Third-party SIEM integration

Overview

Session Recording can capture various events in recorded sessions. A selected set of event data can be uploaded to the Session Recording service and forwarded to a third-party security information and event management (SIEM) system for further analysis. Currently, the Session Recording service supports integration with Splunk (Splunk Cloud and Splunk Enterprise) and Microsoft Sentinel.

Integrating with a third-party SIEM platform lets you apply its analytics and correlation capabilities to Session Recording events, so that potential threats can be detected and responded to more effectively and your organization's security posture is strengthened.

Configuration

  1. Enable SIEM integration.

    1. In the left navigation of the Session Recording service, select Configuration > SIEM integration.

      SIEM integration

    2. Enable Microsoft Sentinel, Splunk, or both as needed. Then click the configuration icon next to the toggle to configure the destination and the data source.

      To send data to Microsoft Sentinel, provide the workspace ID and key of the Microsoft Sentinel destination, and select the target sites as the data sources to send from. SIEM integration is supported only for sites running Session Recording version 2411 or later. The workspace key authorizes writes to that workspace: keep it in your secret store rather than in tickets or chat, and rotate it if it is exposed.

      Microsoft Sentinel destination

      Microsoft Sentinel data source

      To send data to Splunk, set up an HTTP Event Collector (HEC) in Splunk. For instructions, see the Splunk documentation: Set up and use HTTP Event Collector in Splunk Web. The Session Recording service supports both Splunk Cloud and Splunk Enterprise. If you use Splunk Enterprise, make sure that an inbound connection from the Session Recording service (currently hosted on Microsoft Azure) to Splunk Enterprise is allowed, and limit that rule to the HEC port rather than exposing the whole host.

      Provide the URL and the token value, and specify the index in which to store the data, in addition to the sourcetype and source. Then, as for Microsoft Sentinel, select the target sites as the data sources. The same version requirement applies: only sites running Session Recording 2411 or later are supported. The HEC token authorizes writes to that collector, so treat it like a password and use an HTTPS HEC URL so that it is not sent in the clear.

      Splunk destination

      Splunk data source

  2. Specify the events to forward.

    You must specify which event types are uploaded to the Session Recording service and forwarded to the SIEM platforms you configured. To do so, complete the following steps:

    1. Go to the site settings of each site you selected as a data source. For example:

      Event data analysis

    2. Select Upload event data to the Session Recording service, then select Enable data export to SIEM platforms. In the Scope section, specify the event types to forward. For example:

      Specify the events to forward

  3. Test the integration.

    After configuring the integration, test it to make sure that events are forwarded to the specified SIEM platform. Trigger an event of a type that is in scope (for example, start an application in a recorded session) and confirm that it arrives in the SIEM with the expected type and payload fields. If nothing arrives, check the site setting from the previous step, the HEC token or workspace key, and, for Splunk Enterprise, the inbound firewall rule.

  4. Monitor and adjust.

    Monitor the integration continuously to make sure that it works as expected. Adjust the configuration as needed to fine-tune event forwarding and improve alert accuracy.

  5. Visualize event data.

    You can visualize event data in both Microsoft Sentinel and Splunk. Sample views:

    Microsoft Sentinel dashboard

    Splunk dashboard

    To visualize event data in Microsoft Sentinel, contact Citrix Technical Support.

    To import and visualize event data in Splunk quickly, use the following dashboard template, adjusting the search queries (the empty `index=`, `sourcetype=`, and `source=` values at the start of each query) and the visualizations to match your data:

    <form version="1.1" theme="light">
      <label>Session Recording Events Analysis</label>
      <fieldset submitButton="false">
        <input type="time" token="time_field">
          <label></label>
          <default>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="Server">
          <label>Server</label>
          <choice value="*">All</choice>
          <default>*</default>
          <initialValue>*</initialValue>
          <fieldForValue>Server</fieldForValue>
          <search>
            <query>index= sourcetype= source= | table dvc | rename dvc as Server | dedup Server | sort Server</query>
            <earliest>$time_field.earliest$</earliest>
            <latest>$time_field.latest$</latest>
          </search>
        </input>
        <input type="dropdown" token="Site">
          <label>Site</label>
          <choice value="*">All</choice>
          <default>*</default>
          <initialValue>*</initialValue>
          <fieldForValue>Site</fieldForValue>
          <search>
            <query>index= sourcetype= source= | table tenant.srSiteId | rename tenant.srSiteId as Site | dedup Site | sort Site</query>
            <earliest>$time_field.earliest$</earliest>
            <latest>$time_field.latest$</latest>
          </search>
        </input>
        <input type="dropdown" token="VDA">
          <label>VDA</label>
          <choice value="*">All</choice>
          <default>*</default>
          <initialValue>*</initialValue>
          <fieldForValue>VDA</fieldForValue>
          <search>
            <query>index= sourcetype= source= | table payload.deviceId | rename payload.deviceId as VDA | dedup VDA | sort VDA</query>
            <earliest>$time_field.earliest$</earliest>
            <latest>$time_field.latest$</latest>
          </search>
        </input>
        <input type="dropdown" token="User">
          <label>User</label>
          <choice value="*">All</choice>
          <default>*</default>
          <initialValue>*</initialValue>
          <fieldForValue>User</fieldForValue>
          <search>
            <query>index= sourcetype= source= | table payload.user | rename payload.user as User | dedup User | sort User</query>
            <earliest>$time_field.earliest$</earliest>
            <latest>$time_field.latest$</latest>
          </search>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>Web Browsing - Top Visited Websites</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type=Citrix.EventMonitor.WebBrowsing | spath payload.ExtEventData1 | stats count by payload.ExtEventData1 | sort count desc | rename payload.ExtEventData1 as WebSites</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
        <panel>
          <chart>
            <title>Web Browsing - Browser Distribution</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type=Citrix.EventMonitor.WebBrowsing | spath payload.ExtEventData3 | stats count by payload.ExtEventData3 | sort count desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.chart">pie</option>
            <option name="charting.drilldown">none</option>
            <option name="refresh.display">progressbar</option>
          </chart>
        </panel>
        <panel>
          <table>
            <title>Screen Time (mins)</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | spath "payload.type" | search "payload.type"="Citrix.EventMonitor.TopMost" | rename payload.ExtEventData1 as AppName, payload.deviceId as DeviceId | eval time=strptime(st, "%Y-%m-%dT%H:%M:%S.%7N") | sort 0 DeviceId time | streamstats current=f window=1 last(time) as last_time last(AppName) as last_app by DeviceId | eval time_diff = if(isnull(last_time), null(), (time - last_time) / 60) | stats sum(time_diff) as ScreenTime by last_app | rename last_app as AppName | sort ScreenTime desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>Application - Top Started Applications</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type=Citrix.EventMonitor.AppStart | spath payload.ExtEventData2 | stats count by payload.ExtEventData2 | sort count desc | rename payload.ExtEventData2 as AppName</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
        <panel>
          <table>
            <title>Application - Top Unexpected-Exit Applications</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type=Citrix.EventMonitor.UnexpectedAppExit | spath payload.ExtEventData2 | rename payload.ExtEventData2 as AppPath | eval AppName = mvindex(split(AppPath, "\\"), -1) | stats count by AppName | sort count desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
        <panel>
          <table>
            <title>Application - Top Not-Responding Applications</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type=Citrix.EventMonitor.AppNotResponding | spath payload.ExtEventData2 | rename payload.ExtEventData2 as AppPath | eval AppName = mvindex(split(AppPath, "\\"), -1) | stats count by AppName | sort count desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
      </row>
      <row>
        <panel>
          <table>
            <title>File Transfer - Top Transferred-In Files</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type="Citrix.EventMonitor.FileTransfer" | spath payload.ExtEventData3 | search payload.ExtEventData3="Host:*" | rename payload.ExtEventData3 as filePath | eval FileName = mvindex(split(filePath, "\\"), -1) | stats count by FileName | sort count desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
        <panel>
          <table>
            <title>File Transfer - Transferred-In File Size by User</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type="Citrix.EventMonitor.FileTransfer" | spath payload.ExtEventData3 | search payload.ExtEventData3="Host:*" | rename payload.ExtEventData4 as filesize | eval filesize_mb = case(like(filesize, "% B"), tonumber(replace(filesize, " B", "")) / 1024 / 1024, like(filesize, "% KB"), tonumber(replace(filesize, " KB", "")) / 1024, like(filesize, "% MB"), tonumber(replace(filesize, " MB", "")), like(filesize, "% GB"), tonumber(replace(filesize, " GB", "")) * 1024, like(filesize, "% TB"), tonumber(replace(filesize, " TB", "")) * 1024 * 1024) | stats sum(filesize_mb) as "FileSize(MB)" by payload.user | rename payload.user as User | sort "FileSize(MB)" desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="refresh.display">progressbar</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
        <panel>
          <table>
            <title>File Transfer - Transferred-Out File Count by User</title>
            <search>
              <query>index= sourcetype= source= dvc=$Server$ tenant.srSiteId=$Site$ payload.deviceId=$VDA$ payload.user=$User$ | search type="Citrix.EventMonitor.FileTransfer" | spath payload.ExtEventData2 | search payload.ExtEventData2="Host:*" | stats count by payload.user | rename payload.user as User | sort count desc</query>
              <earliest>$time_field.earliest$</earliest>
              <latest>$time_field.latest$</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="FunctionFailed">
              <colorPalette type="list">[#118832,#D41F1F]</colorPalette>
              <scale type="threshold">1</scale>
            </format>
          </table>
        </panel>
      </row>
    </form>
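The following Python script is an added example; it is not part of Citrix's documentation or of the dashboard template. It re-implements the aggregation each dashboard panel performs over a handful of constructed events laid out the way the queries expect them (`type`, `st`, `dvc`, `tenant.srSiteId`, `payload.user`, `payload.deviceId`, `payload.ExtEventData1` to `ExtEventData4`), so the field mapping and the arithmetic can be checked offline before the dashboard is pointed at a live index. The event values are made up, and the reading of `ExtEventData2` as the transfer source, `ExtEventData3` as the destination and `ExtEventData4` as the size is inferred from the `Host:*` filters in the file-transfer panels, not from a Citrix schema reference. The screen-time function credits each interval between consecutive TopMost events to the application that was in front when the interval started.

```python
"""Offline check of the Splunk dashboard panel logic over constructed Session
Recording events. Added example, not Citrix code: the field names come from the
dashboard queries; the values and the source/destination reading of
ExtEventData2/3 are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

WEB = "Citrix.EventMonitor.WebBrowsing"
APPSTART = "Citrix.EventMonitor.AppStart"
APPEXIT = "Citrix.EventMonitor.UnexpectedAppExit"
NOTRESP = "Citrix.EventMonitor.AppNotResponding"
FILE = "Citrix.EventMonitor.FileTransfer"
TOPMOST = "Citrix.EventMonitor.TopMost"
DAY = "2025-03-01T"  # all constructed events fall on one day


def ev(etype, hms, user="alice", device="VDA01", **ext):
    """One event in the shape the dashboard queries expect (constructed data)."""
    return {"type": etype, "st": DAY + hms + ".0000000", "dvc": "srserver01",
            "tenant": {"srSiteId": "site-a"},
            "payload": {"user": user, "deviceId": device, **ext}}


EVENTS = [  # constructed sample; every value is made up
    ev(WEB, "09:00:00", ExtEventData1="https://intranet.example", ExtEventData3="Chrome"),
    ev(WEB, "09:01:00", "bob", "VDA02", ExtEventData1="https://intranet.example", ExtEventData3="Edge"),
    ev(WEB, "09:02:00", ExtEventData1="https://files.example", ExtEventData3="Chrome"),
    ev(APPSTART, "09:03:00", ExtEventData2="notepad.exe"),
    ev(APPEXIT, "09:04:00", ExtEventData2="C:\\Program Files\\App\\app.exe"),
    ev(NOTRESP, "09:05:00", ExtEventData2="C:\\Windows\\System32\\notepad.exe"),
    # FileTransfer: ExtEventData2 = source, ExtEventData3 = destination, ExtEventData4 = size
    # (assumed from the dashboard's "Host:*" filters: a "Host:" destination means transferred in)
    ev(FILE, "09:06:00", ExtEventData2="Client:C:\\Users\\alice\\report.docx",
       ExtEventData3="Host:D:\\inbox\\report.docx", ExtEventData4="2 MB"),
    ev(FILE, "09:07:00", "bob", "VDA02", ExtEventData2="Client:C:\\Users\\bob\\data.zip",
       ExtEventData3="Host:D:\\inbox\\data.zip", ExtEventData4="512 KB"),
    ev(FILE, "09:08:00", ExtEventData2="Host:D:\\export\\dump.csv",
       ExtEventData3="Client:C:\\Users\\alice\\dump.csv", ExtEventData4="1 GB"),
    # TopMost: ExtEventData1 = application that came to the foreground
    ev(TOPMOST, "09:00:00", ExtEventData1="notepad.exe"),
    ev(TOPMOST, "09:10:00", ExtEventData1="chrome.exe"),
    ev(TOPMOST, "09:15:00", ExtEventData1="notepad.exe"),
    ev(TOPMOST, "09:05:00", "bob", "VDA02", ExtEventData1="excel.exe"),
    ev(TOPMOST, "09:35:00", "bob", "VDA02", ExtEventData1="outlook.exe"),
]


def _payloads(events, etype):
    return [e["payload"] for e in events if e["type"] == etype]

def top_websites(events):  # panel: Web Browsing - Top Visited Websites
    return Counter(p["ExtEventData1"] for p in _payloads(events, WEB)).most_common()

def browser_distribution(events):  # panel: Web Browsing - Browser Distribution
    return Counter(p["ExtEventData3"] for p in _payloads(events, WEB)).most_common()

def app_name(path):
    """Last backslash-separated component, like mvindex(split(AppPath, "\\"), -1)."""
    return path.split("\\")[-1]

def app_counts(events, etype):  # panels: AppStart, UnexpectedAppExit, AppNotResponding
    return Counter(app_name(p["ExtEventData2"]) for p in _payloads(events, etype)).most_common()

_UNIT_TO_MB = {"B": 1 / 1024 / 1024, "KB": 1 / 1024, "MB": 1, "GB": 1024, "TB": 1024 * 1024}

def size_mb(text):
    """'512 KB' -> 0.5. As with the SPL case(), an unknown unit or a bad number yields None."""
    num, _, unit = text.rpartition(" ")
    try:
        return float(num) * _UNIT_TO_MB[unit]
    except (KeyError, ValueError):
        return None

def inbound_file_counts(events):  # panel: File Transfer - Top Transferred-In Files
    dests = [p["ExtEventData3"] for p in _payloads(events, FILE) if p["ExtEventData3"].startswith("Host:")]
    return Counter(app_name(d) for d in dests).most_common()

def inbound_size_mb_by_user(events):  # panel: File Transfer - Transferred-In File Size by User
    totals = defaultdict(float)
    for p in _payloads(events, FILE):
        mb = size_mb(p["ExtEventData4"]) if p["ExtEventData3"].startswith("Host:") else None
        if mb is not None:  # unparsable sizes are skipped, not counted as zero
            totals[p["user"]] += mb
    return dict(totals)

def outbound_file_count_by_user(events):  # panel: File Transfer - Transferred-Out File Count by User
    return dict(Counter(p["user"] for p in _payloads(events, FILE) if p["ExtEventData2"].startswith("Host:")))

def screen_time_minutes(events):  # panel: Screen Time (mins)
    """Per device, sort TopMost events by time and credit each gap between consecutive
    events to the app that was in front when the gap started. The last event on a
    device has no successor and gets no time, as with the streamstats query."""
    by_device = defaultdict(list)
    for e in (e for e in events if e["type"] == TOPMOST):
        # Python's %f accepts at most 6 fractional digits; Splunk's %7N takes 7, so drop one.
        t = datetime.strptime(e["st"][:26], "%Y-%m-%dT%H:%M:%S.%f")
        by_device[e["payload"]["deviceId"]].append((t, e["payload"]["ExtEventData1"]))
    totals = defaultdict(float)
    for rows in by_device.values():
        rows.sort()
        for (t0, app), (t1, _) in zip(rows, rows[1:]):
            totals[app] += (t1 - t0).total_seconds() / 60
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))
```

Run it against a few real events exported from your index (one JSON object per list entry) to confirm the field names match before customizing the dashboard; a size string such as "3 PB" or a non-numeric value is dropped from the per-user totals rather than counted as zero, which is the same silent behaviour the SPL `case()` has and worth knowing when totals look low.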