Citrix Virtual Apps and Desktops risk indicators

Access from new device

Citrix Analytics detects access threats based on access from a new device and triggers the corresponding risk indicator.

The Access from new device risk indicator is triggered when a Citrix Receiver user logs on from an unfamiliar device, typically a new device. This is because Citrix Receiver has no logon records for the user from this new and unfamiliar device.

When is the access from new device risk indicator triggered?

The Access from new device risk indicator is reported when a user logs in from a new device. This risk indicator is also flagged if you have cleared the cache or cookies on Citrix Receiver for HTML5 or Citrix Receiver for Chrome. Clearing the cache and cookies also clears the device ID, so the next time you connect to Citrix Receiver, the device is considered a new device.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from new device risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.
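
The following sketch is an added example, not Citrix code. It shows first-seen device-ID logic over constructed logon records and marks the cache-clearing case described above for triage. The record layout, hint names and sample values are assumptions.

```python
from collections import defaultdict

# Receiver variants whose device ID is lost when cache or cookies are cleared.
BROWSER_RECEIVERS = {"Receiver for HTML5", "Receiver for Chrome"}

def logon(time, device_id, ip, os_name, platform, user="adam.maxwell"):
    """Build one constructed logon record (the dict layout is an assumption)."""
    return {"time": time, "user": user, "device_id": device_id,
            "ip": ip, "os": os_name, "platform": platform}

# Constructed sample data, not real Citrix Analytics output.
SAMPLE = [
    logon("2019-03-01T09:02:00", "dev-A1", "203.0.113.10", "Windows 10", "Receiver for HTML5"),
    logon("2019-03-02T09:05:00", "dev-A1", "203.0.113.10", "Windows 10", "Receiver for HTML5"),
    # Cache cleared: new device ID, same IP address, OS and platform.
    logon("2019-03-03T09:01:00", "dev-B7", "203.0.113.10", "Windows 10", "Receiver for HTML5"),
    # A different device altogether.
    logon("2019-03-04T23:40:00", "dev-Z9", "198.51.100.77", "Android 8", "Receiver for Android"),
]

def new_device_alerts(events):
    """Flag each logon from a device ID not yet seen for that user, with a triage hint."""
    seen_ids = defaultdict(set)   # user -> device IDs already seen
    seen_ctx = defaultdict(set)   # user -> (ip, os, platform) of earlier logons
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        user, ctx = e["user"], (e["ip"], e["os"], e["platform"])
        if e["device_id"] not in seen_ids[user]:
            if not seen_ids[user]:
                hint = "no_history"
            elif ctx in seen_ctx[user] and e["platform"] in BROWSER_RECEIVERS:
                # Same context as an earlier logon: lowers priority, does not dismiss.
                hint = "possible_cache_reset"
            else:
                hint = "unfamiliar_device"
            alerts.append((e["time"], user, e["device_id"], hint))
        seen_ids[user].add(e["device_id"])
        seen_ctx[user].add(ctx)
    return alerts

if __name__ == "__main__":
    for alert in new_device_alerts(SAMPLE):
        print(alert)
```

A matching IP address, OS and platform only suggests a cache reset, because several devices can share one address behind NAT, so the hint is a sorting aid for the analyst and not a reason to close the alert.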

How to analyze the access from new device risk indicator?

Consider the user Adam Maxwell, who is logged on to a session through Citrix Receiver from a new device the user has not previously used.

From Adam Maxwell’s timeline, you can select the reported Access from new device risk indicator. The reason for the Access from new device alert is displayed along with details such as the event type, the device ID, and so on.

To view the Access from new device risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the access from new device event. You can view the number of logon instances that occurred from a new device and the time the event occurred.

  • In the EVENT DETAILS – DEVICE DETECTED section, the access events coming from the new device appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Time. The time the logon instance occurred.

    • Events. The type of event.

    • IP address. The IP address of the device that is used for logon.

    • OS. The operating system version used for logon.

    • Platform. The Receiver platform details.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Potential data exfiltration

Citrix Analytics detects data threats based on excessive attempts to exfiltrate data and triggers the corresponding risk indicator.

The Potential data exfiltration risk indicator is triggered when a Citrix Receiver user attempts to download or transfer files to a drive or printer. This data could be a file-download event such as downloading a file to a local drive, mapped drives, to an external storage device, and so on. It can also be data that is exfiltrated using the clipboard or by the copy-paste action.

When is potential data exfiltration risk indicator triggered?

You can be notified when a user has transferred an excessive number of files to a drive or printer in a certain time period. This risk indicator is also triggered when the user uses the copy-paste action on their local computer.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Potential data exfiltration risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.
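
The sketch below is an added example, not Citrix code. It counts print, download and copy events per user in a sliding time window and raises one alert per burst that exceeds a limit. The fixed `limit` and `window` values are assumptions standing in for the limit and time period that Citrix Analytics applies, and the record layout and sample data are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

EXFIL_ACTIONS = {"print", "download", "copy"}  # the Action values listed on this page

def transfer(ts, action, name, size_kb, user="adam.maxwell"):
    """Build one constructed transfer record (the dict layout is an assumption)."""
    return {"time": datetime.fromisoformat(ts), "user": user,
            "action": action, "file": name, "size_kb": size_kb}

# Constructed sample data, not real Citrix Analytics output.
SAMPLE = [
    transfer("2019-03-05T09:00:00", "print", "a.pdf", 120),
    transfer("2019-03-05T09:02:00", "print", "b.pdf", 300),
    transfer("2019-03-05T09:03:00", "copy", "c.docx", 40),
    transfer("2019-03-05T09:06:00", "print", "d.pdf", 200),
    transfer("2019-03-05T10:30:00", "download", "e.zip", 5000),
]

def exfil_alerts(events, limit=3, window=timedelta(minutes=10)):
    """Return one alert per burst of more than `limit` transfers within `window`."""
    recent = defaultdict(deque)   # user -> transfers still inside the window
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] not in EXFIL_ACTIONS:
            continue
        burst = recent[e["user"]]
        burst.append(e)
        while e["time"] - burst[0]["time"] > window:
            burst.popleft()       # drop transfers that aged out of the window
        if len(burst) > limit:
            alerts.append({
                "user": e["user"],
                "start": burst[0]["time"], "end": e["time"],
                "files": [x["file"] for x in burst],
                "actions": dict(Counter(x["action"] for x in burst)),
                "total_kb": sum(x["size_kb"] for x in burst),
            })
            burst.clear()         # avoid re-alerting on the same burst
    return alerts

if __name__ == "__main__":
    for alert in exfil_alerts(SAMPLE):
        print(alert)
```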

How to analyze the potential data exfiltration risk indicator?

Consider the user Adam Maxwell, who is logged on to a session and attempts to print files that exceed the predefined limit. By this action, Adam Maxwell has exceeded his normal file transfer behavior, as determined by machine learning algorithms.

From Adam Maxwell’s timeline, you can select the Potential data exfiltration risk indicator. The reason for the event is displayed along with the details such as the files transferred, the device used to transfer the file, and so on.

To view the Potential data exfiltration risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the potential data exfiltration event. You can view the number of data exfiltration events during a specific time period.

  • In the EVENT DETAILS section, the data exfiltration attempts appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information:

    • Time. The time the data exfiltration event occurred.

    • Files. The file that was either downloaded, printed, or copied.

    • File type. The file type that was either downloaded, printed, or copied.

    • Action. The kind of data exfiltration event that was performed – print, download, or copy.

    • Devices. The device used.

    • Size. The size of the file being exfiltrated.

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following details from the time the event occurred:

    • The number of files exfiltrated.

    • The actions performed.

    • The applications used.

    • Device used by the user.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Access from device with unsupported operating system (OS)

Citrix Analytics detects access threats based on a user’s access from a device running an unsupported operating system and triggers the corresponding risk indicator.

The Access from device with unsupported OS risk indicator is triggered when a Citrix Receiver user logs on from an unsupported operating system (OS) or browser. The alert is raised based on the set of OS and browser versions that are supported by Citrix Receiver.

When is the access from device with unsupported OS risk indicator triggered?

The Access from device with unsupported OS risk indicator is reported when a user logs on from a device running an unsupported OS or browser. When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from device with unsupported OS risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

Note

When a user switches to another operating system, but connects to the same session, the session logon event is retained.

How to analyze the access from device with unsupported OS risk indicator?

Consider the user Georgina Kalou, who is logged on to a session that is running on an OS or browser not supported by Citrix Receiver. Citrix Analytics detects this event and assigns a risk score to Georgina Kalou. You are then notified in the Alerts panel and the Access from device with unsupported OS risk indicator is added to the user’s risk timeline.

From Georgina Kalou’s timeline, you can select the reported Access from device with unsupported OS risk indicator. The reason for the event is displayed on the screen along with details of the event such as the OS version, browser version, and more.

To view the Access from device with unsupported OS risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the Access from device with unsupported OS risk indicator. You can view the number of devices with an unsupported OS or browser version used to launch Citrix Receiver and the time the events occurred.

  • In the EVENT DETAILS - DEVICE ACCESS section, the unsupported device access events appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Launch time. The time the event occurred.

    • Receiver. The Receiver platform details.

    • Browser. The browser version used for logon.

    • OS. The operating system version used for logon.

    • Device ID. Information about the ID of the device that is used to log on to the session.

    • IP Address. The IP address of the device that is used for logon.

    Note. If your device uses an unsupported browser for access, you cannot see any data under the IP address column.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Unusual application usage (Virtual)

Citrix Analytics detects data threats based on a user’s access from a new application and triggers the corresponding risk indicator.

The Unusual application usage risk indicator is triggered when a Citrix Receiver user exhibits unusual app usage behavior. Unusual behavior could be the first-ever launch of an HDX application during a particular time of the day.

When is the unusual application usage risk indicator triggered?

The Unusual application usage risk indicator is reported when the user attempts to access an application they have not previously used, factoring in time of day.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Unusual application usage risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

How to analyze the unusual application usage risk indicator?

Consider the user Georgina Kalou, who is logged on to a session and attempts to access an application for the first time during non-working hours.

From Georgina Kalou’s timeline, you can select the reported Unusual application usage risk indicator. The reason for the event is displayed along with details such as the application’s name, the time zone it was accessed from, and so on.

To view the Unusual application usage risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the event. You can view the number of new applications that were accessed and when they were accessed.

  • In the EVENT DETAILS - APPLICATION USAGE section, the event is displayed in graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Time. The time the application was accessed.

    • Application name. Name of the application accessed.

    • Time zone. Time zone from which the application is accessed.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.