Custom risk indicators

The user risk indicators that Citrix Analytics detects by default are based on machine learning algorithms. However, Citrix Analytics allows you to create custom risk indicators. You can define conditions based on the user events and create a custom risk indicator. If the events match the criteria defined while creating a custom risk indicator, Citrix Analytics generates the custom risk indicator and displays it on the user’s risk timeline.

Currently, you can create custom risk indicators for the following data sources:

  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Virtual Apps and Desktops

Custom risk indicator dashboard

The Indicators tab summarizes the total occurrences of every custom risk indicator. It also summarizes the risk indicators’ severity. To view the total occurrences of a custom risk indicator, click the numbered link on the OCCURRENCES column. You are redirected to the Indicator Details page.

Custom indicators

The Indicator Details page summarizes the total occurrences of the custom risk indicator. It also provides details about the time of event, user name, and event details.

Custom indicators

To view the details of the custom risk indicator, select View in the EVENT DETAILS column. You are redirected to the user’s risk timeline. The user risk timeline displays the custom risk indicators generated for a selected time period. Custom risk indicators are represented with a label on the risk timeline.

Custom indicators

Analyzing a custom risk indicator

Consider the user whose action triggered a custom risk indicator that you defined. When this behavior is detected, Citrix Analytics generates a custom risk indicator for the respective user.

When you select the custom risk indicator on the user’s risk timeline, the right pane displays the following information:

  • Defined Condition(s): Shows a summary of the conditions that you define while creating a custom risk indicator.

  • Description: Provides a summary of the description you provide while creating the custom risk indicator. If no description is provided while creating the custom risk indicator, this section reflects None.

  • Trigger Frequency: Displays the option that you select in the Advanced options section while creating the custom risk indicator.

Actions you can apply to the user

Currently, the ability to take appropriate actions on user account that generate custom risk indicators is not available.

Creating a custom risk indicator

  1. Navigate to Settings > Indicators and Policies.

  2. On the Indicators tab, select Create Indicator.

    Custom indicators

  3. Select the data source for which you want to create the custom risk indicator.

  4. Define the conditions from the data set. The Estimated Triggers link is activated in the Advanced options section. By clicking this link, you can predict the approximate instances of the custom risk indicators. The instances are calculated based on the historical data that Citrix Analytics maintains.

    Note

    Ensure to click Estimated Triggers to predict the number of custom risk indicator occurrences for the last defined condition.

  5. From the Advanced options section, select the frequency of the event. When you do not select any option, Citrix Analytics considers Every time: Generate the risk indicator every time the event(s) occur as the default option and generates the custom risk indicator.

  6. Select the severity of the custom risk indicator.

  7. Define the custom risk indicator name in the Indicator Name text box.

  8. In the Description text box, provide a valid description for the custom risk indicator.

  9. At the bottom of the Create Indicator page, you can enable or disable the custom risk indicator as required.

  10. Click Create Indicator.

    Custom indicators

Modifying a custom risk indicator

  1. On the Indicator Details page, select Modify Indicator. Alternatively, when you select the risk indicator name on the custom risk indicator dashboard, you are redirected to the Modify Indicator page.

  2. On the Modify Indicator page, modify the information as required.

  3. Click Save Changes.

Deleting a custom risk indicator

  1. Navigate to Settings > Indicators and Policies.

  2. On the Indicators tab, select the check-box of the custom risk indicator.

  3. Click Delete.

  4. In the dialog, confirm your request to delete the custom risk indicator.