Citrix Analytics data exports format for SIEM
Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you to gain insight into your organization’s security risk posture.
Currently, you can integrate Citrix Analytics for Security with the following SIEM services:
The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.
The risk insights data sent by Citrix Analytics for Security to your SIEM service are of two types:
- Risk insights events (Default exports)
- Data Source events (Optional exports)
Risk insights data for SIEM
Once you have completed the account configuration and SIEM setup, the default data (risk insights events) starts flowing to your SIEM deployment. Risk insights data contains the user risk score, user profile, and risk indicator alerts. These are generated by Citrix Analytics machine learning algorithms and user behavior analysis, based on user events.
The risk insights data of a user includes the following:
- Risk score change - The difference between the current risk score and the previous risk score of a user. When a user's risk score changes by three or more, and the score either increases by any amount or drops by more than 10%, the data is sent to the SIEM service.
- Risk indicator summary - The details of the risk indicator associated with a user.
- Risk indicator event details - The details of the user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. Events are sent in chronological order of occurrence, so when more than 1000 exist, only the first 1000 risk indicator event details are sent.
- User risk score – The current risk score of a user. Citrix Analytics for Security sends this data to SIEM service every 12 hours.
- User profile - The user profile data can be categorized into:
  - User apps - The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to SIEM service every 12 hours.
  - User data usage - The data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to SIEM service every 12 hours.
  - User device - The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to SIEM service every 12 hours.
  - User location - The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration and sends it to your SIEM service every 12 hours.
If you can only view the settings but not configure them, you do not have the required access permissions and the account is disabled for you. In the following example, the Save Changes button is disabled. You can still see the detailed information that a set of default events (Risk Insights) goes out to the SIEM environment; the risk insight events are enabled by default.
Schema details of the risk insights events
The following section describes the schema of the processed data generated by Citrix Analytics for Security.
Note
The field values shown in the following schema samples are only for representational purpose. The actual field values vary based on the user profile, user events, and the risk indicator.
The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.
Field name | Description |
---|---|
entity_id | The identity associated with the entity. In this case, the entity is the user. |
entity_type | The entity at risk. In this case, the entity is the user. |
event_type | The type of data sent to your SIEM service. For example: user’s location, user’s data usage, or user’s device access information. |
tenant_id | The unique identity of the customer. |
timestamp | The date and time of the recent user activity. |
version | The schema version of the processed data. The current schema version is 2. |
User profile data schema
User location schema
```json
{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}
```
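As an added example (not part of the Citrix documentation), the following Python ingester validates the common fields and schema version described above on each exported JSON record, and flags when a user's reported city differs between consecutive userProfileLocation records. The sample export lines are constructed from the page's sample, and the `validate_record` and `ingest` function names are ours.

```python
import json
from datetime import datetime

# Fields the page lists as common to every risk-insights record (schema version 2).
COMMON_FIELDS = ("tenant_id", "entity_id", "entity_type", "event_type", "timestamp", "version")
EXPECTED_VERSION = 2

# Constructed sample export (JSON lines): the page's sample, the same user from another city, an old schema version.
SAMPLE_EXPORT = """\
{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}
{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-11T03:00:00Z", "event_type": "userProfileLocation", "country": "United Kingdom", "city": "London", "cnt": 1, "version": 2}
{"tenant_id": "demo_tenant", "entity_id": "other_user", "entity_type": "user", "timestamp": "2021-02-11T03:00:00Z", "event_type": "userProfileLocation", "country": "France", "city": "Paris", "cnt": 2, "version": 1}
"""

def validate_record(rec):
    """Return a list of schema problems; an empty list means the record is well-formed."""
    problems = [f"missing field: {f}" for f in COMMON_FIELDS if f not in rec]
    if rec.get("version") != EXPECTED_VERSION:
        problems.append(f"unexpected schema version: {rec.get('version')!r}")
    if rec.get("entity_type") != "user":
        problems.append(f"unexpected entity_type: {rec.get('entity_type')!r}")
    try:  # the samples use ISO 8601 UTC timestamps with a trailing Z
        datetime.strptime(str(rec.get("timestamp", "")), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        problems.append(f"bad timestamp: {rec.get('timestamp')!r}")
    return problems

def ingest(jsonl):
    """Parse and validate the export; returns (accepted, rejected, location_changes)."""
    accepted, rejected, changes = [], [], []
    last_city = {}  # (tenant_id, entity_id) -> last reported city
    for line_no, line in enumerate(jsonl.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((line_no, [f"invalid JSON: {exc.msg}"]))
            continue
        problems = validate_record(rec)
        if problems:
            rejected.append((line_no, problems))
            continue
        accepted.append(rec)
        if rec["event_type"] == "userProfileLocation":  # track last-seen city per user
            key = (rec["tenant_id"], rec["entity_id"])
            prev = last_city.get(key)
            if prev is not None and prev != rec.get("city"):
                changes.append(f"{rec['entity_id']}: {prev} -> {rec.get('city')} at {rec['timestamp']}")
            last_city[key] = rec.get("city")
    return accepted, rejected, changes
```

Feeding the real export into `ingest` in place of `SAMPLE_EXPORT` lets a SIEM pipeline drop malformed records before indexing and surface location changes between the 12-hourly location updates.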