Monitor Netscaler Changes with Azure Sentinel

I have been working on replacing my company's current SIEM with Azure Sentinel, and one of the items I wanted to see if I could replicate is a report on Citrix Netscaler configuration changes.

Azure Sentinel uses KQL (Kusto Query Language), which I do like, but at the time I was just learning the query syntax, so it took me much longer than it should have. Part of the issue is that the syslog information from the Netscaler is not broken into individual fields when it is sent to Azure Sentinel, so you have to massage the data to get the information you need. Listed below is the query I wrote; I break it down afterwards.

Syslog
// keep only command-execution audit events
| where SyslogMessage contains "UI CMD_EXECUTED"
// keep only the verbs that modify configuration
| where SyslogMessage contains "add" or SyslogMessage contains "bind" or SyslogMessage contains "unbind" or SyslogMessage contains "save" or SyslogMessage contains "set" or SyslogMessage contains "update"
// each field runs up to the next " -" separator, so the capture group must be non-greedy (.*?)
| extend User = extract("User (.*?) -", 1, SyslogMessage)
| extend Command = extract("Command (.*?) -", 1, SyslogMessage)
| extend AdminIP = extract("Remote_ip (.*?) -", 1, SyslogMessage)
// split() with an index returns a single-element dynamic array; Status is not projected below
| extend Status = split(SyslogMessage, "-", 9)
| project TimeGenerated, User, Command, AdminIP, HostName

All Netscaler data is stored in Azure Sentinel's Syslog table, so you need to specify that table first by typing Syslog.

Next you want to filter for only the syslog messages that relate to admin changes. The two where clauses below narrow the syslog data to UI CMD_EXECUTED events and then keep only those that mention add, bind, unbind, save, set or update. Note that contains is a substring match, so a command such as "show" is dropped while anything containing one of those verbs is kept.

| where SyslogMessage contains "UI CMD_EXECUTED"
| where SyslogMessage contains "add" or SyslogMessage contains "bind" or SyslogMessage contains "unbind" or SyslogMessage contains "save" or SyslogMessage contains "set" or SyslogMessage contains "update"

This section of the query extracts data from a field that is not structured. It grabs the TimeGenerated timestamp, the user who performed the change, the Command that was run, the IP address the admin came from, and the HostName of the Netscaler that was modified. Each extract() uses a non-greedy capture (.*?) that stops at the " -" separator between fields; a single optional character (.?) would return only the first letter of the value.

| extend User = extract("User (.*?) -", 1, SyslogMessage)
| extend Command = extract("Command (.*?) -", 1, SyslogMessage)
| extend AdminIP = extract("Remote_ip (.*?) -", 1, SyslogMessage)
| extend Status = split(SyslogMessage, "-", 9)
| project TimeGenerated, User, Command, AdminIP, HostName
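As an added check that is not part of the original post, the same filter and extract logic in Python, run over constructed sample Syslog rows, so the regexes can be validated offline before the query is pasted into Sentinel. The sample messages, host names and addresses are constructed; the "User ... - Remote_ip ... - Command ... - Status ..." layout is assumed from the patterns the query matches.

```python
import re

# Constructed sample rows mimicking the Sentinel Syslog table (not real device output).
SAMPLE_ROWS = [
    {"TimeGenerated": "2020-01-15T10:20:30Z", "HostName": "ns01",
     "SyslogMessage": 'default GUI CMD_EXECUTED 101 0 :  User nsroot - Remote_ip 10.10.1.5 '
                      '- Command "add lb vserver web_vs HTTP 10.10.2.20 80" - Status "Success"'},
    {"TimeGenerated": "2020-01-15T10:21:00Z", "HostName": "ns01",
     "SyslogMessage": 'default GUI CMD_EXECUTED 102 0 :  User auditor - Remote_ip 10.10.1.7 '
                      '- Command "show lb vserver" - Status "Success"'},
    {"TimeGenerated": "2020-01-15T10:22:00Z", "HostName": "ns02",
     "SyslogMessage": 'default GUI CMD_EXECUTED 103 0 :  User tbj - Remote_ip 10.10.1.9 '
                      '- Command "save ns config" - Status "Success"'},
    {"TimeGenerated": "2020-01-15T10:23:00Z", "HostName": "ns02",
     "SyslogMessage": 'default TCP CONN_TERMINATE 104 0 : Source 10.10.3.4:51000 - Destination 10.10.2.20:80'},
]

CHANGE_VERBS = ("add", "bind", "unbind", "save", "set", "update")

# Same patterns as the KQL extract() calls; (.*?) stops at the first " -" separator.
FIELD_PATTERNS = {
    "User": re.compile(r"User (.*?) -"),
    "Command": re.compile(r"Command (.*?) -"),
    "AdminIP": re.compile(r"Remote_ip (.*?) -"),
}

def is_change_event(msg):
    """Mirror the two `where` clauses. KQL `contains` is a case-insensitive substring match."""
    lowered = msg.lower()
    return "ui cmd_executed" in lowered and any(v in lowered for v in CHANGE_VERBS)

def extract_fields(msg):
    """Mirror `extend X = extract(pattern, 1, SyslogMessage)`; None when the pattern misses."""
    fields = {}
    for name, pat in FIELD_PATTERNS.items():
        m = pat.search(msg)
        fields[name] = m.group(1) if m else None
    return fields

def run_query(rows):
    """Filter, extract, then keep the columns the KQL `project` keeps."""
    out = []
    for row in rows:
        msg = row["SyslogMessage"]
        if not is_change_event(msg):
            continue
        out.append({"TimeGenerated": row["TimeGenerated"], **extract_fields(msg), "HostName": row["HostName"]})
    return out
```

The extracted Command keeps the surrounding double quotes, exactly as the KQL extract() does; trim them in the query if you want the bare command text.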

This is something I thought I would share with others, as I did not find an example on the Internet and it was time I gave something back to the Azure Sentinel community. I did not write up how to set up Azure Sentinel or how to set up the syslog forwarder; that has been covered already in numerous blogs.

I hope this helps someone who is looking to implement this in Azure Sentinel.

TBJ Consulting