Are you responsible for securing your company’s datacenters, networks, and data?

There is no doubt that cyber attacks and cyber espionage incidents are on the rise. PewResearch reports that most security professionals believe the following:

“By 2025, a major cyber attack will have caused widespread harm to a nation’s security and capacity to defend itself and its people (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)”

Here are a couple of additional security facts:

Great news! Citrix Octoblu can automate workflows involving both Splunk and Citrix NetScaler. At SplunkConf 2015, Splunk announced that their new Action Alert framework now supports Octoblu triggers. (read more…)

Splunk has a premium solution called Enterprise Security (ES) which has many built in detections. @JasonConger from Splunk provided us with several common ES use cases below:

  • Superman use case – this use case detects when a login happens at 2 or more geographically dispersed places within a short amount of time. For example, if a user is logging in from both Arizona and Hong Kong within 5 minutes, that is physically impossible unless you are Superman. Granted, you could technically have a legit proxy login from both places, but that is still suspicious. If you know that this user normally logs in from Arizona (based on past usage or profile data), Splunk could kick off an Octoblu workflow automation to block the Hong Kong IP address on a Citrix Netscaler.
  • Edward Snowden use case – this one detects when a user starts downloading/exporting a lot of data out of the norm. This one could be tied to ShareFile as well. Let’s say a user normally views and/or downloads 100 documents per week. All of a sudden, this user is viewing and/or downloading 800 documents this week. That is suspicious and Splunk could kick off another Octoblu workflow automation to manipulate his ShareFile account.
  • Brute force use case – this one detects a high number of failed logins in a short amount of time. Once again, Splunk could kickoff an Octoblu workflow automation to disable this account in Active Directory or Citrix Storefront.

Using the techniques above, Splunk detects a cyber threat on your network in realtime and kicks off an Octoblu workflow automation that takes the following actions:

  • block a port or IP address on your NetScaler(s)
  • send an SMS notification to your SOC (Security Operations Center) team
  • turn on a siren for 30 seconds in your datacenter to get attention
  • open a trouble ticket for further analysis
  • chromecast the information about the attack to monitors in your SOC and datacenter

What if we told you that you could automate these processes in three easy steps without programming? With Citrix Octoblu, you can today and we’ll show you how!

Step 1: Follow Splunk’s examples to detect a cyber attack using Enterprise Security or your own saved queries.



Step 2: Add a Splunk Action Alert setting to “trigger” an Octoblu flow when saved query results are met.



Step 3: Create an Octoblu workflow automation that updates NetScaler, ticketing systems, chromecasts, sends SMS messages, and starts/stops a siren plugged into a Belkin Wemo smart outlet.

Screen Shot 2015-11-18 at 4.15.58 PM

Citrix and Splunk are helping you take cyber attack detection, prevention, and reaction to an all new level!

Stay tuned for more posts demonstrating how Citrix Octoblu can automate more workflows involving XenApp, XenDesktop, XenMobile, ShareFile and NetScaler! In the mean time, please feel free to signup for Octoblu services and start automating your business processes today!