Citrix Analytics for Security

Access assurance location dashboard

With the increase in remote working, as a Citrix IT administrator you might want assurance that your users are accessing Citrix Virtual Apps and Desktops from their usual and safe locations. If any users have logged on from unknown locations or new locations, you can validate their logon details and take necessary actions to mitigate any threats to your Citrix IT environment.

The Access Assurance Location dashboard provides an overview of the locations from where your users are accessing their Citrix Virtual Apps and Desktops environment. Citrix Analytics receives these user logon events from Citrix Workspace app installed on the users’ devices. The location information is provided at the city and the country level and does not represent a precise geolocation.

View the dashboard

To view the dashboard, click Security > Access Assurance. Select the time period for which you want to view the location details.


Analyze the user logon summary

The User Logon Summary page provides the following information for a selected period:

  • Total number of user logons across the locations (worldwide).

  • Total number of unique user logons across the locations (worldwide).

  • Total number of countries from where the users have logged on.

  • Top 10 locations with unique user logons. Some of the top unique user logons might come from unknown cities and countries; these are listed under the Unknown Locations tab. The list of unknown locations is a subset of the top 10 locations. To find the reasons why some locations are unidentified, see Locations identified as not available.

You can also view the upward or downward trend of the total user logons worldwide and the total unique user logons worldwide. For the top 10 locations, the DEVIATION column shows the change (positive (+) or negative (-)) in the user logons for each location. This comparison is based on the selected time period and the previous time period of equal length. For example, if you select the time period Last 1 Month, the user logon trend and the deviation are compared between the last 1 month and the 1 month before it.


On the Top 10 Unique Logon Locations table, select a location to view the users and their access profiles and logon details.

The map displays the number of unique users from various locations for a selected period. Hover over the blue bubble or zoom in to a location to view the total number of unique user logons from the location. Click the blue bubble to view the access details for a location.


On the bottom right corner of the map, you can view the range of the unique user logons. For a selected period, the small bubble indicates the minimum number of the unique user logons across the locations. The large bubble indicates the maximum number of the unique user logons across the locations.


View access profiles of the users

The Access Profile page provides the summary of your users’ accesses to Citrix Virtual Apps and Desktops from the selected locations. It provides the trend analysis of the total and unique user logons for the selected period. You can view the top access events for the selected locations. This information helps you to review the access patterns and the details for threat investigation and analysis.

The upward or downward trend for the total user logons and the unique user logons is based on a comparison of the selected time period with the previous time period of equal length. For example, if you select the time period Last 1 Month, the trend is compared between the last 1 month and the 1 month before it.


Facets

You can use the following facets for the access events:

  • Location- Filter the access events by countries and their cities.

  • OS- Filter the access events by the operating systems and their versions.


Note

You might also see the not available label if data is either unavailable or unidentified.

Based on the applied filters, view the following information for total user logons and unique user logons:

  • Timeline details- The chronological sequence of total user logon events and unique user logon events for a selected period. It helps you to compare and understand the past and ongoing event patterns.

  • Locations details- The top countries and cities from which the users have logged on to Citrix Virtual Apps and Desktops.

  • Network IPs- The top subnets and the IP addresses from which the users have logged on to Citrix Virtual Apps and Desktops.


View logon details of users

The User Logons page provides the details of the user logons to Citrix Virtual Apps and Desktops from the selected locations. This information helps you during threat investigation and analysis.


The DATA table displays the following logon details for the selected locations and the time period:

  • Time. The date and time when the user logged on.

  • User name. The identity of the user.

  • Client IP. The IP address of the user device.

  • Client IP Type. The type of IP address of the user such as public or private.

  • City and country. The locations from where the user has logged on to Citrix Virtual Apps and Desktops.

  • Device ID. The identity code of the user device.

  • OS name. The operating system on the user device. For more information, see Self-service search for Citrix Virtual Apps and Desktops.

  • OS version. The version of the operating system on the user device. For more information, see Self-service search for Citrix Virtual Apps and Desktops.

  • OS extra information- Any additional information of the operating system such as build numbers, service packs, and patches. For more information, see Self-service search for Citrix Virtual Apps and Desktops.

  • Workspace app version. The build version of Citrix Workspace app or Citrix Receiver.


On the DATA table, you can do the following operations:

  • Click Add or Remove Columns to update the table columns based on how you want to view the data.

  • Click Sort By and select the data elements to perform a multi-column sort. For more information, see Multi-column sorting.

  • Click Export to CSV format to download the data shown on the DATA table to a CSV file and use it for your analysis.

You can also use the search bar to define your query using the dimensions associated with a logon event.

For example:

User = "test user" AND Client-IP = "10.xx.xx.xx" AND Client-IP-Type = "public"

User = "demo_user@citrix.com" AND OS-Major-Version = "macOS 10.13" AND OS-Minor-Version = 6


Facets

You can use the following facets for the logon events:

  • Locations- Filter the logon events by countries and their cities.

  • OS- Filter the logon events by operating system and their versions.

  • Client IP type- Filter the access events by the public and the private IP types.


Note

You might also see the not available label if data is either unavailable or unidentified.

Locations identified as not available

On the Top 10 Unique Logon Locations table, you might see that some locations are unknown or unavailable. Click an unknown location to view the corresponding user logon details on the User Logons page.

On the User Logons page, the DATA table displays the NA label if any country or city information is unavailable.

Hover over the NA label to view the reason why the location information is unavailable.


You might see one of the following scenarios for the unavailability of a location:

| Scenario | Reasons |
|---|---|
| The city name and the country name are not available. | One of the following: 1. The users are using an unsupported version of Citrix Workspace app. To view the location information, update the client to a supported version. 2. The user’s network public IP address is unavailable and therefore Citrix Analytics cannot find the location. 3. The external geo-location service is unable to send the location information to Citrix Analytics. |
| Locations with private IPs | The user’s device is within a private network. In this case, the location information is unavailable to Citrix Analytics. |
| The country name is available but the city name is not available. | The user’s device might be using a corporate IP. The corporate IP ranges are obfuscated in the external geo-location service. Therefore, the location information is unavailable to Citrix Analytics. |

Supported client versions to get user’s location

If the location information is unavailable because of the unsupported Citrix Workspace app versions, then update the client to one of the following versions.

| Client name | Version | Build version |
|---|---|---|
| Citrix Workspace app for Windows | 2008 or above | 20.8.0.46 or above |
| Citrix Workspace app for Mac | 2006 or above | 20.06.0.7 or above |
| Citrix Workspace app for HTML5 | 2007 or above | 20.7.0.4127 or above |
| Citrix Workspace app for iOS | Latest version available in Apple App Store | Latest version available in Apple App Store |
| Citrix Workspace app for Android | Latest version available in Google Play | Latest version available in Google Play |
| Citrix Workspace app for Chrome | Latest version available in Chrome Web Store | Latest version available in Chrome Web Store |
| Citrix Workspace app for Linux | 2104 or above | Not available |

For specific lifecycle milestone dates for each release of Citrix Workspace app, see Lifecycle Milestones for Citrix Workspace app and Citrix Receiver. To download the latest version of Citrix Workspace app, visit the Citrix Downloads page.

Enable geofencing

Geofencing helps you to identify the users who access Citrix Virtual Apps and Desktops from outside your predefined areas (geofence).

To configure your geofence, click Add/Edit Geofence. Enable the Geofence Settings and select the countries.


This feature uses the preconfigured custom risk indicator CVAD-Session started outside of geofence to monitor user logons outside the geofence. If any user logons are detected outside the geofence, the risk indicator is triggered and the Session started outside of geofence policy is applied to those users. The policy triggers the Request End User Response action and, based on the user’s response, you can take appropriate action to prevent threats from any suspicious logons. For more information, see preconfigured custom risk indicators.

Notes

  • In the Geofence Settings, when you modify the countries, the CVAD-Session started outside of geofence risk indicator also gets updated.

  • For example, if you select and save the countries Australia and India as the new geofenced countries, the preconfigured condition of the risk indicator gets updated with the new countries, in addition to the United States (which is the default geofence). You can also remove the default geofenced country United States.

    Preconfigured condition of the risk indicator: Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country != "United States"

    After updating the Geofence Settings, the condition of the risk indicator:

    Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country NOT IN ("Australia", "United States", "India")

  • If the CVAD-Session started outside of geofence risk indicator is previously deleted from your account, enabling the Geofence Settings creates the risk indicator again. The geofenced countries of the risk indicator are controlled from the Geofence Settings.

After enabling the Geofence Settings, the map displays the geofenced areas and the user logons that are from within or outside these areas. You can view the following information:

  • Total number of user logons outside the geofence

  • Number of unique logons outside the geofence

  • Number of countries outside the geofence from which users have logged on
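
To re-check a User Logons CSV export offline against the geofenced countries from the example condition above, the following added example (not Citrix code) classifies each logon as inside, outside, or unknown. The column headers, the `NA` placeholder in the export, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample of a User Logons CSV export. The column headers are
# assumed from the DATA table fields described on this page; adjust them to
# match the real export.
SAMPLE_CSV = """Time,User name,Client IP,Country,City
2024-05-01 08:02:11,alice,203.0.113.10,United States,Austin
2024-05-01 08:05:40,bob,198.51.100.7,Australia,Sydney
2024-05-01 09:17:03,carol,192.0.2.44,Germany,Berlin
2024-05-01 09:30:55,dave,10.20.30.40,NA,NA
2024-05-01 10:01:19,erin,,NA,NA
"""

GEOFENCE = {"Australia", "United States", "India"}  # countries from the example condition


def classify(row, geofence=GEOFENCE):
    """Return 'inside', 'outside', or an 'unknown: ...' reason for one logon row."""
    country = row.get("Country", "").strip()
    if country and country.upper() != "NA":
        # Mirrors: Country != "" AND Country NOT IN (<geofenced countries>)
        return "inside" if country in geofence else "outside"
    ip_text = row.get("Client IP", "").strip()
    if not ip_text:
        return "unknown: no client IP"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown: unparsable client IP"
    if ip.is_private:
        return "unknown: private IP"
    return "unknown: public IP without location"


def review(csv_text, geofence=GEOFENCE):
    """Group user names by classification so outside and unknown logons can be triaged."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result.setdefault(classify(row, geofence), []).append(row["User name"])
    return result


if __name__ == "__main__":
    for verdict, users in review(SAMPLE_CSV).items():
        print(f"{verdict}: {', '.join(users)}")
```

Because the condition shown above requires a non-empty country, the unknown groups are reported separately here rather than being counted as inside the geofence.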
