Product Documentation

Rules and actions

You can create rules on Citrix Analytics to help you perform actions on user accounts when unusual or suspicious activities occur. Rules let you automate the process of applying actions such as disable a user, add users to a watchlist, and so on. When you apply these rules, the action is applied immediately after an anomalous event occurs and the rule condition is met. You can also manually take actions on user accounts with anomalous activities.

What are Rules?

A rule can be defined as a set of conditions that must be met for an action to be executed. A rule can contain a single condition and one or more actions. You can create a rule with multiple actions that can be applied to a user’s account.

Conditions such as Risk score and Risk score change are global conditions. Global conditions can be applied to a specific user for a specific data source. You can keep a watch on user accounts that show unusual activity. Other conditions are specific to data sources and their risk indicators.

Create rule

For example, if your organization works with sensitive data, you might want to restrict the amount of data shared or accessed by users internally. But if you have a large organization, it wouldn’t be feasible for a single administrator to manage and monitor many users. You can create a rule wherein, anyone who shares sensitive data excessively can be added to a watchlist or have their account disabled immediately.

Note

Rules with identical conditions return an error. In such a scenario, users see the following error:

(Name of the rule created) has the same condition. Modify condition and try again.”

Create rule error

What are Actions?

Actions help you respond to suspicious events and prevent future anomalous events from occurring. You can take action on user accounts that display unusual or suspicious behavior. You can either configure rules to take action on the user’s account automatically or apply a specific action manually from the user’s risk timeline.

You can view global actions or actions for each Citrix data source. You can also disable previously applied actions for a user at any time.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

The following table describes the actions that you can take.

Action Name Description Data Sources Applicable On
Global actions    
Add to watchlist When you want to monitor a user for future potential threats, you can add them to a watchlist. All data sources
  The “Users in Watchlist” pane lists all the users that you want to monitor for potential threats based on the unusual activity on their account. Based on your organization’s policy, you can add a user to the watchlist using the Add to watchlist action.  
  To add a user to the watchlist, navigate to the user’s profile, from the Actions menu, select Add to watchlist. Click Apply to enforce the action.  
Notify Admin When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. All data sources
Citrix Gateway actions    
Log Off User When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Gateway administrator clears the Log Off User action. Citrix Gateway on-premises and Citrix Application Delivery Management
Citrix Content Collaboration actions    
Disable user Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account. Citrix Content Collaboration
  After their account is disabled, the user will see a notification. The notification on the logon page of their account asks them to reach their Content Collaboration administrator for further information.  
Expire All Shared Links When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator. Citrix Content Collaboration
  When a user shares files excessively, the Excessive File Sharing risk indicator is triggered and the shared links are expired. When the shared links are expired, the link becomes invalid and it is not accessible by the users with whom the link was shared.  
Citrix Virtual Apps and Desktops actions    
Log Off User When a user is logged off from their account, they cannot access the resource through Virtual Desktops until the Virtual Desktops administrator clears the Log Off User action. On-premises Virtual Apps and Desktops and Citrix Virtual Apps and Desktops service
Start Session Recording If there is an unusual event on the user’s Citrix Virtual Desktops account, the Virtual Apps and Desktops administrator can begin to record the user’s usage session. The recording can be stopped the administrator. On-premises Virtual Apps and Desktops
Citrix Endpoint Management actions    
Lock Device When there is unusual activity on a device, causing the user’s risk score to exceed a specified value, you can use the Lock Device action Citrix Endpoint Management service
  When the action is applied, all the user’s devices are locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.  

Note

  • If you apply the Disable user action for a Content Collaboration user, the user’s account is not disabled until the Content Collaboration administrator sees the notification. During the interim period, the user can use their Content Collaboration account and the data continue to be processed by Citrix Analytics. After the Content Collaboration administrator disables the user’s account, the user must contact their Content Collaboration administrator to have their account reactivated. The Citrix Analytics administrator cannot enable disabled Content Collaboration accounts.

  • For On-premises Virtual Apps and Desktops, Citrix Smart Tools Agent is required to perform the Log Off User and the Start Session Recording actions.

Configure rules and actions

For example, following the steps below, you can create an “excessive file sharing” rule. Using this rule, when a user in your organization shares an unusually large amount of data, the share links are automatically expired. You are notified when a user shares data that exceeds that user’s normal behavior. By applying the “excessive file sharing” rule, and taking immediate action, you can prevent data exfiltration from any user’s account.

To create a rule, do the following:

  1. After signing in to Citrix Analytics, on the toolbar, go to Settings > Rules.

    Settings rule

  2. On the Rules dashboard, click Create Rule.

    Create rule button

  3. From the IF THE FOLLOWING CONDITION IS MET list box, select the risk indicator condition upon which you want an action applied.

    If the following condition is met

  4. From the THEN DO THE FOLLOWING list box, select one or more actions and click Apply.

    Then do the following

  5. In the Rule Name text box, provide a name and enable the rule using the toggle button provided.

  6. Click Create Rule.

Apply an action manually

Consider a user, Sallie Linville who shares excessive files from her Content Collaboration account. To monitor her account since her behavior is unusual, you can use the Notify administrator(s) action.

To apply the above mentioned action to the user manually, you must:

Navigate to the Sallie Linville’s profile and select the appropriate risk indicator. From the Actions menu, select the Notify administrator(s) action and click Apply.

Action list

Due to the unusual and suspicious activity on Sallie Linville’s account, an email notification is sent to all Citrix Cloud administrators to monitor her account. The action applied is added to her risk timeline, and the action details are displayed on the right pane of the risk timeline page.

Action applied

Manage rules

You can view the Rules dashboard to manage all the rules created on Citrix Analytics to monitor and identify inconsistencies on your network. On the Rules dashboard, you can:

  1. View the list of rules

  2. Details of the rule

    • Name of the rule

    • Status – Enabled or disabled.

    • Duration of the rule – Number of days the rule been active or inactive.

    • Hits – The number of times the rule is triggered.

    • Modified – Timestamp, only if the rule has been modified.

  3. Delete the rule

    • To delete a rule, you can select the rule you want to delete and click Delete.

    • Or you could click on the rule’s name to be directed to the Modify Rule page. click Delete Rule. In the dialog, confirm your request to delete the rule.

  4. Create a rule

  5. Click on a rule’s name to view more details. You can also modify the rule when you click on its name. Other modifications that can be done are as follows:

    • Change the name of the rule.

    • Conditions of the rule.

    • The actions to be applied.

    • Enable or disable the rule.

    • Delete the rule.

Note

  • If you don’t want to delete your rule, you can choose to disable the rule.

  • To re-enable the rule on the rules dashboard, do the following:

    • On the Rules dashboard, click the Status slider button to green.

    • On the Modify Rule page, click the Enabled slider button on the bottom of the page.

Rules and actions