What Changed

A new Microsoft Sentinel solution for Citrix Analytics has been added. It provides a CCF push connector that ingests Citrix Analytics data (SPA, Security) via the Azure Monitor Logs Ingestion API.

Data Source

The connector ingests security analytics data from Citrix Analytics, including:

  • SPA (Security Performance Analytics) Events
  • CVAD (Citrix Virtual Apps and Desktops) Events
  • Risk Score Changes
  • Indicator Event Details and Summaries
  • User Profile data

Ingestion Mechanism

The connector is a push-based CCF connector that uses the Azure Monitor Logs Ingestion API with DCR-based data transformation. It creates six custom log tables:

  • Custom-CitrixAnalytics_SPA_Events_V1_CL
  • Custom-CitrixAnalytics_CVAD_Events_V1_CL
  • Custom-CitrixAnalytics_indicatorSummary_V1_CL
  • Custom-CitrixAnalytics_indicatorEventDetails_V1_CL
  • Custom-CitrixAnalytics_riskScoreChange_V1_CL
  • Custom-CitrixAnalytics_userProfile_V1_CL
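
The following added example, which is not part of this solution's own code, shows how a sender addresses one of the six names listed above as a Logs Ingestion API stream and splits records into JSON-array request bodies that stay under a per-call size cap. The endpoint host, the DCR immutable ID, the bearer token, the 1 MB cap value and the record fields are assumptions or constructed placeholders, not values from the solution.

```python
import json
from urllib.parse import quote

# Stream names exactly as listed on this page.
STREAMS = {
    "Custom-CitrixAnalytics_SPA_Events_V1_CL",
    "Custom-CitrixAnalytics_CVAD_Events_V1_CL",
    "Custom-CitrixAnalytics_indicatorSummary_V1_CL",
    "Custom-CitrixAnalytics_indicatorEventDetails_V1_CL",
    "Custom-CitrixAnalytics_riskScoreChange_V1_CL",
    "Custom-CitrixAnalytics_userProfile_V1_CL",
}
API_VERSION = "2023-01-01"      # Logs Ingestion API version
MAX_BODY_BYTES = 1_000_000      # assumed per-call size cap
# Constructed sample record; field names are hypothetical, not the solution's schema.
SAMPLE = [{"TimeGenerated": "2024-01-01T00:00:00Z", "user": "user1@example.com", "riskScore": 42}]


def upload_url(endpoint, dcr_immutable_id, stream):
    """Build the upload URL, refusing any stream name not in the known set."""
    if stream not in STREAMS:
        raise ValueError(f"unknown stream: {stream}")
    base = f"{endpoint.rstrip('/')}/dataCollectionRules/{quote(dcr_immutable_id, safe='')}"
    return f"{base}/streams/{quote(stream, safe='')}?api-version={API_VERSION}"


def batches(records, max_bytes=MAX_BODY_BYTES):
    """Split records into JSON-array bodies, each at most max_bytes long."""
    out, current, size = [], [], 2          # 2 bytes for "[" and "]"
    for rec in records:
        enc = json.dumps(rec, separators=(",", ":")).encode()
        if len(enc) + 2 > max_bytes:
            raise ValueError("single record exceeds the per-call size cap")
        extra = len(enc) + (1 if current else 0)   # comma between items
        if size + extra > max_bytes:
            out.append(b"[" + b",".join(current) + b"]")
            current, size, extra = [], 2, len(enc)
        current.append(enc)
        size += extra
    if current:
        out.append(b"[" + b",".join(current) + b"]")
    return out


def build_requests(endpoint, dcr_immutable_id, stream, records, token):
    """Return (url, headers, body) tuples ready to POST; no network call is made."""
    url = upload_url(endpoint, dcr_immutable_id, stream)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return [(url, headers, body) for body in batches(records)]
```

Rejecting unknown stream names before sending keeps a misconfigured sender from silently posting to a stream the DCR does not declare.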

Detection Surface Unlocked

With this connector, security teams gain visibility into:

  • Citrix Virtual Apps and Desktops access patterns and security events
  • User risk score changes and security analytics indicators
  • Clipboard operations, file downloads, and session monitoring
  • Identity-based authentication and access events
  • Device posture and endpoint information for virtual desktop sessions

The solution includes a comprehensive workbook for visualizing Citrix Analytics data across these security domains.

Affected Files

Logos/citrix_logo.svg
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_DCR.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_Definition.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_dataConnector.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableCVADEvents.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableIndicatorEventDetails.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableIndicatorSummary.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableRiskScoreChange.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableSPAEvents.json
Solutions/Citrix Analytics CCF/Data Connectors/CitrixAnalytics_CCF/CitrixAnalytics_tableUserProfile.json
Solutions/Citrix Analytics CCF/Package/testParameters.json
Solutions/Citrix Analytics CCF/Workbooks/CitrixAnalytics.json
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack1.png
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack2.png
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsBlack3.png
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite1.png
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite2.png
Solutions/Citrix Analytics CCF/Workbooks/Images/Preview/CitrixAnalyticsWhite3.png
Workbooks/Images/Preview/CitrixAnalyticsBlack1.png
Workbooks/Images/Preview/CitrixAnalyticsBlack2.png
Workbooks/Images/Preview/CitrixAnalyticsBlack3.png
Workbooks/Images/Preview/CitrixAnalyticsWhite1.png
Workbooks/Images/Preview/CitrixAnalyticsWhite2.png
Workbooks/Images/Preview/CitrixAnalyticsWhite3.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CitrixAnalytics.json, createUiDefinition.json, mainTemplate.json)