Overview
This document explains how to integrate Epic Hyperspace with ADR SIEM. Epic Hyperspace is a syslog-based integration in which logs are received in CEF format. The integration gives you better visualization of threat events happening in your environment.
Prerequisite
Raw logs should arrive at the CCE server in CEF format.
Steps of Integration
Log in to the Epic Hyperspace user interface and go to Epic System Definitions > Security > Auditing Options > SIEM Syslog Settings > SIEM Syslog configuration. Then complete the following:
- Enter the CCE IP in the section SIEM Host IP and username.
- Enter port as 514 in the SIEM port section.
- Set Logging format to CEF.
- Set Syslog Ending Character to New Line "\n".
- Set Check Appliance Layer Response to Disabled.
- Keep send record to pointer as the default.
- Return to the SIEM Syslog settings menu and set SIEM Syslog as enabled.
Verification (MSSP Only)
We can verify whether the integration is successful in two ways.
On ADR UI
If logs are arriving at the CCE, the integration from the device to the CCE is working. Next, verify whether the CCE is sending the logs to the UI.
Go to the ADR UI >> Logs Flow Collection Screen.
In the Device IP column, check whether your Hyperspace device is showing up.
On CCE server
Run the command below on the CCE server and check whether you are receiving logs.
sudo tcpdump -i any port 514 and host <Hyperspace-ip> -AAA
While this command is running, perform some of the following activities in the Hyperspace UI to confirm that data is arriving live at the CCE:
- Login success
- Login Failed
- Password Change
- Switch User
Note: CCE only sends security logs. If you have just completed a fresh integration with CCE and do not see any data in the UI, perform the activities suggested above to generate security logs that can be checked.
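To check that what arrives on port 514 matches the settings above (CEF format, newline ending character), the captured payload can be run through a small validator. This is an added example, not Epic or ADR code; the vendor, product, event IDs and extension keys in the sample are constructed placeholders.

```python
import re

# One CEF header field: '|' and '\' may appear only in escaped form.
_FIELD = r"((?:\\.|[^|\\])*)"
_HEADER = re.compile(r"CEF:(\d+)\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$", re.S)
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")  # extension key at start or after whitespace
_NAMES = ["vendor", "product", "device_version", "event_class_id", "name", "severity"]

def _unescape(value):
    return re.sub(r"\\([|=\\])", r"\1", value)

def parse_cef(line):
    """Parse one syslog line; return a dict, or None if it has no valid CEF header."""
    m = _HEADER.search(line)  # search() skips any syslog prefix before "CEF:"
    if m is None:
        return None
    record = {"version": int(m.group(1))}
    record.update({n: _unescape(v) for n, v in zip(_NAMES, m.groups()[1:7])})
    ext = m.group(8)
    keys = list(_EXT_KEY.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]  # each value runs to the next key
    record["extension"] = {k.group(1): _unescape(ext[k.end():e].strip()) for k, e in zip(keys, ends)}
    return record

def check_stream(data):
    """Split captured bytes on the newline terminator; return (records, problems)."""
    records, problems = [], []
    for raw in data.decode("utf-8", "replace").split("\n"):
        if not raw.strip():
            continue
        if len(re.findall(r"CEF:\d+\|", raw)) > 1:  # two headers on one line
            problems.append("records run together (check Syslog Ending Character): " + raw[:40])
            continue
        rec = parse_cef(raw)
        (records if rec else problems).append(rec or "not CEF (check Logging format): " + raw[:40])
    return records, problems

# Constructed sample payloads; vendor, product, event IDs and keys are placeholders.
SAMPLE = (
    b"<134>Jan  1 00:00:00 host CEF:0|ExampleVendor|ExampleProduct|1.0|LOGIN_FAIL|Login Failed|5|"
    b"suser=jdoe src=192.0.2.10 msg=bad password for a\\=b\n"
    b"<134>Jan  1 00:00:01 host plain text event, not CEF\n"
    b"CEF:0|ExampleVendor|ExampleProduct|1.0|LOGIN_OK|Login success|3|suser=asmith"
    b"CEF:0|ExampleVendor|ExampleProduct|1.0|PWD_CHANGE|Password Change|3|suser=asmith\n"
)

if __name__ == "__main__":
    print(check_stream(SAMPLE))
```

A line reported as "records run together" points at the ending-character setting, while "not CEF" points at the logging format setting.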