Citrix Content Collaboration risk indicators

Unusual logon access

Citrix Analytics detects access threats based on unusual logon activity and triggers the corresponding risk indicator.

The Unusual logon access risk indicator is triggered when a user logs on from a location that is suspicious. By identifying users with unusual logon locations, based on previous behavior, administrators can monitor the user’s account for potential attacks.

When is the unusual logon access risk indicator triggered?

You can be notified when a user in your organization logs on from an unusual location that is contrary to their usual behavior.

The Unusual logon access risk indicator is triggered when a user accesses Content Collaboration from a city or country that the user doesn’t normally log on from. When this behavior is detected, Citrix Analytics increases the risk score of the respective user. You are then notified in the Alerts panel, and the Unusual logon access risk indicator is added to the user’s risk timeline.

How to analyze the unusual logon access risk indicator?

Consider the user Georgina Kalou, who logged on from Manama when she had previously only ever logged on from Raleigh, North Carolina. By this action, Georgina Kalou triggered the machine learning algorithm that detected unusual behavior.

From Georgina Kalou’s timeline, you can select the reported Unusual logon access risk indicator. The reason for the event is displayed on the screen along with details such as the logon time and the client IP address.

To view the Unusual logon access risk indicator, navigate to Security > Users, and select the user.

Unusual logon access content collaboration

  • In the WHAT HAPPENED section, you can view a summary of the Unusual logon access event, including the number of suspicious logons that occurred during a specific time period.

Unusual logon access content collaboration what happened

  • In the EVENT DETAILS – LOGON LOCATIONS section, the event is displayed in graphical and tabular format. Each logon is shown as an individual entry in the graph, and the table provides the following key information:

    • Logon time. The time of each logon attempt.

    • Client IP. The client IP address used.

    • Location. The location where the logon attempt was made from.

    Unusual logon access content collaboration event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Excessive access to sensitive files

Citrix Analytics detects data threats based on excessive file access activity and triggers the corresponding risk indicator.

The Excessive access to sensitive files risk indicator is triggered when a user’s access to sensitive files is excessive. This unusual activity might indicate a problem with the user’s account, such as an attack on their account.

When is the excessive access to sensitive files risk indicator triggered?

You are notified when a user has accessed an unusual amount of data that has been deemed sensitive during a given time period. This alert is triggered when a user accesses sensitive data identified by a Data Loss Prevention (DLP) or a Cloud Access Security Broker (CASB) solution. When Content Collaboration detects this excessive behavior, Citrix Analytics receives the events, and increases the risk score of the respective user. You are then notified in the Alerts panel and the Excessive access to sensitive files risk indicator is added to the user’s risk timeline.

How to analyze the excessive access to sensitive files risk indicator?

Consider the user Adam Maxwell, who had access to 10 sensitive files that he downloaded to his local system within a span of 15 minutes. The Excessive access to sensitive files risk indicator is triggered because this exceeds a threshold. The threshold is calculated based on the number of sensitive files downloaded in a given time window, factoring in contextual information such as the download mechanism.
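The threshold described above (sensitive files per time window, adjusted for the download mechanism) can be expressed as a sliding-window count over download events. The following is an added example of that logic and not Citrix Analytics code: the 15-minute window comes from the scenario, but the per-mechanism thresholds, the event field names and the sample events are assumed or constructed, and the `sensitive` flag stands in for whatever the DLP or CASB scan reported.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
# Assumed per-mechanism thresholds (illustrative values, not Citrix's): a bulk
# sync client legitimately pulls more files than someone clicking in a browser.
THRESHOLDS = {"web": 10, "sync_client": 40, "api": 5}


def _ev(user, minute, name, size, sensitive, mechanism="web"):
    """Build one constructed download event on a fixed date (helper for the sample data)."""
    return {"user": user, "time": f"2023-03-06T10:{minute:02d}:00Z", "file": name,
            "size_bytes": size, "sensitive": sensitive, "mechanism": mechanism}


# Constructed events: Adam pulls 10 sensitive spreadsheets in 10 minutes (plus two
# harmless files); Lemuel touches three sensitive files spread over 45 minutes.
DOWNLOAD_EVENTS = (
    [_ev("adam.maxwell", i, f"payroll_{i}.xlsx", i * 100_000, True) for i in range(1, 11)]
    + [_ev("adam.maxwell", 5, "lunch_menu.pdf", 20_000, False),
       _ev("adam.maxwell", 11, "logo.png", 5_000, False)]
    + [_ev("lemuel.kildow", 0, "contract_a.pdf", 300_000, True),
       _ev("lemuel.kildow", 20, "contract_b.pdf", 250_000, True),
       _ev("lemuel.kildow", 45, "contract_c.pdf", 400_000, True)]
)


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_excessive_sensitive_access(events, window=WINDOW, thresholds=THRESHOLDS):
    """Alert when a user's sensitive-file downloads inside one window reach the
    threshold for the mechanism used. Returns one alert per exceeded window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["sensitive"]:                     # only DLP/CASB-tagged files count
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            now = parse_time(ev["time"])
            # Slide the window: drop events older than `window` before this one.
            while parse_time(evs[start]["time"]) < now - window:
                start += 1
            in_window = evs[start:end + 1]
            limit = thresholds.get(ev["mechanism"], min(thresholds.values()))
            if len(in_window) >= limit:
                alerts.append({
                    "user": user,
                    "mechanism": ev["mechanism"],
                    "window_start": in_window[0]["time"],
                    "window_end": ev["time"],
                    # The figures the ADDITIONAL CONTEXTUAL INFORMATION panel shows.
                    "file_count": len(in_window),
                    "total_bytes": sum(e["size_bytes"] for e in in_window),
                    # The rows the EVENT DETAILS table shows.
                    "files": [(e["time"], e["file"], e["size_bytes"]) for e in in_window],
                })
                start = end + 1                 # do not alert twice on the same events
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_sensitive_access(DOWNLOAD_EVENTS):
        print(f"{alert['user']}: {alert['file_count']} sensitive files, "
              f"{alert['total_bytes']} bytes, {alert['window_start']} - {alert['window_end']}")
```

Unknown mechanisms fall back to the strictest threshold, which is the safe default for a detector: an unrecognised client should not buy a user more headroom.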

From Adam Maxwell’s timeline, you can select the reported Excessive access to sensitive files risk indicator. The reason for the event is displayed on the screen along with details of the event such as file name, file size, and the download time.

To view the Excessive access to sensitive files risk indicator, navigate to Security > Users, and select the user.

Excessive access to sensitive files

  • In the WHAT HAPPENED section, you can view a summary of the Excessive access to sensitive files risk indicator, including the number of sensitive files that Citrix Analytics deemed excessive and the time the events occurred.

Excessive access to sensitive files what happened

  • In the EVENT DETAILS – SENSITIVE DATA DOWNLOAD section, the events are displayed in graphical and tabular format. Each download is shown as an individual entry in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • File size. The size of the file downloaded.

    Excessive access to sensitive files event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following for the period of the event:

    • Total number of sensitive files downloaded.

    • Total size of the files downloaded by the user.

    Excessive access to sensitive files additional contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Excessive file sharing

Citrix Analytics detects data threats based on excessive file sharing activity and triggers the corresponding risk indicator.

The Excessive file sharing indicator is triggered when there is a deviation from the user’s typical file sharing behavior. Any deviation from regular file sharing behavior is considered unusual and the user’s account is investigated for this suspicious activity.

When is the excessive file sharing risk indicator triggered?

You can be notified when a user within your organization has been sharing files more often than expected under normal behavior. By responding to the notification about a user who has excessively shared files, you can prevent data exfiltration.

Citrix Analytics receives share events from Content Collaboration, analyzes them, and raises the risk score of a user who exhibits excessive sharing behavior. You are then notified in the Alerts panel, and the Excessive file sharing risk indicator is added to the user’s risk timeline.

How to analyze the excessive file sharing risk indicator?

Consider the user Adam Maxwell, who shared files six times within a day. By this action, Adam Maxwell has shared files more times than he usually does based on machine learning algorithms.

From Adam Maxwell’s timeline, you can select the reported Excessive file sharing risk indicator. The reason for the event is displayed along with details such as the Content Collaboration link shared, the time the file was shared, and more.

To view the Excessive file sharing risk indicator, navigate to Security > Users, and select the user.

Excessive file sharing

  • In the WHAT HAPPENED section, you can view a summary of the excessive file sharing event, including the number of share links sent to recipients and when the sharing occurred.

Excessive file sharing what happened

  • In the EVENT DETAILS – EXCESSIVE FILES SHARED section, the event is displayed in graphical and tabular format. Each share is shown as an individual entry in the graph, and the table provides the following key information:

    • Time shared. The time the file was shared.

    • Share ID. The Content Collaboration link used to share the file.

    • Operations. The operation performed by the user using Content Collaboration.

    • Tool name. The tool or application used to share the files.

    Excessive file sharing event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total number of files shared by the user during the event’s occurrence.

    Excessive file sharing additional contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Note

  • When the user is disabled, they cannot log on to Content Collaboration. They see a notification on the logon page prompting them to contact their Content Collaboration account administrator for further information.

  • When a share link is disabled, the share link is not accessible to any user or recipient. If the user tries to access the share link again, the page displays a message to the recipient stating that the link is no longer available.

Excessive file downloads

Citrix Analytics detects data threats based on excessive file downloads activity and triggers the corresponding risk indicator.

The Excessive file downloads risk indicator helps you identify unusual file download activity. Each user has a file download pattern that they follow which includes attributes such as:

  • Time the files were downloaded.

  • Type of files that were downloaded.

  • File download volume, and so on.

Any deviation from a user’s usual pattern triggers the Excessive file downloads risk indicator.

When is the excessive file downloads risk indicator triggered?

Excessive file downloads can be categorized as risky because it indicates a compromised user or an insider who may be trying to exfiltrate data. If downloading a large amount of data is not consistent with the user’s normal behavior, it could be considered suspicious in a more general sense. This alert is triggered when the volume of data downloaded exceeds the user’s normal download behavior based on machine learning algorithms.

When Citrix Analytics detects excessive download behavior, it raises the risk score of the respective user. You are then notified in the Alerts panel and the Excessive file downloads risk indicator is added to the user’s risk timeline.

How to analyze the excessive file downloads risk indicator?

Consider the user Lemuel Kildow, who has downloaded a large amount of data to his local system within a span of one hour. By this action, Lemuel Kildow had exceeded his normal download behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file downloads risk indicator. The reason for the excessive file download alert is displayed along with details of the event such as file name, file size, and download time.

To view the Excessive file downloads risk indicator, navigate to Security > Users, and select the user.

Excessive file downloads

  • In the WHAT HAPPENED section, you can view a summary of the excessive file downloads event, including the amount of data downloaded by the user and the time the event occurred.

Excessive file downloads what happened

  • In the EVENT DETAILS – EXCESSIVE FILES DOWNLOADS section, the event is displayed in graphical and tabular format. Each download is shown as an individual entry in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • File size. The size of the file downloaded.

    Excessive file downloads event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total download size of the files downloaded by the user during the event’s occurrence.

    Excessive file downloads additional contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Excessive file or folder deletion

Citrix Analytics detects data threats based on excessive file or folder deletion activity and triggers the corresponding risk indicator.

The Excessive file or folder deletion risk indicator is triggered when a user deletes an excessive number of files or folders. This abnormality might indicate a problem with the user’s account, such as an attack on their account.

When is the excessive file or folder deletion risk indicator triggered?

You can be notified when a user in your organization has deleted an excessive number of files or folders within a certain time period. This alert is triggered when a user deletes an excessive number of files or folders outside of their normal deletion behavior based on machine learning algorithms.

When this behavior is detected, Citrix Analytics increases the risk score of the respective user. You are then notified in the Alerts panel, and the Excessive file or folder deletion risk indicator is added to the user’s risk timeline.

How to analyze the excessive file or folder deletion risk indicator?

Consider the user Lemuel Kildow, who deleted many files or folders over the course of a day. By this action, Lemuel Kildow had exceeded his normal deletion behavior based on machine learning algorithms.
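The Excessive file sharing, Excessive file downloads and Excessive file or folder deletion indicators share one idea: compare today's activity with the user's own history and fire when it deviates. The page attributes the baseline to machine learning; the following added example (not Citrix Analytics code) substitutes a simple, explainable stand-in, mean plus `K` standard deviations of the earlier days, so the mechanism can be seen end to end. The parameters `K`, `MIN_HISTORY`, `STD_FLOOR` and the three per-day series are assumed or constructed; the series mirror the page's scenarios (six shares in a day, a large download, many deletions).

```python
from statistics import mean, pstdev

K = 3.0           # assumed: standard deviations above the mean that count as excessive
MIN_HISTORY = 5   # assumed: days of history needed before a baseline is trusted
STD_FLOOR = 1.0   # assumed: stops a near-constant history from flagging a +1 change


def detect_deviations(daily_values, k=K, min_history=MIN_HISTORY, std_floor=STD_FLOOR):
    """Return [(day_index, value, threshold)] for each day whose value exceeds the
    baseline built from all earlier days: mean + k * max(stdev, std_floor).

    Only earlier days feed the baseline, so a spike never raises its own threshold.
    """
    flagged = []
    for day, value in enumerate(daily_values):
        history = daily_values[:day]
        if len(history) < max(min_history, 1):
            continue                            # not enough behaviour to compare against
        threshold = mean(history) + k * max(pstdev(history), std_floor)
        if value > threshold:
            flagged.append((day, value, round(threshold, 2)))
    return flagged


# Constructed per-day counters for the three indicators (one entry per day).
SHARES_PER_DAY = [1, 0, 2, 1, 1, 0, 1, 2, 1, 0, 1, 1, 1, 6]        # Adam: share links sent
DOWNLOAD_MB = [120, 95, 130, 110, 100, 125, 115, 105, 2400]        # Lemuel: MB downloaded
DELETIONS_PER_DAY = [3, 5, 2, 4, 3, 6, 2, 4, 3, 5, 180]            # Lemuel: items deleted


def run_all():
    """Evaluate every series and return the flagged days per indicator."""
    return {
        "excessive_file_sharing": detect_deviations(SHARES_PER_DAY),
        "excessive_file_downloads": detect_deviations(DOWNLOAD_MB),
        "excessive_file_or_folder_deletion": detect_deviations(DELETIONS_PER_DAY),
    }


if __name__ == "__main__":
    for indicator, hits in run_all().items():
        for day, value, threshold in hits:
            print(f"{indicator}: day {day} value {value} exceeds baseline {threshold}")
```

Two details carry most of the value. The baseline uses only earlier days, so yesterday's spike cannot normalise today's; and the floor on the standard deviation keeps a user whose history is almost flat (Adam shares once a day, every day) from being flagged for sharing twice. Whether the deviation is in count (shares, deletions) or volume (megabytes downloaded) makes no difference to the method.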

From Lemuel Kildow’s timeline, you can select the reported Excessive file or folder deletion risk indicator. The reason for the event is displayed on the screen along with the details of the event such as type of deletion (file or folder), time it was deleted, and so on.

To view the Excessive file or folder deletion risk indicator, navigate to Security > Users, and select the user.

Excessive file or folder deletion

  • In the WHAT HAPPENED section, you can view a summary of the Excessive file or folder deletion event, including the number of files and folders that were deleted and the time the event occurred.

Excessive file or folder deletion what happened

  • In the EVENT DETAILS – EXCESSIVE DELETED ITEMS section, the event is displayed in graphical and tabular format. Each deletion is shown as an individual entry in the graph, and the table provides the following key information:

    • Time deleted. Time when the file or folder was deleted.

    • Type. Item type that was deleted – file or a folder.

    • Name. Name of the file or folder that was deleted.

    Excessive file or folder deletion event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Ransomware activity suspected

Citrix Analytics detects data threats based on ransomware activity and triggers the corresponding risk indicator.

Ransomware is a type of malicious software that encrypts a user’s files and replaces or updates them with encrypted versions. By identifying ransomware attacks across files shared by users within an organization, you can ensure that productivity is not impacted.

When is the ransomware risk indicator triggered?

You can be notified when a user on your account begins to delete and upload an excessive number of files with similar names and different extensions. You can also be notified when the user updates an excessive number of files with similar names and different extensions. This activity indicates that the user’s account has been compromised and a possible ransomware attack has occurred. When Citrix Analytics detects this behavior, it increases the risk score of the respective user. You are then notified in the Alerts panel, and the Ransomware activity suspected risk indicator is added to the user’s risk timeline.

The Ransomware Activity Suspected indicator can be of two types. They are:

  • Ransomware activity suspected (Files replaced) indicates files deleted and new files uploaded in their place in a manner that resembles a ransomware attack. The attack pattern can produce more uploads than deleted files. For example, a ransom note could be uploaded along with the other files.

  • Ransomware activity suspected (Files updated) indicates files updated in a manner that resembles a ransomware attack.
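Both variants reduce to the same name comparison: a file disappears (or is updated) and a file with a similar name but a different extension appears in the same folder shortly afterwards. The following added example, not Citrix Analytics code, implements that check over a list of file events, keeping the Files replaced and Files updated variants separate and reporting uploads that matched no deletion (the ransom-note case the page mentions). The event format, the `MIN_MATCHES` threshold, the 15-minute window and the sample events, including the file and folder names, are assumed or constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
MIN_MATCHES = 5   # assumed: matched file pairs needed before the indicator fires


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def looks_like_encrypted_replacement(old_path, new_path):
    """True when the new name keeps the old name (or its stem) but carries a
    different extension in the same folder, e.g. report.docx -> report.docx.locked
    or report.docx -> report.enc."""
    if os.path.dirname(old_path) != os.path.dirname(new_path):
        return False
    old_name, new_name = os.path.basename(old_path), os.path.basename(new_path)
    old_stem, old_ext = os.path.splitext(old_name)
    new_stem, new_ext = os.path.splitext(new_name)
    return (old_ext.lower() != new_ext.lower()
            and new_stem.lower() in (old_stem.lower(), old_name.lower()))


def detect_files_replaced(events, window=WINDOW, min_matches=MIN_MATCHES):
    """'Files replaced' pattern: a delete followed within the window by an upload of
    a similarly named file with a different extension. One finding per user."""
    by_user = defaultdict(lambda: {"delete": [], "upload": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] in ("delete", "upload"):
            by_user[ev["user"]][ev["op"]].append(ev)

    findings = []
    for user, ops in by_user.items():
        pairs, used_uploads = [], set()
        for d in ops["delete"]:
            d_time = parse_time(d["time"])
            for i, u in enumerate(ops["upload"]):
                delay = (parse_time(u["time"]) - d_time).total_seconds()
                if (i not in used_uploads and 0 <= delay <= window.total_seconds()
                        and looks_like_encrypted_replacement(d["path"], u["path"])):
                    pairs.append((d["time"], d["path"], u["path"]))
                    used_uploads.add(i)        # each upload explains only one delete
                    break
        if len(pairs) >= min_matches:
            findings.append({
                "user": user, "pattern": "files_replaced",
                "matched_pairs": len(pairs),
                "deleted": len(ops["delete"]), "uploaded": len(ops["upload"]),
                # Uploads with no deleted counterpart, e.g. a ransom note.
                "unmatched_uploads": [u["path"] for i, u in enumerate(ops["upload"])
                                      if i not in used_uploads],
                "files": pairs,
            })
    return findings


def detect_files_updated(events, min_matches=MIN_MATCHES):
    """'Files updated' pattern: in-place updates whose new name differs only by
    extension. Assumes update events carry both 'path' and 'new_path'."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["op"] == "update" and looks_like_encrypted_replacement(ev["path"], ev["new_path"]):
            per_user[ev["user"]].append((ev["time"], ev["path"], ev["new_path"]))
    return [{"user": u, "pattern": "files_updated", "matched_pairs": len(f), "files": f}
            for u, f in per_user.items() if len(f) >= min_matches]


def _ev(user, minute, op, path, new_path=None):
    """Build one constructed file event on a fixed date (helper for the sample data)."""
    ev = {"user": user, "time": f"2023-03-07T14:{minute:02d}:00Z", "op": op, "path": path}
    if new_path:
        ev["new_path"] = new_path
    return ev


DOCS = ["budget.xlsx", "q1_report.docx", "contracts.pdf", "board_deck.pptx", "payroll.csv", "notes.txt"]
FILE_EVENTS = (
    # Adam: six files deleted and six .locked copies uploaded, plus a ransom note.
    [_ev("adam.maxwell", 2 + i, "delete", f"/Finance/{name}") for i, name in enumerate(DOCS)]
    + [_ev("adam.maxwell", 3 + i, "upload", f"/Finance/{name}.locked") for i, name in enumerate(DOCS)]
    + [_ev("adam.maxwell", 9, "upload", "/Finance/README_DECRYPT.txt")]
    # Lemuel: one draft converted to PDF, far too few matches to be a pattern.
    + [_ev("lemuel.kildow", 1, "delete", "/Drafts/v1.docx"),
       _ev("lemuel.kildow", 2, "upload", "/Drafts/v1.pdf")]
    # Georgina: six files updated in place to an .enc extension.
    + [_ev("georgina.kalou", 10 + i, "update", f"/HR/{name}", f"/HR/{name}.enc") for i, name in enumerate(DOCS)]
)

if __name__ == "__main__":
    for finding in detect_files_replaced(FILE_EVENTS) + detect_files_updated(FILE_EVENTS):
        print(finding["user"], finding["pattern"], finding["matched_pairs"], finding.get("unmatched_uploads", []))
```

The threshold is what separates routine work from the pattern: Lemuel's single docx-to-pdf swap has exactly the shape of an encrypted replacement, and only the count keeps it from firing. The unmatched-uploads list is worth surfacing in a finding because, as the page notes, a ransom note dropped alongside the encrypted files is itself a strong confirmation.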

How to analyze the ransomware risk indicator?

Consider the user Adam Maxwell, who deleted many files and replaced them with different versions, within a span of 15 minutes. By this action, Adam Maxwell has triggered unusual and suspicious behavior based on what the machine learning algorithms deem normal for that specific user.

From Adam Maxwell’s timeline, you can select the reported Ransomware Activity Suspected (Files Replaced) risk indicator. The reason for the event is displayed on the screen along with details such as the file name and the file location.

To view the Ransomware activity suspected risk indicator, navigate to Security > Users, and select the user. From the user’s risk timeline, select the Ransomware activity suspected (Files Replaced) risk indicator that has been reported for the user.

Ransomware files updated

  • In the WHAT HAPPENED section, you can view a summary of the Ransomware activity suspected event, including the number of files that were deleted and replaced in a suspicious manner and the time the event occurred.

Ransomware files updated what happened

  • In the EVENT DETAILS – FILE OPERATIONS section, the event is displayed in graphical and tabular format. Each file operation is shown as an individual entry in the graph, and the table provides the following key information:

    • Time. The time the file was replaced or deleted.

    • File name. The name of the file.

    • Path. The path where the file is located.

    Ransomware files updated event details

Similarly, you can select the reported Ransomware activity suspected (Files updated) risk indicator. You can view the details of this event such as:

  • The reason the risk indicator is triggered.

  • The number of files that were updated with encrypted versions.

  • The time the event (files being updated) occurred.

  • The name of the files.

  • The location of the files.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.