SIEM integration

The Secure Private Access plug-in supports integration with Security Information and Event Management (SIEM) services. Security events are written in real time to the Windows Event Log (Event Viewer\Applications and Services Logs\Citrix Access Security), where third-party tools can collect and analyze them.

The following table lists the Secure Private Access plug-in security events:

| Event ID | Summary | Description | Source |
|---|---|---|---|
| 4624 | An account was successfully logged on | Event created when Secure Private Access administrator logged in to Secure Private Access admin console | Citrix Access Security Admin service |
| 4625 | An account failed to log on | Event created when Secure Private Access administrator failed to log in to Secure Private Access admin console | Citrix Access Security Admin service |
| 4634 | An account was logged off | Event created when Secure Private Access administrator logged off from Secure Private Access admin console | Citrix Access Security admin service |
| 4720 | A user account was created | Event created when new Secure Private Access administrator added | Citrix Access Security admin service |
| 4738 | A user account was changed | Event created when new Secure Private Access administrator updated | Citrix Access Security admin service |
| 4726 | A user account was deleted | Event created when new Secure Private Access administrator removed | Citrix Access Security admin service |
| 8001 | User secure access session | Event created when user session initiated or terminated on endpoint. Contains user, session, and device details, and the internal and external domains visited during the session | Citrix Access Security admin service |
| 8002 | User access authorization request | Event created when Secure Private Access plug-in authorizes access to resource. Contains resource FQDN and authorization decision | Citrix Access Security admin service |
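
The following PowerShell sketch is an added example, not part of the Citrix documentation. It pulls the event IDs from the table out of the log, writes them as JSON lines for a SIEM forwarder, and flags hours with repeated failed admin console logons. The channel name (taken from the Event Viewer path above), the output path, and the threshold are assumptions.

```powershell
# Added example. Assumption: the channel name matches the Event Viewer folder name.
$LogName   = 'Citrix Access Security'
$Since     = (Get-Date).AddHours(-24)
$Threshold = 5                       # constructed value: failed admin logons per hour
$OutFile   = '.\spa-events.jsonl'    # hypothetical output path for a SIEM forwarder

# Event IDs from the table above, mapped to short categories for SIEM rules.
$EventMap = @{
    4624 = 'admin-logon';   4625 = 'admin-logon-failed'; 4634 = 'admin-logoff'
    4720 = 'admin-created'; 4738 = 'admin-changed';      4726 = 'admin-deleted'
    8001 = 'user-session';  8002 = 'access-authorization'
}

try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = @($EventMap.Keys); StartTime = $Since
    } -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Normalize to one JSON object per line with UTC timestamps.
$events | ForEach-Object {
    [pscustomobject]@{
        time     = $_.TimeCreated.ToUniversalTime().ToString('o')
        event_id = $_.Id
        category = $EventMap[$_.Id]
        source   = $_.ProviderName
        host     = $_.MachineName
        message  = $_.Message
    } | ConvertTo-Json -Compress
} | Set-Content -Path $OutFile -Encoding UTF8

# Hours in which failed admin console logons (4625) reached the threshold.
$events | Where-Object Id -eq 4625 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object Count -ge $Threshold |
    Select-Object @{n='Hour';e={$_.Name}}, @{n='FailedLogons';e={$_.Count}}

# Administrator account changes (4720, 4738, 4726) for manual review.
$events | Where-Object { $_.Id -in 4720, 4738, 4726 } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{n='Category';e={$EventMap[$_.Id]}}, Message
```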
