Citrix Analytics for Security

Example Sigma Signatures for Security Insights

This page contains example queries to help administrators achieve meaningful outcomes using Citrix Security Analytics.

These examples cover risks under the following categories:

  • Compromised endpoints
  • Insider threats
  • Data exfiltration

How to use these examples

View the data source and turn on the data processing

To view the data source, click Settings > Data Sources > Security in the Citrix Analytics GUI. The Apps and Desktops- Workspace app site card appears on the Data Sources page. Click Turn On Data Processing to allow Citrix Analytics to begin processing data for this data source.

Citrix Analytics for Security sends the following two types of risk insights data to your SIEM service:

  • Risk insights events (Default exports)
  • Data Source events (Optional exports)

As part of your SIEM environment, the risk insight event data sources are available and always turned on by default. For more information, see Data events exported from Citrix Analytics for Security to your SIEM service.

You can use either CAS or Sigma signatures to verify any particular user events within your data sources. CAS queries are accessible through the Self-Service Search page on your Citrix Analytics GUI. The Sigma signatures are written in a simple or user-friendly format, making them compatible with various SIEM environments.

Using CAS queries

You can use the CAS query under the Self-Service Search page to find and filter user events received from various data sources. Click Search from your Citrix Analytics GUI and enter the query in the search box. For more details, see How to use self-service search.

You can also create custom risk indicators with the existing templates. To create a custom risk indicator, navigate to Security > Custom Risk Indicators > Create Indicator. For more details, see Creating a Custom Risk Indicator.

Using Sigma signatures

Sigma is a user-friendly, open signature format for creating text-based queries that analysts can use to describe log events, making detections easier to write. There are a few different ways to convert a Sigma signature to your SIEM tool’s query language.

  • You can use the CLI tools and Python SDKs offered by Sigma. For more information on Sigma signature, see Rule Usage.

  • You can use public tools such as’s Sigma Translation Engine which offers a free tier.

Refer to the following different Custom Indicator use cases for the different risk insights:

Example Sigma Signatures for Security Insights