Insider threats

October 31, 2023

Contributed by:

Unusual desktop names

This occurs when the user attempts to launch a desktop that is not considered usual.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "Session.Logon" AND Session-Launch-Type = "desktop" AND App-Name ~ "<Desktop Name>"
<!--NeedCopy-->

Sigma signature

author: Citrix
date: 2023/01/31
description: Unusual desktop names
detection:
  condition: selection1 and selection2 and not filter_null and filter_app_name
  filter_app_name:
  - app_name|contains: '<App Name>'
  filter_null:
  - app_name: null
  selection1:
  - occurrence_event_type: Citrix.EventMonitor.AppStart
  selection2:
  - launch_type: 'desktop'
logsource:
  product: citrixanalytics
  service: security
title: Unusual desktop names
<!--NeedCopy-->

Monitor specific process

This occurs when the user launches a published application that is in the watch list. The purpose could be to monitor the usage of specific published applications.

Details

Data Source: Apps and Desktops (Session Recording)

CAS query

Event-Type = "Citrix.EventMonitor.AppStart" AND App-Name IN ("<App-Name-1>", "<App-Name-2>")
<!--NeedCopy-->

Sigma signature

author: Citrix
date: 2023/01/31
description: Monitor specific process
detection:
  condition: selection and not filter_null and filter_app_name
  filter_app_name:
  - app_name: ['<App-Name1>', '<App-Name2>']
  filter_null:
  - app_name: null
  selection:
  - occurrence_event_type: Citrix.EventMonitor.AppStart
logsource:
  product: citrixanalytics
  service: security
title: Monitor specific process
<!--NeedCopy-->

Unauthorized virtual apps

This occurs when the user accesses unauthorized virtual apps.

Details

Data Source: Apps and Desktops (Workspace App)

CAS query

Event-Type = "App.Start" AND App-Name IN ("<App-Name1>", "<App-Name2>")
<!--NeedCopy-->

Sigma signature

date: 2023/01/31
description: Unauthorized virtual apps
detection:
  condition: selection and not filter_null and filter_app_name
  filter_app_name:
  - app_name: ['<App-Name1>', '<App-Name2>']
  filter_null:
  - app_name: null
  selection:
  - occurrence_event_type: App.Start
logsource:
  product: citrixanalytics
  service: security
title: Unauthorized virtual apps
<!--NeedCopy-->

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Insider threats

October 31, 2023

Contributed by:

October 31, 2023

Contributed by:

Insider threats

Unusual desktop names

Details

CAS query

Sigma signature

Monitor specific process

Details

CAS query

Sigma signature

Unauthorized virtual apps

Details

CAS query

Sigma signature

In this article