Citrix cloud lets you export events out to Splunk so that you can correlate data from your Citrix environment and get a trail as well as greater insights into your organization’s security posture. This happens with two items that are available for you to try, one being the System Log and the other Analytics events. In this article I will go through what both are and how we go about setting them up. As we bring more events to the table and enhance these services I will follow up with an update to this blog.
System Log for the Citrix Cloud
System logging allows admins to have a record of configuration or system changes in their Citrix Cloud tenant.
In a nutshell these are the events that are captured today:
- Administrator invites and acceptance events.
- Changes in administrator permissions.
- Deletion of administrators.
- Secure client creation and deletions.
Below we will install the Citrix System Log forwarder app to allow you to set up the connection between Citrix Cloud, taking the System Logs and handing them off into your Splunk instance.
Specifically Citrix Analytics for Security is what we are talking about here and sending events from data sources consumed by Security Analytics to your Splunk Instance. If you are thinking what about my performace cvad events then you will have to wait a little longer.
The app enables you to merge all your data sources together, helping you gain better insights. It gives SOC teams the ability to cross reference with other logging so as that security risk can be quickly resolved. You can hold onto your logs in your Splunk instance and have a reference back further than what Citrix Cloud will allow as well as having nice dashboards like we see in security analytics now in Splunk. This can visually make it easier in Splunk beyond all the data to see where the issues are coming from. Lastly you can create your own custom views to meet your specific needs.
- Risk score change
- Risk indicator summary
- User risk score
- User apps
- User device
- User location
- Data usage
More details on the schema of the processed data, see the following: https://docs.citrix.com/en-us/security-analytics/siem-messages-schema.html
Citrix Analytics Splunk Config
Ensure that the endpoints are in the allow list in your network. You can find the latest brokers to whitelist against for CAS within the Splunk data source in the CAS UI. This is an example of what mine looks like below:
Alternatively we have this doc: https://docs.citrix.com/en-us/citrix-analytics/citrix-analytics.pdf That lists the brokers for both EU and US, this may not get updated so stick to the CAS UI when configuring Splunk.
In my lab I got a Splunk Dev license and it lasts 6 months: https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html
Creating your Spunk Instance
I Installed Splunk in Azure and created a Linux ubuntu image as seen below:
This is not a how to setup Linux blog so I followed the steps here to install Splunk: https://www.bitsioinc.com/tutorials/install-splunk-linux/
When this is done open a browser and access your Splunk instance on the default port 8000
Preparing Analytics and Installing the AddOn
In Citrix Cloud, navigate to Analytics > Security > Settings > Data Sources > SIEM/Splunk > Configure
Once in we see a screen like this where we see a username and password. Go ahead and reset the password to something of your choosing, we will need this for Splunk shortly when configuring the application.
Then if you like you can download the file or leave this page open and copy over the details when we get to Splunk.
Head over here now to https://www.citrix.com/downloads/citrix-cloud/product-software/citrix-analytics-add-on-for-splunk.html?_ga=2.66344550.931582213.1635238464-2025369988.1629802344 to download the add on for Splunk
Over to your Splunk instance and choose to install the app from file and upload as seen below:
Now that the app in installed we need to configure it with the details provided by Citrix Analytics for Security, this is the page I mentioned to keep open. Let’s head over to Settings and data inputs and you should see like below the analytics add on. Create a new input:
Enter the details from security analytics and then save like mine below:
Once done head back to Citrix Security Analytics and check the data sources, make sure the Splunk/SIEM source is consuming events and green like the below:
Try searching for events with:
If you don’t see anything immediately that’s ok, note that some events can take up to 12 hours to process:
- Risk score change – The change in a user’s risk score. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
- Risk indicator summary – All risk indicators associated with a user.
- User risk score – Current risk score of a user. Citrix Analytics for Security sends this data to Splunk every 12 hours.
- User apps – Applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to Splunk every 12 hours.
- User device – Devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to Splunk every 12 hours.
- User location – The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration and Citrix Virtual Apps and Desktops. This data is sent to Splunk every 12 hours.
- Data usage– Data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to Splunk every 12 hours.
When you do have events in there you should see this:
To further add to the above we recently release a new app into Splunkbase that will visualise all the data above from Citrix Analytics for Security into very nice and easy to use dashboards.
On your Splunk server look for new apps in Splunkbase and this time look for “Citrix Analytics App for Splunk”. Direct URL here: https://apps.splunk.com/app/5696/
Login and download then in the Apps section in Splunk choose to install from file and upload:
Once done the app prompts you to set it up, enter the Index and source type of where the data from Citrix Analytics for Security is stored. This was configured previously when we set up the add-on for Splunk in the first part of this install above. If you left all the defaults then it will be the same as mine below. Click on Finish App Setup:
Now back to Splunk home and you should see your new Splunk app:
Clicking through we now see some really nice dashboard for further threat hunting and correlation of events:
Individual dashboards give even more details about what’s happening in your Citrix environment and make it easier for security operations to gain deeper insights and remediate risks quickly.
System Log Configuration
On your Splunk instance home page click on more apps and search for Citrix System Log and click to download:
The direct link is here: https://splunkbase.splunk.com/app/5496/
The next window appears to download the application:
Accept the terms and download the file:
To install apps and add-ons from within Splunk Enterprise
- Log into Splunk Enterprise.
- On the Apps menu, click Manage Apps.
- Click Install app from file.
- In the Upload app window, click Choose File.
- Locate the .tar.gz file you just downloaded, and then click Open or Choose.
- Click Upload.
- Click Restart Splunk, and then confirm that you want to restart.
To install apps and add-ons directly into Splunk Enterprise
- Put the downloaded file in the $SPLUNK_HOME/etc/apps directory.
- Ungzip your app or add-on, using a tool like tar -xvf (on *nix) or WinZip (on Windows).
- Restart Splunk.
After you install a Splunk app, you will find it on Splunk Home.
Now its time to create a secure client in Citrix Cloud so that we can authrise events to send to our Splunk app we just created. From https://citrix.cloud.com login and from the menu select , Identity and Access Management > API Access.
Give your secure client a name like below I choose SysLog and click on Create Client.
We now are have an id and secret as well as the customer id above so we know what tenant we are sending the events from. Download this secure client to a secure location and have it ready for the next steps.
Now back to your Splunk tenant and click on the home screen, the app we installed so we can configure it.
Navigate to configuration and then Add-On Settings and enter the three items I mentioned above. The secure client we created has our Client ID, the Secret and the API access page had our customer id. Enter all three here and save your config.
Nearly there now. Next we need to create an index and an input for the System Logging data as its not created automatically when we install the app.
Head over to Settings in the top right and click indexes:
Lets create a new index:
Give it a name as highlighted here and hit save, the rest of the information as seen on screen will populate:
Lastly we need to create a new input for the data by clicking back to the home page and going into the system log app once more. Go to inputs and create a new input:
Give it a name, suggested start date, interval and the index we just created and you can select Add:
Next thing to do is to do one of the events I mentioned in the introduction to this blog and see it surface in Splunk.
Below I created a new secure client and you can see all the details around this: