Epic EMR/EHR System
Integration Points
Method | Information Discovered | Metrics Collected | Logs Collected | Used For
Syslog | Host name, Reporting IP | None | Authentication Query, Client login Query | Security monitoring
Event Types
In ADMIN > Device Support > Event, search for "Epic-SecuritySIEM" to see the event types associated with this device. There are two events that are parsed:
Epic-SecuritySIEM-AUTHENTICATION-Query
Epic-SecuritySIEM-LOGIN-Query
Rules
No specific rules are written for Epic-SecuritySIEM.
Reports
No specific reports are written for Epic-SecuritySIEM.
Configuration
Configure the Epic Security-SIEM system to send its logs to FortiSIEM over syslog in the supported CEF format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011

Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|AUTHENTICATION|AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD workstationID=WS7610 act=Query end=Oct 19 00:30:00 flag=Access History^^Workflow Logging LOGINCONTEXT=0-Login LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE LOGINREVAL= 011
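The sample events above are syslog-wrapped CEF, and several Epic extension values contain spaces (ROLE=MODEL IP NURSE), carets packing id^name^login into one field, and empty values (LOGINREASON=). The following added example, written for this page and not FortiSIEM's own parser, splits such a line into header and extension fields and then pulls out the values a monitoring rule would key on; the input line is a constructed sample modelled on the LOGIN event.

```python
import re

# Constructed sample modelled on the page's LOGIN event; not a real capture.
SAMPLE_LOGIN = (
    "Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|"
    "cnt=1 suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 "
    "act=Query end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 "
    "DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE "
    "LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace"
)
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<ip>\S+) CEF:(?P<cef>.*)$")
HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # a key only counts after whitespace

def parse_extensions(ext: str) -> dict:
    # Values may contain spaces (ROLE=MODEL IP NURSE), so each value runs from its
    # '=' up to the next whitespace-preceded 'key='. LOGINREASON= yields ''.
    keys = list(EXT_KEY.finditer(ext))
    out = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[k.group(1)] = ext[k.end():end].strip()
    return out

def parse_epic_cef(line: str) -> dict:
    # Syslog prefix, then 7 pipe-delimited CEF header fields, then the extension.
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a syslog-wrapped CEF line")
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)  # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 fields before the extension")
    rec = {"syslog_ts": m.group("ts"), "reporting_ip": m.group("ip")}
    rec.update(zip(HEADER, parts[:7]))
    rec.update(parse_extensions(parts[7]))
    return rec

def normalize(rec: dict) -> dict:
    # The fields a monitoring rule keys on: Epic packs 'id^display name^login'
    # into suser, and IP can carry several '/'-separated addresses.
    user = (rec.get("suser", "").split("^") + ["", "", ""])[:3]
    return {
        "event_type": rec["signature_id"],  # LOGIN or AUTHENTICATION
        "user_id": user[0], "user_name": user[1], "user_login": user[2],
        "ldap_id": rec.get("LOGINLDAPID", ""),
        "workstation": rec.get("workstationID", ""),
        "department": rec.get("DEP", "").split("^")[-1],
        "client_ips": [ip for ip in rec.get("IP", "").split("/") if ip],
    }
```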