Citrix Analytics for Security (Security Analytics)

What is Security Analytics?

Recent studies indicate that online threats have evolved to attack company resources from within. Protecting internal users from an imminent attack is as important as protecting a company’s network resources. Corporations must be able to shield its network resources and apps from any unauthorized or suspicious access.

Users within the company share network resources such as the internet. As a security officer, your objective must be to monitor and identify ‘events’ that are potentially suspicious. The events can also be inconsistent with the requirements or procedures within the company. When a user connects their mobile devices and laptops, monitoring and flagging such events become important so that potential threats can be predicted and downtimes avoided.

Citrix Analytics is an analytics service that allows you to monitor and identify inconsistent or suspicious activities on your networks. It provides actionable insights such as:

  • User behavior

  • Usage based on indicators identified across users, endpoints, network traffic, and files.

The basics


There are three security dashboards where you can view details about user behavior.


  • Users dashboard. Provides visibility into user-behavior patterns across an organization.

  • User access dashboard. Summarizes the number of risky domains accessed and the volume of data uploaded and downloaded by the users in your network.

  • App access dashboard. Summarizes the details of the domains, URLs, and apps accessed by users in your network.

Discovered users

Discovered users are all the users in your organization who are discovered by Citrix Analytics. They may or may not have a risk score associated to their account.

Learn more: Discovered users

Risk score

A risk score is a value that indicates the aggregate level of risk a user poses to the network over a pre-determined monitoring period. This value is dynamic and is based on User Behavior Analytics (UBA) that study and determine patterns of user behavior. These algorithms are applied to analyze anomalies that indicate potential threats. For a defined monitoring period, risk score is an aggregate of the risk indicators that are triggered for a user.

Risk score

Risky users

A risky user is determined by their behavior such as links they visit.

A risky user associated with a risk score can be either of the following types:

  • High risk users. Users who represent immediate threats to the organization.

  • Medium risk users. Users who could have multiple serious violations on their account and must be monitored closely.

  • Low risk users. Users who may have some violations detected on their account.

Learn more: Risky users

Risk indicators

Risk indicators are user activities that look suspicious or can pose a security threat to your organization. Risk indicators span across all Citrix products used in your deployment. The indicators are based on user behavior and are triggered where the user’s behavior deviates from the normal. Risk indicators help in determining the user’s risk score.

Learn more: Risk indicators


A watchlist is a list of users that you want to monitor for potential threats. For example, you can monitor users who aren’t full-time employees within your organization by adding those users to the watchlist and monitor them separately. Or, you can monitor high risk users using a watchlist.

Learn more: Watchlist


You can create policies on Citrix Analytics to help you perform actions on user accounts when unusual or suspicious activities occur. Policies let you automate the process of applying actions such as disable a user, add users to a watchlist, and so on.

Learn more: Policies


Actions help you respond to suspicious events and prevent future anomalous events from occurring. You can take action on user accounts that display unusual or suspicious behavior.

Learn more: Actions

Citrix Analytics for Security (Security Analytics)