
Citrix Gateway risk indicators

EPA scan failures

Citrix Analytics detects user access-based threats based on EPA scan failure activity and triggers the corresponding risk indicator.

When is the EPA scan failures risk indicator triggered?

The EPA scan failure risk indicator is reported when a user tries to access the network using a device that has failed Citrix Gateway’s End Point Analysis (EPA) scan policies for pre-authentication or post-authentication.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many EPA scan failures. When Citrix Analytics determines excessive EPA scan failures for a user, it updates the user’s risk score and creates a notification in the Alerts panel. It also adds an EPA scan failure risk indicator entry to the user’s risk timeline.

How to analyze the EPA scan failures risk indicator?

Consider the user Lemuel Kildow, who recently tried multiple times to access the network using a device that has failed Citrix Gateway’s EPA scan. Citrix Gateway reports this failure to Citrix Analytics, which assigns an updated risk score to Lemuel Kildow. You are notified in the Alerts panel, and the EPA scan failure risk indicator is added to Lemuel Kildow’s risk timeline.

To view the EPA scan failure entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest EPA scan failures risk indicator reported for the user. When you select an EPA scan failure risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

EPA scan failures

  • The WHAT HAPPENED section provides a brief summary of the EPA scan failure risk indicator, including the number of post-logon EPA scan failures reported during the selected period.

EPA scan failures what happened

  • The EVENT DETAILS – SCAN FAILURES section includes a timeline visualization of the individual EPA scan failure events that occurred during the selected time period. It also includes a table that provides the following key information about each event:

    • Time. The time the EPA scan failure occurred.

    • Client IP. The IP address of the client that caused the EPA scan failure.

    • Gateway IP. The IP address of Citrix Gateway that reported the EPA scan failure.

    • FQDN. The FQDN of Citrix Gateway.

    • Event description. Brief description of the reason for EPA scan failure.

    • Policy name. The EPA scan policy name configured on the Citrix Gateway.

    • Security expression. The security expression configured on the Citrix Gateway.

    EPA scan failure event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Logon failures

Citrix Analytics detects user access-based threats based on logon failures and triggers the corresponding risk indicator.

When is the logon failures risk indicator triggered?

The Logon failure risk indicator is reported when the user encounters multiple Citrix Gateway logon failures within a given period. The Citrix Gateway logon failures can be primary, secondary, or tertiary authentication failures, depending on whether multi-factor authentication is configured for the user.

Citrix Gateway detects all the user logon failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many logon failures. When Citrix Analytics determines excessive logon failures, it updates the user’s risk score. You are notified in the Alerts panel, and the Logon failure risk indicator is added to the user’s risk timeline.

How to analyze the logon failures risk indicator?

Consider the user Lemuel Kildow, who recently failed multiple attempts to authenticate to the network. Citrix Gateway reports these failures to Citrix Analytics, and an updated risk score is assigned to Lemuel Kildow. You are notified in the Alerts panel, and the Logon failures risk indicator is added to Lemuel Kildow’s risk timeline.

To view the Logon failures risk indicator entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest Logon failures risk indicator reported for the user. When you select the Logon Failures risk indicator entry from the risk timeline, a corresponding detailed information panel appears in the right pane.

Logon failures

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of logon failures that occurred during the selected period.

Logon failures what happened

  • The EVENT DETAILS - LOGON FAILURES section includes a timeline visualization of the individual logon failure events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the logon failure occurred.

    • Error count. The number of logon failures detected for the user at the time of the event and for the previous 48 hours.

    • Event description. Brief description of the reason for logon failure.

    Logon failure event details
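The following added example illustrates how a rolling "error count" like the one in the table above can be derived from logon failure events. It is not Citrix code: the event rows are constructed, the 48-hour look-back follows the column description, and the threshold for "excessive" failures is an assumption because the page does not state it.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like the EVENT DETAILS table:
# (time, user, event description). Not real Citrix Gateway output.
SAMPLE_EVENTS = [
    ("2023-05-01T09:00:00", "lemuel.kildow", "Primary authentication failed"),
    ("2023-05-01T09:02:00", "lemuel.kildow", "Primary authentication failed"),
    ("2023-05-02T08:30:00", "lemuel.kildow", "Secondary authentication failed"),
    ("2023-05-03T09:30:00", "lemuel.kildow", "Primary authentication failed"),
    ("2023-05-03T09:31:00", "lemuel.kildow", "Primary authentication failed"),
    ("2023-05-01T10:00:00", "georgina.kalou", "Primary authentication failed"),
]

WINDOW = timedelta(hours=48)  # look-back described by the Error count column
THRESHOLD = 3                 # assumed value; the page does not give the real one


def error_counts(events, window=WINDOW):
    """Return [(time, user, count)] in time order, where count is the number
    of logon failures for that user at the event time plus the previous window."""
    parsed = sorted((datetime.fromisoformat(t), u, d) for t, u, d in events)
    per_user = {}
    result = []
    for ts, user, _desc in parsed:
        history = per_user.setdefault(user, [])
        history.append(ts)
        # Forget failures that fall outside the look-back window.
        while history and ts - history[0] > window:
            history.pop(0)
        result.append((ts, user, len(history)))
    return result


def excessive_failure_users(events, threshold=THRESHOLD, window=WINDOW):
    """Users whose rolling error count reached the threshold at any event."""
    return sorted({u for _, u, c in error_counts(events, window) if c >= threshold})


if __name__ == "__main__":
    for ts, user, count in error_counts(SAMPLE_EVENTS):
        print(ts.isoformat(), user, count)
    print("excessive:", excessive_failure_users(SAMPLE_EVENTS))
```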

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Authorization failures

Citrix Analytics detects user access-based threats based on authorization failures and triggers the corresponding risk indicator.

When is the authorization failures risk indicator triggered?

The Authorization failures risk indicator is reported in Citrix Analytics when a user in your enterprise attempts to access a resource without sufficient permissions.

When the user is authenticated, Citrix Gateway performs a group authorization check based on the authorization policy and expressions configured for the user. Citrix Gateway collects the user’s group information from either an LDAP, RADIUS, or TACACS+ server.

Citrix Gateway detects the authorization failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authorization failures. When Citrix Analytics detects excessive authorization failures for a user, it updates the user’s risk score. You are notified in the Alerts panel and the authorization risk indicator is added to the user’s risk timeline.

How to analyze the authorization failures risk indicator?

Consider the user Georgina Kalou, who recently tried multiple times to access an unauthorized resource in the network. Citrix Gateway reports these events to Citrix Analytics, and an updated risk score is assigned to Georgina Kalou. You are notified in the Alerts panel, and the Authorization failures risk indicator is added to Georgina Kalou’s risk timeline.

To view the Authorization failures entry for a user, navigate to Security > Users, and select the user. From Georgina Kalou’s risk timeline, you can select the latest Authorization failures risk indicator reported for the user. When you select the Authorization failures risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

Authorization failures

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authorization failures that occurred during the selected period.

EPA scan failure what happened

  • The EVENT DETAILS – AUTHORIZATION FAILURES section includes a timeline visualization of the individual authorization failure events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the authorization failure occurred.

    • Client IP. The IP address of the client that caused the authorization failure.

    • Gateway IP. The IP address of Citrix Gateway that reported the authorization failure.

    • FQDN. The FQDN of the Citrix Gateway.

    • App name. The application that the user used to access the resource.

    • VPN session. The type of VPN session established.

    • Event description. Brief description of the reason for authorization failure.

    • Nth factor. Brief description of the reason for authorization failure.

    Authorization failure event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Unusual logon access

Citrix Analytics detects user access-based threats based on the location from which the user logs on to the network and triggers the corresponding risk indicator.

When is the unusual logon access risk indicator triggered?

You can be notified when a user in your organization logs on from an unusual location that is contrary to their usual behavior.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. You are notified in the Alerts panel, and the Unusual logon access risk indicator is added to the user’s risk timeline.

How to analyze the unusual logon access risk indicator?

Consider the user Georgina Kalou, who logged on from Moscow, Russia when she has only ever logged on from Raleigh, North Carolina. Citrix Gateway reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel, and the Unusual logon access risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual logon access risk indicator. The reason for the event is displayed along with details such as the time of the event, the logon location, and so on.

Unusual logon access gateway

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of suspicious logon attempts that occurred during a specific time period.

Unusual logon access gateway what happened

  • The EVENT DETAILS section includes a timeline visualization of the individual logon events from unusual geographical locations that occurred during the selected time period. It also includes a table that provides the following key information about each event:

    • Time. The time of each logon attempt.

    • Location. The location where the logon attempt was made from.

    • Client IP address. The client IP address used.

    • OS. The operating system used by the client.

    • Browser. The browser used by the user.

    Unusual logon access gateway event details
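As an added illustration of the scenario above (not Citrix code, and not how Citrix Analytics itself decides), the block below replays constructed logon events with the table's fields and flags a logon whose location has never been seen for that user. The minimum history of three prior logons before a new location counts as unusual is an assumption.

```python
from collections import Counter

# Constructed logon events shaped like the EVENT DETAILS table:
# (time, user, location, client IP, OS, browser). Not real Citrix Gateway data.
LOGON_EVENTS = [
    ("2023-05-01T08:05:00", "georgina.kalou", "Raleigh, North Carolina", "203.0.113.10", "Windows 10", "Chrome"),
    ("2023-05-02T08:10:00", "georgina.kalou", "Raleigh, North Carolina", "203.0.113.10", "Windows 10", "Chrome"),
    ("2023-05-03T08:02:00", "georgina.kalou", "Raleigh, North Carolina", "203.0.113.11", "Windows 10", "Chrome"),
    ("2023-05-04T02:40:00", "georgina.kalou", "Moscow, Russia", "198.51.100.7", "Windows 10", "Firefox"),
    ("2023-05-01T09:00:00", "lemuel.kildow", "Raleigh, North Carolina", "203.0.113.20", "macOS", "Safari"),
    ("2023-05-02T09:00:00", "lemuel.kildow", "Charlotte, North Carolina", "203.0.113.21", "macOS", "Safari"),
]

MIN_HISTORY = 3  # assumed: prior logons needed before a new location is "unusual"


def location_baseline(events, user):
    """Counter of locations the user has logged on from across all events."""
    return Counter(loc for _, u, loc, *_ in events if u == user)


def unusual_logons(events, min_history=MIN_HISTORY):
    """Replay events in time order and return the rows whose location was never
    seen for that user once at least min_history earlier logons exist."""
    seen = {}
    flagged = []
    for ts, user, loc, ip, os_name, browser in sorted(events):
        history = seen.setdefault(user, Counter())
        if sum(history.values()) >= min_history and loc not in history:
            flagged.append({"time": ts, "user": user, "location": loc,
                            "client_ip": ip, "os": os_name, "browser": browser})
        history[loc] += 1  # the new location joins the baseline after review
    return flagged


if __name__ == "__main__":
    for row in unusual_logons(LOGON_EVENTS):
        print(row)
```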

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.
