Citrix Analytics for Security

Insider threats

Unusual desktop names

This indicator triggers when a user launches a published desktop whose name matches a desktop name you consider unusual for that user population; supply that name in place of the <Desktop Name> placeholder in the query below.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND Session-Launch-Type = "desktop" AND App-Name ~ "<Desktop Name>"

Sigma signature

author: Citrix
date: 2023/01/31
description: Unusual desktop names
detection:
  condition: selection1 and selection2 and not filter_null and filter_app_name
  filter_app_name:
    - app_name|contains: '<App Name>'
  filter_null:
    - app_name: null
  selection1:
    - occurrence_event_type: Citrix.EventMonitor.AppStart
  selection2:
    - launch_type: 'desktop'
logsource:
  product: citrixanalytics
  service: security
title: Unusual desktop names

Monitor specific process

This indicator triggers when a user launches a published application that is on a watch list; supply the watched application names in place of the <App-Name-1>, <App-Name-2> placeholders. Use it to track the usage of specific published applications.

Details

Data Source: Apps and Desktops (Session Recording)

CAS query

Event-Type = "Citrix.EventMonitor.AppStart" AND App-Name IN ("<App-Name-1>", "<App-Name-2>")

Sigma signature

author: Citrix
date: 2023/01/31
description: Monitor specific process
detection:
  condition: selection and not filter_null and filter_app_name
  filter_app_name:
    - app_name: ['<App-Name1>', '<App-Name2>']
  filter_null:
    - app_name: null
  selection:
    - occurrence_event_type: Citrix.EventMonitor.AppStart
logsource:
  product: citrixanalytics
  service: security
title: Monitor specific process

Unauthorized virtual apps

This indicator triggers when a user starts a virtual app that is on a list of apps the user is not authorized to use; supply those app names in place of the <App-Name1>, <App-Name2> placeholders.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "App.Start" AND App-Name IN ("<App-Name1>", "<App-Name2>")

Sigma signature

date: 2023/01/31
description: Unauthorized virtual apps
detection:
  condition: selection and not filter_null and filter_app_name
  filter_app_name:
    - app_name: ['<App-Name1>', '<App-Name2>']
  filter_null:
    - app_name: null
  selection:
    - occurrence_event_type: App.Start
logsource:
  product: citrixanalytics
  service: security
title: Unauthorized virtual apps
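The three Sigma signatures on this page (unusual desktop names, monitor specific process, unauthorized virtual apps) all follow the same shape: one or two selections on the event type and launch type, a null guard on app_name, and a positive app_name filter. The following script runs all three over a handful of constructed Citrix Analytics events to show which one each event trips, including the case of an event with no app_name, which the `not filter_null` term is there to exclude. This is an added example, not Citrix code: the minimal Sigma-style matcher supports only the features these rules use (exact and `|contains` string matching, `null`, value lists as OR, and `and`/`not` conditions), the events are hand-written, and the watch-list values substituted for the <Desktop Name> and <App-Name> placeholders are assumptions.

```python
"""Evaluate the page's three Sigma signatures over constructed Citrix Analytics
events. Added example: the matcher, the events and the watch-list values are
assumptions, not Citrix Analytics code or real telemetry."""


def _field_matches(event, key, expected):
    """One `field` or `field|contains` entry from a Sigma selection map."""
    field, _, modifier = key.partition("|")
    if modifier not in ("", "contains"):
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    actual = event.get(field)
    if expected is None:                 # Sigma `field: null` matches an absent/null field
        return actual is None
    if actual is None:
        return False
    actual = str(actual).lower()         # Sigma string matching is case-insensitive
    values = expected if isinstance(expected, list) else [expected]   # a list is OR
    for value in values:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and value == actual:
            return True
    return False


def _selection_matches(event, selection):
    """A selection is a list of maps (ORed); the fields inside one map are ANDed."""
    maps = selection if isinstance(selection, list) else [selection]
    return any(all(_field_matches(event, k, v) for k, v in m.items()) for m in maps)


def evaluate(rule, event):
    """Condition grammar used by the page's rules: identifiers joined by 'and',
    each optionally prefixed with 'not'."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        hit = _selection_matches(event, detection[name])
        if hit == negated:               # a plain term must hit, a negated term must not
            return False
    return True


def run(rules, events):
    """Map each rule title to the ids of the events it fires on."""
    return {title: [e["id"] for e in events if evaluate(rule, e)]
            for title, rule in rules.items()}


# The page's three signatures as Python structures. The <...> placeholders are
# filled with assumed watch-list entries (Finance-Desktop, cmd.exe, ...).
RULES = {
    "Unusual desktop names": {"detection": {
        "selection1": [{"occurrence_event_type": "Citrix.EventMonitor.AppStart"}],
        "selection2": [{"launch_type": "desktop"}],
        "filter_null": [{"app_name": None}],
        "filter_app_name": [{"app_name|contains": "Finance-Desktop"}],
        "condition": "selection1 and selection2 and not filter_null and filter_app_name"}},
    "Monitor specific process": {"detection": {
        "selection": [{"occurrence_event_type": "Citrix.EventMonitor.AppStart"}],
        "filter_null": [{"app_name": None}],
        "filter_app_name": [{"app_name": ["cmd.exe", "powershell.exe"]}],
        "condition": "selection and not filter_null and filter_app_name"}},
    "Unauthorized virtual apps": {"detection": {
        "selection": [{"occurrence_event_type": "App.Start"}],
        "filter_null": [{"app_name": None}],
        "filter_app_name": [{"app_name": ["SQL Management Studio", "Registry Editor"]}],
        "condition": "selection and not filter_null and filter_app_name"}},
}

# Constructed sample events carrying only the fields the rules look at.
EVENTS = [
    {"id": 1, "user": "alice", "occurrence_event_type": "Citrix.EventMonitor.AppStart",
     "launch_type": "desktop", "app_name": "Finance-Desktop-Win10"},
    {"id": 2, "user": "bob", "occurrence_event_type": "Citrix.EventMonitor.AppStart",
     "launch_type": "application", "app_name": "cmd.exe"},
    {"id": 3, "user": "carol", "occurrence_event_type": "App.Start",
     "launch_type": "application", "app_name": "SQL Management Studio"},
    {"id": 4, "user": "dave", "occurrence_event_type": "Citrix.EventMonitor.AppStart",
     "launch_type": "desktop", "app_name": None},          # no app name: must not fire
    {"id": 5, "user": "erin", "occurrence_event_type": "Citrix.EventMonitor.AppStart",
     "launch_type": "application", "app_name": "Finance-Desktop-Win10"},  # not a desktop launch
]

if __name__ == "__main__":
    for title, ids in run(RULES, EVENTS).items():
        print(f"{title}: events {ids}")
```

Event 4 shows why each rule carries `not filter_null`: without it, a selection on event type alone would still hold for a launch whose app name never arrived, and a rule that is meant to match specific names would fire on an event that names nothing. Event 5 shows that the unusual-desktop rule keys on `launch_type: desktop`, so the same name launched as an application is ignored by that rule.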