Citrix Analytics for Security

Security Information and Event Management (SIEM) integration

Note

Contact CAS-PM-Ext@citrix.com to request assistance with the SIEM integration and with exporting data to your SIEM, or to provide feedback.

Integrate Citrix Analytics for Security with your SIEM services and export the users’ data from the Citrix IT environment to your SIEM. Correlate the exported data with the data available in your SIEM to get deeper insights into your organization’s security posture.

This integration enhances the value of both your Citrix Analytics for Security and your SIEM.

Benefits

  • Enables your Security Operations teams to correlate, analyze, and search data from disparate logs.

  • Helps your Security Operations teams identify and quickly remediate security risks.

  • Visibility of security alerts in a centralized place.

  • A centralized approach to detecting potential security threats, drawing on organizational risk analysis capabilities such as risk indicators, user profiles, and risk scores.

  • Ability to combine and correlate the Citrix Analytics risk intelligence information of a user account with the external data sources connected within your SIEM.

Supported SIEMs

You can integrate Citrix Analytics for Security with the following services:

Processed data from Citrix Analytics for Security to your SIEM service

Citrix Analytics for Security processes the users’ data from multiple products in your Citrix IT environment. Citrix Analytics for Security does not send raw data to your SIEM. Instead, it sends processed data, which includes:

  • Risk score change – The change in a user’s risk score. The data is sent to the SIEM service when the change in a user’s risk score is three or more and the score either increases by any amount or drops by more than 10%.

  • Risk indicator summary – All risk indicators associated with a user.

  • User risk score – Current risk score of a user. Citrix Analytics for Security sends this data to your SIEM every 12 hours.

  • User apps – Applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops or Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) and sends it to your SIEM every 12 hours.

  • User device – Devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops, Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), and Citrix Endpoint Management and sends it to your SIEM every 12 hours.

  • User location – The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration. This data is sent to your SIEM every 12 hours.

  • Data usage – Data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to your SIEM every 12 hours.
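The risk-score-change rule above is the only export that is triggered by a condition rather than by the 12-hour schedule, so it is worth being able to predict which updates will appear in the SIEM. The following is an added worked example, not Citrix code and not drawn from the product; it assumes one reading of the rule (the absolute change must be three or more, and the score must either increase by any amount or drop by more than 10% of the previous score), and the sample updates are constructed for illustration.

```python
# Added example (not Citrix code): predict which risk-score updates would be
# forwarded to a SIEM under the "Risk score change" rule on this page.
# Assumed reading of the rule: |current - previous| >= 3, and either the score
# increased (any amount) or it dropped by more than 10% of the previous score.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskScoreUpdate:
    user: str
    previous: int
    current: int


def is_exported(previous: int, current: int) -> bool:
    """Return True if this score change would be sent to the SIEM (assumed rule)."""
    delta = current - previous
    if abs(delta) < 3:
        return False            # change too small, regardless of direction
    if delta > 0:
        return True             # any increase of 3 or more is exported
    if previous <= 0:
        return False            # no meaningful percentage drop from a zero score
    # A drop must exceed 10% of the previous score (exactly 10% is not enough).
    return (-delta) / previous > 0.10


def exported_updates(updates: Iterable[RiskScoreUpdate]) -> List[RiskScoreUpdate]:
    """Filter a stream of score updates down to the ones that reach the SIEM."""
    return [u for u in updates if is_exported(u.previous, u.current)]


# Constructed sample updates (not real users or scores).
SAMPLE_UPDATES = [
    RiskScoreUpdate("alice", previous=40, current=43),   # +3: exported
    RiskScoreUpdate("bob", previous=40, current=42),     # +2: too small
    RiskScoreUpdate("carol", previous=40, current=36),   # -4, exactly 10%: not exported
    RiskScoreUpdate("dave", previous=40, current=35),    # -5, 12.5%: exported
    RiskScoreUpdate("erin", previous=100, current=95),   # -5, only 5%: not exported
    RiskScoreUpdate("frank", previous=10, current=7),    # -3, 30%: exported
]


def exported_users(updates: Iterable[RiskScoreUpdate] = SAMPLE_UPDATES) -> List[str]:
    """Convenience wrapper returning just the user names of exported updates."""
    return [u.user for u in exported_updates(updates)]


if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(f"{u.user:6} {u.previous:>3} -> {u.current:>3}  exported={is_exported(u.previous, u.current)}")
```

The edge cases in the sample (a change of exactly three, a drop of exactly 10%) are the ones a detection engineer should confirm against what actually arrives in the SIEM, since a small boundary difference in the product's implementation changes which users show up in correlation searches.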

Processed data schema

For information on the schema of the processed data, see Citrix Analytics data format for SIEM.
