Retail Cyber Crime – AI Engine Rules
AI Engine Rule Name | Rule Description | Rule ID | Minimum Data Requirement | Recommended Data Requirement |
---|---|---|---|---|
RCC: POS New Process | This rule will watch a "Gold Standard" POS system for process activity and build a whitelist profile of processes running on the "Gold Standard," comparing all other POS endpoints with the "Gold Standard" process list. | 518 | POS Host Logs | System Monitor on POS |
RCC: POS Abnormal Auth Activity | This rule will build a whitelist profile of the authentication activity to and from POS endpoints. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule will fire. | 519 | POS Host Logs | System Monitor on POS |
RCC: POS Abnormal Network Comms | This rule will build a whitelist profile of all end-to-end network communications where one side is a POS system. If a connection is seen to/from a new IP, the rule will fire. | 520 | Firewall Logs from POS Network | LogRhythm Network Monitor on POS Network |
RCC: POS Abnormal CE | This rule will build a whitelist of Common Events being generated on each POS endpoint. If a new Common Event is noticed, the rule will fire. | 521 | POS Host Logs | System Monitor on POS |
RCC: POS Abnormal File Access | This rule will build a profile of file access on a POS file system. If new access activity is identified, the rule will fire. | 522 | File System Logs | LogRhythm File Integrity Monitoring |
RCC: POS DLD Event | This rule will look for any LogRhythm Data Loss Defender events on a POS endpoint and fire if any are observed. | 523 | LogRhythm Data Loss Defender | |
RCC: POS File System Modified | This rule will look for any file system changes on a POS endpoint and fire if changes are identified. | 524 | File System Logs | LogRhythm File Integrity Monitoring |
RCC: Back Office New Process | This rule will watch a "Gold Standard" back-office payment system for process activity and build a whitelist profile of processes running on the "Gold Standard," comparing all other "like" systems with the "Gold Standard" process list. | 525 | Payment System Host Logs | System Monitor on Payment System Host |
RCC: Back Office Abnormal Auth Activity | This rule will build a whitelist profile of the authentication activity to and from back-office payment systems. If a new Origin Login is seen, or new hosts are involved in the authentication activity, the rule will fire. | 526 | Payment System Host Logs | System Monitor on Payment System Host |
RCC: Back Office Abnormal Network Comms | This rule will build a whitelist profile of all end-to-end network communications where one side is a back-office payment system. If a connection is seen to/from a new IP, the rule will fire. | 527 | Firewall Logs from Payment System Network | LogRhythm Network Monitor on Payment System Network |
RCC: Back Office Abnormal CE | This rule will build a whitelist of Common Events being generated on each back-office payment system. If a new Common Event is noticed, the rule will fire. | 528 | Payment System Host Logs | System Monitor on Payment System Host |
RCC: Back Office Abnormal File Access | This rule will build a profile of file access on a back-office payment system. If new access activity is identified, the rule will fire. | 529 | File System Logs | LogRhythm File Integrity Monitoring |
RCC: Back Office DLD Event | This rule will look for any LogRhythm Data Loss Defender events on a back-office payment system and fire if any are observed. | 530 | LogRhythm Data Loss Defender | |
RCC: Back Office File System Modified | This rule will look for any file system changes on a back-office payment system and fire if changes are identified. | 531 | File System Logs | LogRhythm File Integrity Monitoring |