Example Sigma Signatures for Security Insights

October 31, 2023

Contributed by:

This page contains example queries to help administrators achieve meaningful outcomes using Citrix Security Analytics.

These examples cover risks under the following categories:

Compromised endpoints
Insider threats
Data exfiltration

How to use these examples

View the data source and turn on the data processing

To view the data source, click Settings > Data Sources > Security in the Citrix Analytics GUI. The Apps and Desktops- Workspace app site card appears on the Data Sources page. Click Turn On Data Processing to allow Citrix Analytics to begin processing data for this data source.

Citrix Analytics for Security sends the following two types of risk insights data to your SIEM service:

Risk insights events (Default exports)
Data Source events (Optional exports)

As part of your SIEM environment, the risk insight event data sources are available and always turned on by default. For more information, see Data events exported from Citrix Analytics for Security to your SIEM service.

You can use either CAS or Sigma signatures to verify any particular user events within your data sources. CAS queries are accessible through the Self-Service Search page on your Citrix Analytics GUI. The Sigma signatures are written in a simple or user-friendly format, making them compatible with various SIEM environments.

Using CAS queries

You can use the CAS query under the Self-Service Search page to find and filter user events received from various data sources. Click Search from your Citrix Analytics GUI and enter the query in the search box. For more details, see How to use self-service search.

You can also create custom risk indicators with the existing templates. To create a custom risk indicator, navigate to Security > Custom Risk Indicators > Create Indicator. For more details, see Creating a Custom Risk Indicator.

Using Sigma signatures

Sigma is a user-friendly, open signature format for creating text-based queries that analysts can use to describe log events, making detections easier to write. There are a few different ways to convert a Sigma signature to your SIEM tool’s query language.

You can use the CLI tools and Python SDKs offered by Sigma. For more information on Sigma signature, see Rule Usage.
You can use public tools such as uncoder.io’s Sigma Translation Engine which offers a free tier.

Refer to the following different Custom Indicator use cases for the different risk insights:

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Example Sigma Signatures for Security Insights

October 31, 2023

Contributed by:

October 31, 2023

Contributed by:

Example Sigma Signatures for Security Insights

How to use these examples

View the data source and turn on the data processing

Using CAS queries

Using Sigma signatures

In this article