Citrix Analytics data exports format for SIEM

Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you to gain insight into your organization’s security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.

Data export

The data that Citrix Analytics for Security sends to your SIEM service is of two types:

  • Risk insights events (Default exports)
  • Data Source events (Optional exports)

Data exports

Risk insights data for SIEM

Once you have completed the account configuration and SIEM setup, the default data (risk insights events) starts flowing to your SIEM deployment. Risk insights data contains the user risk score, the user profile, and risk indicator alerts. These are generated by the Citrix Analytics machine learning algorithms and user behavior analysis, based on user events.

The risk insights data of a user includes the following:

  • Risk score change - The difference between the current risk score and the previous risk score of a user. When a user's risk score changes by three or more, and the score either increases (at any rate) or drops by more than 10%, the data is sent to the SIEM service.
  • Risk indicator summary - The details of the risk indicator associated with a user.
  • Risk indicator event details - The details of the user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. The events are sent in chronological order of occurrence, so the first 1000 risk indicator event details are the ones sent.
  • User risk score - The current risk score of a user. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
  • User profile - The user profile data can be categorized into:

    • User apps - The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to the SIEM service every 12 hours.
    • User data usage - The data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
    • User device - The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to the SIEM service every 12 hours.
    • User location - The city in which a user was last detected. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration and sends it to your SIEM service every 12 hours.

If you can view the Data Exports page but cannot configure it, you do not have the required access permissions and the settings are disabled for your account. In the following example, the Save Changes button is disabled. You can still see that a set of default events (Risk Insights) goes out to the SIEM environment. Risk insights events are enabled by default.

Risk insights data

Schema details of the risk insights events

The following section describes the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema samples are only for representational purpose. The actual field values vary based on the user profile, user events, and the risk indicator.

The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.

Field name   | Description
-------------|--------------------------------------------------------------------------
entity_id    | The identity associated with the entity. In this case, the entity is the user.
entity_type  | The entity at risk. In this case, the entity is the user.
event_type   | The type of data sent to your SIEM service. For example: user's location, user's data usage, or user's device access information.
tenant_id    | The unique identity of the customer.
timestamp    | The date and time of the most recent user activity.
version      | The schema version of the processed data. The current schema version is 2.

User profile data schema

User location schema


{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}
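As an added example (not Citrix's own code), the following Python validator shows what a SIEM ingestion pipeline can check on each exported line before indexing it: the common fields from the table above, schema version 2, the UTC timestamp, and the event-specific fields of the userProfileLocation record. The sample batch is constructed from the page's sample record; the per-event field lists for other event types are not documented here and are left out.

```python
import json
from datetime import datetime, timezone

# Common fields every exported record carries (from the field table above).
COMMON_FIELDS = {"entity_id", "entity_type", "event_type", "tenant_id", "timestamp", "version"}
SCHEMA_VERSION = 2
# Event-specific fields; only userProfileLocation is documented here (taken from its sample).
EVENT_FIELDS = {"userProfileLocation": {"country", "city", "cnt"}}

def parse_timestamp(value):
    """Parse the export's UTC timestamp ("2021-02-10T15:00:00Z") into an aware datetime."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError("timestamp must be an ISO 8601 UTC string ending in Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_event(line):
    """Validate one exported JSON line; return the record with a parsed timestamp."""
    record = json.loads(line)
    if not isinstance(record, dict):
        raise ValueError("record must be a JSON object")
    missing = COMMON_FIELDS - record.keys()
    if missing:
        raise ValueError(f"missing common fields: {sorted(missing)}")
    if record["version"] != SCHEMA_VERSION:
        raise ValueError(f"unsupported schema version {record['version']!r}")
    if record["entity_type"] != "user":
        raise ValueError(f"unexpected entity_type {record['entity_type']!r}")
    record["timestamp"] = parse_timestamp(record["timestamp"])
    # Event-specific fields are checked only for event types listed in EVENT_FIELDS.
    missing = EVENT_FIELDS.get(record["event_type"], set()) - record.keys()
    if missing:
        raise ValueError(f"{record['event_type']} missing fields: {sorted(missing)}")
    return record

def ingest(lines):
    """Split a batch of export lines into accepted records and (line, reason) rejections."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(validate_event(line))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError, so bad JSON lands here too
            rejected.append((line, str(exc)))
    return accepted, rejected

# Constructed batch: the page's sample record, the same record with an old schema version, and one missing city.
SAMPLE_LINES = [
    '{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}',
    '{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 1}',
    '{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "cnt": 4, "version": 2}',
]
```

Running `ingest(SAMPLE_LINES)` accepts the first record and rejects the other two with the reason attached, so a pipeline can route schema drift to a quarantine index instead of silently dropping it.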
