Skip to main content
Skip table of contents

Retail Cyber Crime Deployment Guide – Configure the Module


Configure Lists

There are user-configurable lists included with the module. Use these lists to narrow the scope of AI Engine Rules and to filter events.

  1. Open the LogRhythm Console and click List Manager on the main toolbar.
  2. Use the Name or List ID column filter to find the list you want, either RCC: Back Office Payment Systems or RCC: POS Endpoints.
  3. To open the List Properties window, double-click the list.
  4. Click on the List Items tab, and then click Add Item.
  5. Use the Add Item dialogue to add items to the list individually by IP Address, IP Address Range, Hostname, or Known Host, or click Import to import a text file or clipboard contents.
  6. Click Apply and then click OK.

Enable AI Engine Rules

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Network Threat Detection to find AI Engine rules tied to this module.
  4. Select the Action checkbox of each rule you want to configure.
  5. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

  6. If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules. Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not the appliance itself.)

    You must select the AI Engine instance in the View field to see the Restart column.

Whitelist AI Engine Rule Learning

The Whitelist AI Engine rules require a learning period to take effect. During the learning period, observed metadata which fits the criteria will be added to the whitelist. The learning period should be set with known periodic traffic in mind such as weekly or bi-weekly system updates. A minimum of one week is recommended.

To set the learning period

  1. On the main toolbar of the Client Console, click the Deployment Manager tab.
  2. Click the AI Engine tab.

  3. Double-click each of the AI Engine rules listed in the following table.

    AI Engine Rule Name

    Rule ID

    RCC: POS New Process

    518

    RCC: POS Abnormal Auth Activity

    519

    RCC: POS Abnormal Network Comms

    520

    RCC: POS Abnormal CE

    521

    RCC: Back Office New Process

    525

    RCC: Back Office Abnormal Auth Activity

    526

    RCC: Back Office Abnormal Network Comms

    527

    RCC: Back Office Abnormal CE

    528

  4. Double-click the Profile rule block on the right.
  5. Click the Profile tab.
  6. Set the Start date to a date and time in the future and set the End date to the learning period you want.
  7. Click OK until you return to the AI Engine Rule Manager.
    The rule is automatically enabled after the learning period is complete.

After the learning period is complete, review the whitelist data in the Profile tab and remove any items which should not be whitelisted. If the whitelist is not sufficient, additional items can be added individually or the rules can be put back into learning mode.

Enable AI Engine Rule Alarming

By default, alarming is initially turned off for all AI Engine Rules. Even without alarms, events are generated when the rule is enabled and its criteria are satisfied. These events are displayed in the Web Console Dashboard and they can be seen by running an Investigation or Tail against the Platform Manager.

Before enabling Alarming, review these events and tune rules as necessary to meet an acceptable level of false positives. Refer to the Retail Cyber Crime Module User Guide for information about tuning individual AI Engine Rules. When finished tuning, enable alarming on the rules to bring events to the alarm layer, providing visibility to the monitoring team and allowing for notification and SmartResponse.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Network Threat Detection to find AI Engine rules tied to this module.
    The value in the Alarm Status column indicates whether the alarm is enabled for a rule.
  4. Select the Action checkbox of each rule you want to configure.

  5. Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

    Alarm settings are located on the Settings tab in each AI Engine Rule’s Properties.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close