Citrix Analytics¶
About¶
Citrix analytics solutions allow organizations to detect and deflect potential threats, and to quickly address performance issues—long before security incidents occur or employees begin to submit help desk tickets.
Product Details¶
Vendor URL: Citrix Analytics
Product Type: Security Audit
Product Tier: Tier II
Integration Method: API
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: CITRIX_ANALYTICS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| launch_type | additional.fields |
| Citrix | metadata.vendor_name |
| Analytics | metadata.product_name |
| product | metadata.product_version |
| event_id | metadata.product_log_id |
| occurrence_event_type | metadata.product_event_type |
| event_type | metadata.product_event_type |
| server_name | intermediary.hostname |
| city | principal.location.city |
| country | principal.location.country_or_region |
| latitude | principal.location.region_latitude |
| longitude | principal.location.region_longitude |
| session_user_name | principal.user.userid |
| user_samaccountname | principal.user.userid |
| user_samaccountname | principal.administrative_domain |
| client_ip | principal.ip |
| os_name | principal.platform |
| os_name | principal.platform_version |
| os | principal.platform_version |
| os_version | principal.platform_patch_level |
| receiver_type | principal.application |
| app_name | target.application |
| app | target.application |
| domain | target.administrative_domain |
| session_domain | target.administrative_domain |
| device | target.hostname |
| cur_riskscore | security_result.severity_details |
| indicator_category | security_result.category_details |
| occurrence_details.type | security_result.category_details |
| severity | security_result.severity |
| indicator_id | security_result.threat_id |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| occurrence_event_type = "Session.End" | USER_RESOURCE_DELETION |
| occurrence_event_type = "App.Start" | USER_RESOURCE_ACCESS |
| occurrence_event_type = "App.End"" | USER_RESOURCE_DELETION |
| occurrence_event_type = "Account.Logon" | USER_LOGIN |
| event_type = "userProfileRiskscore" | USER_UNCATEGORIZED |
| event_type = "indicatorSummary" | USER_UNCATEGORIZED |
| all others | GENERIC_EVENT |
Log Sample¶
{
"event_type": "datasourceCVADEventDetails",
"tenant_id": "tenatid",
"entity_id": "john.doe@domain.com",
"entity_type": "user",
"timestamp": "2023-03-13T17:28:50.000Z",
"version": 1,
"event_id": "aabbccdd-936c-4377-bf9c-aa3356ea2b50",
"occurrence_event_type": "App.Start",
"product": "Citrix Virtual Apps and Desktops",
"client_ip": "10.10.0.1",
"session_user_name": "john.doe@domain.com",
"city": "Kansas City",
"country": "United States",
"app_name": "NA",
"product_version": "22.10.5.14",
"device_id": "hostname1",
"launch_type": "App",
"domain": "domain",
"server_name": "hostname2",
"os_name": "Windows 10 Enterprise",
"os_version": "2009",
"os_extra_info": "19044"
}
Sample Parsing¶
metadata.product_log_id = "aabbccdd-936c-4377-bf9c-aa3356ea2b50"
metadata.event_type = "USER_RESOURCE_ACCESS"
metadata.vendor_name = "Citrix"
metadata.product_name = "Analytics"
metadata.product_version = "Citrix Virtual Apps and Desktops"
metadata.product_event_type = "App.Start"
additional.fields["entity_typ"] = "user"
additional.fields["launch_type"] = "App"
principal.hostname = "hostname1"
principal.user.userid = "john.doe@domain.com"
principal.platform = "WINDOWS"
principal.ip = "10.10.0.1"
principal.platform_version = "Windows 10 Enterprise"
principal.platform_patch_level = "2009"
principal.location.city = "Kansas City"
principal.location.country_or_region = "United States"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.10.0.1"
target.administrative_domain = "domain"
target.application = "NA"
intermediary.hostname = "hostname2"
Rules¶
Coming Soon