Example Sigma Signatures for Security Insights
This page contains example queries to help administrators achieve meaningful outcomes using Citrix Security Analytics.
These examples cover risks under the following categories:
- Compromised endpoints
- Insider threats
- Data exfiltration
How to use these examples
To view the data source, click Settings > Data Sources > Security in the Citrix Analytics GUI. The Apps and Desktops - Workspace app site card appears on the Data Sources page. Click Turn On Data Processing to allow Citrix Analytics to begin processing data for this data source.
Citrix Analytics for Security sends the following two types of risk insights data to your SIEM service:
- Risk insights events (Default exports)
- Data Source events (Optional exports)
As part of your SIEM environment, the risk insight event data sources are available and always turned on by default. For more information, see Data events exported from Citrix Analytics for Security to your SIEM service.
You can use either CAS queries or Sigma signatures to verify particular user events within your data sources. CAS queries are accessible through the Self-Service Search page in your Citrix Analytics GUI. Sigma signatures are written in a simple, user-friendly format that can be translated into the query languages of various SIEM environments.
You can use the CAS query under the Self-Service Search page to find and filter user events received from various data sources. Click Search from your Citrix Analytics GUI and enter the query in the search box. For more details, see How to use self-service search.
You can also create custom risk indicators with the existing templates. To create a custom risk indicator, navigate to Security > Custom Risk Indicators > Create Indicator. For more details, see Creating a Custom Risk Indicator.
Sigma is a user-friendly, open signature format for creating text-based queries that analysts can use to describe log events, making detections easier to write. There are a few different ways to convert a Sigma signature to your SIEM tool’s query language.
You can use the CLI tools and Python SDKs offered by the Sigma project. For more information on Sigma signatures, see Rule Usage.
You can also use public tools such as uncoder.io’s Sigma Translation Engine, which offers a free tier.
Refer to the following Custom Indicator use cases, each of which addresses a different risk insight:
- Unsanctioned browser
- Unsanctioned operating system
- Unsanctioned Workspace App Versions
- Unauthorized operating systems outside allow list
- Unauthorized IP address or subnets
- Unauthorized virtual apps
- Unusual desktop names
- Monitor specific application
- Printing from SaaS apps
- Clipboard usage on SaaS apps
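As an added illustration of how a Sigma signature expresses one of the use cases above (Unsanctioned browser), the following Python code is not part of this page or of the Citrix product: it writes the rule as the dict a YAML loader would produce, evaluates the `selection and not sanctioned` condition locally against constructed events, and so shows what the rule will flag before it is translated for a SIEM. The field names `event_type`, `browser` and `user` are assumptions, not documented Citrix Analytics fields.

```python
# Hypothetical Sigma rule for the "Unsanctioned browser" use case, written as
# the Python dict that YAML would load to. Field names (event_type, browser,
# user) are assumptions for illustration, not documented Citrix Analytics fields.
UNSANCTIONED_BROWSER_RULE = {
    "title": "Unsanctioned browser used for a Workspace app session",
    "logsource": {"product": "citrix_analytics", "service": "apps_and_desktops"},
    "detection": {
        "selection": {"event_type": "Session.Logon"},
        # Allow list: a browser not starting with one of these values is flagged
        "sanctioned": {"browser|startswith": ["Chrome", "Edge"]},
        "condition": "selection and not sanctioned",
    },
}

def field_matches(event, key, expected):
    """Apply one Sigma field test; supports the startswith/contains modifiers."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, ""))
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in map(str, candidates):  # a list of values is ORed
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
        if modifier == "" and value == cand:
            return True
    return False

def block_matches(event, block):
    """All field tests inside one named detection block are ANDed."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    """Evaluate the 'X' and 'X and not Y' condition forms used in these examples."""
    det = rule["detection"]
    pos, _, neg = det["condition"].partition(" and not ")
    hit = block_matches(event, det[pos])
    if neg:
        hit = hit and not block_matches(event, det[neg])
    return hit

def find_hits(rule, events):
    # Users whose events the rule flags, for analyst review in the SIEM
    return [e["user"] for e in events if rule_matches(rule, e)]

SAMPLE_EVENTS = [  # constructed sample events, not real Citrix Analytics telemetry
    {"user": "alice", "event_type": "Session.Logon", "browser": "Chrome 122"},
    {"user": "bob", "event_type": "Session.Logon", "browser": "Safari 17"},
    {"user": "carol", "event_type": "Session.Logoff", "browser": "Opera 105"},
]
```

Running `find_hits(UNSANCTIONED_BROWSER_RULE, SAMPLE_EVENTS)` flags only `bob`: the logoff event is outside the selection, and Chrome is on the allow list. Note that an event with no browser field at all is also flagged, which is the usual Sigma `not` semantics and worth remembering when tuning the rule.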