This blog post was co-authored by Abhinava Sharma, Principal Product Manager at Citrix.

With the growth of remote work and cloud services, more employees, partners, and vendors than ever are accessing critical enterprise data and services across the globe from various endpoints (managed and unmanaged). That can expose organizations to risk from internal and external threats.

To secure critical infrastructure, organizations are deploying myriad solutions to protect, monitor, and gain deeper visibility into how data are accessed and to assess user behavior. Security operations (SecOps) teams are also deploying tools for information aggregation; correlation with artificial intelligence and machine learning (analytics); security information event management (SIEM); and orchestration and automation of remediation actions (SOAR).

With Citrix Analytics for Security, we focus on aggregating events for Citrix infrastructure and on generating risk insights. Through machine learning (ML) and artificial intelligence (AI), Citrix Analytics for Security learns how end users interact with apps, files, and devices. These tools help IT and SecOps teams detect risky behavior without requiring an endless review of log files by a member of the security team. In addition to visibility into risks, Citrix also offers policy automation for remediation.

Challenges for Security Operations

We identified two key pain points we needed to solve to help make managing security operations easier:

  • The “two-console challenge.” Threat analysts already leverage SIEMs such as Microsoft Sentinel for correlation and aggregation of company data across products. Citrix Analytics provides great value with AI/ML-based insights, but it becomes yet another tool teams must use to analyze the information.
  • SecOps admins must work to understand data from a variety of Citrix products and the various integration methods to get the data into Microsoft Sentinel.

To solve these challenges, we worked with Microsoft to develop a Citrix solution with risk insights workbooks and a data connector. This simplifies threat hunting and enables SecOps to correlate Citrix data with the broader infrastructure data flowing into Microsoft Sentinel.

Let’s look closer at how you can integrate Citrix Analytics with your Microsoft Sentinel instance.

Integrating Citrix Analytics for Security with Microsoft Sentinel: An Overview

Microsoft Sentinel Integration – High Level Architecture

The architecture for our SIEM integration is simple. We have a northbound Kafka cluster with topics that are accessible externally. We use SASL authentication with a username and password for customers to connect to their topic. The Kafka cluster is multi-tenanted with a tenant-specific topic. The LogStash server consumes the data from the topic and pushes it to the Microsoft Sentinel workspace.

Citrix Analytics Security Configuration User Experience

We enhanced our Citrix Analytics for Security configuration to enable users to select Microsoft Sentinel and download the custom configuration and trust (jks or pem) files that are required for the integration. Please note that we currently support one SIEM integration at a time. If you have multiple SIEMs integrating with a single account, then you might see inconsistencies in the data.

LogStash as a “Broker”

The new approach uses LogStash as a broker between Citrix Analytics and Microsoft Sentinel. The customer must install LogStash on a machine of their choice, either in the cloud or on premises. A LogStash config file facilitates the connection to Citrix Analytics as the input and Microsoft Sentinel as the output. We have made it easy for the customer by providing the ability to download a custom config file tailored for the customer directly from our UI. The is also the case for the trust (jks) file that is used for authentication purposes.

LogStash Config File

In the config file that’s downloaded from our UI, you’ll see the following placeholders that need to be replaced with values specific to your environment:

  • sasl_jaas_config => …………. password='<your password>’

This is the password that you set in the SIEM Configuration UI.

  • ssl_truststore_location => “/etc/logstash/ssl/kafka.client.truststore.jks”

Please make sure to point to the right directory where the jks file is placed.

  • workspace_id => “<your Azure Log analytics Workspace ID>”
  • workspace_key => “<your Shared Key>”

You can get the workspace id and workspace key from the Citrix Analytics (Security) Data Connector UI in Azure Sentinel. Make sure to replace all five instances of the above placeholder in the config file.

Running LogStash

You can run LogStash on Windows or Linux, and you can find installation instructions here. Microsoft provides a Microsoft Sentinel plugin for LogStash. Follow the instructions here to install it. LogStash should run on a dedicated machine so other services do not affect its performance. Please note that, as of this writing, the Microsoft Sentinel plugin works with LogStash versions 7.0 to 7.9.

We recommend that you run it from a command line, which will help you troubleshoot any connectivity issues related to Citrix Analytics or Microsoft Sentinel. Here are the command-line examples:

In Windows:

c:\logstash-7.9.0\bin\logstash.bat -f CAS_AzureSentinel_LogStashConfig.conf

In Linux:

sudo /usr/share/logstash/bin/logstash -f CAS_AzureSentinel_LogStash_Config.conf

In the console, if you can see messages as highlighted below, then your configuration is correct. You can verify that the data was populated in the Custom Log tables in the Azure Workspace by querying the tables from the Logs section in the Azure Workspace.

Once you’ve confirmed that the configuration is correct, run LogStash using the Task Scheduler in Windows using the instructions here or as a service in Linux using the instructions here.

The Microsoft Sentinel Experience

Our integration with Microsoft Sentinel involves a data connector, a set of four custom log tables, and a workbook. Let’s look at each:

Data Connector: This provides information on how to integrate with Citrix Analytics. The two key pieces of information here are the Workspace ID and the Primary Key, which are required in the LogStash config file.

Custom Log Tables: These tables store the data we send to Microsoft Sentinel and drive the visualization in the workbook. These custom log tables are created automatically when LogStash posts data to the Microsoft Sentinel Workspace. If you see the four tables shown in the screenshot below, you’re off to a good start.

Citrix Analytics Workbook: This workbook provides a visual representation of the data sent to Microsoft Sentinel. It’s a “starting point” for customers, and you can extend it to meet your needs.

Get Started Today

Citrix Analytics for Security and Microsoft Sentinel together provide the perfect solution if you’re using Microsoft Sentinel with products from other security vendors to manage threat-hunting activities and if you’re operating advanced SecOps or incident response teams. You can seamlessly aggregate and correlate data from other vendors with data from Citrix Analytics for Security to get a 360-degree view of your organization’s security posture.

This integration is a great step forward for the Citrix and Microsoft security/infrastructure ecosystem and will deliver value for our mutual customers who use Microsoft Sentinel as their SIEM of choice. Learn more in our Citrix Analytics for Security product documentation. And try it today! If you’re not already a customer, you can sign up for a trial at analytics.cloud.com.