Citrix Access Control risk indicators

Risky website access

Citrix Analytics detects data access threats based on the risky websites accessed by the user and triggers the corresponding risk indicator.

The Risky website access risk indicator is reported when a user in your organization attempts to access malicious, suspicious, or risky websites with high reputation ratings.

When is the risky website access risk indicator triggered?

Access Control supports setting a reputation score for a website, based on whether the URL categorization database has marked it as one of the following:

  • Malicious

  • Potentially dangerous

  • Unknown

  • Normal

For more information, see URL reputation score.

When a user in your organization attempts to access risky websites, Access Control reports these events to Citrix Analytics. Citrix Analytics monitors all these events, and if it identifies that the user has visited at least one website with a reputation score of 3 or 4 (that is, a potentially dangerous site or a malicious site), it increases the risk score for the user. You are notified in the Alerts panel and the Risky website access risk indicator is added to the user’s risk timeline.
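The trigger described above can be reproduced over exported web-access events, for example to cross-check alerts in a SIEM. This is an added example, not Citrix code: the event field names, the sample events, and the mapping of scores 1 and 2 to Normal and Unknown are assumptions.

```python
from collections import defaultdict

# Assumed numeric scale: the page only ties 3 and 4 to "potentially dangerous"
# and "malicious"; mapping 1 and 2 to Normal and Unknown is an assumption.
REPUTATION = {1: "Normal", 2: "Unknown", 3: "Potentially dangerous", 4: "Malicious"}
RISKY_SCORES = {3, 4}

# Constructed sample events; field names are hypothetical, not a Citrix export schema.
EVENTS = [
    {"user": "gkalou", "time": "2024-05-01T09:12:00Z", "website": "intranet.example", "category": "Business", "reputation": 1},
    {"user": "gkalou", "time": "2024-05-01T09:40:00Z", "website": "files.bad.example", "category": "Malware", "reputation": 4},
    {"user": "gkalou", "time": "2024-05-01T09:20:00Z", "website": "promo.odd.example", "category": "Spam", "reputation": "3"},
    {"user": "gkalou", "time": "2024-05-01T09:45:00Z", "website": "files.bad.example", "category": "Malware", "reputation": 4},
    {"user": "amaxwell", "time": "2024-05-01T10:00:00Z", "website": "new.site.example", "category": "Uncategorized", "reputation": 2},
    {"user": "amaxwell", "time": "2024-05-01T10:05:00Z", "website": "broken.example", "category": "Uncategorized", "reputation": None},
]

def normalize_score(value):
    """Return the reputation score as an int, or None if it is missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def risky_website_indicators(events):
    """Return {user: indicator} for every user with at least one visit to a site scored 3 or 4."""
    risky_by_user = defaultdict(list)
    for ev in events:
        score = normalize_score(ev.get("reputation"))
        if score in RISKY_SCORES:
            risky_by_user[ev["user"]].append({**ev, "reputation": score})
    indicators = {}
    for user, risky in risky_by_user.items():
        risky.sort(key=lambda e: e["time"])  # same-format ISO 8601 UTC strings sort chronologically
        indicators[user] = {
            "risky_site_count": len({e["website"] for e in risky}),  # distinct sites, as in WHAT HAPPENED
            "event_details": [  # as in EVENT DETAILS: time, website, category, reputation rating
                (e["time"], e["website"], e["category"], REPUTATION[e["reputation"]])
                for e in risky
            ],
        }
    return indicators

if __name__ == "__main__":
    for user, ind in risky_website_indicators(EVENTS).items():
        print(user, ind["risky_site_count"], ind["event_details"])
```

Events with a missing or unparseable rating are skipped rather than treated as risky, so a user whose only events are Unknown or malformed does not get the indicator.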

How to analyze the risky website access risk indicator?

Consider a user, Georgina Kalou, who attempted to access a risky website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel, and the Risky website access risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Risky website access risk indicator. The reason for the event is displayed along with the details about the events, such as the time of the event, the website, and so on.

To view the Risky website access risk indicator entry for a user, navigate to Security > Users, and select the user.

When you select a Risky website access risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the number of risky websites accessed by the user during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. Also, you can view the following key information about each event:

    • Time. The time the event occurred.

    • Website. The risky website accessed by the user.

    • Category group. The category group that Access Control assigned to the risky website.

    • Category. The category specified by Access Control for the risky website.

    • Reputation rating. The reputation rating returned by Access Control for the risky website. For more information, see URL reputation score.

Attempt to access blacklisted URL

Citrix Analytics detects data access threats based on the blacklisted URLs accessed by the user and triggers the corresponding risk indicator.

The Attempt to access blacklisted URL risk indicator is reported in Citrix Analytics when a user attempts to access a blacklisted URL configured in Access Control.

When is the Attempt to access blacklisted URL risk indicator triggered?

Access Control includes a URL categorization feature that provides policy-based control to restrict access to blacklisted URLs. When a user attempts to access a blacklisted URL, Access Control reports this event to Citrix Analytics. Citrix Analytics updates the user’s risk score and creates a notification in the Alerts panel. Also, it adds an Attempt to access blacklisted URL risk indicator entry to the user’s risk timeline.

How to analyze the Attempt to access blacklisted URL risk indicator?

Consider a user, Georgina Kalou, who accessed a blacklisted URL configured in Access Control. Access Control reports this event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel and the Attempt to access blacklisted URL risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Attempt to access blacklisted URL risk indicator. The reason for the event is displayed along with the details about the events, such as the time of the event, website details, and so on.

To view the Attempt to access blacklisted URL entry for a user, navigate to Security > Users, and select the user.

When you select the Attempt to access blacklisted URL risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the details of the blacklisted URL accessed by the user during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. Also, you can view the following key information about each event:

    • Time. The time the event occurred.

    • Website. The risky website accessed by the user.

    • Category. The category specified by Access Control for the blacklisted URL.

    • Reputation rating. The reputation rating returned by Access Control for the blacklisted URL. For more information, see URL reputation score.

Unusual upload volume

Citrix Analytics detects data access threats based on Unusual upload volume activity and triggers the corresponding risk indicator.

The Unusual upload volume risk indicator is reported when a user uploads an excess volume of data to an application or website.

When is the Unusual upload volume risk indicator triggered?

You can configure Access Control to monitor user activities, such as malicious, dangerous, or unknown websites visited and the bandwidth consumed, and risky downloads and uploads. When a user in your organization uploads data to an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that this user activity is contrary to the user’s usual behavior, it updates the user’s risk score. You are notified in the Alerts panel and the Unusual upload volume risk indicator is added to the user’s risk timeline.

How to analyze the unusual upload volume risk indicator?

Consider a user, Adam Maxwell, who uploaded an excess volume of data to an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Adam Maxwell. You are notified in the Alerts panel and the Unusual upload volume risk indicator is added to Adam Maxwell’s risk timeline.

From Adam Maxwell’s risk timeline, you can select the reported Unusual upload volume risk indicator. The reason for the event is displayed along with the details about the events, such as the time of the event, domain, and so on.

To view the Unusual upload volume risk indicator, navigate to Security > Users, and select the user.

When you select an Unusual upload volume risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the volume of data uploaded during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual data upload events that occurred during the selected time period. Also, you can view the following key information about each event:

    • Time. The time the excessive data was uploaded to an application or a website.

    • Domain. The domain to which the user uploaded the data.

    • Category. The domain category.

    • Upload size. Volume of data uploaded to the domain.

Unusual download volume

Citrix Analytics detects data access threats based on the excessive data downloaded by a user in your network and triggers the corresponding risk indicator.

The Unusual download volume risk indicator is reported when a user in your organization downloads an excess volume of data from an application or website.

When is the unusual download volume risk indicator triggered?

You can configure Access Control to monitor user activities, such as malicious, dangerous, or unknown websites visited and the bandwidth consumed, and risky downloads and uploads. When a user in your organization downloads data from an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that the user activity is contrary to the user’s usual behavior, it updates the user’s risk score. You are notified in the Alerts panel and the Unusual download volume risk indicator is added to the user’s risk timeline.
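Both the Unusual upload volume and Unusual download volume indicators compare activity against the user's own usual behavior; the page does not describe how Citrix Analytics computes that baseline. The following added example (not Citrix code) shows one way to do such a comparison, assuming a per-user median and median-absolute-deviation baseline over daily totals; the field names, thresholds, and sample events are constructed.

```python
from collections import defaultdict
from statistics import median

def daily_totals(events):
    """Sum event sizes into {(user, direction): {day: total_mb}}."""
    totals = defaultdict(lambda: defaultdict(float))
    for ev in events:
        totals[(ev["user"], ev["direction"])][ev["day"]] += ev["size_mb"]
    return totals

def unusual_volume(events, today, k=6.0, min_days=7, floor_mb=50.0):
    """Return [(user, direction, today_mb, threshold_mb)] for volumes far above each user's own baseline.

    Assumed rule: flag when today's total exceeds median + max(k * MAD, floor_mb).
    Users with fewer than min_days of history are skipped: there is no "usual" yet.
    """
    findings = []
    for (user, direction), days in sorted(daily_totals(events).items()):
        history = [mb for day, mb in days.items() if day < today]
        if len(history) < min_days or today not in days:
            continue
        base = median(history)
        mad = median(abs(mb - base) for mb in history)
        threshold = base + max(k * mad, floor_mb)  # floor avoids alerts on very steady users
        if days[today] > threshold:
            findings.append((user, direction, days[today], threshold))
    return findings

def sample_events():
    """Constructed sample: eight days of history plus day 9 ("today") for two users."""
    events = []
    for day, mb in enumerate([120, 95, 130, 110, 105, 90, 125, 115], start=1):
        events.append({"user": "amaxwell", "direction": "upload", "day": day, "domain": "storage.example", "size_mb": mb})
        events.append({"user": "gkalou", "direction": "download", "day": day, "domain": "apps.example", "size_mb": mb * 2})
    events += [
        {"user": "amaxwell", "direction": "upload", "day": 9, "domain": "paste.example", "size_mb": 1500.0},
        {"user": "amaxwell", "direction": "upload", "day": 9, "domain": "paste.example", "size_mb": 900.0},
        {"user": "gkalou", "direction": "download", "day": 9, "domain": "apps.example", "size_mb": 260.0},
    ]
    return events

SAMPLE_EVENTS = sample_events()

if __name__ == "__main__":
    for finding in unusual_volume(SAMPLE_EVENTS, today=9):
        print(finding)
```

In the sample, the two uploads on day 9 are summed before comparison, so several medium-sized transfers to one domain are caught as well as a single large one.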

How to analyze the Unusual download volume risk indicator?

Consider a user, Georgina Kalou, who downloaded an excess volume of data from an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. It notifies you in the Alerts panel and adds the Unusual download volume risk indicator entry to the user’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual download volume risk indicator. The reason for the event is displayed along with the details about the events, such as the time, domain details, and so on.

To view the Unusual download volume risk indicator, navigate to Security > Users, and select the user.

When you select an Unusual download volume risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the volume of data downloaded during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual data download events that occurred during the selected time period. Also, you can view the following key information about each event:

    • Time. The time the excessive data was downloaded from an application or a website.

    • Domain. The domain from which the user downloaded the data.

    • Category. The domain category.

    • Download size. Volume of data downloaded from the domain.
