Azure Sentinel integration

Citrix Analytics can export the risk intelligence it derives from risky events into your Microsoft Azure Sentinel environment. With this, you can collect, search, and analyze data from multiple data sources on a single platform, and use that data to monitor events, troubleshoot, and automate mitigation actions.

Citrix Analytics does not send raw data to Azure Sentinel. Instead, it sends processed data. The processed data sent to Azure Sentinel includes:

  • User risk score – Current risk score of a user. Citrix Analytics sends this data to Azure Sentinel every 12 hours.

  • Risk score change – The change in a user’s risk score. When a user’s risk score increases by any amount, or drops by more than 10%, the change is sent to Azure Sentinel.

  • Risk indicator summary – All risk indicators associated with the user, sent whenever a new risk indicator is generated for that user.

Benefits of Azure Sentinel integration

  • Greater visibility of security alerts in a centralized place.

  • A centralized way to detect potential security threats using the Citrix Analytics risk analysis data: risk indicators, user profiles, and risk scores.

  • Ability to combine and correlate the Citrix Analytics risk intelligence information of a user account with external data sources, within Azure Sentinel.

Prerequisites

Turn on data processing for at least one data source. Citrix Analytics needs at least one data source being processed before it can begin the Azure Sentinel integration.

How to integrate Citrix Analytics with Azure Sentinel

Follow the guidelines mentioned to integrate Citrix Analytics with Azure Sentinel:

  • Data export. Citrix Analytics creates a channel and exports risk intelligence to it. The Citrix Analytics Adapter for Azure Sentinel (described below) retrieves this risk intelligence from the channel and forwards it to Azure Sentinel.

  • Get configuration on Citrix Analytics. Create an account with Citrix Analytics to authenticate the Azure Sentinel integration. Citrix Analytics uses the account to prepare a configuration file required for the integration. The configuration file is used to configure the Citrix Analytics Adapter for Azure Sentinel.

  • Download Citrix Analytics Adapter for Azure Sentinel. Download the Citrix Analytics Adapter for Azure Sentinel application from GitHub. The adapter is a Python program that consumes alerts from a tenant-specific Kafka topic hosted by Citrix Analytics. You can run the adapter on any physical or virtual machine with Python 2.7 or above (Python 2.7 reached end of life in January 2020, so prefer a supported Python 3 release). The consumed alerts are posted to Azure Sentinel through a REST API.

  • Install Citrix Analytics Adapter for Azure Sentinel. Install the Citrix Analytics Adapter for Azure Sentinel application on a machine so that it can receive the Kafka data. The adapter contains placeholder variables for connecting to Azure Sentinel and the Kafka interface on Citrix Analytics. After installing the adapter, do the following:

    • Replace the placeholder variables related to the Kafka interface with the values obtained from the configuration file that Citrix Analytics has prepared.

    • Replace the Azure Sentinel related placeholder variables (for Workspace ID and API Key) with the respective values from your Azure account. The API key is a workspace credential that lets anyone holding it write data into your workspace, so keep the populated configuration out of source control and restrict read access to it on the machine running the adapter.
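The following is an added example, not code from the Citrix adapter or from Citrix, showing the two pieces of logic the sections above describe: the export rule for risk score changes (any increase, or a drop of more than 10%) and the request an adapter builds to post records to an Azure Log Analytics workspace, which is what a Sentinel workspace sits on. The records, the workspace ID, the shared key and the log type name are all constructed placeholders; the Kafka consumer is replaced by an in-memory list, and the request is built and verified without being sent. The signing scheme (HMAC-SHA256 over a fixed string-to-sign, presented as a `SharedKey` authorization header) is the public Log Analytics HTTP Data Collector API scheme, not something taken from the Citrix adapter.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample records standing in for messages read from the
# tenant-specific Kafka topic. Field names are illustrative, not the
# adapter's real schema.
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "previous_score": 40, "current_score": 55},  # increase: exported
    {"user": "bob@example.com", "previous_score": 80, "current_score": 75},    # -6.25%: not exported
    {"user": "carol@example.com", "previous_score": 80, "current_score": 60},  # -25%: exported
    {"user": "dave@example.com", "previous_score": 20, "current_score": 20},   # unchanged: not exported
]

# Constructed workspace credentials. A real shared key is base64 as well,
# which is why it is decoded before being used as the HMAC key.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"demo-key-not-a-real-workspace-key").decode("ascii")


def score_change_is_exported(previous, current, drop_threshold=0.10):
    """Export rule: any increase is sent; a decrease only if it exceeds
    drop_threshold (10%) of the previous score."""
    if current > previous:
        return True
    if previous > 0 and (previous - current) / previous > drop_threshold:
        return True
    return False


def select_exports(records):
    """Filter Kafka records down to the score changes worth forwarding."""
    return [r for r in records
            if score_change_is_exported(r["previous_score"], r["current_score"])]


def string_to_sign(content_length, date_rfc1123, method="POST",
                   content_type="application/json", resource="/api/logs"):
    """The canonical string the Data Collector API expects to be signed."""
    return "\n".join([method, str(content_length), content_type,
                      "x-ms-date:" + date_rfc1123, resource])


def build_authorization(workspace_id, shared_key, date_rfc1123, content_length):
    """Authorization header: SharedKey <workspace>:<base64(HMAC-SHA256(key, string_to_sign))>."""
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign(content_length, date_rfc1123).encode("utf-8"),
                      hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode("ascii"))


def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Return (url, headers, body) for one upload; nothing is sent here."""
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    now = now or datetime.now(timezone.utc)
    date = format_datetime(now, usegmt=True)  # RFC 1123 with a 'GMT' suffix, as the API requires
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,  # records land in the custom table <log_type>_CL
        "x-ms-date": date,
    }
    url = "https://{}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01".format(workspace_id)
    return url, headers, body


def verify_request(workspace_id, shared_key, headers, body):
    """Recompute the signature from the outgoing headers and body. Handy for a
    unit test of the adapter before it is pointed at a real workspace."""
    expected = build_authorization(workspace_id, shared_key, headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers["Authorization"])


def post(url, headers, body, timeout=30):
    """Send a prepared request (network call; not exercised offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status  # 200 on success


if __name__ == "__main__":
    exports = select_exports(SAMPLE_RECORDS)
    url, hdrs, payload = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, "CitrixAnalyticsDemo", exports)
    print(len(exports), "record(s) selected; signature valid:",
          verify_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, hdrs, payload))
```

Because the signature covers the content length and the `x-ms-date` header, a replayed or edited body fails verification, which is why the adapter must build the body first and sign last; the `__main__` block only prints what it selected and whether its own signature checks out, and `post` is left for a run against a real workspace.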

How to consume events in Azure Sentinel

After the adapter is installed and configured, do the following:

  1. Open your Azure Sentinel Workspace in the Azure portal.

  2. In the Configuration section, select Data connectors.

  3. Select Citrix Analytics Data Connector and select Open connector page. Follow the instructions to connect the events to Azure Sentinel.

  4. Select the Next steps tab and select the recommended Workbook to view the sample queries.

Note

  • Azure Sentinel integration with Citrix Analytics is currently not generally available. Therefore, information above is subject to change.

  • Contact CAS-PM-Ext@citrix.com to get access to the Citrix Analytics Adapter for Azure Sentinel and for assistance when onboarding your data to Azure Sentinel.