
Epic Hyperspace App User Guide – AI Engine Rules

Epic : Login Via VPN

AIE Rule ID: 1244

Rule Description

This rule is intended to detect a VPN login followed within 1 hour by a successful login to Epic Hyperspace.

Minimum Log Sources

Epic Hyperspace, VPN

Common Event

AIE : Epic : Login Via VPN

Classification

Security : Suspicious

Suppression Period

N/A

Alarm on Event Occurrence

Yes

Environmental Dependence Factor

2

False Positive Probability

2

Actions

This rule will fire when a user connects via a VPN and logs into Epic within 1 hour. This may indicate inappropriate access to EHR.

Use Case

An attacker has compromised user credentials and attempts to remotely access Electronic Healthcare Records.

Epic : Unusual Successful Break-The-Glass Events

AIE Rule ID: 1313

Rule Description

Rule is designed to baseline normal BTG event frequency and alert when there is unusual activity.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unusual Successful BTG Events

Classification:

Security : Suspicious

Suppression Period

N/A

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

1

False Positive Probability:

5

Actions

Rule observes regular Break The Glass activity and alarms if BTG activity exceeds the baseline.

Use Case

A sudden spike in BTG activity may indicate abuse of emergency access to electronic healthcare records.


Epic : Unusual Unsuccessful Break-The-Glass Events

AIE Rule ID: 1314

Rule Description

Rule is designed to baseline normal BTG failure event frequency and alert when there is unusual activity.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unusual Unsuccessful BTG Events

Classification:

Security : Suspicious

Suppression Period:

N/A

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

1

False Positive Probability:

5

Actions

Rule observes regular Unsuccessful Break The Glass activity and alarms if BTG activity exceeds the baseline.

Use Case

A sudden spike in Unsuccessful BTG activity may indicate attempted abuse of emergency access to electronic healthcare records.


Epic : Reconnaissance Activity Followed By Logon Attempt

AIE Rule ID: 1315

Rule Description

Rule looks for reconnaissance activity on the network followed by a logon attempt (successful or unsuccessful) to Epic.

Minimum Log Sources

Epic Hyperspace, IDS/IPS

Common Event:

AIE : Epic : Recon Activity Followed By Logon Attempt

Classification:

Security : Suspicious

Suppression Period:

N/A

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

2

False Positive Probability:

5

Actions

Rule watches for reconnaissance activity followed shortly after by a logon attempt to Epic.

Use Case

A malicious actor has compromised the network and is searching for credentials on a host. A subsequent logon from said host to Epic may indicate a successful credential compromise.
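The "event A followed by event B" correlation that this rule and the Login Via VPN rule (ID 1244) describe, as an added example that is not the AI Engine's own rule logic. The event field names, the sample events and the 30-minute window for the recon rule are assumptions; only the 1-hour VPN window comes from the rule text.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Epic, VPN or IDS output); field names are assumed.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "kind": "vpn_login", "user": "asmith", "host": "10.8.0.5"},
    {"ts": "2024-03-01T08:40:00", "kind": "epic_login_success", "user": "ASMITH", "host": "10.8.0.5"},
    {"ts": "2024-03-01T09:00:00", "kind": "vpn_login", "user": "bjones", "host": "10.8.0.9"},
    {"ts": "2024-03-01T10:30:00", "kind": "epic_login_success", "user": "bjones", "host": "10.8.0.9"},
    {"ts": "2024-03-01T11:00:00", "kind": "recon", "host": "10.20.1.7"},
    {"ts": "2024-03-01T11:10:00", "kind": "epic_login_failure", "user": "cdoe", "host": "10.20.1.7"},
    {"ts": "2024-03-01T11:15:00", "kind": "epic_login_success", "user": "dlee", "host": "10.20.3.3"},
]

def followed_by(events, first_kind, second_kinds, key, window):
    """Pairs (first, second) where a second-stage event shares `key` with an
    earlier first-stage event and occurs no more than `window` after it."""
    latest_first = {}  # normalized key value -> (time, event) of newest first-stage event
    hits = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        ident = (ev.get(key) or "").lower()  # VPN and Epic names may differ in case
        if not ident:
            continue  # e.g. an IDS event carries no user name
        if ev["kind"] == first_kind:
            latest_first[ident] = (when, ev)
        elif ev["kind"] in second_kinds and ident in latest_first:
            first_time, first = latest_first[ident]
            if when - first_time <= window:
                hits.append((first, ev))
    return hits

def login_via_vpn(events):
    # Rule 1244 as described: same user, VPN login then successful Epic login within 1 hour.
    return followed_by(events, "vpn_login", {"epic_login_success"}, "user", timedelta(hours=1))

def recon_then_logon(events, window=timedelta(minutes=30)):
    # Rule 1315 as described: same host, recon then any Epic logon attempt.
    # The page only says "shortly after"; the 30-minute default is an assumption.
    return followed_by(events, "recon", {"epic_login_success", "epic_login_failure"}, "host", window)

if __name__ == "__main__":
    for first, second in login_via_vpn(EVENTS) + recon_then_logon(EVENTS):
        print(first["kind"], "->", second["kind"], second["user"], second["host"])
```

Joining on user only works if the VPN and Epic log sources report the same account name; where they do not, an identity mapping is needed before correlation.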


Epic : Unusual Patient Record Accesses

AIE Rule ID: 1317

Rule Description

Rule looks for sharp increases over the baseline in masked/unmasked patient data that is either displayed or printed.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unusual Patient Record Accesses

Classification:

Security : Suspicious

Suppression Period:

N/A

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

1

False Positive Probability:

5

Actions

Rule observes regular sensitive data unmasking activity and alarms if unmasking activity exceeds the baseline.

Use Case

A sudden spike in sensitive data unmasking activity may indicate attempted abuse of access to electronic healthcare records.


Epic : Unusual Login Activity

AIE Rule ID: 1318

Rule Description

Rule looks for login activity outside of the baseline.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unusual Login Activity

Classification:

Security : Suspicious

Suppression Period:

12

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

2

False Positive Probability:

5

Actions

Rule baselines normal login activity for a given user and alarms if there is a 1.5x change from the norm.

Use Case

A sudden spike in login activity outside of the norm may indicate a malicious actor has gained access to electronic healthcare records.
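A per-user baseline check in the spirit of this rule's Actions text, as an added example that is not the AI Engine's own rule logic. It assumes daily login counts per user, reads "1.5x change" as today's count reaching 1.5 times the user's trailing mean, and adds hypothetical `min_days` and `min_count` guards; the same shape fits the BTG and patient-record baseline rules (1313, 1314, 1317) with their own counters.

```python
from statistics import mean

# Constructed daily Epic login counts per user, oldest first (not real data).
HISTORY = {
    "asmith": [10, 12, 11, 9, 10, 11, 10],   # steady, busy account
    "bjones": [1, 0, 1, 1, 0, 1, 1],         # low-volume account
    "newhire": [4],                          # too little history to baseline
}
TODAY = {"asmith": 16, "bjones": 2, "newhire": 9, "cdoe": 3}

def unusual_activity(history, today, factor=1.5, min_days=5, min_count=5):
    """Return {user: (count_today, baseline)} for users whose count today is
    at least `factor` times their own trailing mean.

    min_days and min_count are hypothetical tuning knobs, not rule settings.
    """
    alarms = {}
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            continue  # cold start: no meaningful baseline yet
        baseline = mean(past)
        # Without a floor, a user going from 1 login to 2 would already alarm.
        if count >= min_count and count >= factor * baseline:
            alarms[user] = (count, baseline)
    return alarms

if __name__ == "__main__":
    for user, (count, baseline) in unusual_activity(HISTORY, TODAY).items():
        print(f"{user}: {count} logins today vs baseline {baseline:.1f}")
```

Accounts skipped for lack of history are not cleared by this check; new or unseen users need separate handling.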

Epic : Unauthorized Host Logon

AIE Rule ID: 1319

Rule Description

Rule is designed to alarm on logins to Epic Hyperspace from systems not in a defined authorized entity.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unauthorized Host Logon

Classification:

Security : Suspicious

Suppression Period:

N/A

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

2

False Positive Probability:

8

Actions

Watches for logins from a host not in an entity authorized to access Epic.

Use Case

Access to Epic from a host that is not authorized may indicate malicious intent and should be investigated.

Epic : Unusual Password Change Activity

AIE Rule ID: 1320

Rule Description

Rule is designed to observe a single user's password changes within several days.

Minimum Log Sources

Epic Hyperspace

Common Event:

AIE : Epic : Unusual Password Change Activity

Classification:

Security : Suspicious

Suppression Period:

3 Days

Alarm on Event Occurrence:

Yes

Environmental Dependence Factor:

2

False Positive Probability:

5

Actions

Watches for multiple password changes within a span of several days.

Use Case

Multiple password changes in a short period of time could indicate multiple users using a single account.
