Citrix Analytics for Security

Microsoft Azure Sentinel integration


  • Azure Sentinel integration with Citrix Analytics for Security is currently not generally available. Therefore, the following information is subject to change.

  • Contact to get access to the Citrix Analytics Adapter for Azure Sentinel and for assistance when onboarding your data to Azure Sentinel.

Citrix Analytics for Security enables users to export the data analyzed for risky events into their Microsoft Azure Sentinel environment. With this, you can collect, search, and analyze data from multiple data sources on a single platform. Using this data, you can monitor the events, troubleshoot, and automate mitigation actions.

Citrix Analytics for Security does not send raw data to Azure Sentinel. Instead, it sends processed data. The processed data sent to Azure Sentinel includes:

  • User risk score – Current risk score of a user. Citrix Analytics for Security sends this data to Azure Sentinel every 12 hours.

  • Risk score change – The change in a user’s risk score. The data is sent to the SIEM service when the change in a user’s risk score is three or more and the score either increases (by any amount) or drops by more than 10%.

  • Risk indicator summary – All risk indicators associated with a user.

For information on the schema of the processed data, see Citrix Analytics data format for SIEM.

Benefits of Azure Sentinel integration

  • Greater visibility of security alerts in a centralized place.

  • Centralized approach to detect potential security threats for organizational risk analysis capabilities such as risk indicators, user profiles, and risk scores.

  • Ability to combine and correlate the Citrix Analytics risk intelligence information of a user account with external data sources, within Azure Sentinel.


Turn on data processing for at least one data source so that Citrix Analytics for Security can begin the Azure Sentinel integration process.

How to integrate Citrix Analytics with Azure Sentinel

Follow these guidelines to integrate Citrix Analytics for Security with Azure Sentinel:

  • Data export. Citrix Analytics for Security creates a channel and exports risk intelligence. Azure Sentinel retrieves this risk intelligence from the channel.

  • Get configuration on Citrix Analytics for Security. Create an account with Citrix Analytics for Security to authenticate the Azure Sentinel integration. Citrix Analytics for Security uses the account to prepare a configuration file required for the integration. The configuration file is used to configure the Citrix Analytics Adapter for Azure Sentinel.

  • Download Citrix Analytics Adapter for Azure Sentinel. Download the Citrix Analytics Adapter for Azure Sentinel application from GitHub. The adapter is a Python program that consumes alerts from a tenant-specific Kafka topic that is hosted by Citrix Analytics. You can run the adapter on any physical or virtual machine with Python 2.7 or above. The consumed alerts are posted to Azure Sentinel using the REST API.

  • Install Citrix Analytics Adapter for Azure Sentinel. Install the Citrix Analytics Adapter for Azure Sentinel application on a machine so that it can receive the Kafka data. The adapter contains placeholder variables for connecting to Azure Sentinel and the Kafka interface on Citrix Analytics for Security. After installing the adapter, do the following:

    • Replace the placeholder variables related to the Kafka interface with the values obtained from the configuration file that Citrix Analytics for Security has prepared.

    • Replace the Azure Sentinel placeholder variables (Workspace ID and API Key) with the respective values from your Azure account.
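The adapter described above posts consumed alerts to Azure Sentinel over the REST API using the Workspace ID and API Key. The following Python 3 program is an added example and is not the Citrix Analytics Adapter's own code: it shows the part of that flow a practitioner most often has to verify, namely signing a request for the Log Analytics HTTP Data Collector API (the Workspace ID becomes the SharedKey principal, the base64 API Key is decoded and used as the HMAC-SHA256 key) and forwarding alerts in batches. The Kafka consumer is replaced by a plain iterable and the HTTP call by a `post` callable so the code runs offline; the alert records, the `CitrixAnalytics` log type, the batch size and the placeholder key are constructed for the example and are not the schema or settings Citrix ships.

```python
"""Added example: forward Citrix Analytics processed events to an Azure
Sentinel (Log Analytics) workspace via the HTTP Data Collector API.
Not the Citrix adapter's code; the Kafka side is stubbed as an iterable."""
import base64
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from email.utils import format_datetime

LOG_TYPE = "CitrixAnalytics"   # assumed custom table name; Sentinel appends "_CL"
RESOURCE = "/api/logs"         # Data Collector API resource path
API_VERSION = "2016-04-01"
BATCH_SIZE = 100               # records per POST; an assumption, not a Citrix setting


def rfc1123_now(now=None):
    """RFC 1123 timestamp in GMT, the format the x-ms-date header requires."""
    now = now or datetime.now(timezone.utc)
    return format_datetime(now, usegmt=True)


def string_to_sign(content_length, date_header, method="POST",
                   content_type="application/json", resource=RESOURCE):
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{date_header}\n{resource}"


def authorization_header(workspace_id, shared_key_b64, content_length, date_header):
    """SharedKey header: workspace ID plus base64(HMAC-SHA256(key, string_to_sign))."""
    key = base64.b64decode(shared_key_b64)   # the portal shows the key base64-encoded
    msg = string_to_sign(content_length, date_header).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, records, log_type=LOG_TYPE, now=None):
    """Assemble URL, headers and body for one POST of a batch of records."""
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    date_header = rfc1123_now(now)
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": authorization_header(workspace_id, shared_key_b64, len(body), date_header),
            "Log-Type": log_type,
            "x-ms-date": date_header,
        },
        "body": body,
    }


def _flush(batch, post, workspace_id, shared_key_b64):
    status = post(build_request(workspace_id, shared_key_b64, batch))
    if status != 200:   # the Data Collector API answers 200 for an accepted payload
        raise RuntimeError(f"Sentinel rejected batch: HTTP {status}")
    return len(batch)


def forward_alerts(alerts, post, workspace_id, shared_key_b64, batch_size=BATCH_SIZE):
    """Drain an iterable of alert dicts (stand-in for the Kafka consumer) into
    Sentinel in batches. `post(request) -> int` does the HTTP call and returns
    the status code. Returns the number of records accepted."""
    batch, sent = [], 0
    for alert in alerts:
        batch.append(alert)
        if len(batch) == batch_size:
            sent += _flush(batch, post, workspace_id, shared_key_b64)
            batch = []
    if batch:
        sent += _flush(batch, post, workspace_id, shared_key_b64)
    return sent


# Constructed sample records mirroring the three processed-data kinds the
# integration sends; field names are illustrative, not the documented schema.
SAMPLE_ALERTS = [
    {"eventType": "userRiskScore", "user": "alice@example.com", "riskScore": 72},
    {"eventType": "riskScoreChange", "user": "bob@example.com", "riskScoreDelta": 15},
    {"eventType": "riskIndicatorSummary", "user": "alice@example.com",
     "indicators": ["Unusual login"]},
]

# Constructed, non-secret placeholder key (base64 of 32 zero bytes) for offline runs.
PLACEHOLDER_KEY = base64.b64encode(b"\x00" * 32).decode("ascii")

if __name__ == "__main__":
    # Real values come from the environment; never hard-code the workspace key.
    ws = os.environ.get("SENTINEL_WORKSPACE_ID", "00000000-0000-0000-0000-000000000000")
    key = os.environ.get("SENTINEL_SHARED_KEY", PLACEHOLDER_KEY)

    def dry_post(req):   # dry run: show the request instead of sending it
        print(req["url"])
        print(req["headers"]["x-ms-date"], req["headers"]["Authorization"][:24] + "...")
        return 200

    print("records forwarded:", forward_alerts(SAMPLE_ALERTS, dry_post, ws, key))
```

Replacing `dry_post` with a function that performs the HTTPS POST (for example with `urllib.request`) turns the dry run into a live forwarder; because the signature covers the content length and the `x-ms-date` value, a request replayed with a changed body or a stale date is rejected by the service, which is why the header must be recomputed per batch rather than cached.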

How to consume events in Azure Sentinel

After the adapter is installed and configured, do the following:

  1. Open your Azure Sentinel Workspace in the Azure portal.

  2. In the Configuration section, select Data connectors.

  3. Select Citrix Analytics Data Connector and select Open connector page. Follow the instructions to connect the events to Azure Sentinel.

  4. Select the Next steps tab and select the recommended Workbook to view the sample queries.
