Citrix Analytics for Security

Splunk integration

Integrate Citrix Analytics for Security with Splunk to export and correlate the users’ data from your Citrix IT environment and get deeper insights into your organization’s security posture. This integration enhances the value of both your Citrix Analytics for Security and Splunk deployments. It enables the Security Operations teams to correlate, analyze, and search data from disparate logs, helping them to identify and quickly remediate the security risks. Also, insightful dashboards that are unique to Citrix Analytics for Security can be viewed in your Splunk environment. You can create custom views based on your security requirements.

Citrix Analytics for Security processes the users’ data from multiple products in your Citrix IT environment. Citrix Analytics for Security does not send raw data to Splunk. Instead, it sends processed data, which includes:

  • Risk score change – The change in a user’s risk score. This data is sent to the SIEM service when the change is three points or more and the score either increases (by any amount) or drops by more than 10%.

  • Risk indicator summary – All risk indicators associated with a user.

  • User risk score – Current risk score of a user. Citrix Analytics for Security sends this data to Splunk every 12 hours.

  • User apps – Applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to Splunk every 12 hours.

  • User device – Devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to Splunk every 12 hours.

  • User location – The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration. This data is sent to Splunk every 12 hours.

  • Data usage – Data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to Splunk every 12 hours.

For information on the schema of the processed data, see Citrix Analytics data format for SIEM.
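
To make the export threshold in the Risk score change item concrete, the following is an added Python example (not Citrix code) that applies the rule stated above to a constructed list of score updates. It reads the rule as: export when the absolute change is at least three points and the score either increased or dropped by more than 10%. That reading, the ScoreUpdate structure and the user names are assumptions of this example; the real record schema is the one documented in Citrix Analytics data format for SIEM.

```python
"""Added example (not Citrix code): apply the risk-score-change export rule.

Interpretation of the page's rule (an assumption of this example):
a change is exported when |new - old| >= 3 points and the score either
increased (by any amount) or dropped by more than 10% of the old value.
"""
from dataclasses import dataclass
from typing import Iterable, List

MIN_ABS_CHANGE = 3          # minimum change in score points to be considered
MAX_SILENT_DROP_PCT = 10.0  # a drop of more than this percentage is exported


@dataclass(frozen=True)
class ScoreUpdate:
    """Constructed structure: one observed change of a user's risk score."""
    user: str
    old_score: int
    new_score: int


def drop_percent(old: int, new: int) -> float:
    """Percentage decrease from old to new; 0.0 if the score did not drop."""
    if old <= 0 or new >= old:
        return 0.0
    return (old - new) * 100.0 / old


def should_export(update: ScoreUpdate) -> bool:
    """True if this update would be sent to the SIEM under the stated rule."""
    delta = update.new_score - update.old_score
    if abs(delta) < MIN_ABS_CHANGE:
        return False          # change too small, regardless of direction
    if delta > 0:
        return True           # any increase of 3+ points is exported
    # a decrease of 3+ points is exported only if it is more than 10% of old
    return drop_percent(update.old_score, update.new_score) > MAX_SILENT_DROP_PCT


def select_exports(updates: Iterable[ScoreUpdate]) -> List[ScoreUpdate]:
    """Filter a batch of updates down to those that would be exported."""
    return [u for u in updates if should_export(u)]


# Constructed sample input; the comments state the expected decision.
SAMPLE_UPDATES = [
    ScoreUpdate("alice", 10, 13),   # +3 increase            -> exported
    ScoreUpdate("bob", 10, 12),     # +2, below 3 points     -> not exported
    ScoreUpdate("carol", 50, 46),   # -4 points, 8% drop     -> not exported
    ScoreUpdate("dave", 20, 16),    # -4 points, 20% drop    -> exported
    ScoreUpdate("erin", 30, 27),    # -3 points, exactly 10% -> not exported
    ScoreUpdate("frank", 2, 0),     # -2 points              -> not exported
]

if __name__ == "__main__":
    for u in select_exports(SAMPLE_UPDATES):
        print(f"export {u.user}: {u.old_score} -> {u.new_score}")
```

The boundary cases are the ones worth checking in your own environment: a drop of exactly 10% is not "more than 10%", and a change of fewer than three points is never exported however large the percentage is.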

Benefits of Splunk integration

  • Greater visibility of security alerts in a centralized place

  • A centralized approach to detecting potential security threats, using organizational risk analysis capabilities such as risk indicators, user profiles, and risk scores.

  • Ability to combine and correlate the Citrix Analytics risk intelligence information of a user account with external data sources, within Splunk.

Supported versions

Citrix Analytics for Security supports Splunk integration on the following operating systems:

  • CentOS Linux 7 and later
  • Debian GNU/Linux 10.0 and later
  • Red Hat Enterprise Linux Server 7.0 and later
  • Ubuntu 18.04 LTS and later

IMPORTANT

  • Citrix recommends using the latest version of the preceding operating systems or the versions that are still under support from the respective vendors.

  • For the Linux kernel (64-bit) operating systems, use a kernel version that is supported by Splunk. For more information, see Splunk documentation.

You can configure Splunk integration on the following Splunk versions:

  • Splunk Cloud Inputs Data Manager (IDM)

  • Splunk 7.3 (64-bit) and later

Prerequisites

  • The Citrix Analytics add-on for Splunk connects to the following endpoints on Citrix Analytics for Security. Ensure that the endpoints are in the allow list in your network.

    Endpoint        US region                  EU region
    Kafka brokers   casnb-0.citrix.com:9094    casnb-eu-0.citrix.com:9094
                    casnb-1.citrix.com:9094    casnb-eu-1.citrix.com:9094
                    casnb-2.citrix.com:9094    casnb-eu-2.citrix.com:9094

  • Turn on data processing for at least one data source. It helps Citrix Analytics for Security to begin the Splunk integration process.
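
An added example, not part of Citrix's or Splunk's tooling: a Python script to run on the Splunk forwarder or standalone host to confirm that the Kafka brokers listed above are reachable on TCP port 9094 through your firewall or proxy allow list. It only opens and closes a TCP connection to each broker and sends no Kafka protocol traffic. The BROKERS table is taken from the page; the function names, the injectable probe parameter and the 5 second timeout are this example's own choices.

```python
"""Added example (not Citrix or Splunk code): allow-list reachability check
for the Citrix Analytics Kafka brokers from the Splunk host.

Only a TCP connect to port 9094 is attempted per broker; a False result
means the host could not complete the TCP handshake within the timeout,
which usually points at a missing allow-list entry or a DNS problem.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Broker hostnames as listed in the prerequisites table on this page.
BROKERS = {
    "us": ["casnb-0.citrix.com", "casnb-1.citrix.com", "casnb-2.citrix.com"],
    "eu": ["casnb-eu-0.citrix.com", "casnb-eu-1.citrix.com", "casnb-eu-2.citrix.com"],
}
KAFKA_PORT = 9094


def broker_endpoints(region: str) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs for a region ("us" or "eu")."""
    key = region.lower()
    if key not in BROKERS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(BROKERS)}")
    return [(host, KAFKA_PORT) for host in BROKERS[key]]


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # DNS failure, refused, filtered, or timed out
        return False


def check_region(region: str, timeout: float = 5.0,
                 probe: Callable[[str, int, float], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every broker of a region; returns {"host:port": reachable}.

    The probe is injectable so the decision logic can be tested offline.
    """
    return {f"{host}:{port}": probe(host, port, timeout)
            for host, port in broker_endpoints(region)}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Endpoints that failed the probe, sorted for stable reporting."""
    return sorted(ep for ep, ok in results.items() if not ok)


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us"
    results = check_region(region)
    for ep, ok in results.items():
        print(f"{ep}: {'reachable' if ok else 'UNREACHABLE'}")
    # non-zero exit if any broker is blocked, so the check can gate a rollout
    sys.exit(1 if unreachable(results) else 0)
```

Run it as `python3 check_brokers.py eu` on the host that will run the add-on; all three brokers of the region must be reachable, because the add-on may connect to any of them.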

How to integrate Citrix Analytics for Security with Splunk

Follow the guidelines mentioned to integrate Citrix Analytics for Security with Splunk:

  • Data export
  • Get configuration on Citrix Analytics for Security

After the Citrix Analytics configuration file is prepared, see:

  • Download Citrix Analytics add-on for Splunk
  • Install Citrix Analytics add-on for Splunk
  • Configure Citrix Analytics add-on for Splunk

After the Citrix Analytics add-on for Splunk is configured, see:

  • How to consume events in Splunk

Data export

  1. Go to Settings > Data Sources > Security > DATA EXPORTS.

  2. On the Splunk site card, select Get Started. You get redirected to the Configure Splunk Integration page.

  3. On the Configure Splunk Integration page, navigate to the Configuration on Citrix Analytics section.

Get configuration on Citrix Analytics for Security

  1. Create a password for your pre-defined account by updating the PASSWORD and CONFIRM PASSWORD fields.

    Follow the password rules that are displayed.

  2. Click Configure. Citrix Analytics for Security starts preparing a configuration file required for Splunk integration. You receive a notification when the file is prepared. Details such as user name, host, topic name, and group name are provided in the CONFIGURATION DETAILS section.

Download Citrix Analytics add-on for Splunk

  1. Go to the Citrix Analytics Add-on for Splunk Download page (logon is required).

  2. Click Download File.

  3. On the End-User License Agreement screen, read the terms and conditions, and then select Yes, I accept. The download process is initiated.

  4. On the Download Agreement screen, read the terms and conditions. To acknowledge, select the I have read and certify that I comply with the above Export Control Laws check-box.

  5. Click Accept.

Install Citrix Analytics add-on for Splunk

  1. Log on to your Splunk Forwarder or Splunk Standalone environment.

  2. Navigate to Apps.

  3. Click the Manage Apps icon that is displayed next to Apps.

  4. On the Apps page, click Install app from file.

  5. In the Upload an app section, select the TA_CTXS_AS.tar.gz file. If you are upgrading an existing installation, select Upgrade app; this overwrites the app if it already exists.

  6. Click Upload. You receive a notification message on the Apps page that the add-on is installed. The Citrix Analytics Add-on for Splunk app is displayed in the Apps list.

Configure Citrix Analytics add-on for Splunk

Configure the Citrix Analytics add-on for Splunk using the configuration details provided by Citrix Analytics for Security. After the add-on is successfully configured, Splunk starts consuming events from Citrix Analytics for Security.

  1. On the Splunk home page, go to Settings > Data inputs.

  2. In the Local inputs section, click Citrix Analytics Add-on.

  3. Click New.

  4. On the Add Data page, enter the details provided in the Citrix Analytics configuration file.

  5. To customize your default settings, click More settings and set up the data input. You can define your own Splunk index, host name, and source type.

  6. Click Next. Your Citrix Analytics data input is created and the Citrix Analytics add-on for Splunk is configured successfully.

Reset Citrix Analytics configuration password

If you want to reset your configuration password on Citrix Analytics for Security, do the following steps:

  1. On the Configuration on Citrix Analytics page, click Reset Password.

  2. On the Reset Password window, enter the new password in the NEW PASSWORD and CONFIRM NEW PASSWORD fields. Follow the password rules that are displayed.

  3. Click Reset. The configuration file preparation is initiated.

Note

After you reset the configuration password, ensure you update the new password when you set up the data input on the Add Data page of your Splunk environment. It helps Citrix Analytics for Security to continue transmitting data to Splunk.

Turn on or off data transmission

After the Citrix Analytics configuration file is prepared, data transmission is turned on for Splunk. Citrix Analytics for Security can transmit risk intelligence information to Splunk.

To stop transmitting data from Citrix Analytics for Security:

  1. Go to Settings > Data Sources > Security > DATA EXPORTS.

  2. On the Splunk site card, select the vertical ellipsis (⋮) and then click Turn off data transmission.

  3. To confirm, click Turn off data transmission.

How to consume events in Splunk

After you configure the add-on, Splunk starts retrieving risk intelligence from Citrix Analytics for Security. You can start searching your organization’s events on the Splunk search head based on the configured data input.

The search results are displayed in the following format:

    (screenshot: Splunk events consumption)

A sample output:

    (screenshot: Splunk events consumption)

To search and debug issues with the add-on, use the following search query:

    (screenshot: Splunk events consumption)

The results are displayed in the following format:

    (screenshot: Splunk events consumption)

For more information about the data format, see Citrix Analytics data format for SIEM.

Citrix Analytics App for Splunk

Note

This app is in preview.

Citrix Analytics App for Splunk enables Splunk Enterprise administrators to view the user data collected from Citrix Analytics for Security in the form of insightful and actionable dashboards on Splunk. Using these dashboards, you get a detailed view of the users’ risky behavior in your organization and can take timely action to mitigate insider threats. You can also correlate the data collected from Citrix Analytics for Security with other data sources configured on your Splunk. This correlation gives you visibility into the users’ risky activities from multiple sources so that you can take action to protect your IT environment.

Supported Splunk version

The Citrix Analytics App for Splunk runs on the following Splunk versions:

  • Splunk 8.2 64-bit

  • Splunk 8.1 64-bit

  • Splunk 8.0 64-bit

  • Splunk 7.3 64-bit

Prerequisites for Citrix Analytics App for Splunk

  • Install the Citrix Analytics add-on for Splunk.

  • Ensure the prerequisites mentioned for the Citrix Analytics add-on for Splunk are already met.

  • Ensure that the data is flowing from Citrix Analytics for Security to Splunk.

Installation and configuration

Where to install the app?

Splunk search head

How to install and configure the app?

You can install the Citrix Analytics App for Splunk by downloading it from Splunkbase or by installing it from within Splunk.

Install app from file

  1. Go to Splunkbase.

  2. Download the Citrix Analytics App for Splunk file.

  3. On the Splunk Web home page, click the gear icon next to Apps.

  4. Click Install app from file.

  5. Locate the downloaded file and click Upload.

    Note

    If you have an older version of the app, select Upgrade app to overwrite it.

  6. Verify that the app appears in the Apps list.

Install app from within Splunk

  1. From the Splunk Web home page, click +Find More Apps.

  2. On the Browse More Apps page, search Citrix Analytics App for Splunk.

  3. Click Install next to the app.

Configure your index and source type to correlate data

  1. After you install the app, click Set up now.

  2. Enter the following values:

    • Index and source type where the data from Citrix Analytics for Security is stored.

      Note

      These values must be the same as those specified in the Citrix Analytics add-on for Splunk. For more information, see Configure Citrix Analytics add-on for Splunk.

    • Index from which you want to correlate your data with Citrix Analytics for Security.

  3. Click Finish App Setup to complete the configuration.

After you have configured and set up the Citrix Analytics App for Splunk, use the Citrix Analytics dashboards to view the user events on your Splunk.
