Issue: Configuring the "Citrix ADC" Data Connector
We followed the guide on configuring the Sentinel Data connector for "Citrix ADC" using this article: https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/citrix-adc-former-netscaler
However, when we ran the KQL function "CitrixADCEvent", we got no results.
To troubleshoot, we checked the syslog and confirmed that the Citrix ADC server was indeed sending telemetry data. Reviewing the function code, we discovered that it relies on a watchlist named "Sources_by_SourceType". The article does mention this, but we had initially overlooked it and added the watchlist entries in the wrong format.
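A quick way to confirm this failure mode, as an added example that is not from the original post or the Microsoft article: compare the hosts actually delivering syslog with the Source values the watchlist holds under the CitrixADC source type, so a mismatch shows up before running CitrixADCEvent. It assumes the watchlist uses the SourceType column as its search key with the value CitrixADC and a Source column holding the sending hostname, which is the layout the ASIM source-specific parsers expect; adjust the names if your watchlist differs.

```kql
// Sources registered in the watchlist for Citrix ADC.
// Assumption: SearchKey is the SourceType column and 'Source' holds the hostname.
let WatchlistSources = _GetWatchlist('Sources_by_SourceType')
    | where SearchKey == 'CitrixADC'
    | extend Source = tostring(column_ifexists('Source', ''))
    | where isnotempty(Source)
    | distinct Source;
// Hosts that actually delivered syslog in the last day.
let SyslogSenders = Syslog
    | where TimeGenerated > ago(1d)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by Computer;
// Left-anti join: senders that the watchlist does not list.
// If the Citrix ADC host appears here, CitrixADCEvent will return nothing for it.
SyslogSenders
| join kind=leftanti WatchlistSources on $left.Computer == $right.Source
| project Computer, Events, LastSeen
| order by Events desc
```

If the Citrix ADC host is listed in the output, its Source entry in the watchlist is missing or does not match the Computer value exactly (case and domain suffix included).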
After going through the article again, we created the watchlist in the required format:
Disclaimer
The views expressed in this blog post are solely my own and do not represent those of my employer or any clients. The views and opinions expressed in this blog post are based on references from Microsoft articles. Assistance from ChatGPT was taken in customizing the blog.