What’s new

A goal of Citrix is to deliver new features and product updates to Citrix Analytics customers when they are available. New releases provide more value, so there’s no reason to delay updates.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize the availability.

December 04, 2019

New features

Custom risk indicator for Citrix Gateway

Using custom risk indicators, you can now define the conditions and the frequency for triggering risk indicators for Citrix Gateway events. When a user event meets the conditions, Analytics triggers the risk indicators. For more information on how to create custom risk indicator, see Custom risk indicators.

Fixed issues

Some users in the Asia Pacific-South region are unable to sign in to Citrix Analytics although they have onboarded to Citrix Cloud by selecting United States as the home region. [CAS-27368]

November 22, 2019

New features

First time access from new device – Citrix Virtual Apps and Desktops risk indicator

Citrix Analytics detects access threats based on access from a new device and triggers the corresponding risk indicator.

The First time access from new device risk indicator is triggered when a user signs in for the first time from an unfamiliar device, typically a new device. This event is triggered because Citrix Receiver has no sign-in records from this new and unfamiliar device. For more information, see Citrix Virtual Apps and Desktops risk indicators.

Deprecated risk indicator - Access from new device

Citrix Analytics no longer triggers the Access from new device risk indicator. However, on the user dashboard, user timeline, and the policy dashboard, you can view historic data related to this risk indicator.

For previously created policies based on Access from new device, you must either modify the policy or create a policy with the new risk indicator First time access from new device.

For more information, see First time access from new device risk indicator.

First time access from new IP - Citrix Gateway risk indicator

Citrix Analytics detects access threats based on access from a new IP address and triggers the corresponding risk indicator.

The First time access from new IP risk indicator is triggered when a user signs in from an unfamiliar IP address. This event is triggered because Citrix Receiver has no sign-in records from this new IP address.

For more information, see Citrix Gateway risk indicators.

Logon from suspicious IP - Citrix Gateway risk indicator

Citrix Analytics detects user access threats based on the suspicious IP sign-in activity and triggers the Logon from suspicious IP risk indicator.

This risk indicator is triggered when a user attempts to access the network from a suspicious IP address. Analytics considers an IP address as suspicious based on any of the following conditions:

• Is listed on the external IP threat intelligence feed

• Has multiple user sign-in records from an unusual location

• Has excessive failed sign-in attempts that might indicate a brute-force attack

For more information, see Citrix Gateway risk indicators.

Self-service search for Citrix Gateway events

Use the self-service search feature to get insight into user events received from the Citrix Gateway data source. Citrix Analytics receives events such as authentication stage, authorization type, VPN session code, VPN session state for Citrix Gateway users. Use the facets and the search box to search for the required events and explore the underlying data.

To view the events, in the search box, select Gateway from the list, select the time period, and then click Search.

For more information, see Self-service search for Gateway.

Self-service search for Citrix Secure Browser events

Use the self-service search feature to get insight into the browsing events received from the Citrix Secure Browser service. Citrix Analytics receives events such as session connect, session launch, published applications, deleted applications for each user connection. Use the search box to search for the required events and explore the underlying data.

To view the events, in the search box, select Secure Browser from the list, select the time period, and then click Search.

For more information, see Self-service search for Secure Browser.

Remove from watch list action

You can remove a user from the watchlist either by applying the manual method or by applying a policy-based method. For more information, see Watchlist.

Improved onboarding messages when configuring a StoreFront deployment

Citrix Analytics now provides the following messages to help you configure your StoreFront deployments:

• After downloading the configuration file, you can see a message indicating the date and time of the download and the user name. When you refresh this page, the Download file button changes to Download file again.

  

• If your StoreFront configuration is incomplete, you see a warning message instructing you to follow configuration steps and connect your StoreFront deployment with Analytics.

  

For more information on how to configure your StoreFront deployment, see Onboard your Virtual Apps and Desktops Sites using StoreFront.

Redesigned overview page for Analytics

The Analytics overview page is redesigned to allow access to all the Analytics offerings from this page. You can request for a trial, try demo, or manage your Analytics offering. Currently, only Security Analytics and Operations Analytics are generally available and therefore, active on this page.

To view the overview page, select Help > Overview.

Fixed issues

• The self-service search for authentication fails to display the events. [CAS-24959]

November 08, 2019

Fixed issues

• For Citrix Content Collaboration risk indicators, users are unable to apply actions on the risk timeline. [CAS-24844]

October 21, 2019

New features

Modified name for analytics agent

The agent name is specifically mentioned as Analytics policy agent on the user interfaces to indicate its role. When onboarding the on-premises Citrix Virtual Apps and Desktops data sources, Citrix Analytics clearly notifies that a policy agent is required only to configure policies and actions for your Site. This agent has no role in transmitting data from the data source. For more information, see Citrix Virtual Apps and Desktops data source.

Support for the time dimension for custom report

You can now group the events based on time by selecting the Time dimension for the x-axis. The report displays the total events received based on the time intervals for the selected period. For more information on how to create reports, see Custom reports.

Audit logs enhancements

The user experience of the Audit Log page is enhanced.

• You can view the date and time details when the Audit Log page was last updated and refresh the page to view the latest audit logs.

• You have an option to clear all the filters that were applied on the audit logs.

For more information on the audit data, see Audit logs.

Technical security overview

The technical security overview provides you an understanding of the security best practices related to Citrix Analytics. This document describes the data flow, data protection, network requirements, and the security responsibilities that need to be considered when using Citrix Analytics.

Fixed issues

• Citrix Analytics is unable to generate the Anonymous IP address risk indicator even though Microsoft Graph Security is successfully onboarded. [CAS-21329]

• Versions prior to 1910 of Citrix Workspace App for HTML5 fail to send event details to Citrix Analytics. [CAS-24938]

September 23, 2019

Fixed issues

• On the data sources site cards, the Latest event field displays incorrect date and time information. [CAS-24087]

September 11, 2019

Fixed issues

• Citrix Cloud is unable to redirect users to the region-specific Citrix Analytics page. [CAS-20559]

August 30, 2019

New features

Change in default time period across dashboards

The default time period on the following dashboards is changed from Last 1 Hour to Last 1 Month:

• Users

• Risk Timeline

• User Access

• App Access

• Share Links

• Alerts History

• User Operations

• App Operations

Now the dashboards display the events for the last one month by default. You get a more engaging experience while using these dashboards. For example, when you open the App Access dashboard, the dashboard displays the app access events for the last one month by default.

Fixed issues

• For Content Collaboration risk indicators, the Disable user policy-based action cannot be applied successfully. [CAS-17304]

• Citrix Analytics cannot process events from Citrix Gateway 13.0. This issue occurs because Citrix Gateway 13.0 fails to provide user names in the logon events sent to Citrix Analytics. [CAS-21339]

August 20, 2019

New features

Self-service search enhancements

• The user experience of the self-service page is enhanced. You can now seamlessly switch back and forth between the user risk timeline and the self-service search page.

• You can now sort your events by time. By default, the latest events appear first in the event table. Click the sort icon on the TIME column to sort the events based on either latest time or earliest time.

For more information on how to use self-service search, see Self-service search.

Custom report enhancements

• New dimensions are added for the Access Control, Content Collaboration, and Virtual Apps and Desktops data sources. You can choose these dimensions to create reports. The following dimensions are added for the data sources:

  • Access Control: User Agent, User Name

  • Content Collaboration: User Email, User Name, Created by, Account Id, OAuth Client Id, Event Id, Folder Id, Folder Name, Resource Id, Form Id, Client Ip

  • Virtual Apps and Desktops: User Name, Ip Address, Device Id, Jail Broken, Session Launch Type, Session Server Name, Session User Name, Download File Name, Download File Path, Printing Printer Name, Printing Job Details File Name, SaaS App Launch URL, Clipboard Operation, Clipboard Details Result

• The custom report user interface is enhanced with support for pagination and a Clear All option for the filters.

For more information on how to create a custom report using these dimensions, see Custom reports.

Risk Indicators dashboard

The Risk Indicators dashboard is introduced on the Users page. It summarizes the top five default and custom risk indicators for a user. A See More link redirects you to the Risk Indicator Overview page. This page provides detailed information about the risk indicators generated for a selected time period.

For more information, see Users dashboard.

Risky Users dashboard enhancements

Citrix Analytics introduces the Risk Indicators and Risk Indicators Change tabs on the Risky Users dashboard. You can view the top five risky users based on these tabs. The dashboard also introduces the Risk Indicators column. It shows the number of risk indicators for a user.

The Risky Users page introduces the Occurrences and Occurrences Change columns. These columns summarize the total occurrences and the change in occurrences of the custom and the default risk indicators.

For more information, see Users dashboard.

Share link risk indicator - Excessive downloads

Citrix Analytics detects access threats based on excessive downloads on a share link and triggers the Excessive downloads risk indicator. By identifying share links with excessive downloads, based on previous behavior, you can monitor the share link for potential attacks. This risk indicator helps you identify an excessive file download activity.

For more information, see Excessive downloads.

Self-service search for the Authentication data

Use self-service search to get insights into the authentication events. Citrix Analytics receives the authentication events such as user login, user logoff, and client update from the Identity and Access Management service of Citrix Cloud. The search provides a detailed report on the authentication events, helps you to identify any authentication issues, and troubleshoot them. You can also define a search query to retrieve events that match your defined criteria.

To view the events, select Authentication from the list, select the time period, and then click Search.

For more information, see Self-service search for Authentication.

Fixed issues

• In some scenarios, administrators encounter a socket hang up error while accessing the User Operations dashboard. [CAS-16122]

• The Citrix Analytics walkthrough functionality does not load accurately on the Microsoft Edge and Safari browsers. [CAS-20906]

July 31, 2019

New features

Support for the European Union region

Citrix Analytics now supports the European Union region. You can choose European Union as a home region while onboarding your organization to Citrix Cloud and use the Citrix Analytics service. Citrix Analytics will store the user events and metadata for your organization in the European Union region. For more information on Citrix Cloud regions, see Geographical Considerations.

July 11, 2019

New features

Custom risk indicators

The default risk indicators that Citrix Analytics generates are based on machine learning algorithms. Citrix Analytics now allows you to create custom risk indicators. Based on user events, you can define the conditions and create custom risk indicators.

When the defined conditions are met, Citrix Analytics generates the custom risk indicators similar to default risk indicators, and displays them on the user’s risk timeline. Custom risk indicators are denoted with a label on the user’s risk timeline.

For more information, see Custom risk indicators.

Privileged status on risk timeline

The user risk timeline displays the following events whenever there is a change in Admin or Executive privilege status of a user:

• Added to Executive group

• Removed from Executive group

• Privilege elevated to Admin

• Admin privilege removed

When a risk indicator is triggered for a user, you can co-relate it with the specified privilege status change event. If necessary, you can apply appropriate actions on the user profile.

For more information, see User risk timeline.

Expire share link action

Citrix Analytics enables you to apply actions on share link risk indicators. Currently, the supported action is Expire share link.

For more information, see Citrix share link risk indicators.

Self-service search enhancements

• Support for wild card character * in search query: Use the asterisk (*) character in your search query to match any character zero or more times. For example, the search query User-Name = “John*” displays events for the all usernames that begin with John.

• Added the Clear All option for facets: Click Clear All to remove all the selected facets at a time.

• View hidden column data in the event list: After removing a column from the event table, you can view the corresponding data in the user event list. Expand the event row for a user and view the data.

For more information, see Self-service search.

Data error status on the site cards

The Site cards display the No data received label in red when Citrix Analytics does not receive events for the last one hour from the data source. It also displays the number of events received and is linked to the corresponding self-service search page. This feature helps you view the corresponding events on the self-service search page and check for any data transmission issues.

Note

Currently, self-service search is available only for the Access, Content Collaboration, and Virtual Apps and Desktop data sources.

For more information, see Enable Analytics on Citrix data sources.

Fixed issues

• For the Access Control data source, the number of events on the site card does not match the self-service search results.

  [CAS-18286]

June 26, 2019

Fixed issues

• Citrix Analytics does not load accurately on Internet Explorer 11.

  [CAS-19867]

June 19, 2019

Fixed issues

• Citrix Analytics does not load accurately on Microsoft Edge.

  [CAS-19930]

• The Audit Log page displays the data transmission on or off status every time the Active Directory data source is discovered.

  [CAS-17575]

• The time period menu on the Users dashboard does not load accurately. It displays a timeout error message.

  [CAS-19467]

• Users get an error message on Citrix Analytics while connecting to a tenant from Splunk. Occasionally, onboarding of new data sources fails.

  [CAS-19429]

June 17, 2019

New features

StoreFront configuration

If your organization uses on-premises StoreFront, you can now configure StoreFront to connect to Citrix Analytics. Configuration is performed using a configuration file imported from Citrix Analytics. After the configuration is successful, Citrix Workspace app sends user events to Citrix Analytics for generating actionable insights into user behaviors. The insights help you to detect any anomalous user behaviors and proactively handle security threats in your organization. For more information, see Onboard Virtual Apps and Desktops Sites using StoreFront.

May 30, 2019

New features

Excessive logon failures

Citrix Analytics detects access threats based on excessive logon activity and triggers the Excessive logon failures risk indicator. This risk indicator is triggered when a user experiences multiple failed logon attempts to access Content Collaboration. By identifying users with excessive logon failures, based on previous behavior, administrators can monitor the user’s account for brute force attacks.

For more information, see Excessive logon failures.

Fixed issues

• For some user events transmitted by Citrix Workspace apps, the data source is incorrectly identified as Endpoint Management instead of Citrix Virtual Apps and Desktops.

  [CAS-17323]

• The Users dashboard takes a long time to load for the Last 1 Month time period. This issue occurs when the number of users are high. In some instances, you might even encounter 601 errors.

  [CAS-16300]

• Citrix Content Collaboration is not discovered as a data source although some users subscribe to the service on Citrix Cloud.

  [CAS-16299]

May 09, 2019

New features

Creating custom reports

You can now create custom reports based on your operational requirements. Citrix Analytics provides a list of dimensions and metrics according to the selected data source. Choose the required parameters and the visualization types such as bar chart, event chart, line chart, or table to create your reports. Creating reports help you to organize and analyze your data graphically.

To create a custom report, from the Security tab, click Reports > Create Report. To view your previously created reports, from the Security tab, click Reports. For more information, see Custom reports.

Privileged user monitoring

Citrix Analytics enables you to closely monitor the behavior anomalies of privileged users in an organization. As privileged users are highly vulnerable to security threats, it becomes challenging to distinguish their daily activities from the malicious ones. Hence, the malicious activities of privileged users remain undetected for a long time. This feature enables you to proactively monitor such activities and take appropriate actions on the appropriate user accounts. Privileged users are represented with an icon on the Users dashboard.

Citrix Analytics supports monitoring for the following types of privileged users:

• Admins - Users who are assigned Admin privileges by the respective Citrix service. Currently, Citrix Analytics supports privileged user monitoring for users with Admin privileges in the Content Collaboration service.

• Executives - On Citrix Analytics, you can mark an AD group as an Executives group. Marking an AD group as an Executive group makes all the users in the group as privileged users. If there is no need to further support the behavior anomalies of users in an AD group, you can remove the group as an Executive group.

For more information, see Privileged users.

Weekly email summary

Citrix Analytics sends a weekly email to the administrators summarizing the security risk exposures in their organization’s IT environment. The email notification is sent every Tuesday to the administrators and it highlights the security events that have occurred in the previous week. This email ensures that the administrators are informed about the security risk exposures without signing in to Citrix Analytics. For more information, see Weekly email summary.

April 26, 2019

New features

Delegated administrators

Citrix Analytics now supports delegated administrator roles. This functionality enables you to invite other administrators to your Citrix Cloud account to manage Citrix Analytics for your organization. If you are a Citrix Analytics administrator with full access permission, you can add other administrators to your Citrix Cloud account. These additional administrators are called delegated administrators. You can currently assign read-only access to the delegated administrators. For more information, see Delegated administrators.

Fixed issues

Few risk indicators for the data sources that use data streaming do not generate alerts. You do not get any alert notifications and policy-based actions are not applied automatically if any one of the following risk indicators is triggered:

• Citrix Endpoint Management risk indicators - Unmanaged device, Jailbroken or rooted device, and Device with blacklisted apps.

• Citrix Virtual Apps and Desktops risk indicator - Access from device with unsupported operating system (OS).

• Citrix Content Collaboration risk indicator - Excessive access to sensitive files.

[CAS-14590]

February 19, 2019

New features

Splunk integration

Citrix Analytics integrates with Splunk to enhance your security incident monitoring and troubleshooting experiences. This integration augments your existing data sources with the intelligence of Citrix Analytics’ risk analysis capabilities such as risk indicators, risk scores, and user profiles. Citrix Analytics exports risk analysis information to a channel. Splunk pulls the same from this channel.

Splunk integration involves configuration on Citrix Analytics, installation of the Citrix Analytics Add-on for Splunk app, and configuration of the app. Ensure to turn on data processing for at least one data source. It helps Citrix Analytics to begin the Splunk integration process.

For more information, see Splunk integration.

Dynamic session recording

Citrix Analytics introduces the ability to trigger session recording dynamically on the users’ current Virtual Apps and Desktops sessions. It helps to capture evidences required for risk analysis and take appropriate incident response actions such as disconnect sessions and block user.

For more information, see Policies and actions.

Share Links dashboard and risk indicator

Citrix Analytics introduces the risk visibility to Share Links based on data collected from Citrix Content Collaboration. It helps you to understand the risk exposure of share links through the risk indicators that the share links trigger.

For more information, see Share Links dashboard.

Currently, the Anonymous sensitive share download risk indicator is triggered for a share link. When Content Collaboration detects this risky behavior, Citrix Analytics receives the events. You are notified in the Alerts panel and the Anonymous Sensitive Download risk indicator is added to the share link’s risk timeline.

For more information, see Share Link risk timeline and Citrix Share Link risk indicators.

Microsoft Active Directory integration

You can now integrate Microsoft Active Directory with Citrix Analytics. This integration enhances the context of risky users with additional information such as job title, organization, office location, email, and contact details. You can get a better visibility of a user on the user profile page in Citrix Analytics.

For more information, see Integrate Analytics with Microsoft Active Directory.

January 04, 2019

New features

Addition of SOURCE column for existing risk indicators

The SOURCE column has been introduced in the EVENT DETAILS section for following risk indicators:

• Excessive file uploads

• Excessive file downloads

• Excessive file sharing

• Excessive file or folder deletion

For more information, see Citrix Content Collaboration risk indicators.

Advanced user profile

The User Info view on the user profile has been enhanced. The Trend View link has been introduced at the top right corner of the Application, Devices, and Data Usage sections. The Map View link has been introduced at the top right corner of the Locations section. These links provide a graphic representation about the user’s historical behavior during a specific time period. You can navigate to User Info from the user’s risk timeline or from the Data Sources page.

Note

The Authentication and Domains data are currently not available on the User Info profile.

For more information, see Users dashboard.

Microsoft Graph Security risk indicators

The onboarded Microsoft Graph Security can receive risk indicator details from one of the following security providers, and forwards it to Citrix Analytics:

• Azure AD Identity Protection

• Windows Defender Advanced Threat Protection

For more information, see Microsoft Graph Security risk indicators.

Ways to enter the self-service search page

You can now access the self-service search page using the following options:

• Top bar: Click Search on the top bar to directly access the search page.

  

• Risk timeline on user profile page: Click Event Search to access the search page and view the events corresponding to a specific user’s risk indicator and the data source. For more information, see Self-service search.

  

Self-service search for Content Collaboration

Use self-service search to get insight into the events associated with the Content Collaboration data source. To view the events, select Content Collaboration from the list, select the time period, and then click Search. For more information, see Self-service search for Content Collaboration.

Self-service search for Virtual Apps and Desktops

Use self-service search to get insight into the events associated with the Virtual Apps and Desktops data source. To view the events, select Apps and Desktops from the list, select the time period, and then click Search. For more information, see Self-service search for Virtual Apps and Desktops.

Export self-service search events to CSV file

You can now export the self-service search events to a CSV file and download the file for future use. For more information, see Self-service search.

Improved onboarding for Virtual Apps and Desktops

The onboarding process for Virtual Apps and Desktop data source is now improved to provide a better user experience. The site cards and the on boarding steps have been modified. For more information, see Citrix Virtual Apps and Desktops data source.

November 29, 2018

New features

Microsoft Security Graph data source

Microsoft Graph Security is an external data source that aggregates data from multiple security providers. It also provides access to the user inventory data.

Citrix Analytics currently supports the Azure AD identity protection and Windows Defender ATP security providers associated with this data source.

To onboard this data source, you must obtain permissions from the Microsoft identity platform. For more information, see Microsoft Graph Security.

View event details and discovered users on the site cards for data sources

The site cards for the data sources now display event details and the number of users. For example, you can view the event details and the users for Access Control on the site card. For more information, see Enable Analytics on data sources.

November 16, 2018

New features

Self-service search for access data

You can use self-service search to get insight into the access details for the users in your enterprise. Citrix Analytics collects the users’ access details from the Citrix Access Control service. Use the facets and the search query to narrow down your search results.

To use the self-service search page, from the Security tab, click Event Search .

For more information, see Self-service search for Access.

Risk indicator feedback

Using the risk indicator feedback feature on Citrix Analytics, you can provide feedback regarding a risk indicator. Your feedback helps to confirm if the security incident reported is accurate or not.

Currently, this feature is supported on the Unusual logon access risk indicator triggered by the Content Collaboration data source. If this risk indicator triggered is incorrect, you can report it as a false positive and provide feedback. You can also edit feedback that you have previously submitted. Citrix Analytics captures your feedback and validates the predicted information to optimize the anomalous behavior detection.

For more information, see Risk indicator feedback.

Fixed issues

• You cannot edit and save a policy if you are accessing Citrix Analytics using Internet Explorer 11.0.

• If you are accessing Citrix Analytics using Internet Explorer version 11.0, the Citrix Cloud navigation bar fails to load and restricts you from accessing the hamburger menu.

October 10, 2018

Architecture and platform enhancements

Multiple architectural and platform improvements were done in this release to enhance performance, scale, monitoring, supportability, security, and user experience.

August 23, 2018

Citrix Analytics is a cloud service delivered through Citrix Cloud. It collects data across Citrix portfolio products and provides actionable insights, enabling administrators to proactively handle security threats, improve app performance, and support continuous operations. Currently, Citrix Analytics provides the following analytics offerings:

• Security Analytics: Collates and provides visibility into user and entity behavior. For more information, see Security Analytics.

• Operations Analytics: Collates and presents information on the activities of users, such as, websites visited, and the bandwidth spent. For more information, see Operations Analytics.

New product names

The Citrix products supported by Citrix Analytics are now renamed as part of the Citrix unified product portfolio.

You might notice new names in our products and product documentation. This is a result of the expansion of the Citrix portfolio and cloud strategy. For more details about the Citrix unified portfolio, see Citrix product guide. Implementing this transition in our products and their documentation is an ongoing process.

• In-product content and documentation might still contain former names. For example, you might see instances of earlier names in console text, messages, directory/file names, screenshots, and diagrams.

• It is possible that some items (such as commands) might continue to retain their former names to prevent breaking existing customer scripts.

• Related product documentation and other resources (such as videos and blog posts) that are linked from this product’s documentation might still contain former names.