Users dashboard

The Users dashboard is the launching point into user behavior analysis and threat prevention.

This dashboard provides visibility into user-behavior patterns across an organization. Using this data, you can proactively monitor, detect, and flag behavior that falls outside the norm, such as phishing or ransomware attacks.

Use the following map and numbered sections to learn how to interact with the data on the Users dashboard.

Users dashboard map

  1. Discovered users. Total number of users in your organization using the data sources for which you have enabled Analytics. Click the link on the dashboard to view the complete list of users discovered by Citrix Analytics.

  2. Risky users. Users that have acted in a risky manner or presented risky behavior. The pane lists the risky users who have the highest risk score and the highest risk score change associated with their account. Click the Risky Users link on top or the See More link on the Risky Users pane to view the list of all risky users and the risk indicators.

  3. High risk users. Users that represent an immediate threat to the organization. Click the link to view the list of all high risk users and the risk indicators they triggered.

  4. Medium risk users. Users who could have multiple serious violations on their account and must be monitored closely. Click the link to view the list of all medium risk users and the risk indicators they triggered.

  5. Low risk users. Users who may have some violations detected on their account, but might not be a threat. Click the link to view the list of all low risk users and the risk indicators they triggered.

  6. Users in watchlist. Users monitored closely by administrators. Click the Users in Watchlist box or the See More link on the Users in Watchlist pane to view the list of all users who are added to the watchlist.

Discovered users

Total number of users in your organization using the data sources for which you have enabled Analytics. They might or might not have a risk score associated with their account. It is possible that the number of discovered users on the Users dashboard is more than the number of risky users.

Click the link on the dashboard to view the complete list of users discovered by Citrix Analytics.

Discovered users

The Discovered Users page displays the list of all users discovered over a period of time. You can view data for the last one hour, 12 hours, one day, one week, or one month.

Use the following interface map to learn how to interact with the Discovered Users page.

Discovered users section

View the following information:

User

List of all users discovered by Analytics. Click a user name to view the user information and risk timeline for the user. The user might or might not have triggered any risk indicator. If there are no risky events associated with this user, you’ll see the following message.

No risky event

If there are risky events associated with a user, you will see the risk timeline with risk indicator details.

Learn more: Risk timeline

Discovered user's risk timeline

Devices

Number of devices used by the user to access the data sources. Citrix Analytics collects this data from Citrix Endpoint Management and Citrix Virtual Apps and Desktops. Click a user name, then navigate to User Info to view the name and number of devices used by the user.

User info devices

Locations

The places from which the user might have logged on to the data sources. Citrix Analytics collects this data from Citrix Content Collaboration and Citrix Gateway. Click a user name, then navigate to User Info to view the name and number of locations from where the user has accessed data.

User info locations

Data Usage

Volume of data consumed by the user. This could include data uploaded or downloaded, files uploaded or downloaded, and files shared or deleted. Citrix Analytics collects this data from Citrix Content Collaboration. Click a user name, then navigate to User Info to view the details of data usage for the user.

User info data usage

Apps Used

Number of applications accessed by the user during this time period. Citrix Analytics collects this data from Citrix Virtual Apps and Desktops. Click a user name, then navigate to User Info to view the name and number of applications used by the user.

User info data usage

Accesses

Total number of times the user has accessed data from different locations. Click a user name, then navigate to User Info to view the number of times data was accessed by the user.

For example, in the below image, you can see that the user “Cross Product Heavy user” has “90” accesses.

Cross product heavy user

Now, click the user name and navigate to the User Info pane on the Risk Timeline page. You can see that this user has 90 accesses from seven different locations.

User info access

Risky users

Risky users are discovered users who have risky events associated with them and have triggered one or more risk indicators. The level of risk a user poses to the network for a specific time period is determined by the risk score associated with the user. The risk score value is dynamic and is based on user behavior analytics. Based on the risk score, a risky user can fall into one of the three categories: high risk user, medium risk user, or low risk user.

On the Users dashboard, you can view the top five risky users sorted based on the highest score. Click Highest Score Change to view the top five risky users based on the highest score change over a period of time.

Risky user link

Click the Risky Users link on top or the See More link in the Risky Users pane to view the list of all risky users and the risk indicators.

The Risky Users page displays the list of all risky users over a period of time. You can view data for the last one hour, 12 hours, one day, one week, or one month.

Use the following interface map to learn how to interact with the Risky Users page.

Risky users

View the following information:

Score

Score or risk score determines the level of risk a user poses to the network for a specific time period. The risk score value is dynamic and is based on user behavior analytics. Based on the risk score, a risky user can fall into one of the three categories: high risk user, medium risk user, or low risk user.

Change

Change is the risk score change over a period of time. A risk score change can be positive or negative. A positive risk score change is indicated by a minus ( - ) sign, which means the risk score of a user has decreased over a period of time. A negative risk score change is indicated by a plus ( + ) sign, which means the risk score of a user has increased over a period of time. For example, if the risk score of a user was 72 the previous day and the current risk score is 92, the risk score change is negative and is calculated as +20.

Risk score change

Access, Data, Application

Types of risk indicators triggered for a user. The columns show the number of different types of risk indicators raised on a user over a specific period of time.

Trend

Denotes the pattern of risk score change over a period of time for a user.

Risky user trend

User

List of all risky users identified by machine learning algorithms of Citrix Analytics. Click a user name to view the user information and risk timeline for the user.

The risk indicators associated with a user and the time when a risk indicator was triggered are displayed in the risk timeline. Click each risk indicator to view details. Click User Info to view the detailed user information such as devices, locations, data usage, and app usage.

Learn more: Risk timeline

Discovered user's risk timeline

High risk users

Users with risk score between 91 and 100. These users represent immediate threats to the organization.

On the Users dashboard, you can see the summary of the number of high risk users for a specific time. This shows the total number of high risk users and the increase in the number of high risk users.

For example, the below image shows data for the last 12 hours. Currently, there are five high risk users out of which two were identified as high risk users in the last 12 hours.

High risk users

Click the box to view details about the high risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

High risk user details

Medium risk users

Users with risk score between 71 and 90. These users could have multiple serious violations on their account and must be monitored closely.

On the Users dashboard, you can see the summary of the number of medium risk users for a specific time. You can see the total number of medium risk users and the increase in the number of medium risk users.

For example, the below image shows data for the last 12 hours. Currently, there are eight medium risk users out of which seven were identified as medium risk users in the last 12 hours.

Medium risk users

Click the box to view details about the medium risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

Medium risk user details

Low risk users

Users with risk score between 0 and 70. These users may have some violations detected on their account. They can also include users who were previously high or medium risk users who have been reevaluated over a pre-determined time period.

On the Users dashboard, you can see the summary of the number of low risk users for a specific time. You can see the total number of low risk users and the increase in the number of low risk users.

For example, the below image shows data for the last 12 hours. Currently, there are 147 low risk users out of which 61 were identified as low risk users in the last 12 hours.

Low risk users

Click the box to view details about the low risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

Low risk user details
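
The score bands above and the sign convention of the Change column can be reproduced over exported data for triage outside the dashboard. The following Python is an added example, not Citrix code or a Citrix API. The record layout (user, score at the start of the window, current score), the function names, and the reading of "identified in the last 12 hours" as a band change within the window are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Score bands as stated on this page (inclusive bounds).
BANDS = (("high", 91, 100), ("medium", 71, 90), ("low", 0, 70))

def risk_band(score):
    """Return the band for a score, or None for a discovered user with no score."""
    if score is None:
        return None
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"risk score out of range 0-100: {score!r}")

def score_change(previous, current):
    """Signed change as the Change column shows it: '+' means the score rose."""
    # Assumption: a user with no score at window start is measured from 0.
    return f"{current - (previous or 0):+d}"

def summarize(records, top_n=5):
    """records: (user, score at start of window, current score) tuples."""
    # Discovered users without a current score are counted but are not risky.
    risky = [r for r in records if r[2] is not None]
    totals = Counter(risk_band(cur) for _, _, cur in risky)
    # Assumption: "identified in the window" = band differs from band at window start.
    new = Counter(risk_band(cur) for _, prev, cur in risky
                  if risk_band(prev) != risk_band(cur))
    by_score = sorted(risky, key=lambda r: r[2], reverse=True)[:top_n]
    by_change = sorted(risky, key=lambda r: r[2] - (r[1] or 0), reverse=True)[:top_n]
    return {
        "discovered": len(records),
        "risky": len(risky),
        "totals": dict(totals),
        "new_in_window": dict(new),
        "highest_score": [(u, cur) for u, _, cur in by_score],
        "highest_change": [(u, score_change(prev, cur)) for u, prev, cur in by_change],
    }

# Constructed sample data (not real users or scores).
SAMPLE = [
    ("alice", 72, 92), ("bob", 95, 93), ("carol", 40, 75),
    ("dave", 80, 78), ("erin", None, 65), ("frank", 88, 60),
    ("grace", None, None),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```
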

Users in watchlist

List of users monitored closely for potential threats. For example, you can monitor users who are not full-time employees within your organization by adding those users to the watchlist, or you can monitor users who trigger a specific risk indicator frequently.

You can either add a user to the watchlist manually, or you can define rules that, when triggered, add a user to the watchlist. If there are no users added to the watchlist, you will see the following screen on the Users dashboard.

Zero users in watchlists

If you have added users to the watchlist, on the Users dashboard, you can view the top five users in the watchlist sorted based on the highest score. You can also view the score change data and the trend of score change.

Click the Users in Watchlist box or the See More link on the Users in Watchlist pane to view the list of all users who are added to the watchlist.

Learn More: Watchlist

Users dashboard users in watchlist
