Custom risk indicators

The user risk indicators that Citrix Analytics detects by default are based on machine learning algorithms. Citrix Analytics now allows you to create custom risk indicators. You can define conditions based on the user events and create a custom risk indicator. If the events match the defined criteria, Citrix Analytics triggers the custom risk indicator and displays it on the user’s risk timeline.

You can create custom risk indicators on the following data sources:

  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Gateway
  • Citrix Virtual Apps and Desktops

Custom risk indicators page

The Custom Risk Indicators page lists all the custom risk indicators along with each indicator's severity, data source, number of policies, risk category, status, and the date and time at which it was last modified. To create a custom risk indicator, see Creating a custom risk indicator.


When you select the risk indicator, you are redirected to the Modify Risk Indicator page. For more information, see Modifying a custom risk indicator.

Analyzing a custom risk indicator

Consider a user whose action triggered a custom risk indicator that you have defined. Citrix Analytics displays the custom risk indicator on the user’s risk timeline.

When you select the custom risk indicator on the user’s risk timeline, the right pane displays the following information:

  • Defined Condition(s): Shows a summary of the conditions that you defined while creating the custom risk indicator.

  • Description: Shows the description that you provided while creating the custom risk indicator. If no description was provided, this section displays None.

  • Trigger Frequency: Displays the option that you selected in the Advanced options section while creating the custom risk indicator.


Note

Custom risk indicators are represented with a label on the user risk timeline.

Actions you can apply to the user

Currently, the ability to take appropriate actions on user accounts that trigger custom risk indicators is not available.

Creating a custom risk indicator

  1. Navigate to Settings > Custom Risk Indicators and Policies.

  2. On the Indicators tab, select Create Indicator.


  3. Select the data source for which you want to create the custom risk indicator.

  4. Define the conditions for your custom risk indicator using the dimensions and the valid operators in the condition box. For more information on the dimensions (facets) for a data source, see Self-service search.

    The Estimated Triggers link is activated in the Advanced options section. Click the link to predict approximately how many times the custom risk indicator would have been triggered for the defined conditions. The estimate is calculated from the historical data that Citrix Analytics retains and that matches your defined conditions.

    Note

    Make sure that you click Estimated Triggers after defining the last condition, so that the predicted number of custom risk indicator occurrences reflects all the conditions.

  5. In the Advanced options section, select how often the events must occur to trigger the custom risk indicator. If you do not select an option, Citrix Analytics uses the default, Every time: Generate the risk indicator every time the event(s) occur. You can select one of the following options:

    • Every time: The risk indicator is triggered whenever the events meet the defined conditions.

    • First time: The risk indicator is triggered when the events meet the defined conditions for the first time.

      • First time for a new: Enable this option to detect events received from a new entity for the first time. Some examples of the entities are Client IP, Country, City, and Device-ID. You can select only one entity based on the data source. This option allows you to create a risk indicator without specifying an explicit value for the entities. For example, when you select the entity as “City”, you need not specify the city name. The risk indicator is triggered when events are received from a new city for the first time.

        The following table lists the entities corresponding to each data source and describes the trigger conditions.

        Access Control, Content Collaboration

          • Client-IP: When a user logs on from a new IP address for the first time.
          • Country: When a user logs on from a new country for the first time.
          • City: When a user logs on from a new city for the first time.

        Virtual Apps and Desktops

          • Device-ID: When a user launches virtual apps or virtual desktops from a new device, such as a mobile, laptop, or desktop machine, for the first time.
          • Storage-Media: When a user uses a new storage media, such as a USB drive, for the first time.
          • App-Name: When a user opens a new virtual application or a SaaS application for the first time.
          • App-URL: When a user enters a new app URL in a browser in their virtual desktop for the first time.
          • Country: When a user launches virtual apps or virtual desktops from a new country for the first time.
          • City: When a user launches virtual apps or virtual desktops from a new city for the first time.

        Gateway

          • Client-IP: When a user logs on from a new IP address for the first time.

        The following example shows a custom risk indicator created for the Virtual Apps and Desktops data source. The risk indicator is triggered when a user launches a virtual desktop or a virtual app from a new device for the first time.

        First time device ID

        You can also add a condition along with the First time for a new option. In this case, the risk indicator is triggered when events from a new entity are detected for the first time and those events also meet the defined condition.

        The following example shows a condition defined for the custom risk indicator and the First time for a new Device-ID option enabled. The risk indicator is triggered when a user located in India launches a virtual desktop session from a new device for the first time.

        First time with condition

    • Excessive: The risk indicator is triggered after the following conditions are met:

      • Events meet the defined conditions.

      • Events occur for the specified number of times during the specified period.

    • Frequent: The risk indicator is triggered after the following conditions are met:

      • The events meet the defined conditions.

      • The events occur for the specified number of times during the specified period.

      • The event pattern repeats for the specified number of times.

  6. Select the risk category of the custom risk indicator. Risk indicators are grouped based on the type of risk exposure that the custom risk indicator represents. For assistance on the risk category selection, see Risk Categories.

  7. Select the severity of the custom risk indicator.

  8. Enter the custom risk indicator name in the Indicator Name text box.

  9. In the Description text box, provide a valid description for the custom risk indicator.

  10. At the bottom of the Create Indicator page, you can enable or disable the custom risk indicator as required.

  11. Click Create Indicator.


Note

You can create a maximum of 50 custom risk indicators. After you reach this limit, you must either delete or edit an existing custom risk indicator before you can create another one.

Supported operators for defining a condition

You can use the following operators while defining a condition.

  • : - Assign a value to the search query. Example: User-Name : John (displays events for the user John).

  • = - Assign a value to the search query. Example: User-Name = John (displays events for the user John).

  • ~ - Search similar values. Example: User-Name ~ test (displays events having similar user names).

  • "" - Enclose values separated by spaces. Example: User-Name = “John Smith” (displays events for the user John Smith).

  • <, > - Search for a relational value. Example: Data Volume > 100 (displays events where the data volume is greater than 100 GB).

  • AND - Search values where both conditions are true. Example: User-Name : John AND Data Volume > 100 (displays events of the user John where the data volume is greater than 100 GB).

  • * - Search values that match the character zero or more times. Examples: User-Name = John* (displays events for all user names that begin with John); User-Name = *John* (displays events for all user names that contain John); User-Name = *Smith (displays events for all user names that end with Smith).

  • != - Search values where the condition is not true. Example: Country != USA (displays events for all countries except USA).

  • IN - Assign multiple values to a dimension to get the events related to one or more of the values. Example: User-Name IN (“John”, “Kevin”) (finds all events related to John or Kevin).

  • NOT IN - Assign multiple values to a dimension and find the events that do not contain the specified values. Example: User-Name NOT IN (“John”, “Kevin”) (finds the events for all users except John and Kevin).

The NOT EQUAL (!=) operator is valid for the following dimensions:

  • Access Control: Country, City, Action, URL, URL Category, Reputation, Browser, OS, Device

  • Content Collaboration: Country, City, Client OS

  • Gateway: Authentication Stage, Client IP

  • Virtual Apps and Desktops: Country, City, App Name, Clipboard Operation, Browser, OS

Note

For the NOT EQUAL operator, enter the dimension values in your condition exactly as they appear on the self-service search page for the data source. The dimension values are case-sensitive.
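The following Python script is an added illustration of how the operators in the table above combine into a condition; it is not the Citrix Analytics parser and the product's real grammar may differ. It assumes clauses of the form Dimension Operator Value joined by AND, treats ~ as a case-insensitive substring match (the page only says "similar values"), and compares != values exactly and case-sensitively as the Note requires. The events it searches are constructed sample records.

```python
"""Evaluate condition strings built from the operators listed on this page.

Added illustration, not the Citrix Analytics parser. Assumed grammar:
clauses of the form  <Dimension> <Operator> <Value>  joined by AND, where
the operator is one of  :  =  ~  <  >  !=  IN  NOT IN  and values may be
quoted with straight or curly double quotes. Events are plain dicts keyed
by dimension name; the sample events at the bottom are constructed.
"""
import re

# Dimensions may contain spaces (e.g. "Data Volume"), so the dimension part
# is matched lazily and the operator alternation decides where it ends.
_CLAUSE = re.compile(
    r"^\s*(?P<dim>[A-Za-z][\w -]*?)\s*"
    r"(?P<op>NOT IN|IN|!=|[:=~<>])\s*"
    r"(?P<val>.+?)\s*$"
)
_QUOTES = "\"\u201c\u201d"  # straight and curly double quotes


def _unquote(text):
    """Strip surrounding whitespace and double quotes from a value."""
    return text.strip().strip(_QUOTES)


def _parse_list(text):
    """Parse an IN / NOT IN value list such as (“John”, “Kevin”)."""
    inner = text.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [_unquote(item) for item in inner.split(",") if item.strip()]


def _wildcard_match(pattern, value):
    """Whole-value match in which * stands for zero or more characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_condition(condition):
    """Split a condition on AND and return a list of (dimension, op, value)."""
    clauses = []
    for raw in re.split(r"\s+AND\s+", condition.strip()):
        match = _CLAUSE.match(raw)
        if not match:
            raise ValueError(f"cannot parse clause: {raw!r}")
        dim, op, val = match.group("dim").strip(), match.group("op"), match.group("val")
        val = _parse_list(val) if op in ("IN", "NOT IN") else _unquote(val)
        clauses.append((dim, op, val))
    return clauses


def _clause_matches(event, dim, op, val):
    """Apply one clause to one event; an event lacking the dimension never matches."""
    if dim not in event:
        return False
    text = str(event[dim])
    if op in (":", "="):
        return _wildcard_match(val, text)
    if op == "!=":
        return text != val                   # exact, case-sensitive value (see the Note)
    if op == "~":
        return val.lower() in text.lower()   # assumption: "similar" = substring, ignoring case
    if op in ("<", ">"):
        try:
            number = float(text)
        except ValueError:
            return False                     # relational operators need a numeric dimension
        return number < float(val) if op == "<" else number > float(val)
    if op == "IN":
        return text in val
    return text not in val                   # NOT IN


def matches(condition, event):
    """True when every AND-joined clause holds for the event."""
    return all(_clause_matches(event, *clause) for clause in parse_condition(condition))


def search(condition, events):
    """Return the events that satisfy the condition (the table's Output column)."""
    return [event for event in events if matches(condition, event)]


# Constructed sample events, not real telemetry. Data Volume is in GB.
SAMPLE_EVENTS = [
    {"User-Name": "John", "Country": "USA", "Data Volume": 250},
    {"User-Name": "John Smith", "Country": "India", "Data Volume": 40},
    {"User-Name": "Kevin", "Country": "USA", "Data Volume": 120},
    {"User-Name": "testuser1", "Country": "Canada", "Data Volume": 5},
]


def matching_users(condition, events=SAMPLE_EVENTS):
    """User-Name of every sample event the condition selects, in input order."""
    return [event["User-Name"] for event in search(condition, events)]


if __name__ == "__main__":
    for cond in ("User-Name : John", "User-Name = “John Smith”", "User-Name ~ test",
                 "Data Volume > 100", "User-Name : John AND Data Volume > 100",
                 "User-Name = John*", "User-Name = *John*", "User-Name = *Smith",
                 "Country != USA", "User-Name IN (“John”, “Kevin”)",
                 "User-Name NOT IN (“John”, “Kevin”)"):
        print(f"{cond:45} -> {matching_users(cond)}")
```

Running the script prints, for each example condition from the table, the users whose sample events it selects; note that User-Name : John does not select John Smith because : and = match the whole value unless a * wildcard is present.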

Modifying a custom risk indicator

  1. Navigate to Settings > Custom Risk Indicators and Policies.

  2. On the Indicators tab, select the custom risk indicator to modify.

  3. On the Modify Indicator page, modify the information as required.

  4. Click Save Changes.

Deleting a custom risk indicator

  1. Navigate to Settings > Custom Risk Indicators and Policies.

  2. On the Indicators tab, select the check box of the custom risk indicator.

  3. Click Delete.

  4. In the dialog, confirm your request to delete the custom risk indicator.

Custom risk indicator examples

The following examples illustrate how to create custom risk indicators for the Citrix Gateway data source. For information on the dimensions (facets) and operators available for the Gateway data source, see Self-service search for Gateway.

Gateway custom risk indicators

  • Invalid credential custom risk indicator: You can create the custom risk indicator by defining the following conditions:

    • Event: Users enter invalid or wrong credentials.

    • Event frequency: The events occur three times a day.

    Invalid credentials defined conditions

    When the specified conditions are met, Analytics triggers the custom risk indicator and you can view the risk indicator on the user’s risk timeline.

    Invalid credential custom risk indicator

    Click Event Search on the custom risk indicator to view the event details on the self-service search page.

    Invalid credential search

  • Gateway user not found custom risk indicator: You can create the custom risk indicator by defining the following conditions:

    • Event: A user tries to sign in to Citrix Gateway using an unregistered user name.

    • Event frequency: The events occur three times a day and this pattern repeats at least twice.

    Unregistered credentials defined conditions

    When the specified conditions are met, Analytics triggers the custom risk indicator and you can view the risk indicator on the user’s risk timeline.

    Unregistered credential custom risk indicator

    Click Event Search on the custom risk indicator to view the event details on the self-service search page.

    Unregistered credential search
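The following Python script is an added illustration, not part of Citrix Analytics, of the trigger-frequency options described in step 5 of Creating a custom risk indicator (Every time, First time, First time for a new entity, Excessive, Frequent), replayed against the two Gateway examples above: invalid credentials three times a day, and an unregistered user name three times a day with the pattern repeating twice. How the product actually sizes its time window and counts repeats is not stated on this page, so the window rule (anchored at the first matching event) and the repeat rule (whole Excessive windows) are assumptions, and the Gateway logon events, their outcome labels, and the IP addresses are constructed sample data.

```python
"""Model of the trigger-frequency options for custom risk indicators.

Added illustration, not the Citrix Analytics implementation. Assumptions:
a period is a window anchored at the first matching event, and Frequent
counts whole Excessive windows as repeats. Events are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAY = timedelta(days=1)

def every_time(events, condition):
    """Every time: one trigger per event that satisfies the condition."""
    return [e["time"] for e in events if condition(e)]

def first_time(events, condition):
    """First time: a single trigger, on the first event satisfying the condition."""
    return every_time(events, condition)[:1]

def first_time_for_new(events, entity, condition=lambda e: True):
    """First time for a new <entity> (Client-IP, City, Device-ID, ...): trigger
    when a not-yet-seen value appears. With a condition, only matching events
    count, as in the page's "user located in India" example."""
    seen, hits = set(), []
    for e in events:
        value = e.get(entity)
        if condition(e) and value is not None and value not in seen:
            seen.add(value)
            hits.append(e["time"])
    return hits

def _windows(times, period):
    """Group sorted times into windows of `period`, each anchored at the
    first time not covered by the previous window (assumed semantics)."""
    windows, start = [], None
    for t in times:
        if start is None or t - start >= period:
            start = t
            windows.append([])
        windows[-1].append(t)
    return windows

def excessive(events, condition, count, period):
    """Excessive: trigger when `count` matching events fall within one period;
    the trigger time is the event that completes the count."""
    times = every_time(events, condition)
    return [w[count - 1] for w in _windows(times, period) if len(w) >= count]

def frequent(events, condition, count, period, repeats):
    """Frequent: trigger each time the Excessive pattern has recurred `repeats` times."""
    return excessive(events, condition, count, period)[repeats - 1::repeats]

def by_user(events):
    """Split events by user and order each user's events by time."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    return {u: sorted(es, key=lambda e: e["time"]) for u, es in grouped.items()}

def _event(day, hour, user, outcome, client_ip):
    # Constructed Gateway logon event in a fixed sample month.
    return {"time": datetime(2021, 3, day, hour), "user": user,
            "outcome": outcome, "Client-IP": client_ip}

# Constructed sample events; outcome labels and IPs (documentation ranges) are made up.
SAMPLE_EVENTS = [
    _event(1, 9, "alice", "invalid_credentials", "203.0.113.5"),
    _event(1, 10, "alice", "invalid_credentials", "203.0.113.5"),
    _event(1, 11, "alice", "invalid_credentials", "203.0.113.5"),
    _event(1, 12, "alice", "success", "203.0.113.5"),
    _event(2, 15, "alice", "success", "203.0.113.6"),
    _event(2, 9, "bob", "user_not_found", "198.51.100.9"),
    _event(2, 10, "bob", "user_not_found", "198.51.100.9"),
    _event(2, 11, "bob", "user_not_found", "198.51.100.9"),
    _event(5, 9, "bob", "user_not_found", "198.51.100.9"),
    _event(5, 10, "bob", "user_not_found", "198.51.100.9"),
    _event(5, 11, "bob", "user_not_found", "198.51.100.9"),
]

def invalid_credentials(e):
    """Condition for the page's 'Invalid credential' example."""
    return e["outcome"] == "invalid_credentials"

def user_not_found(e):
    """Condition for the page's 'Gateway user not found' example."""
    return e["outcome"] == "user_not_found"

if __name__ == "__main__":
    for user, evs in by_user(SAMPLE_EVENTS).items():
        print(user)
        print("  first logon from a new Client-IP:", first_time_for_new(evs, "Client-IP"))
        print("  excessive (3 invalid credentials a day):", excessive(evs, invalid_credentials, 3, DAY))
        print("  frequent (3 user-not-found a day, twice):", frequent(evs, user_not_found, 3, DAY, 2))
```

With these samples, alice's three invalid-credential events on day 1 satisfy the Excessive example once but never the Frequent rule, while bob's two separate days of three unregistered-user-name attempts satisfy Excessive twice and therefore Frequent (pattern repeating twice) once, on the event that completes the second day.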

Preconfigured custom risk indicators

Citrix provides a list of preconfigured custom risk indicators to help you monitor the security of your Citrix infrastructure. The conditions of these preconfigured custom risk indicators are defined according to specific security risk scenarios such as compromised users, insider threats, and data exfiltration. For more information, see Preconfigured custom risk indicators.