Citrix share link risk indicators

Citrix share link risk indicators are activities that look suspicious or can pose a security threat to your organization.

Citrix share link risk indicators span the Citrix Content Collaboration data source used in your deployment. The indicators are based on share link behavior and are triggered when a share link’s behavior deviates from normal.

For more information, see Share Links dashboard.

Anonymous sensitive download

Citrix Analytics detects access threats based on anonymous sensitive downloads for a share link, and triggers the corresponding risk indicator.

This risk indicator is triggered when an anonymous user downloads from a share link files that a Data Loss Prevention (DLP) solution has identified as sensitive, and the recipient was not required to log on. By identifying share links with sensitive file downloads, based on previous behavior, you can monitor the share link for potential attacks.

When is the anonymous sensitive download risk indicator triggered?

You are notified when, during a given time period, an anonymous user downloads a file that a DLP solution deems sensitive and the file does not require the recipient to log on. When Content Collaboration detects this behavior, Citrix Analytics receives the events and the Anonymous sensitive download risk indicator is added to the share link’s risk timeline.

How to analyze the anonymous sensitive download risk indicator?

Consider an anonymous user who downloads from a share link a file that DLP identified as sensitive, without any recipient logon being required. The Anonymous sensitive download risk indicator is triggered because the share link exceeds a threshold. The threshold is calculated based on the fact that the sensitive file is accessible by any recipient without a logon. From the share link’s timeline, you can select the reported Anonymous sensitive download risk indicator. The reason for the event and details such as download time, file name, and file size are displayed.

For more information about the share link risk timeline, see Share Link risk timeline.

To view the Anonymous sensitive download risk indicator, navigate to Security > Share Links, and select the share link URL.

  • In the WHAT HAPPENED section, you can view a summary of the Anonymous sensitive download risk indicator and the time the event occurred.

  • In the EVENT DETAILS section, the events are displayed in tabular format. The table provides the following key information:

    • Time. Time when the sensitive file was downloaded.
    • File name. The name and extension of the downloaded file.
    • File size. The size of the file downloaded.

You can perform the following action on the share link:

  • Expire share link. When a share link triggers the Anonymous sensitive download risk indicator, Citrix Analytics enables you to expire the share link.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the share link manually, navigate to the share link profile. On the Actions menu, select Expire share link.

Excessive downloads

Citrix Analytics detects access threats based on excessive downloads for a share link, and triggers the corresponding risk indicator.

This risk indicator is triggered when users download an excessive and anomalous amount of data from a share link. By identifying share links with excessive downloads, based on previous behavior, you can monitor the share link for potential attacks. The Excessive downloads risk indicator helps you identify excessive file download activity.

When is the Excessive downloads risk indicator triggered?

You are notified when users download excessively large amounts of data from a share link during a given time period. When Content Collaboration detects this behavior, Citrix Analytics receives the events and the Excessive downloads risk indicator is added to the share link’s risk timeline.

How to analyze the Excessive downloads risk indicator?

Consider a user who downloads from a share link an amount of data that is excessive and anomalous. The Excessive downloads risk indicator is triggered because the share link exceeds a threshold. The threshold is calculated based on files contained within the share link being downloaded multiple times by multiple users. The download is deemed excessive compared to historical download behavior on share links. From the share link’s timeline, you can select the reported Excessive downloads risk indicator. Reasons for the event and event details are displayed on the right pane.
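
The two indicators described on this page, sketched as an added example for reproducing the same checks over your own share link download logs (this is not Citrix Analytics code, and the page does not give the product's threshold calculation). The event field names, the per-window grouping, and the mean plus three standard deviations limit are assumptions, and the sample events are constructed.

```python
from statistics import mean, pstdev

def ev(user, name, size, sensitive=False, login=True):
    # Constructed event record; field names are hypothetical.
    return {"user_email": user, "file_name": name, "file_size": size,
            "dlp_sensitive": sensitive, "requires_login": login}

def anonymous_sensitive(events):
    """Anonymous download of a DLP-flagged file from a link with no logon."""
    return [e for e in events if e["user_email"] is None
            and e["dlp_sensitive"] and not e["requires_login"]]

def profile(window):
    """(download count, distinct identified users, bytes) for one time window."""
    users = {e["user_email"] for e in window if e["user_email"]}
    return len(window), len(users), sum(e["file_size"] for e in window)

def excessive_downloads(history, current, sigmas=3.0):
    """Compare the current window with the link's own past windows.
    Flags only when downloads AND distinct users both exceed
    mean + sigmas * stddev (stddev floored at 1 so a flat history
    does not make every extra download look anomalous)."""
    past = [profile(w) for w in history]
    count, users, size = profile(current)
    def limit(i):
        vals = [p[i] for p in past]
        return mean(vals) + sigmas * max(pstdev(vals), 1.0)
    if len(past) >= 3 and count > limit(0) and users > limit(1):
        return {"downloads": count, "users": users, "bytes": size,
                "download_limit": round(limit(0), 2)}
    return None  # too little history, or within normal behaviour

# Constructed sample data: three quiet windows, then a burst.
HISTORY = [[ev("a@example.com", "plan.pdf", 2_000)],
           [ev("a@example.com", "plan.pdf", 2_000),
            ev("b@example.com", "plan.pdf", 2_000)],
           [ev("b@example.com", "notes.txt", 500)]]
BURST = [ev(f"u{i}@example.com", "plan.pdf", 2_000) for i in range(8)] * 2
ANON = [ev(None, "payroll.xlsx", 40_000, sensitive=True, login=False),
        ev(None, "logo.png", 9_000, login=False),
        ev("a@example.com", "payroll.xlsx", 40_000, sensitive=True)]

if __name__ == "__main__":
    print([e["file_name"] for e in anonymous_sensitive(ANON)])
    print(excessive_downloads(HISTORY, BURST))
```

Requiring both the download count and the distinct-user count to exceed the baseline keeps a single user re-downloading one file from raising the indicator on its own.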

For more information about the share link risk timeline, see Share Link risk timeline.

To view the Excessive downloads risk indicator, navigate to Security > Share Links, and select the share link URL.

  • In the WHAT HAPPENED section, you can view a summary of the Excessive downloads risk indicator and the time the event occurred.

  • In the EVENT DETAILS section, the events are displayed in tabular format. The table provides the following key information:

    • Time: Date and time of the excessive download activity that took place.

    • File name: The name of the file that was downloaded from the share link.

    • User email: Email address of the user that downloaded the file from the share link.

    • File size: Size of the file that was downloaded.

You can perform the following action on the share link:

  • Expire share link. When a share link triggers the Excessive downloads risk indicator, Citrix Analytics enables you to expire the share link.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the share link manually, navigate to the share link profile. On the Actions menu, select Expire share link.
