Troubleshoot Citrix Analytics for Security

Troubleshooting events transmission issue from a data source

This section helps you to troubleshoot data transmission issues in Citrix Analytics for Security. When a data source fails to transmit user events accurately, you can encounter issues such as non-discovery of users and risk indicators.

Checklist

| Sequence | Checks |
|---|---|
| 1 | Is your organization in a supported geographic region: United States, European Union, or Asia Pacific South? |
| 2 | Do you have the correct entitlement to use Security Analytics? |
| 3 | Does your environment meet all the system requirements? |
| 4 | Are all the data sources discovered and data processing enabled on Analytics? |
| 5 | Are the user activities on the data source transmitting events accurately to Analytics? |
| 6 | Are the virtual apps and desktops events transmitted to Analytics? |
| 7 | Are the user events appearing on the self-service search page in Analytics? |
| 8 | Are the users discovered by Analytics? |

Check 1- Is your organization in a supported geographic region?

If you do not see user events in Citrix Analytics, your organization might have been onboarded in a home region that is currently not supported. Citrix Analytics does not receive events from the non-supported regions.

To use Citrix Analytics, you must select either United States or European Union as the home region to onboard your organization. If your organization is located in the Asia Pacific South region, you must select the United States region to onboard your organization. For more information, see Geographical Considerations.

To verify the Citrix Cloud region in which your organization is onboarded:

On your Citrix Cloud account, select Account Settings > Company Account.

Supported data sources based on their locations

Citrix Analytics supports the following data sources based on their geographic regions. Data sources are the products that send data to Analytics. For more information, see Data sources.

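| Data source | Region | Supported by Analytics |
|---|---|---|
| Citrix Access Control | US | Yes |
| Citrix Access Control | EU | No |
| Citrix Content Collaboration | US | Yes |
| Citrix Content Collaboration | EU | Yes |
| Citrix Endpoint Management | US | Yes |
| Citrix Endpoint Management | EU | Yes |
| Citrix Gateway | US | Yes |
| Citrix Gateway | EU | No |
| Citrix Virtual Apps and Desktops service | US | Yes |
| Citrix Virtual Apps and Desktops service | EU | Yes |
| Citrix Virtual Apps and Desktops on-premises | US | Yes |
| Citrix Virtual Apps and Desktops on-premises | EU | Yes |
| Citrix Secure Browser | US | Yes |
| Citrix Secure Browser | EU | Yes |
| Microsoft Active Directory | US | Yes |
| Microsoft Active Directory | EU | Yes |
| Microsoft Graph Security | US | Yes |
| Microsoft Graph Security | EU | Yes |
| Splunk | US | Yes |
| Splunk | EU | Yes |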

Check 2- Do you have the correct entitlement to use Security Analytics?

Citrix Analytics for Security is a subscription-based offering. You can either use a limited trial or buy a subscription to use this offering. For more information, see Getting started.

Check 3- Does your environment meet all the system requirements?

Citrix Analytics can take a few minutes to receive the user events from the data sources. If you do not see any user events on the data source site cards, ensure that your environment meets the prerequisites and the system requirements.

Prerequisites

  1. All your Citrix Cloud subscriptions must be active. On the Citrix Cloud page, ensure that all the Citrix Cloud services are active.

  2. If you are using on-premises Citrix Virtual Apps and Desktops, you must add your Sites to Citrix Workspace and configure Site aggregation. Citrix Analytics automatically discovers the Sites added to Citrix Workspace. For more information, see Aggregate on-premises virtual apps and desktops in workspaces.

  3. If you are using a StoreFront deployment for your Sites, configure your StoreFront servers to enable Citrix Workspace app to send user events to Citrix Analytics. Ensure that the StoreFront version is 1906 or later. If you do not configure the StoreFront server, Citrix Analytics fails to receive user events from Citrix Virtual Apps and Desktops. To configure StoreFront deployment, see the Citrix Analytics service article in the StoreFront documentation.

  4. Onboard your data sources as mentioned in the following articles:

  5. The Citrix Virtual Apps and Desktops users must use the specified version of Citrix Workspace app or Citrix Receiver on their endpoints. Otherwise, Analytics does not receive the user events from the user endpoints. The list of supported versions of Citrix Workspace app or Citrix Receiver is available in Citrix Virtual Apps and Desktops data source.

Check 4- Are all data sources discovered and data processing enabled on Analytics?

Ensure that all your data sources are discovered and you have enabled data processing for them. If you do not enable data processing for a data source, the users using the data source are not discovered. This situation might create a potential security risk.

Enabling data processing ensures that Citrix Analytics is processing your user events. Events are sent to Citrix Analytics only when the users are actively using the data source.

Note

Citrix Analytics does not actively pull data from your environment.

To discover your data sources and enable analytics, do the following:

  1. Click Settings > Data Sources > Security to view your discovered data sources. Citrix Analytics automatically discovers the data sources that you have subscribed to on your Citrix Cloud account.

  2. On the Data Sources page, the discovered data sources appear as site cards. By default, the data processing is off.

    Important

    Citrix Analytics processes your data after you have given your consent.

  3. Click Turn On Data Processing on the site card for which you want Citrix Analytics to process events. For example, on the Access Control site card, click Turn On Data Processing.

  4. After you have turned on data processing, Citrix Analytics processes the events for the data source. The status of the site card changes to Data processing on. You can view the number of users and the received events based on the selected time period.

  5. For all discovered data sources, follow the steps specified in Getting started to enable analytics.

Check 5- Are the user activities on the data source transmitting events accurately to Analytics?

Citrix Analytics receives user events from the data sources when the users are actively using the data sources. The users must perform some activities on the data source to generate events. For example, to receive events from the Content Collaboration data source, the Content Collaboration users must share, upload, or download some files.

Note

Citrix Analytics does not actively pull data from your environment.

If you do not see any user events in Citrix Analytics for your data source, there is a high probability that the users are not active at that moment.

To verify that Citrix Analytics accurately receives the user events, perform the following activity. This activity uses the Citrix Content Collaboration data source. You can perform a similar activity using other Citrix products (data sources) based on your subscription.

  1. Log on to the Citrix Content Collaboration service.

  2. Perform some usual user activities such as creating a folder, downloading files, uploading files, or deleting files.

  3. For example, create a Test folder.

  4. Upload some local files.

  5. Delete some files in the folder.

  6. Go back to Citrix Analytics and view the Content Collaboration site card on the Data Sources page. Citrix Analytics receives the user events from the Content Collaboration data source and displays them on the site card.

Check 6- Are the virtual apps and desktops events transmitted to Analytics?

Some versions of Citrix Workspace app or Citrix Receiver client fail to send user events to Citrix Analytics. When users launch virtual apps and desktops through these clients, Citrix Analytics fails to discover the users until they perform the supported events.

For example, Citrix Workspace app for Mac prior to 1910 does not send the Account Logon event to Citrix Analytics. A user who logs on using such a version of Citrix Workspace app for Mac is not discovered by Citrix Analytics. However, if the user later launches a SaaS app, the user is discovered, because Citrix Workspace app for Mac prior to 1910 does send the SaaS App Launch event to Citrix Analytics.

Supported events

Refer to the following table to check the user events supported by each client version.

  • Yes- The event is sent by the client to Citrix Analytics.

  • No- The event is not sent by the client to Citrix Analytics.

  • NA- The event is not applicable for the client.

| Event | Workspace app for Windows 1808 or later | Workspace app for Mac prior to version 1910 | Workspace app for Mac 1910 or later | Workspace app for Linux 2006 or later | Workspace app for Android 1809 or later | Workspace app for iOS 1811 or later | Workspace app for Chrome 1809 or later | Workspace app for HTML5 1809 or later | Receiver for Windows 4.11 | Receiver for Windows 4.12 | Receiver for Mac 12.9.1 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Account Logon | Yes | No | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No |
| Session Logon | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Session Launch | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Session End | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| App Start | Yes | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| App End | Yes | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| File Download | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| Printing | No | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| SaaS App Launch | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
| SaaS App End | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
| SaaS App URL Navigation | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
| SaaS App Clipboard Access | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
| SaaS App File Download | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
| SaaS App File Print | Yes | Yes | Yes | No | No | No | No | No | NA | NA | NA |
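
The supported-events table can be applied to a client inventory to show which events each user's client never sends to Citrix Analytics, and therefore where insights and risk indicators will be missing. This is an added example, not Citrix code: the inventory format, the function names, the YYMM version strings, and exact matching of the Receiver versions are assumptions, and the sample inventory is constructed.

```python
import operator

# Event order follows the rows of the supported-events table.
EVENTS = ["Account Logon", "Session Logon", "Session Launch", "Session End",
          "App Start", "App End", "File Download", "Printing",
          "SaaS App Launch", "SaaS App End", "SaaS App URL Navigation",
          "SaaS App Clipboard Access", "SaaS App File Download",
          "SaaS App File Print"]

# One row per table column: (product, platform, comparison, version, flags).
# flags holds one character per EVENTS entry: Y = sent, N = not sent, - = NA.
MATRIX = [
    ("workspace", "windows", operator.ge, (1808,), "YYYYYYYN" "YYYYYY"),
    ("workspace", "mac", operator.lt, (1910,), "NNNNNNYY" "YYYYYY"),
    ("workspace", "mac", operator.ge, (1910,), "YYYYYYYY" "YYYYYY"),
    ("workspace", "linux", operator.ge, (2006,), "YYYYYYYY" "NNNNNN"),
    ("workspace", "android", operator.ge, (1809,), "YYYYNNNN" "NNNNNN"),
    ("workspace", "ios", operator.ge, (1811,), "YYYYYYNN" "NNNNNN"),
    ("workspace", "chrome", operator.ge, (1809,), "NYYYYYYY" "NNNNNN"),
    ("workspace", "html5", operator.ge, (1809,), "NYYYYYYY" "NNNNNN"),
    # Assumption: Receiver versions must match the table entry exactly.
    ("receiver", "windows", operator.eq, (4, 11), "YYYYYYYY" "------"),
    ("receiver", "windows", operator.eq, (4, 12), "YYYYYYYY" "------"),
    ("receiver", "mac", operator.eq, (12, 9, 1), "NNNNNNYY" "------"),
]

def parse_version(text):
    """'1910' -> (1910,), '12.9.1' -> (12, 9, 1)."""
    return tuple(int(part) for part in text.split("."))

def events_for(product, platform, version):
    """Return {event: 'Y' | 'N' | '-'}, or None if the table does not list the client."""
    ver = parse_version(version)
    for prod, plat, compare, bound, flags in MATRIX:
        if (prod, plat) == (product.lower(), platform.lower()) and compare(ver, bound):
            return dict(zip(EVENTS, flags))
    return None

def coverage_gaps(inventory):
    """Map each user to the events their client does not send (table order).
    The value is None when the client version is not listed in the table."""
    report = {}
    for user, product, platform, version in inventory:
        flags = events_for(product, platform, version)
        report[user] = None if flags is None else [e for e in EVENTS if flags[e] == "N"]
    return report

# Constructed sample inventory (hypothetical users and versions).
SAMPLE_INVENTORY = [
    ("alice", "workspace", "windows", "2002"),
    ("bob", "workspace", "mac", "1909"),
    ("carol", "receiver", "mac", "12.9.1"),
    ("dave", "workspace", "windows", "1807"),
]

if __name__ == "__main__":
    for user, gaps in coverage_gaps(SAMPLE_INVENTORY).items():
        print(user, "client not listed" if gaps is None else gaps)
```

A user whose gap list includes Account Logon is not discovered at logon and appears in Analytics only after performing an event that the client does send.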

Recommendation

To get the maximum benefits of Analytics, Citrix recommends the following:

  • Windows user: Connect to your Citrix Virtual Apps and Desktops environment using Citrix Workspace app for Windows 1808 or later.

  • Mac user: Connect to your Citrix Virtual Apps and Desktops environment using Citrix Workspace app for Mac 1910 or later.

Check 7- Are the user events appearing on the self-service search page in Analytics?

Perform this final check to ensure that the events are being transmitted accurately to Citrix Analytics.

  1. On the top bar, click Search to go to the self-service search page.

  2. Select the data source to view the corresponding search page and the events.

  3. To view the data associated with the Content Collaboration events, select Content Collaboration from the list, select the time period, and then click Search.

For more information, see Self-service search.

Check 8- Are the users discovered by Analytics?

When events start flowing to Citrix Analytics, the users generating the events are discovered and shown on the Users dashboard. It usually takes a few minutes before you can view them on the dashboard.

  1. Click the Discovered Users link on the Users dashboard to view the complete list of users discovered by Citrix Analytics.

  2. The Users page displays the list of all users discovered for the last 13 months. Select the time period to view the risk indicator occurrences.

If events are being transmitted successfully, your Citrix Analytics environment is performing as expected. Risk indicators are generated when anomalies are detected.

Triggering Virtual Apps and Desktops events and SaaS events, and verifying their transmission to Analytics

This section describes the procedures to trigger Virtual Apps and Desktops events, SaaS events, and verify that Citrix Analytics is actively receiving these user events.

Prerequisites

  • Onboard your Citrix Virtual Apps and Desktops to Citrix Analytics and then enable data processing. For more information, see Citrix Virtual Apps and Desktops data source.

  • Use the correct versions of Citrix Workspace app or Citrix Receiver on the users’ endpoint devices so that the events are accurately sent to Citrix Analytics. For more information, see Citrix Virtual Apps and Desktops data source.

  • Before triggering the printing event from your virtual desktop, ensure that a printer is configured and provisioned in your Citrix Virtual Apps and Desktops environment. For more information on managing a printer, see Print.

  • To trigger SaaS events such as SaaS App Launch, SaaS App URL Navigation, and SaaS App File Download, you must use a configured SaaS app from Workspace. Commonly used SaaS apps include Salesforce, Workday, Concur, and GoTo Meeting.

    • If there are no configured SaaS apps, you must configure and publish a SaaS app. For more information, see Support for Software as a Service apps. When configuring a SaaS app, ensure that the following security options are disabled:

      • Restrict clipboard access

      • Restrict printing

      • Restrict navigation

      • Restrict download

    • If you want to use an already configured SaaS app from your Workspace to trigger the events, ensure that the specified enhanced security options are disabled for the SaaS app:

      1. Go to your Citrix Cloud account and select Library.

      2. On the Library page, identify the SaaS app that you want to use for verifying the events. For example, Workday.

      3. Click the ellipses, and select Edit.

      4. On the Edit App page, click the down arrow for Enhanced security.

      5. Ensure that the enhanced security options listed earlier (Restrict clipboard access, Restrict printing, Restrict navigation, and Restrict download) are not selected.

Known issue

A few versions of Citrix Workspace app and Citrix Receiver fail to send some events to Citrix Analytics. Therefore, Citrix Analytics cannot provide insights and generate risk indicators for these events. For more information about the issue and its workaround, see the known issue- CAS-16151.

Procedure

Perform the following steps in sequence to trigger the events in your Citrix Virtual Apps and Desktops deployment and verify that Citrix Analytics is actively receiving these events.

Note

  • The events might take some time to reach Citrix Analytics. Refresh the Citrix Analytics page if you do not see the triggered events.

  • For triggering the SaaS events, this procedure uses the Workday app as an example. You can use any configured SaaS apps from your Workspace to trigger the SaaS events.

  • Account Logon

    1. Launch Citrix Workspace app or Citrix Receiver to access your Workspace or StoreFront.

    2. Enter your credentials to log on to the Citrix Workspace app or Citrix Receiver.

    3. Go to Citrix Analytics.

    4. Click Search and select Apps and Desktops from the list.

    5. In the search page, view the data for the Account.Logon event. Expand the row to view the event details.

  • App Start

    1. Launch Citrix Workspace app or Citrix Receiver to access your Workspace or StoreFront.

    2. Launch an application such as calculator.

    3. Go to Citrix Analytics.

    4. Click Search and select Apps and Desktops.

    5. In the search page, view the data for the App.Start event. Expand the row to view the event details.

  • App End

    1. Close the calculator that you have already launched in your Workspace or StoreFront.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the search page, view the data for the App.End event. Expand the row to view the event details.

  • Session Logon and Session Launch

    1. Launch Citrix Workspace app or Citrix Receiver to access your Workspace or StoreFront.

    2. Launch your virtual desktop.

    3. Go to Citrix Analytics.

    4. Click Search and select Apps and Desktops.

    5. In the search page, view the data for the Session.Logon and Session.Launch events. Expand the row to view the event details.

  • File Download

    1. Launch Citrix Workspace app or Citrix Receiver to access your Workspace or StoreFront.

    2. Launch your virtual desktop.

    3. Copy a file from your virtual desktop to your local computer.

    4. Go to Citrix Analytics.

    5. Click Search and select Apps and Desktops.

    6. In the search page, view the data for the File.Download event. Expand the row to view the event details.

  • Printing

    1. Launch Citrix Workspace app or Citrix Receiver to access Workspace.

    2. Launch your virtual desktop.

    3. Print a document using a printer that is configured with your virtual desktop.

    4. Go to Citrix Analytics.

    5. Click Search and select Apps and Desktops.

    6. In the Search page, view the data for the Printing event. Expand the row to view the event details.

  • Session End

    1. Sign out from your virtual desktop. For example, if you are using a Windows virtual desktop, select the Sign out option.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the search page, view the data for the Session.End event. Expand the row to view the event details.

  • SaaS App Launch and SaaS App URL Navigation

    1. Launch Citrix Workspace app or Citrix Receiver to access your Workspace or StoreFront.

    2. Launch a SaaS application such as Workday and wait until the Workday page has loaded. Navigate around the webpages in Workday.

      Note

      Ensure that the Restrict navigation option is disabled in the Enhanced security section. For more information, see Prerequisites.

    3. Go to Citrix Analytics.

    4. Click Search and select Apps and Desktops.

    5. In the search page, view the data for the App.SaaS.Launch and App.SaaS.URL.Navigation events. Expand the row to view the event details.

  • SaaS App File Print

    1. Print the Workday page that you are currently viewing.

      Note

      Ensure that the Restrict printing option is disabled in the Enhanced security section. For more information, see the Prerequisites.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the search page, view the data for the App.SaaS.File.Print event. Expand the row to view the event details.

  • SaaS App Clipboard Access

    1. From the Workday page, copy some text to your system clipboard.

      Note

      Ensure that the Restrict clipboard access option is disabled in the Enhanced security section. For more information, see the Prerequisites.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the search page, view the data for the App.SaaS.Clipboard event. Expand the row to view the event details.

  • SaaS App File Download

    1. On the Workday page, search for a public document such as a whitepaper and download the document.

      Note

      Ensure that the Restrict download option is disabled in the Enhanced security section. For more information, see the Prerequisites.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the Search page, view the data for the App.SaaS.File.Download event. Expand the row to view the event details.

  • SaaS App End

    1. Close the Workday page.

    2. Go to Citrix Analytics.

    3. Click Search and select Apps and Desktops.

    4. In the search page, view the data for the App.SaaS.End event. Expand the row to view the event details.

Contact support

Citrix is committed to helping you be successful with our solutions. To ensure that your support request is routed to the correct resources, choose the options mentioned on our Contact Support page.
