Epic Hyperspace App Deployment Guide – Install the Package

General Deployment Requirements

The deployment of this Module assumes the following:

1. Epic Hyperspace EHR is fully operational and able to send logs to LogRhythm.
2. The overall LogRhythm deployment is in a fully-developed state and is healthy.
3. Minimum software version 7.2.x is deployed.

Configure Epic Logging

All Epic Hyperspace events must be enabled for dashboards and module content to function. For more information, see the LogRhythm Epic Hyperspace Device Configuration Guide.

Configure VPN Logging

For correlation of VPN and Epic Hyperspace Logins, a VPN must be present and logging enabled.

Configure IDS/IPS Logging

For correlation of reconnaissance activity followed by a logon to Epic, an IDS or IPS must be in place for reconassiance activity to be logged.

Configure Entity Structure

Several AI Engine Rules in this App depend on two entities: one for Epic Servers and another for Endpoints authorized to access Epic.

Example Entity Structure

Information to Gather Before Deploying the App

The following information should be gathered prior to implementing the Epic Hyperspace App. This information will be required when populating lists and configuring individual AI Engine Rules.

• Epic Server(s)
• Endpoints used to access Epic

Install and Enable the Compliance Module

Part of the Epic Hyperspace App is provided as a module within the LogRhythm Knowledge Base (KB). Updating the KB automatically creates the proper Reports and AI Engine Rules. Make sure the Epic Hyperspace App module content is imported and enabled, as described in this section.

1. Download the latest Knowledge Base, available under Documentation & Downloads on the LogRhythm Community.
2. Open the LogRhythm Console.

3. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.

   

   To open the Knowledge Base Manager, the Deployment Manager must be closed.

4. On the File menu, click Import Knowledge Base File.
5. Select the newly downloaded Knowledge Base file, and then click Next to unpack and validate it.
   This step takes a few minutes as the system unpacks the new Knowledge Base.
   When the import is complete, you may have the option to preview common event changes.
   You should now be on step 4, “Import Knowledge Base.”
6. To import the Knowledge Base, click Next.
   Upon completion, the Import Progress Import Completed message appears.
7. Click OK.
   The Knowledge Base Updated message appears.
8. Click OK.
9. On the Knowledge Base Import Wizard, click Close.
10. In the Knowledge Base Modules grid, scroll down, search for App : Epic Hyperspace.
11. Locate the Enabled column in the grid for the module. If the box is checked, the Module is already enabled and available to users in the SIEM deployment. If the Enabled box is not checked, enable the Module by selecting its Action check box, right-clicking the Module name, then clicking Actions, and clicking Enable Module.
12. Click Next to import the Knowledge Base.
    You will receive confirmation that the import was successful.
13. Click Next to review common event changes, or close the Knowledge Base import dialog box.

Verify the Installation

After you install the Knowledge Base, the Epic Hyperspace App should be ready to configure. This section shows how you can verify that the Epic Hyperspace App has been installed properly.

Check AIE Rules

Verify eight (8) AI Engine Rules are contained in the Advanced Intelligence (AI) Engine Rule Manager found in the Deployment Manager.

Check Log Processing Policies

Verify one (1) Log Processing Policy with fifty-three (53) MPE Rules are contained in the LogRhythm Client Console.

Check Reports

Verify four (4) Reports and one (1) Reporting Package are contained in the Reports tab of the Report Center.