User risk timeline

The User risk timeline on a user’s profile enables you, as a Citrix Analytics administrator to gain deeper insights into a user’s risky behavior. You can also see the corresponding actions taken on their account for a selected time period. From the User risk timeline, you can delve deeper into a user’s profile to understand the following:

  • Data usage

  • Device usage

  • Application usage

  • Location usage

Additionally, you can view the risk score and risk indicator trends for the user and determine if the user is a high-risk user or not.

When you go to a user’s risk timeline, you can select either a risk indicator or an action that has been applied to their account. If you choose one of the above, the right pane displays the risk indicator section or the action section.

Risk timeline

The Risk Timeline displays the following information:

  • Risk indicators. Risk Indicators are user activities that are suspicious or can pose a security threat to your organization. The indicators are triggered when the user’s behavior deviates from their normal behavior. The risk indicators can be for the following data sources:

    • Citrix Content Collaboration

    • Citrix Gateway

    • Citrix Endpoint Management

    • Citrix Virtual Apps and Desktops / Citrix Workspace

    • Citrix Access Control

    Learn more: Risk indicators

  • Actions. Actions help you respond to suspicious events and prevent future anomalous events from occurring. Actions that have been applied on a user’s profile are displayed on the risk timeline. These actions are either automatically applied to a user’s account through configured policies or you can apply a specific action manually.

    Learn more: Policies and actions.

    Risk timeline actions

    When you select a risk indicator from the user’s timeline, the risk indicator information section is displayed in the right pane. You can view the reason for the risk indicator along with details of the event. They are broadly categorized into the following sections:

    Risk timeline info section

  • What happened. You can view a summary of the risk indicator here. For example, if you have selected the Excessive file sharing risk indicator. In the What happened section, you can view the number of share links sent to recipients and when the sharing event occurred.

  • Event details. You can view individual event entries in graphical and tabular format along with details of the event. Click Event Search to access the self-service search page and view the events corresponding to the user’s risk indicator. For more information on self-service search, see the About self-service search topic.

  • Additional contextual information. You can view data shared, if any, during an event’s occurrence in this section.

User risk timeline