Citrix Analytics for Security

Compromised endpoints

Unsanctioned browser

This occurs when a user attempts to access content from a browser type or version that is not allowed by the organization’s IT policy, or that is blocked because of security vulnerabilities.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND Browser-Name !~ "<Browser-Name>"

The Session.Logon event triggers when a user enters their credentials and logs on to their app or desktop session.

Sigma signature

title: Access from unauthorized browser
description: This occurs when a user accesses content from an authorized browser which might cause an undesirable event or action through the internet.
author: Citrix
date: 2023/01/31
logsource:
  product: citrixanalytics
  service: security
detection:
  index_selection:
    source: cas_siem_consumer://<env>_<tenant_identifier>
  selection:
    - occurrence_event_type: Session.logon
  filter:
    - browser_name|contains: '<Browser-Name>'
  condition: index_selection and selection and not filter

Unsanctioned operating systems

This occurs when a user attempts to access from a device whose operating system type or version is not allowed by your organization’s IT policy, or is blocked because of security vulnerabilities.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND OS-Name ~ "<OS-Name>" AND OS-Version = "<OS-Version>" AND OS-Extra-Info = "<OS-Extra-Info>"

Sigma signature

title: Unauthorized operating systems in block list
description: This occurs when a user attempts to access apps from servers with blocked listed operating systems.
author: Citrix
date: 2023/01/31
logsource:
  product: citrixanalytics
  service: security
detection:
  index_selection:
    source: cas_siem_consumer://<env>_<tenant_identifier>
  selection:
    occurrence_event_type: Session.logon
    os_name|contains: '<OS-Name>'
    os_version: '<OS-Version>'
    os_extra_info: '<OS-Extra-Info>'
  filter_null: []
  condition: index_selection and selection

Unauthorized IP address or subnets

This occurs when a user attempts to access from an IP address or range that your organization’s IT policy marks as unauthorized.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND Client-IP = "<XX.YY.ZZ.*>"

Sigma signature

title: Access from unauthorized IP
description: This occurs when a user accessing content from an unauthorized IPs which might cause an undesirable event or action through the internet.
author: Citrix
date: 2023/01/31
logsource:
  product: citrixanalytics
  service: security
detection:
  selection:
    - occurrence_event_type: Session.Logon
  filter:
    - client_ip: '<IP>'
  filter_null:
    - client_ip: null
  condition: selection and not filter_null and filter

Unauthorized operating systems outside allow list

This occurs when a user attempts to access applications from servers that host operating systems outside the allow list.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND OS-Name !~ "<OS-Name>" AND OS-Version != "<OS-Version>" AND OS-Extra-Info != "<OS-Extra-Info>"

Sigma signature

title: Unauthorized operating systems outside allow list
description: Unauthorized operating systems outside allow list
author: Citrix
date: 2023/01/31
logsource:
  product: citrixanalytics
  service: security
detection:
  selection:
    - occurrence_event_type: Session.Logon
  filter_os:
    - os_name|contains: '<OS INFO>'
  filter_os_version:
    - os_version: '<OS Version>'
  filter_os_extra:
    - os_extra_info: '<OS Extra Info>'
  filter_null:
    - os_name: null
    - os_version: null
    - os_extra_info: null
  condition: selection and not filter_null and not filter_os and not filter_os_version and not filter_os_extra

Unsanctioned Workspace app versions

This occurs when a user attempts to access a Workspace app version that is not a supported client version. In such cases, users must upgrade their client to a supported version. For more information, see Support client versions.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND Client-Type IN ("Windows", "Macintosh", "Unix/Linux") AND Workspace-App-Version != "20*" AND Workspace-App-Version != "21*"

Sigma signature

title: Unsupported Workspace app versions
description: Unsupported Workspace app versions
author: Citrix
date: 2023/01/31
logsource:
  product: citrixanalytics
  service: security
detection:
  selection:
    - occurrence_event_type: Session.Logon
  filter_product:
    - product: ['Windows', 'Mac', '<Other type>']
  filter_product_version:
    - product_version|contains: ['<Product Version1>', '<Product Version2>']
  filter_null:
    - product: null
    - product_version: null
  condition: selection and not filter_null and filter_product and not filter_product_version
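The two allow-list rules above (operating systems outside the allow list, and unsupported Workspace app versions) each read as a selection followed by a chain of filters. The Python below is added here as an illustration, not Citrix's code: it applies that condition logic, including the filter_null handling, to constructed Session.Logon events. The field names mirror the rules; the allow-list values and the sample events are assumptions standing in for the rule placeholders.

```python
# Added example (not Citrix's code): apply the condition logic of two Sigma
# rules above to constructed Session.Logon events, including filter_null.
# Field names mirror the rules; allow-list values and events are constructed.
OS_ALLOW = {"os_name": "Windows", "os_version": "10.0", "os_extra_info": "Pro"}
PRODUCT_ALLOW = ["Windows", "Mac"]   # filter_product
VERSION_ALLOW = ["20", "21"]         # filter_product_version (|contains)

def os_outside_allow_list(e):
    """selection and not filter_null and not filter_os and not filter_os_version
    and not filter_os_extra: all three OS fields present, none allow-listed."""
    if e.get("occurrence_event_type") != "Session.Logon":
        return False
    if any(e.get(f) is None for f in OS_ALLOW):
        return False                                   # filter_null
    if OS_ALLOW["os_name"] in e["os_name"]:            # filter_os (|contains)
        return False
    if e["os_version"] == OS_ALLOW["os_version"]:      # filter_os_version
        return False
    return e["os_extra_info"] != OS_ALLOW["os_extra_info"]  # filter_os_extra

def unsupported_workspace_version(e):
    """selection and not filter_null and filter_product and not
    filter_product_version: listed client type, no supported version prefix."""
    if e.get("occurrence_event_type") != "Session.Logon":
        return False
    if e.get("product") is None or e.get("product_version") is None:
        return False                                   # filter_null
    if e["product"] not in PRODUCT_ALLOW:
        return False                                   # filter_product
    return not any(v in e["product_version"] for v in VERSION_ALLOW)

RULES = {
    "Unauthorized operating systems outside allow list": os_outside_allow_list,
    "Unsupported Workspace app versions": unsupported_workspace_version,
}

EVENTS = [  # constructed sample events
    {"occurrence_event_type": "Session.Logon", "os_name": "Windows", "os_version": "10.0",
     "os_extra_info": "Pro", "product": "Windows", "product_version": "21.12.0.18"},
    {"occurrence_event_type": "Session.Logon", "os_name": "Ubuntu", "os_version": "18.04",
     "os_extra_info": "LTS", "product": "Windows", "product_version": "19.12.0.119"},
    {"occurrence_event_type": "Session.Logon", "os_name": "Ubuntu", "os_version": None,
     "os_extra_info": "LTS", "product": "Linux", "product_version": "19.12"},
    {"occurrence_event_type": "Session.Logon", "os_name": "Windows", "os_version": "6.1",
     "os_extra_info": "Home", "product": "Mac", "product_version": "20.10.0.1"},
]

def evaluate(events):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, t) for i, e in enumerate(events) for t, r in RULES.items() if r(e)]
```

Only the second constructed event fires: the OS rule's condition requires the name, version and extra-info fields to all differ from the allow list, so the fourth event (allowed name, unlisted version) is not reported, and the third is dropped by filter_null because its os_version is missing.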