Epic : Unauthorized Host Logon
AIE Rule: AIE : Epic : Unauthorized Host Logon
Use Case: Access to Epic from a host that is not authorized may indicate malicious intent and should be investigated.
Description: Watches for logins from a host that is not in an entity authorized to access Epic. The rule is designed to alarm on logins to Epic Hyperspace from systems outside a defined authorized entity.
Minimum Log Sources:
Classification:

Epic : Unusual Login Activity
AIE Rule: AIE : Epic : Unusual Login Activity
Use Case: A sudden spike in login activity outside of the norm may indicate that a malicious actor has gained access to electronic healthcare records.
Description: The rule baselines normal login activity for a given user and alarms if there is a 1.5x change from the norm. It looks for login activity outside the baseline.
Minimum Log Sources:
Classification:

Epic : Unusual Patient Record Accesses
AIE Rule: AIE : Epic : Unusual Patient Record Accesses
Use Case: A sudden spike in sensitive data unmasking activity may indicate attempted abuse of access to electronic healthcare records.
Description: The rule observes regular sensitive data unmasking activity and alarms if unmasking activity exceeds the baseline. It looks for sharp increases from the baseline in masked/unmasked patient data that is either displayed or printed.
Minimum Log Sources:
Classification:

Epic : Reconnaissance Activity Followed By Logon Attempt
AIE Rule: AIE : Epic : Recon Activity Followed By Logon Attempt
Use Case: A malicious actor has compromised the network and is searching for credentials on a host. A subsequent logon from that host to Epic may indicate a successful credential compromise.
Description: The rule watches for reconnaissance activity followed shortly afterwards by a logon attempt to Epic. It looks for reconnaissance activity on the network followed by a logon attempt (successful or unsuccessful) to Epic.
Minimum Log Sources:
Classification:

Epic : Unusual Unsuccessful Break-The-Glass Events
AIE Rule: AIE : Epic : Unusual Unsuccessful BTG Events
Use Case: A sudden spike in unsuccessful BTG activity may indicate attempted abuse of emergency access to electronic healthcare records.
Description: The rule observes regular unsuccessful Break The Glass activity and alarms if BTG activity exceeds the baseline. It is designed to baseline normal BTG failure event frequency and alert when there is unusual activity.
Minimum Log Sources:
Classification: Security : Suspicious
Suppression Period:

Epic : Unusual Successful Break-The-Glass Events
AIE Rule: AIE : Epic : Unusual Successful BTG Events
Use Case: A sudden spike in BTG activity may indicate abuse of emergency access to electronic healthcare records.
Description: The rule observes regular Break The Glass activity and alarms if BTG activity exceeds the baseline. It is designed to baseline normal BTG event frequency and alert when there is unusual activity.
Minimum Log Sources:
Classification:

Epic : Login Via VPN
AIE Rule: AIE : Epic : Login Via VPN
Use Case: An attacker has compromised user credentials and attempts to remotely access Electronic Healthcare Records. This may indicate inappropriate access to EHR.
Description: This rule fires when a user connects via a VPN and logs into Epic within 1 hour. It is intended to detect a VPN login followed within 1 hour by a successful login to Epic Hyperspace.
Minimum Log Sources:
Classification:
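The rules above fall into two families: sequence rules (one event followed by another within a window, such as the VPN connection followed within 1 hour by an Epic login) and baseline rules (a count that deviates from a user's norm, such as the 1.5x change in login activity, or the BTG and patient-record unmasking counts exceeding their baseline). The following Python is an added illustration of both families written for this page; it is not LogRhythm AIE rule logic or Epic log output. The event layout, the user names, the log source labels "vpn" and "epic", and the action values are all constructed assumptions. The baseline function is written generically so the same check applies to the BTG and unmasking rules, which the page describes with the same "exceeds the baseline" logic.

```python
"""Toy versions of two detection patterns from the rule list above.

 - login_via_vpn: a VPN connect followed within 1 hour by a successful Epic login
 - unusual_login_activity: today's count reaches 1.5x the user's mean baseline

All events and counts below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

VPN_TO_EPIC_WINDOW = timedelta(hours=1)  # window stated in the "Login Via VPN" rule
BASELINE_FACTOR = 1.5                     # factor stated in the "Unusual Login Activity" rule

# Constructed events: (timestamp, log source, user, action).
# The field layout is an assumption for this example, not Epic's or LogRhythm's format.
EVENTS = [
    ("2024-03-04T07:55:00", "vpn",  "jdoe",   "vpn_connect"),
    ("2024-03-04T08:20:00", "epic", "jdoe",   "login_success"),  # 25 min after VPN: alarm
    ("2024-03-04T06:00:00", "vpn",  "asmith", "vpn_connect"),
    ("2024-03-04T09:30:00", "epic", "asmith", "login_success"),  # 3.5 h after VPN: no alarm
    ("2024-03-04T10:00:00", "epic", "bkhan",  "login_success"),  # no VPN connect: no alarm
]


def parse(event):
    """Turn a raw tuple into (datetime, source, user, action)."""
    ts, src, user, action = event
    return datetime.fromisoformat(ts), src, user, action


def login_via_vpn(events, window=VPN_TO_EPIC_WINDOW):
    """Return (user, epic_login_ts) pairs where the same user connected via VPN
    within `window` before a successful Epic login. Events are processed in time
    order so only VPN connects that precede the login are considered."""
    parsed = sorted(parse(e) for e in events)
    vpn_times = defaultdict(list)  # user -> list of VPN connect timestamps seen so far
    hits = []
    for ts, src, user, action in parsed:
        if src == "vpn" and action == "vpn_connect":
            vpn_times[user].append(ts)
        elif src == "epic" and action == "login_success":
            if any(timedelta(0) <= ts - v <= window for v in vpn_times[user]):
                hits.append((user, ts.isoformat()))
    return hits


# Constructed per-user daily Epic login counts: the baseline days, then the day
# being evaluated. The same shape works for BTG or unmasking counts.
BASELINE_COUNTS = {
    "jdoe":   [4, 5, 4, 6, 5],      # mean 4.8, 1.5x = 7.2
    "asmith": [10, 12, 11, 9, 10],  # mean 10.4, 1.5x = 15.6
}
TODAY_COUNTS = {"jdoe": 9, "asmith": 11}


def unusual_login_activity(baseline, today, factor=BASELINE_FACTOR):
    """Return (user, observed, mean) for users whose count today reaches
    `factor` times their mean baseline count. Users with an all-zero baseline
    are skipped, since any activity would otherwise be an infinite change."""
    alarms = []
    for user, counts in baseline.items():
        mean = sum(counts) / len(counts)
        observed = today.get(user, 0)
        if mean > 0 and observed >= factor * mean:
            alarms.append((user, observed, mean))
    return alarms


if __name__ == "__main__":
    for user, ts in login_via_vpn(EVENTS):
        print(f"Login Via VPN: {user} logged into Epic at {ts} within 1h of a VPN connect")
    for user, observed, mean in unusual_login_activity(BASELINE_COUNTS, TODAY_COUNTS):
        print(f"Unusual Login Activity: {user} had {observed} logins vs baseline mean {mean:.1f}")
```

In a production rule the baseline would be maintained from the log stream rather than a fixed dict, and the sequence check would also want the host field so that the "Reconnaissance Activity Followed By Logon Attempt" rule can tie the recon source to the host that later attempts the Epic logon.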