Troubleshooting Data Exports
The Data Exports for Security view includes a Summary tab to help administrators troubleshoot their SIEM integration with Citrix Analytics. The Summary dashboard gives visibility into the health of the data flow by walking administrators through a set of checkpoints that support the troubleshooting process.
The Summary tab forms the foundation of the self-service troubleshooting workflow in the Data Exports view. It describes your SIEM setup by using these three cards:
- Available Data in Citrix Analytics: This card shows the state of your data source configurations.
- Available Events for SIEM Consumption: This card displays the number of events that are ready to be consumed by your SIEM environment.
- Data Consumption by SIEM: This card displays the state of data flow in your SIEM environment.
The Available Data in Citrix Analytics card shows the number of onboarded data sources that can contribute to SIEM exports. Four data sources are currently supported for data exports: Apps and Desktops, Content Collaboration, Gateway, and Secure Private Access. Even if a data source has been onboarded, data export does not work for it while its data processing is turned off. A warning message is shown when such data sources are detected.
The View events of the last 7 days button redirects the administrator to the Self-Service Search view, where you can verify that events have flowed into Citrix Analytics for Security. The Onboard data sources button redirects to the Data Sources view, which walks you through the onboarding process in detail.
If no data sources have been onboarded, a warning message is displayed, as shown in the following screenshot:
The Available Events for SIEM Consumption card displays the number of Insight and Data source events that are expected to flow into your SIEM environment, along with a breakdown by type. Expanding the card shows a further breakdown of each type of data event for export.
The Data Consumption by SIEM card depicts the health of the flow of data prepared by Citrix Analytics into your SIEM environment. The data consumption status is based on the movement of your consumer group's offset within your Kafka topic: the offset advances only when your SIEM actually reads and commits events. When available, the card also shows the timestamp at which successful data consumption was last detected. Both the data consumption status and the timestamp are refreshed every 10 minutes. See the Kafka documentation to learn more about consumer group and offset management.
The data consumption status can take on the following states:
No history of data export: This state is represented by an orange dot and indicates that no data prepared by Citrix Analytics has ever flowed successfully into your SIEM environment.
This can be due to:
- Incorrect or incomplete data source configuration. Use the Available Data in Citrix Analytics card to verify that enough data sources are onboarded and that their data processing is turned on, which is required for export.
- Lack of user activity. Use the View events of the last 7 days button in the Available Data in Citrix Analytics card to verify whether there is any user activity. Also use the Available Events for SIEM Consumption card to verify whether Citrix Analytics has readied any Insight or Data source events to flow into your SIEM.
- Incorrect or incomplete SIEM setup. Verify that the Account Setup stage in the Configuration tab has been completed successfully. A green tick mark is shown on the Account Setup stage when the setup is complete.
If the state does not change even after a successful account setup, troubleshoot further by checking for:
No active consumption detected: This state indicates that no data has flowed successfully into your SIEM environment for at least the past 10 minutes. The card also displays the timestamp of the last successful movement of data. As with No history of data export, this can be troubleshot by using the Available Data in Citrix Analytics and Available Events for SIEM Consumption cards. If there is sufficient user activity and the available events count is increasing, focus on the last successful timestamp and check whether any firewall changes or password rotations happened after it.
Exported over 7 days ago: This state indicates that active consumption on your SIEM was last detected over a week ago. As with the two states above, use the Available Data in Citrix Analytics and Available Events for SIEM Consumption cards to troubleshoot your SIEM setup.
Kafka Retention Policy: Citrix Analytics Kafka topics retain events for a maximum of 7 days. Events that your SIEM has not consumed within that window are deleted from the topic and cannot be replayed. To prevent data loss, configure a data poll interval that never lets the gap between successful polls exceed 7 days.
When consumption is inactive, the following warning messages help you navigate the troubleshooting process.
As noted for the No history of data export state, if the SIEM setup is not completed, no data ever flows into the SIEM environment. The user is therefore redirected to the Configuration tab to complete the account setup, as depicted in the following screenshot:
If the SIEM setup is complete, data may still not be flowing, as indicated by the No active consumption detected or Exported over 7 days ago states. The user is then directed to the Test Event Generation section to test the SIEM connection, as highlighted in the following warning message.
Active consumption detected: This state indicates that data has flowed into your SIEM within the last 10 minutes.
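The state logic above can be reproduced outside the console. The following is an added example, not Citrix Analytics code: it takes constructed snapshots of the SIEM consumer group's committed offsets on the export topic (the kind of numbers `kafka-consumer-groups.sh --describe` or the Kafka admin API report for a group), applies the 10-minute and 7-day thresholds stated above, and derives the card's state, the point up to which events have already aged out of retention, and the configuration changes (password reset, firewall change) made after the last successful consumption. The snapshot data, the change log, and all function names are assumptions made for the example.

```python
"""Offline model of the "Data Consumption by SIEM" states on the Summary tab.

Added example, not Citrix Analytics code. Input is a series of snapshots of the
SIEM consumer group's committed offsets on the export topic. From the last time
an offset advanced it derives the card's state, whether events have already aged
out of the 7-day topic retention, and which configuration changes happened after
the last successful consumption. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Thresholds stated on the page.
ACTIVE_WINDOW = timedelta(minutes=10)   # status refresh interval / "active" window
TOPIC_RETENTION = timedelta(days=7)     # Citrix Analytics Kafka topic retention

NO_HISTORY = "No history of data export"
NO_ACTIVE = "No active consumption detected"
OVER_7_DAYS = "Exported over 7 days ago"
ACTIVE = "Active consumption detected"


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    committed: Dict[int, int]   # partition -> committed offset of the consumer group


def last_offset_advance(snapshots: List[Snapshot]) -> Optional[datetime]:
    """Time of the latest snapshot in which any partition's committed offset moved
    forward. None when offsets never became non-zero in the window (no history).
    Assumption: the window starts before the first successful consumption; if the
    first snapshot already has non-zero offsets its time is used, which only says
    consumption happened at or before that point."""
    snaps = sorted(snapshots, key=lambda s: s.taken_at)
    last: Optional[datetime] = None
    if snaps and any(off > 0 for off in snaps[0].committed.values()):
        last = snaps[0].taken_at
    for prev, cur in zip(snaps, snaps[1:]):
        if any(off > prev.committed.get(part, 0) for part, off in cur.committed.items()):
            last = cur.taken_at
    return last


def consumption_state(last_success: Optional[datetime], now: datetime) -> str:
    """Map the age of the last offset advance onto the Summary card's four states."""
    if last_success is None:
        return NO_HISTORY
    age = now - last_success
    if age <= ACTIVE_WINDOW:
        return ACTIVE
    if age > TOPIC_RETENTION:
        return OVER_7_DAYS
    return NO_ACTIVE


def unrecoverable_until(last_success: Optional[datetime], now: datetime) -> Optional[datetime]:
    """Events produced after last_success and before (now - retention) have been
    deleted by the broker and cannot be replayed once the SIEM reconnects.
    Returns that cut-off, or None while nothing has aged out yet."""
    if last_success is None:
        return None
    cutoff = now - TOPIC_RETENTION
    return cutoff if cutoff > last_success else None


def changes_since(last_success: Optional[datetime],
                  change_log: List[Tuple[datetime, str]]) -> List[str]:
    """Configuration changes recorded after the last successful consumption: the
    first suspects when events are available but the offset has stopped moving."""
    if last_success is None:
        return [desc for _, desc in change_log]
    return [desc for when, desc in change_log if when > last_success]


def diagnose(snapshots: List[Snapshot], now: datetime,
             change_log: List[Tuple[datetime, str]] = ()) -> dict:
    last = last_offset_advance(snapshots)
    return {
        "state": consumption_state(last, now),
        "last_success": last,
        "unrecoverable_until": unrecoverable_until(last, now),
        "changes_since_last_success": changes_since(last, list(change_log)),
    }


# Constructed sample: two partitions advance twice, then stall right after the
# SIEM account password was reset in Citrix Analytics but not on the SIEM.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def minutes_after_t0(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_SNAPSHOTS = [
    Snapshot(minutes_after_t0(0), {0: 0, 1: 0}),
    Snapshot(minutes_after_t0(10), {0: 120, 1: 95}),
    Snapshot(minutes_after_t0(20), {0: 240, 1: 190}),
    Snapshot(minutes_after_t0(30), {0: 240, 1: 190}),   # stalled
    Snapshot(minutes_after_t0(40), {0: 240, 1: 190}),
]
SAMPLE_CHANGES = [
    (minutes_after_t0(5), "firewall rule added for broker egress"),
    (minutes_after_t0(25), "SIEM account password reset in Citrix Analytics"),
]


def sample_diagnosis(minutes_after_start: int) -> dict:
    """Run the sample as if the check were made this many minutes after T0."""
    return diagnose(SAMPLE_SNAPSHOTS, minutes_after_t0(minutes_after_start), SAMPLE_CHANGES)


if __name__ == "__main__":
    for label, minutes in (("1 hour later", 60), ("9 days later", 9 * 24 * 60)):
        print(label, sample_diagnosis(minutes))
```

Fed with a live offset feed and your change-management log, a stalled offset together with a password reset or firewall change after the last advance is exactly the case the text tells you to look for, and a non-empty unrecoverable_until means the disruption has already outlived the 7-day retention and the events in that gap are gone.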
Data Export Quick Guide
The Summary tab is supplemented by the Data Export Quick Guide blade, which eases the deployment, management, and troubleshooting of your SIEM setup. In addition to a comprehensive guide to the Data Exports for Security view, the Quick Guide includes tips on setting up and managing your SIEM environment, with links to the pertinent documentation.
The Quick Guide blade also has a Test SIEM Connection section that redirects you to the Test SIEM Connection stage within the SIEM Environment Setup stage. This lets you check whether the SIEM integration itself is broken, ruling out problems with Citrix Analytics for Security processing the events. You can then fix the SIEM connection to restore data flow.
The Configuration tab, in addition to guiding you through the deployment setup, shows tips, warning messages, and common pitfalls while you set up your SIEM. Warnings are shown when:
- Citrix Analytics detects that no data sources have been onboarded. It is recommended that Apps and Desktops be onboarded to collect telemetry based on user activity. Without an onboarded data source, no data flows, even if your SIEM setup was completed successfully.
- The account setup is not complete. As illustrated by the following image, the SIEM Environment Setup and Data Events for Export stages are disabled until the account setup is completed successfully.
- Data Exports have been turned off. The warning on the Data Events for Export stage reminds you to enable Data Exports so that any changes take effect.
- Data export for a particular data source is disabled on the Data Events for Export stage. No Data source events flow to the SIEM until you enable it by configuring and selecting the desired Data source event types. Also make sure that data processing for that data source is enabled, so that its data reaches Citrix Analytics in the first place.
Test Event Generation
Test Event Generation is provided as part of the SIEM Environment Setup stage to improve the troubleshooting experience. Once you complete the SIEM setup, Test Event Generation provides a quick way to test the SIEM connection by sending a test event directly into the customer's SIEM data export Kafka topic.
It also lets new users quickly test their SIEM integration with Citrix Analytics without first onboarding a data source and generating user activity.
To test the connection, click the Send Test Data button. This generates a dummy test event and sends it to the customer's SIEM data export Kafka topic. The process can take up to 1 minute, as shown in the following screenshot:
If the test event is written successfully to the customer Kafka topic, a success message is displayed, indicating that the SIEM connection is working. Depending on your chosen environment (Splunk or Sentinel), you can copy the query and check your SIEM for the test event. Note that the success message confirms only that Citrix Analytics could write to the topic; the consumer side of the integration is confirmed only when the test event actually appears in your SIEM.
For Elasticsearch and other environments, the following success message is displayed.
Once a test event is generated, the Send test data button is disabled for the next 24 hours, and hovering over the button shows the following popup. 24 hours after the latest success timestamp, the button is enabled again so that you can repeat the test.
If the test event is not written successfully to the customer Kafka topic, a failure message is shown, as depicted in the following screenshot. You can send the test data again to retest the connection.
SIEM Email Alert
Citrix Analytics sends email alerts to notify administrators about conditions that might disrupt data flow to their SIEM environment. The alerts contain situational information about activities that might lead to temporary or permanent loss of security posture data, and they guide you through the self-service troubleshooting journey for SIEM data export.
Some properties of these email alerts, to help you find them in your inbox:
- The email is sent to Citrix Cloud admins, Security full admins, Security read only admins, and Security and Performance read only admins.
- The sender is Citrix Cloud email@example.com.
- The subject line is:
- SIEM Data Export Alert - Password was reset, for password reset email alerts.
- SIEM Data Export Alert - Data Flow Stopped, for data flow disruption email alerts.
If you are a Citrix Cloud administrator with full access permissions, by default, the email notifications are disabled for your Citrix Cloud account. To receive email notifications from Citrix Analytics, enable it on your Citrix Cloud account. For more information, see Receive emailed notifications.
If you are a Citrix Cloud administrator with custom access permissions (Security Full Admin, Security Read Only Admin, or Security and Performance Read Only) to manage Security Analytics, email notifications are always enabled for your Citrix Cloud account.
SIEM Password Reset Email Alert
A SIEM password reset alert email is sent when the account password is reset from the Data Exports page. Resetting the SIEM password in the Citrix Analytics UI alone leaves the password configured on your SIEM out of date, and the mismatch stops the data flow. The alert contains the time at which the password was reset. If data flow stops, open the Summary tab and check whether the "last exported at" timestamp lies close to the password reset time; if it does, apply the new password on the SIEM side. This shortens the debugging process and restores data flow to your SIEM environment quickly.
Data Flow Disruption for 24 hours Email Alert
This email alert is sent when data flow from the Citrix Analytics service into your SIEM environment is disrupted for more than 24 hours. The email includes the time at which the last event was exported, along with troubleshooting quick tips for bringing back the data flow. This is the right time to reinstate the data flow: events still remain in the Kafka topic, but only for 7 days.
Data Flow Disruption for 7 days Email Alert
This email alert is sent when data flow from the Citrix Analytics service into your SIEM environment is disrupted for more than 7 days. Because the retention period of the customer's Kafka topic is 7 days, this email warns of permanent loss of security posture data: events older than the retention window have already been deleted, and every further day of disruption loses more. Follow the troubleshooting tips and use the Quick Guide on the Data Exports page to stop losing data.
Data Flow Disruption for 30 days Email Alert
This email alert is sent when data flow from the Citrix Analytics service into your SIEM environment is disrupted for more than 30 days. By this point, security posture data has been lost, and it is imperative to use the troubleshooting capabilities to reinstate the flow as soon as possible.