Security Information and Event Management (SIEM) integration

October 26, 2022 Contributed by:  C R M

Note

Contact CAS-PM-Ext@citrix.com to request assistance with the SIEM integration or with exporting data to your SIEM, or to provide feedback.

Integrate Citrix Analytics for Security with your SIEM service and export user data from your Citrix IT environment to the SIEM. Correlate the exported data with the data already in your SIEM to get deeper insight into your organization's security posture.

This integration increases the value of both Citrix Analytics for Security and your SIEM.


Benefits

  • Enables your Security Operations teams to correlate, analyze, and search data from disparate logs.

  • Helps your Security Operations teams identify and quickly remediate security risks.

  • Gives visibility of Citrix security alerts in one centralized place.

  • Provides a centralized approach to detecting potential security threats, using the risk analysis capabilities of Citrix Analytics (risk indicators, user profiles, and risk scores) as input to organizational risk analysis.

  • Lets you combine and correlate the Citrix Analytics risk intelligence for a user account with the external data sources connected to your SIEM.


SIEM integration architecture

Your SIEM integration connects to the north-bound Kafka deployed in the Citrix Analytics for Security cloud. This can be done in one of two ways:

  • Kafka endpoints: If your SIEM supports Kafka endpoints, use the parameters provided in the Logstash config file and the certificate details in the JKS file or the PEM file to integrate your SIEM with Citrix Analytics for Security. Through the Kafka endpoints, your SIEM connects to the Citrix Analytics cloud and pulls the data itself.

  • Logstash engine: If your SIEM does not support Kafka endpoints, use the Logstash data collection engine. Logstash consumes the risk insights data from Citrix Analytics for Security and sends it to one of the output plug-ins that Logstash supports.

Refer to the following SIEM solution architecture diagram to understand how data flows from Citrix Analytics for Security to your SIEM service:

SIEM solution architecture


Setting up SIEM environment

To export data to your SIEM, you must perform the following actions:

  • Set up your Kafka account and authentication credentials
  • Download the pre-populated configuration and set up the SIEM environment
  • Select the data events to export


SIEM export account setup

  1. To set up your account, navigate to Settings > Data Exports and expand Account set up. Create an account by specifying a user name and a password. Once the account exists, your Kafka details are generated. These details are embedded automatically when the configuration file is generated.

    Account set up

  2. Click Configure to generate the configuration file. The configuration file contains details such as the Kafka endpoints, your specific subscription topics, and group IDs. It also pre-configures the Kafka and SSL attributes required for authentication and data flow.
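The generated file is what you deploy on your Logstash host, so it helps to know what a pipeline of this shape looks like and which settings to check before starting the service. The following Logstash pipeline is an added example written for this page, not the file Citrix generates and not Citrix's own code: the broker address, topic names, group ID, client ID, and file paths are placeholders (the real values come from the downloaded configuration), the `citrix-` topic prefix used for routing is an assumption, and Elasticsearch is assumed as the destination, one of the output plug-ins Logstash supports. The Kafka input options used here (`security_protocol`, `sasl_mechanism`, `sasl_jaas_config`, `ssl_truststore_*`) are standard options of the Logstash Kafka input plug-in. Secrets are read from the Logstash keystore (`${NAME}` substitution) rather than being hardcoded, which is the change a practitioner should make to any downloaded config before committing it anywhere.

```logstash
# Added example pipeline (not the Citrix-generated file). Placeholder values are
# marked; replace them with the values from the downloaded configuration.
input {
  kafka {
    # PLACEHOLDER: broker endpoint(s) from the generated configuration
    bootstrap_servers => "kafka.example.invalid:9092"
    # PLACEHOLDER: your subscription topics and group ID from the generated file
    topics   => ["citrix-risk-insights", "citrix-data-source-events"]
    group_id => "example-group-id"
    client_id => "example-client-id"

    # Authentication: username/password over TLS. Keep SASL_SSL; never downgrade
    # to PLAINTEXT or SASL_PLAINTEXT to "fix" a connection error.
    security_protocol => "SASL_SSL"
    sasl_mechanism    => "PLAIN"
    # Credentials come from the Logstash keystore:
    #   bin/logstash-keystore add SIEM_EXPORT_USER SIEM_EXPORT_PASSWORD
    sasl_jaas_config  => "org.apache.kafka.common.security.plain.PlainLoginModule required username='${SIEM_EXPORT_USER}' password='${SIEM_EXPORT_PASSWORD}';"

    # Server certificate validation against the JKS truststore shipped with the
    # configuration (PLACEHOLDER path). Do not disable verification.
    ssl_truststore_type     => "JKS"
    ssl_truststore_location => "/etc/logstash/certs/kafka.client.truststore.jks"
    ssl_truststore_password => "${TRUSTSTORE_PASSWORD}"

    # Start from the oldest retained offset on first run so nothing is skipped
    # while the consumer group is new; later runs resume from the committed offset.
    auto_offset_reset => "earliest"
    codec             => "json"
    # Expose [@metadata][kafka][topic] so events can be routed per topic below.
    decorate_events   => true
  }
}

filter {
  # Route risk insights and data source events to separate indexes so the two
  # data sets (see "Data events exported ...") do not share a mapping.
  if [@metadata][kafka][topic] =~ /^citrix-risk-insights/ {
    mutate { add_field => { "[@metadata][index_prefix]" => "citrix-risk-insights" } }
  } else {
    mutate { add_field => { "[@metadata][index_prefix]" => "citrix-data-source-events" } }
  }
}

output {
  # ASSUMED destination: Elasticsearch over TLS with its own CA (PLACEHOLDER paths/hosts).
  elasticsearch {
    hosts    => ["https://elasticsearch.example.invalid:9200"]
    index    => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
    user     => "logstash_writer"
    password => "${ES_WRITER_PASSWORD}"
    ssl      => true
    cacert   => "/etc/logstash/certs/elasticsearch-ca.pem"
  }
}
```

Before deploying, verify the pipeline with `bin/logstash --config.test_and_exit -f <pipeline.conf>`, confirm the truststore password opens the JKS file (`keytool -list -keystore <file>`), and watch the Logstash log for `SaslAuthenticationException` (wrong export account credentials) or `SSLHandshakeException` (wrong or missing truststore) on the first connection attempt.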


SIEM configuration and environment setup

Choose the SIEM environment that fits your needs. You can integrate Citrix Analytics for Security with the following services. Refer to the following links for detailed information and SIEM-specific configurations:

SIEM environment


Data events exported from Citrix Analytics for Security to your SIEM service

SIEM exports consist of two types of data sets:

  1. Risk insights events (default exports): Once you have completed the account configuration and SIEM setup, the default data (risk insights events) starts flowing to your SIEM deployment. Risk insights data contains user risk scores, user profiles, and risk indicator alerts. These are generated by the Citrix Analytics machine learning algorithms and user behavior analysis from user events. For information on the event types, metadata, and schema available, see Risk insights data for SIEM.

  2. Data source events (optional exports): Additionally, you can configure the Data exports feature to export user events from the data sources of your Citrix Analytics for Security enabled products. A data source event is generated whenever a user performs an activity in the Citrix environment. The exported events are the unprocessed, real-time user and product usage data as shown in the self-service view. The metadata in these events can be used for deeper threat analysis, for building new dashboards, and for correlation with non-Citrix data source events across your security and IT infrastructure.

    Currently, Citrix Analytics for Security sends user events to your SIEM for the following data sources:

    • Citrix Content Collaboration

    • Citrix Virtual Apps and Desktops

    For information on the event types, metadata, and schema available, see Data source events.

    Note

    If you use the Logstash data broker, download the latest configuration file from the Citrix Analytics for Security portal and update your Logstash service deployment with it. This ensures that the correct data source event tables are created and that the events are available in your SIEM indexes.

    Data exports
