Splunk integration
Previously, users were unable to correlate information about their organization’s security risk capabilities such as risk indicators, user profiles, and risk scores. Hence, users were unable to gain actionable insights to this information. To meet this requirement, Citrix Analytics allows users to integrate with Splunk.
Splunk integration helps you to export data analyzed for risky events from Citrix Analytics into your Splunk environment. You can search, collect, and analyze data from multiple data sources on a single platform. Using this data, you can troubleshoot and monitor the events.
Citrix Analytics does not send raw data to Splunk. Instead, it sends processed data. The processed data sent to Splunk includes:
-
Risk score change – This is the change in a user’s risk score. When a user’s risk score increases at any rate or drops by more than 10% the change is sent to Splunk.
-
Risk indicator summary – All risk indicators associated with the user, when a new risk indicator is generated.
-
User risk score – Current risk score of a user. Citrix Analytics sends this data to Splunk every 12 hours.
-
User apps – Application that the user has launched and used. Citrix Analytics retrieves this data from Citrix Virtual Apps and sends it to Splunk every 12 hours.
-
User device – Devices that the user is associated with. Citrix Analytics retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to Splunk every 12 hours.
-
User location – City that the user was last detected in. Citrix Analytics retrieves this data from Citrix Content Collaboration and sends it to Splunk every 12 hours.
-
Data usage– Data uploaded and downloaded by the user through Citrix Content Collaboration. Citrix Analytics sends this data to Splunk every 12 hours.
Benefits of Splunk integration
-
Greater visibility of security alerts in a centralized place
-
Centralized approach to detect potential security threats for organizational risk analysis capabilities such as risk indicators, user profiles, and risk scores.
-
Ability to combine and correlate the Citrix Analytics risk intelligence information of a user account with external data sources, within Splunk.
Prerequisites
Turn on data processing for at least one data source. It helps Citrix Analytics to begin the Splunk integration process.
How to integrate Citrix Analytics with Splunk
Follow the guidelines mentioned to integrate Citrix Analytics with Splunk:
-
Data export. Citrix Analytics creates a channel and exports risk intelligence. Splunk retrieves this risk intelligence from the channel.
-
Get configuration on Citrix Analytics. Create a password for your pre-defined account for authentication. Citrix Analytics prepares a configuration file required for you to configure the Citrix Analytics add-on for Splunk.
-
Download Citrix Analytics add-on for Splunk. Download the Citrix Analytics Add-on for Splunk (TA_CTXS_AS.tar.gz) app.
-
Install Citrix Analytics add-on for Splunk. Upload the Citrix Analytics Add-on for Splunk application in Splunk and complete the installation process.
-
Configure Citrix Analytics add-on for Splunk. Set up a data input by using the configuration details provided by Citrix Analytics and configure the Citrix Analytics add-on for Splunk.
After the Citrix Analytics configuration file is prepared, see:
After the Citrix Analytics add-on for Splunk is configured, see:
Data export
-
Go to Settings > Data Sources >Security > DATA EXPORTS.
-
On the Splunk site card, select Get Started. You get redirected to the Configure Splunk Integration page.
-
On the Configure Splunk Integration page, navigate to the Configuration on Citrix Analytics section.
Get configuration on Citrix Analytics
-
Create a password for your pre-defined account by updating the PASSWORD and CONFIRM PASSWORD fields.
Follow the password rules that are displayed.
-
Click Configure. Citrix Analytics starts preparing a configuration file required for Splunk integration. You receive a notification when the file is prepared. Details such as user name, host, topic name, and group name are provided in the CONFIGURATION DETAILS section.
Download Citrix Analytics add-on for Splunk
-
Go to the Citrix Analytics Add-on for Splunk Download page (logon is required).
-
Click Download File.
-
On the End-User License Agreement screen, read the terms and conditions, and then select Yes, I accept. The download process is initiated.
-
On the Download Agreement screen, read the terms and conditions. To acknowledge, select the I have read and certify that I comply with the above Export Control Laws check-box.
-
Click Accept.
Install Citrix Analytics add-on for Splunk
-
Log on to your Splunk Forwarder or Splunk Standalone environment.
-
Navigate to Apps.
-
Click the Manage Apps icon that is displayed next to Apps.
-
On the Apps page, click Install app from file.
-
In the Upload an app section, select the TA_CTXS_AS.tar.gz app. If there is an app upgrade, click Upgrade app. Checking this will overwrite the app if it already exists.
-
Click Upload. You receive a notification message on the Apps page that the add-on is installed. The Citrix Analytics Add-on for Splunk app is displayed in the Apps list.
Configure Citrix Analytics add-on for Splunk
Configure the Citrix Analytics add-on for Splunk using the configuration details provided by Citrix Analytics. After the add-on is successfully configured, Splunk starts consuming events from Citrix Analytics.
-
On the Splunk home page, go to Settings > Data inputs.
-
In the Local inputs section, click Citrix Analytics Add-on.
-
Click New.
-
On the Add Data page, enter the details provided in the Citrix Analytics configuration file.
-
To customize your default settings, click More settings and set up the data input. You can define your own Splunk index, host name, and source type.
-
Click Next. Your Citrix Analytics data input is created and the Citrix Analytics add-on for Splunk is configured successfully.
Reset Citrix Analytics configuration password
If you want to reset your configuration password on Citrix Analytics, follow the steps mentioned below:
-
On the Configuration on Citrix Analytics page, click Reset Password.
-
On the Reset Password window, specify the updated password on the NEW PASSWORD and CONFIRM NEW PASSWORD fields. Follow the password rules that are displayed.
-
Click Reset. The configuration file preparation is initiated.
Note
After you reset the configuration password, ensure you update the new password when you set up the data input on the Add Data page of your Splunk environment. It helps Citrix Analytics to continue transmitting data to Splunk.
Turn on or turn off data transmission
After the Citrix Analytics configuration file is prepared, data transmission is turned on for Splunk. Citrix Analytics can transmit risk intelligence information to Splunk.
To stop transmitting data from Citrix Analytics:
-
Go to Settings > Data Sources > Security > DATA EXPORTS.
-
On the Splunk site card, select the vertical ellipsis (⋮) and then click Turn off data transmission.
-
To confirm, click Turn off data transmission.
How to consume events in Splunk
After you configure the add-on, Splunk starts retrieving risk intelligence from Citrix Analytics. You can start searching your organization’s events on the Splunk search head based on the configured data input.
The search results are displayed in the following format:
A sample output is provided below:
To search and debug issues with the add-on, use the following search query:
The results are displayed in the following format:
Supported versions
Citrix Analytics supports Splunk integration on the Ubuntu 18.04.1, Red Hat Enterprise Linux Server 7.x, Debian GNU/Linux 9, CentOS Linux 7.x, and SUSE Linux Enterprise Server 12 operating systems.
You can configure Splunk integration on the following Splunk versions:
- Splunk 8.0 64-bit
- Splunk 7.3 64-bit
- Splunk 7.2 64-bit
- Splunk 7.1 64-bit
- Splunk 7.0 64-bit
- Splunk 6.6 64-bit
- Splunk 6.5 64-bit