Epic
About
Epic is the leading healthcare software company in the US with the most widely used and comprehensive health records system. Clinicians around the world use Epic to exchange information needed to support patient care.
Product Details
Vendor URL: Epic
Product Type: EMR/EHR System
Product Tier: Tier III
Integration Method: SYSLOG
Parser Details
Log Format: LEEF + Syslog
Expected Normalization Rate: Near 100%
Data Label: EPIC
UDM Fields (list of all UDM fields leveraged in the Parser):
| UDM Field | Log File Field / Value |
|---|---|
| additional.fields | api |
| additional.fields | application_id |
| additional.fields | cvg |
| additional.fields | encrypt |
| additional.fields | login_device |
| additional.fields | login_reval |
| additional.fields | login_source |
| additional.fields | masked_mode |
| additional.fields | nsc |
| additional.fields | service_category |
| additional.fields | service_id |
| additional.fields | service_user_type |
| additional.fields | success_yes_no |
| additional.fields | time_out |
| extensions.auth.type | SSO, AUTHTYPE_UNSPECIFIED |
| intermediary.hostname | INSTANCEURN |
| intermediary.ip | inter_ip |
| metadata.description | CTXT, LOGIN_CONTEXT, PWREASON |
| metadata.event_type | GENERIC_EVENT, RESOURCE_READ, USER_LOGIN, USER_CHANGE_PASSWORD, USER_UNCATEGORIZED, USER_RESOURCE_ACCESS, USER_RESOURCE_UPDATE_CONTENT |
| metadata.product_event_type | event_id |
| metadata.product_name | Epic Systems |
| metadata.product_version | HKUAPVER |
| metadata.vendor_name | EPIC |
| network.ip_protocol | EIGRP, ESP, ETHERIP, GRE, ICMP, IGMP, IP6IN4, PIM, TCP, UDP, UNKNOWN_IP_PROTOCOL, VRRP |
| network.session_id | AUDIT SESSION, CSISESS_TOKEN, E3MID |
| principal.asset_id | Device ID: |
| principal.hostname | CLIENTNAME |
| principal.platform_version | HKUOSVER |
| principal.platform | LINUX, MAC, UNKNOWN_PLATFORM, WINDOWS |
| principal.resource.attribute.labels | prev_user |
| principal.resource.type | DEVICE |
| principal.user.attribute.roles | user_role |
| principal.user.department | PREVDEPARTMENT:-PREVDEPARTMENT, NEWDEPARTMENT:-NEWDEPARTMENT; PREVDEPARTMENT:-NONE, NEWDEPARTMENT:NEWDEPARTMENT; PREVDEPARTMENT:PREVDEPARTMENT, NEWDEPARTMENT:-NONE |
| principal.user.user_display_name | usrName |
| principal.user.userid | UID, LOGIN_LDAP_ID, usrName, MYCACCT |
| security_result.action | BLOCK |
| security_result.description | BTGEXPLANATION, flag |
| security_result.severity | CRITICAL, HIGH, LOW |
| security_result.summary | BTGNOACCESSREAS, BTGREASON, ERRMSG, LOGIN_REASON, LOGINERROR |
| target_user | OSUSR, PATIENT, SERVICE_USER |
| target.application | APP, BCAPCS, BCAWEB_NAME, WEBLGAPP |
| target.file.full_path | FILENAME |
| target.hostname | resource |
| target.ip | ip, IP, ip1 |
| target.resource.attribute.labels | key "Workstation ID/Type", value shost |
| target.resource.name | SERVICENAME |
| target.resource.type | SERVICETYPE |
| target.user.userid | target_user |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| All events (default when no rule below matches) | GENERIC_EVENT |
| event_id is "IC_SERVICE_AUDIT", "AC_BREAK_THE_GLASS_FAILED_ACCESS", "AC_BREAK_THE_GLASS_INAPPROPRIATE_ATTEMPT", "AC_BREAK_THE_GLASS_ACCESS", "MCMEMEDISA" | RESOURCE_READ |
| event_id is "FAILEDLOGIN", "LOGIN", "ROVER_FAILED_LOGIN", "SWITCHUSER", "AUTHENTICATION", "EW_LOGIN", "ROVER_LOGIN", "CTO_FAILED_LOGIN", "CTO_LOGIN", "HKU_FAILED_LOGIN", "HKU_LOGIN", "WPSEC_SEC_AUTH_OPT_OUT", "WPSEC_SEC_AUTH_OPT_IN", "BCA_LOGIN_FAILURE", "BCA_LOGIN_SUCCESS", "BCA_USER_LOCKED", "WPSEC_LOGIN_FAIL", "WPSEC_LOGIN_SUCCESS" | USER_LOGIN |
| event_id is "E_ADMINPASSWORDCHANGE", "E_FAILEDPASSWORDCHANGE", "E_SELFPASSWORDCHANGE", "WPSEC_USER_PASSWORD_CHANGE_FAIL", "WPSEC_USER_PASSWORD_CHANGE" | USER_CHANGE_PASSWORD |
| event_id is "CONTEXTCHANGE" | USER_UNCATEGORIZED |
| event_id is "SECURE", "UNSECURE", "MASKED_DATA_DISPLAY", "MASKED_DATA_PRINTING" | USER_RESOURCE_ACCESS |
| event_id is "PHI_CLIENT_FILE" | USER_RESOURCE_UPDATE_CONTENT |
Log Sample
Nov 28 23:51:10 10.1.123.123 LEEF:1.0|Epic|Security-SIEM|10.2.0|IC_SERVICE_AUDIT|eventCnt=1 usrName=USERNAME shost=prd resource= action=Query devTime=Nov 28 2022 14:42:18 devTimeFormat=MMM dd yyyy HH:mm:ss flag=Access History-- proto=6 sev=4 APIID=000000000REDACTEDEBA786EF APPLICATIONID=56336b07-REDACTED-4a897 CLIENTNAME=HOSTNAME INSTANCEURN=urn:REDACTED:PRD.FXXR IP=Unknown IP SERVICECATEGORY=FXXR SERVICEID=031700000-f56f-423c-REDACTED3420 SERVICENAME=urn:epic-com:FXXR.2017.Services.ABC3.v2017_ABCObservationSearch SERVICETYPE=REST-WebAPI
Sample Parsing
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "EPIC"
metadata.product_name = "Epic Systems"
additional.Service Category = "FXXR"
additional.Application Id = "56336b07-REDACTED-4a897"
additional.API ID = "000000000REDACTEDEBA786EF"
additional.Service Id = "031700000-f56f-423c-REDACTED3420"
principal.hostname = "HOSTNAME"
principal.user.userid = "USERNAME"
principal.asset.hostname = "HOSTNAME"
target.resource.type = "REST-WebAPI"
target.resource.name = "urn:epic-com:FXXR.2017.Services.ABC3.v2017_ABCObservationSearch"
target.resource.attribute.labels.key = "Workstation ID/Type"
target.resource.attribute.labels.value = "prd"
intermediary.hostname = "urn:REDACTED:PRD.FXXR"
intermediary.ip = "10.1.123.123"
security_result.description = "Access History"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
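To show how the log sample above becomes the UDM fields listed in the sample parsing, here is an added example (not Epic's or the parser's own code) that parses the syslog-wrapped LEEF 1.0 line and applies a subset of the UDM Fields and Product Event Types tables, so IC_SERVICE_AUDIT yields RESOURCE_READ per the table. The key=value tokenizer (values such as "IP=Unknown IP" contain spaces), the IANA protocol-number lookup, and the dropping of empty and non-IP values are assumptions about parser behaviour rather than details taken from the page.

```python
import ipaddress
import re

# Constructed input: the (already redacted) Log Sample from this page, as one string.
SAMPLE = (
    "Nov 28 23:51:10 10.1.123.123 LEEF:1.0|Epic|Security-SIEM|10.2.0|IC_SERVICE_AUDIT|eventCnt=1 "
    "usrName=USERNAME shost=prd resource= action=Query devTime=Nov 28 2022 14:42:18 devTimeFormat=MMM dd yyyy "
    "HH:mm:ss flag=Access History-- proto=6 sev=4 APIID=000000000REDACTEDEBA786EF APPLICATIONID=56336b07-REDACTED-4a897 "
    "CLIENTNAME=HOSTNAME INSTANCEURN=urn:REDACTED:PRD.FXXR IP=Unknown IP SERVICECATEGORY=FXXR "
    "SERVICEID=031700000-f56f-423c-REDACTED3420 SERVICENAME=urn:epic-com:FXXR.2017.Services.ABC3.v2017_ABCObservationSearch "
    "SERVICETYPE=REST-WebAPI"
)
# event_id -> UDM event type: a subset of the Product Event Types table above.
EVENT_TYPES = {"IC_SERVICE_AUDIT": "RESOURCE_READ", "LOGIN": "USER_LOGIN", "FAILEDLOGIN": "USER_LOGIN",
               "E_SELFPASSWORDCHANGE": "USER_CHANGE_PASSWORD", "CONTEXTCHANGE": "USER_UNCATEGORIZED",
               "PHI_CLIENT_FILE": "USER_RESOURCE_UPDATE_CONTENT"}
IP_PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP", "47": "GRE", "50": "ESP"}  # IANA protocol numbers (assumed lookup)
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (LEEF:.*)$")  # timestamp, relay host, LEEF payload
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")  # a key is a bare token directly before '='
# Straight copies taken from the UDM Fields table above (log field -> UDM field).
DIRECT = (("usrName", "principal.user.userid"), ("CLIENTNAME", "principal.hostname"),
          ("INSTANCEURN", "intermediary.hostname"), ("SERVICENAME", "target.resource.name"),
          ("SERVICETYPE", "target.resource.type"), ("resource", "target.hostname"))

def parse_leef_attrs(attrs: str) -> dict:
    """Split space-delimited key=value pairs whose values may contain spaces ('IP=Unknown IP')."""
    keys = list(KEY_RE.finditer(attrs))  # each value runs from its '=' to the start of the next key
    return {m.group(1): attrs[m.end():(keys[i + 1].start() if i + 1 < len(keys) else len(attrs))].strip()
            for i, m in enumerate(keys)}

def parse_epic_leef(line: str) -> dict:
    """Parse one syslog-wrapped Epic LEEF 1.0 line into a flat UDM-style dict."""
    m = SYSLOG_RE.match(line)
    if not m: raise ValueError("not a syslog-wrapped LEEF line")
    relay_ip, leef = m.group(2), m.group(3)
    parts = leef.split("|", 5)  # LEEF:1.0|Vendor|Product|Version|EventID|attributes
    if len(parts) != 6 or parts[0] != "LEEF:1.0": raise ValueError("unexpected LEEF header")
    event_id, a = parts[4], parse_leef_attrs(parts[5])
    udm = {"metadata.vendor_name": "EPIC", "metadata.product_name": "Epic Systems",
           "metadata.product_event_type": event_id, "intermediary.ip": relay_ip,
           "metadata.event_type": EVENT_TYPES.get(event_id, "GENERIC_EVENT"),
           "network.ip_protocol": IP_PROTO.get(a.get("proto", ""), "UNKNOWN_IP_PROTOCOL")}
    udm.update({dst: a[src] for src, dst in DIRECT if a.get(src)})  # empty values ('resource=') are dropped
    if a.get("flag"): udm["security_result.description"] = a["flag"].rstrip("-").strip()  # 'Access History--'
    if a.get("shost"): udm["target.resource.attribute.labels"] = {"Workstation ID/Type": a["shost"]}
    try:  # 'IP=Unknown IP' is not an address, so target.ip stays unset rather than holding junk
        udm["target.ip"] = str(ipaddress.ip_address(a.get("IP", "")))
    except ValueError: pass
    return udm
```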
Parser Alerting
This product currently does not have any parser-based alerting.