACH Payee.
Requirements
The Online Banking log source MPE rules must be configured to assign User Logon Failure and New ACH Payee Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Failed Login followed by New ACH Payee | 912 |
What to Do When This Rule Fires
This rule will fire when an authentication failure and creation of a new ACH payee are seen within a short time window. This could be indicative of an account takeover and an attempt to transfer funds from an account.
Investigate the account identified in the alarm properties as well as the recipient account, and examine the context of the authentication to determine if this is legitimate activity.
Password Modified followed by New ACH Payee
This AI Engine rule uses correlated rule blocks to identify an account with password modification activity followed by the creation of a new ACH Payee.
Requirements
The Online Banking log source MPE rules must be configured to assign Password Modified and New ACH Payee Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Password Modified followed by New ACH Payee | 913 |
What to Do When This Rule Fires
This rule will fire when an account generates a password modification event followed by the creation of a new ACH payee. This may indicate that an account has been compromised and there is an attempt to remove funds from the account. Examine any additional account activity including login activity for signs of suspicious behavior.
Foreign IP Account Probe
This AI Engine rule is triggered when a foreign host attempts to log into multiple online banking accounts. By default, the rule looks for hosts outside of the United States and Canada, but you may use additional exclude filters to whitelist more countries, or clone the rule and modify the primary criteria to whitelist different locations.
Requirements
The Online Banking log source MPE rules must be configured to assign User Logon and User Logon Failure Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Foreign IP Account Probe | 914 |
What to Do When This Rule Fires
This rule will alarm when a single external IP address attempts to log into multiple online banking accounts. This may be triggered by a single NAT IP address with multiple hosts behind it, such as a hotel or coffee shop. When triggered, investigate the accounts listed – especially if any of the authentication activity was successful.
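An added example (not the module's own logic) of the grouping this rule performs: logon Common Events are grouped by origin IP, hosts in the excluded countries are dropped, and any remaining host that touched several distinct accounts is reported together with the accounts where the logon succeeded. The country field is assumed to come from a GeoIP lookup already applied to the event, the minimum of 3 accounts is an assumed value, and the time window is left out for brevity.

```python
from collections import defaultdict

# Constructed sample online-banking logon events (not from the page). The
# country code is assumed to come from a GeoIP lookup on the origin IP;
# "XX" stands in for any country outside the excluded list.
SAMPLE_LOGONS = [
    {"ip": "203.0.113.7", "country": "XX", "account": "acct-1001", "event": "User Logon Failure"},
    {"ip": "203.0.113.7", "country": "XX", "account": "acct-1002", "event": "User Logon Failure"},
    {"ip": "203.0.113.7", "country": "XX", "account": "acct-1003", "event": "User Logon"},
    {"ip": "198.51.100.4", "country": "US", "account": "acct-2001", "event": "User Logon Failure"},
    {"ip": "198.51.100.4", "country": "US", "account": "acct-2002", "event": "User Logon Failure"},
    {"ip": "198.51.100.4", "country": "US", "account": "acct-2003", "event": "User Logon"},
    {"ip": "192.0.2.9", "country": "XX", "account": "acct-3001", "event": "User Logon Failure"},
    {"ip": "192.0.2.9", "country": "XX", "account": "acct-3001", "event": "User Logon Failure"},
]

LOGON_EVENTS = ("User Logon", "User Logon Failure")


def account_probes(logons, min_accounts=3, exclude_countries=frozenset({"US", "CA"})):
    """Return {ip: {"accounts": [...], "successes": [...]}} for every origin host
    outside exclude_countries that tried at least min_accounts distinct accounts.
    'successes' lists accounts where a logon succeeded, which the guide singles
    out for priority investigation. min_accounts is an assumed value."""
    per_ip = defaultdict(lambda: {"country": None, "accounts": set(), "successes": set()})
    for e in logons:
        if e["event"] not in LOGON_EVENTS:
            continue  # only User Logon / User Logon Failure Common Events count
        rec = per_ip[e["ip"]]
        rec["country"] = e["country"]
        rec["accounts"].add(e["account"])
        if e["event"] == "User Logon":
            rec["successes"].add(e["account"])
    return {
        ip: {"accounts": sorted(r["accounts"]), "successes": sorted(r["successes"])}
        for ip, r in per_ip.items()
        if r["country"] not in exclude_countries and len(r["accounts"]) >= min_accounts
    }


if __name__ == "__main__":
    for ip, hit in account_probes(SAMPLE_LOGONS).items():
        print(ip, hit)
```

The US host in the sample touches just as many accounts as the flagged one but is dropped by the default exclusion, which is the behaviour the exclude filters above control.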
Changed Address Followed by Card Activation
This rule detects a physical card compromise after an account takeover. It alarms when a debit/credit card is activated after the mailing address has been changed on an account. Be aware that the threshold for this alarm is especially long since these events may be several days apart.
Requirements
The Online Banking log source MPE rules must be configured to assign Mailing Address Change and Credit/Debit Card Activated Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Changed Address Followed by Card Activation | 915 |
What to Do When This Rule Fires
This alarm would indicate that a compromised card exists. Examine other card transactions on this account, as well as other online banking activity for signs of suspicious behavior.
Email Change and New Payee
This AI Engine rule looks for an attempt to mask an invalid transaction by changing the notification email address on an account, then adding a new ACH payee.
Requirements
The Online Banking log source MPE rules must be configured to assign Contact Address Change and New ACH Payee Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: Email Change and New Payee | 916 |
What to Do When This Rule Fires
When this alarm fires it is an indication that the account has been compromised and there is an attempt to prevent the account owner from discovering the theft by changing the notification email address. An analyst should run additional investigations against the account to look for other suspicious activity such as unusual login activity.
New Payee then $750.00 Transfer
This AI Engine rule will fire when a new payee is created in an online banking account followed by a transfer of at least $750. This can be a sign of the illegitimate withdrawal of funds after an account compromise.
Requirements
The Online Banking log source MPE rules must be configured to assign New ACH Payee and New ACH Transfer Common Events.
KB Content
| Object Type | Name | ID |
|---|---|---|
| AIE Rule | FFD: New Payee then $750.00 Transfer | 917 |
What to Do When This Rule Fires
When this alarm fires it is an indication that the account has been compromised and there is an attempt to withdraw funds. Investigation should involve researching additional account activity for other suspicious behavior such as unusual login activity. Because of the nature of this rule some tuning may be required to minimize noise – such as adjusting the dollar amount and time thresholds.
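The sequence rules in this guide (Failed Login followed by New ACH Payee, Password Modified followed by New ACH Payee, Changed Address Followed by Card Activation, Email Change and New Payee, and New Payee then $750.00 Transfer) all share one shape: a block-1 Common Event followed, within a window, by a block-2 Common Event on the same account, optionally filtered on a field such as the transfer amount. The added example below (not the module's own code) implements that shape as a table-driven correlator over constructed events; the three rules encoded, their windows and the amount filter are assumptions chosen to show a short window, a multi-day window, and a field filter.

```python
from datetime import datetime, timedelta

# Constructed sample online-banking events (not from the page); "amount" is
# only present on transfer events.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "account": "acct-1001", "event": "User Logon Failure"},
    {"ts": "2024-05-01T09:04:00", "account": "acct-1001", "event": "New ACH Payee"},
    {"ts": "2024-05-01T09:09:00", "account": "acct-1001", "event": "New ACH Transfer", "amount": 1200.00},
    {"ts": "2024-04-28T08:00:00", "account": "acct-3003", "event": "Mailing Address Change"},
    {"ts": "2024-05-02T11:30:00", "account": "acct-3003", "event": "Credit/Debit Card Activated"},
    {"ts": "2024-05-01T12:00:00", "account": "acct-2002", "event": "New ACH Payee"},
    {"ts": "2024-05-01T12:05:00", "account": "acct-2002", "event": "New ACH Transfer", "amount": 50.00},
]

# (rule name, block-1 Common Event, block-2 Common Event, window, block-2 filter).
# Windows and the amount filter are assumptions for this example, not module settings.
RULES = [
    ("Failed Login followed by New ACH Payee", "User Logon Failure", "New ACH Payee",
     timedelta(minutes=15), None),
    ("New Payee then $750.00 Transfer", "New ACH Payee", "New ACH Transfer",
     timedelta(minutes=30), lambda e: e.get("amount", 0) >= 750),
    ("Changed Address Followed by Card Activation", "Mailing Address Change",
     "Credit/Debit Card Activated", timedelta(days=7), None),
]


def correlate(events, rules=RULES):
    """Return sorted (rule name, account) pairs for every account where a block-1
    event is followed, within the rule's window, by a matching block-2 event."""
    timeline = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                      key=lambda pair: pair[0])
    alarms = set()
    for name, first, second, window, accept in rules:
        for i, (t1, e1) in enumerate(timeline):
            if e1["event"] != first:
                continue
            for t2, e2 in timeline[i + 1:]:
                if t2 - t1 > window:
                    break  # timeline is sorted, so nothing later can qualify
                if (e2["account"] == e1["account"] and e2["event"] == second
                        and (accept is None or accept(e2))):
                    alarms.add((name, e1["account"]))
                    break
    return sorted(alarms)


if __name__ == "__main__":
    for rule, account in correlate(SAMPLE_EVENTS):
        print(f"{rule}: {account}")
```

Tuning the rule, as the paragraph above suggests, amounts to changing the window or the amount in the RULES table; the $50 transfer on acct-2002 is dropped by the filter while the address change on acct-3003 still matches four days later thanks to the longer window.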