Skip to content

Epic

Epic

About

Epic is the leading healthcare software company in the US with the most widely used and comprehensive health records system. Clinicians around the world use Epic to exchange information needed to support patient care.

Product Details

Vendor URL: Epic

Product Type: EMR/EHR System

Product Tier: Tier III

Integration Method: SYSLOG

Parser Details

Log Format: LEEF + Syslog

Expected Normalization Rate: Near 100%

Data Label: EPIC

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
additional.fields api
additional.fields application_id
additional.fields cvg
additional.fields encrypt
additional.fields login_device
additional.fields login_reval
additional.fields login_source
additional.fields masked_mode
additional.fields nsc
additional.fields service_category
additional.fields service_id
additional.fields service_user_type
additional.fields success_yes_no
additional.fields time_out
extensions.auth.type SSO, AUTHTYPE_UNSPECIFIED
intermediary.hostname INSTANCEURN
intermediary.ip inter_ip
metadata.description CTXT, LOGIN_CONTEXT, PWREASON
metadata.event_type GENERIC_EVENT, RESOURCE_READ, USER_LOGIN, USER_CHANGE_PASSWORD, USER_UNCATEGORIZED, USER_RESOURCE_ACCESS, USER_RESOURCE_UPDATE_CONTENT
metadata.product_event_type event_id
metadata.product_name Epic Systems
metadata.product_version HKUAPVER
metadata.vendor_name EPIC
network.ip_protocol EIGRP, ESP, ETHERIP, GRE, ICMP, IGMP, IP6IN4, PIM, TCP, UDP, UNKNOWN_IP_PROTOCOL, VRRP
network.session_id AUDIT SESSION, CSISESS_TOKEN, E3MID
principal.asset_id Device ID:
principal.hostname CLIENTNAME
principal.platform_version HKUOSVER
principal.platform LINUX, MAC, UNKNOWN_PLATFORM, WINDOWS
principal.resource.attribute.labels prev_user
principal.resource.type DEVICE
principal.user.attribute.roles user_role
principal.user.department PREVDEPARTMENT:-PREVDEPARTMENT, NEWDEPARTMENT:-NEWDEPARTMENT; PREVDEPARTMENT:-NONE, NEWDEPARTMENT:NEWDEPARTMENT; PREVDEPARTMENT:PREVDEPARTMENT, NEWDEPARTMENT:-NONE
principal.user.user_display_name usrName
principal.user.userid UID, LOGIN_LDAP_ID, usrName, MYCACCT
sec_result.action BLOCK
sec_result.description BTGEXPLANATION, flag
sec_result.severity CRITICAL, HIGH, LOW
sec_result.summary BTGNOACCESSREAS, BTGREASON, ERRMSG, LOGIN_REASON, LOGINERROR
target_user OSUSR, PATIENT, SERVICE_USER
target.application APP, BCAPCS, BCAWEB_NAME, WEBLGAPP
target.file.full_path FILENAME
target.hostname resource
target.ip ip, IP, ip1
target.resource.attribute.labels Workstation ID/Type shost
target.resource.name SERVICENAME
target.resource.type SERVICETYPE
target.user.userid target_user

Product Event Types

Event UDM Event Classification
All GENERIC_EVENT
event_id is "IC_SERVICE_AUDIT", "AC_BREAK_THE_GLASS_FAILED_ACCESS", "AC_BREAK_THE_GLASS_INAPPROPRIATE_ATTEMPT", "AC_BREAK_THE_GLASS_ACCESS", "MCMEMEDISA" RESOURCE_READ
event_id is "FAILEDLOGIN", "LOGIN", "ROVER_FAILED_LOGIN", "SWITCHUSER", "AUTHENTICATION", "EW_LOGIN", "ROVER_LOGIN", "CTO_FAILED_LOGIN", "CTO_LOGIN", "HKU_FAILED_LOGIN", "HKU_LOGIN", "WPSEC_SEC_AUTH_OPT_OUT", "WPSEC_SEC_AUTH_OPT_IN", "BCA_LOGIN_FAILURE", "BCA_LOGIN_SUCCESS", "BCA_USER_LOCKED", "WPSEC_LOGIN_FAIL", "WPSEC_LOGIN_SUCCESS" USER_LOGIN
event_id is "E_ADMINPASSWORDCHANGE", "E_FAILEDPASSWORDCHANGE", "E_SELFPASSWORDCHANGE", "WPSEC_USER_PASSWORD_CHANGE_FAIL", "WPSEC_USER_PASSWORD_CHANGE" USER_CHANGE_PASSWORD
event_id is "CONTEXTCHANGE" USER_UNCATEGORIZED
event_id is "SECURE", "UNSECURE", "MASKED_DATA_DISPLAY", "MASKED_DATA_PRINTING" USER_RESOURCE_ACCESS
event_id is "PHI_CLIENT_FILE" USER_RESOURCE_UPDATE_CONTENT

Log Sample

Nov 28 23:51:10 10.1.123.123 LEEF:1.0|Epic|Security-SIEM|10.2.0|IC_SERVICE_AUDIT|eventCnt=1 usrName=USERNAME shost=prd resource= action=Query devTime=Nov 28 2022 14:42:18 devTimeFormat=MMM dd yyyy HH:mm:ss flag=Access History-- proto=6 sev=4 APIID=000000000REDACTEDEBA786EF APPLICATIONID=56336b07-REDACTED-4a897 CLIENTNAME=HOSTNAME INSTANCEURN=urn:REDACTED:PRD.FXXR IP=Unknown IP SERVICECATEGORY=FXXR SERVICEID=031700000-f56f-423c-REDACTED3420 SERVICENAME=urn:epic-com:FXXR.2017.Services.ABC3.v2017_ABCObservationSearch SERVICETYPE=REST-WebAPI

Sample Parsing

metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "EPIC"
metadata.product_name = "Epic Systems"
additional.Service Category = "FXXR"
additional.Application Id = "56336b07-REDACTED-4a897"
additional.API ID = "000000000REDACTEDEBA786EF"
additional.Service Id = "031700000-f56f-423c-REDACTED3420"
principal.hostname = "HOSTNAME"
principal.user.userid = "USERNAME"
principal.asset.hostname = "HOSTNAME"
target.resource.type = "REST-WebAPI"
target.resource.name = "urn:epic-com:FXXR.2017.Services.ABC3.v2017_ABCObservationSearch"
target.resource.attribute.labels.key = "Workstation ID/Type"
target.resource.attribute.labels.value = "prd"
intermediary.hostname = "urn:REDACTED:PRD.FXXR"
intermediary.ip = "10.1.123.123"
security_result.description = "Access History"
security_result.severity = "LOW"
network.ip_protocol = "TCP"

Parser Alerting

This product currently does not have any parser-based alerting