Citrix Analytics for Security

Policies and actions

You can create policies on Citrix Analytics to help you perform actions on user accounts when unusual or suspicious activities occur. Policies let you automate the process of applying actions such as disable a user, add users to a watchlist. When you enable policies, a corresponding action is applied immediately after an anomalous event occurs and the policy condition is met. You can also manually apply actions on user accounts with anomalous activities.

What are policies?

A policy is a set of conditions that must be met to apply an action. A policy contains one or more conditions and a single action. You can create a policy with multiple conditions and one action that can be applied to a user’s account.

Risk score is a global condition. Global conditions can be applied to a specific user for a specific data source. You can keep a watch on user accounts that show any unusual activities. Other conditions are specific to data sources and their risk indicators. The conditions contain combinations of risk scores, default risk indicators, and custom risk indicators. You can add up to 4 conditions when creating a policy.

Create policy

For example, if your organization uses sensitive data, you might want to restrict the amount of data shared or accessed by users internally. But if you have a large organization, it wouldn’t be feasible for a single administrator to manage and monitor many users. You can create a policy wherein, anyone who shares sensitive data excessively can be added to a watchlist or have their account disabled immediately.

Default policies

Default policies are pre-defined and enabled on the Policies dashboard. They are created based on pre-defined conditions and a corresponding action is assigned to every default policy. You can either use a default policy or modify it based on your requirements.

Citrix Analytics supports the following default policies:

  • Successful credential exploit
  • Potential data exfiltration
  • Unusual access from a suspicious IP
  • Unusual app access from an unusual location
  • Low risk user - first time access from new IP
  • First time access from device

For information about the preset conditions and actions regarding the preceding default policies, see Continuous risk assessment.

Default policies

For information about the pre-defined policy for the geofencing use case, see Preconfigured policy.

How to add or remove conditions?

To add more conditions, select Add condition in the IF THE FOLLOWING CONDITION IS MET section of the Create Policy page. To remove a condition, select the - icon that is displayed next to the condition.

Add and remove condition

Default and custom risk indicators

The conditions menu is segregated based on Default Risk Indicators and Custom Risk Indicators tabs on the Create Policy page. Using these tabs, you can easily identify the type of risk indicator that you want to choose when selecting a condition for policy configuration.

Add and remove condition

What are actions?

Actions are responses to suspicious events that prevent future anomalous events from occurring. You can apply actions on user accounts that display unusual or suspicious behavior. You can either configure policies to apply action on the user’s account automatically or apply a specific action manually from the user’s risk timeline.

You can view global actions or actions for each Citrix data source. You can also disable previously applied actions for a user at any time.


Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

The following table describes the actions that you can take.

Action Name Description Data Sources Applicable On
Global actions    
Add to watchlist When you want to monitor a user for future potential threats, you can add them to a watchlist. All data sources
  The Users in Watchlist pane displays all the users that you want to monitor for potential threats based on the unusual activity on their account. Based on your organization’s policy, you can add a user to the watchlist using the Add to watchlist action.  
  To add a user to the watchlist, navigate to the user’s profile, from the Actions menu, select Add to watchlist. Click Apply to enforce the action.  
Notify Admin When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.  
Request user response When there is any unusual or suspicious activity on the user’s account, you can notify the user to confirm if the user identifies the activity. Based on the activity, you can determine the next course of action to be taken on the user’s account. You can apply this action only when you configure policies. You cannot apply this action manually. All data sources
Citrix Gateway actions    
Log Off User When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Gateway administrator clears the Log Off User action. Citrix Gateway on-premises and Citrix Application Delivery Management
Lock user When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account. Citrix Gateway
Unlock user When a user’s account is accidentally locked although anomalous behavior was not detected, you can apply this action to unlock it and restore access to the account. Citrix Gateway
Citrix Content Collaboration actions    
Disable user Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account. Citrix Content Collaboration
  After their account is disabled, the user will see a notification. The notification on the logon page of their account asks them to reach their Content Collaboration administrator for further information.  
Expire All Shared Links When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator. Citrix Content Collaboration
  When a user shares files excessively, the Excessive File Sharing risk indicator is triggered and the shared links are expired. When the shared links are expired, the link becomes invalid and it is not accessible by the users with whom the link was shared.  
Citrix Virtual Apps and Desktops actions    
Log Off User When a user is logged off from their account, they cannot access the resource through Virtual Desktops until the Virtual Desktops administrator clears the Log Off User action. On-premises Virtual Apps and Desktops and Citrix Virtual Apps and Desktops service
Start Session Recording If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. If the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session. On-premises Virtual Apps and Desktops
Citrix Endpoint Management actions    
Lock Device When there is unusual activity on a device, causing the user’s risk score to exceed a specified value, you can use the Lock Device action Citrix Endpoint Management service
  When the action is applied, all the user’s devices are locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.  


  • If you apply the Disable user action for a Content Collaboration user, the user’s account is not disabled until the Content Collaboration administrator sees the notification. During the interim period, the user can use their Content Collaboration account and the data continue to be processed by Citrix Analytics. After the Content Collaboration administrator disables the user’s account, the user must contact their Content Collaboration administrator to have their account reactivated. The Citrix Analytics administrator cannot enable disabled Content Collaboration accounts.

  • For on-premises Virtual Apps and Desktops, you must download an agent from Citrix Analytics and install it on the Delivery Controller to perform the Log Off User and the Start Session Recording actions. For more information on the agent, see Enable Analytics on Virtual Apps and Desktops Sites.

Configure policies and actions

For example, following the steps below, you can create an Excessive file sharing policy. Using this policy, when a user in your organization shares an unusually large amount of data, the share links are automatically expired. You are notified when a user shares data that exceeds that user’s normal behavior. By applying the Excessive file sharing policy, and taking immediate action, you can prevent data exfiltration from any user’s account.

To create a policy, do the following:

  1. After signing in to Citrix Analytics, on the toolbar, go to Settings > Custom Risk Indicators and Policies.

    Settings policy

  2. On the Policies dashboard, click Create Policy.

    Create policy button

  3. From the IF THE FOLLOWING CONDITION IS MET list box, select the default or the custom risk indicator conditions upon which you want an action applied.

    Add and remove condition

  4. From the THEN DO THE FOLLOWING list, select an action.

    Then do the following

  5. In the Policy Name text box, provide a name and enable the policy using the toggle button provided.

    Create policy

  6. Click Create Policy.

After creating a policy, the policy appears on the Policies dashboard.

The Policies dashboard displays the policies associated with the data sources that are successfully discovered and connected to Citrix Analytics. The dashboard does not display the policies that have conditions defined for the undiscovered data sources.

For example, you have selected a risk indicator from Content Collaboration as a condition for your policy. But you do not have a subscription to use Citrix Content Collaboration and therefore Citrix Analytics has not discovered this data source. So, your policy does not appear on the Policies dashboard.

However, turning off data processing for an already connected data source does not affect the existing policies on the Policies dashboard.

Request user response

Request End User Response is a global action using which you can alert a user immediately after you detect an unusual activity. Based on the user’s response, you can determine the next course of action that you want to take. If you receive a response that the user performed the reported activity, then the activity is not suspicious and you need not take action on the user’s account. The daily limit to send a security alert to the user is three emails.

Consider a Citrix Content Collaboration user whose risk score has exceeded 80 in a duration of 80 minutes. You can alert the user about this unusual behavior by applying the Request End User Response action. A security alert is sent to the user from the email ID

The email contains the following information:

  • User’s activity that triggered the risk indicator

  • User’s device

  • Date and time of the user activity

  • Locations (cities and countries) from where products or services are successfully accessed. If the city or country is unavailable, the corresponding value is shown as “Unknown”

The Request End User Response action is added to the user’s risk timeline.

Request user response


The Request End User Response action is supported only in the United States region. If your organization is onboarded to the European Union region in Citrix Cloud, you cannot use this action.

How to set the user response time?

You can configure the user’s response time to your security alert email by using the following steps:

  1. Navigate to Settings > Custom Risk Indicators and Policies.

  2. On the Policies page, select the Settings menu and update the number of minutes on the text box.

  3. Click Save Settings.

    User response time

Notify user after applying disruptive action

In this action type, you can apply a disruptive action such as Log off user and Lock user on the user’s account when an unusual activity is detected. When an action is applied on the user’s account, services to their account might be interrupted. In such instances, the user must contact the administrator to be able to access their account like before.

Consider a Citrix Content Collaboration user whose risk score has exceeded 80 in a duration of 80 minutes. You can log the user off. Once this task is performed, the user cannot access their account and an email notification is sent to the user from the email ID The email contains details of the event such as the activity, device, date and time, and the IP address. The user must contact the administrator to access their account as before.

Apply disruptive action

Apply an action manually

Consider a user, Lemuel who signs in to a network by using a new device for the first time. To monitor her account since her behavior is unusual, you can use the Notify administrator(s) action.

To apply the action to the user manually, you must:

Navigate to a user’s profile and select the appropriate risk indicator. From the Actions menu, select the Notify administrator(s) action and click Apply.

Action list

Due to the unusual and suspicious activity on Lemuel’s account, an email notification is sent to all Citrix Cloud administrators to monitor her account. The action applied is added to her risk timeline, and the action details are displayed on the right pane of the risk timeline page.

Action applied

Manage policies

You can view the Policies dashboard to manage all the policies created on Citrix Analytics to monitor and identify inconsistencies on your network. On the Policies dashboard, you can:

  1. View the list of policies

  2. Details of the policy

    • Name of the policy

    • Status – Enabled or disabled.

    • Duration of the policy – Number of days the policy has been active or inactive.

    • Occurrences – The number of times the policy is triggered.

    • Modified – Timestamp, only if the policy has been modified.

  3. Delete the policy

    • To delete a policy, you can select the policy you want to delete and click Delete.

    • Or you can click the policy’s name to be directed to the Modify Policy page. Click Delete Policy. In the dialog, confirm your request to delete the policy.

  4. Create a policy

  5. Click a policy’s name to view more details. You can also modify the policy when you click its name. Other modifications that can be done are as follows:

    • Change the name of the policy.

    • Conditions of the policy.

    • The actions to be applied.

    • Enable or disable the policy.

    • Delete the policy.


  • If you don’t want to delete your policy, you can choose to disable the policy.

  • To re-enable the policy on the Policies dashboard, do the following:

    • On the Policies dashboard, click the Status slider button and refresh the page. The Status slider button turns green.

    • On the Modify Policy page, click the Enabled slider button on the bottom of the page.

Supported modes

Citrix Analytics supports the following modes on policies:

  • Enforcement mode - In this mode, the configured policies impact user accounts.

  • Monitor mode - In this mode, the configured policies do not impact user accounts. You can set policies to this mode if you want to test any policy configurations.

Use the following instructions to configure modes on policies:

  1. Navigate to Settings > Custom Risk Indicators and Policies.

  2. On the Policies page, select the icon at the top right corner, that is displayed next to the Search bar. The SELECT MODE window is displayed.

  3. Select the mode of your choice and click Save Settings.


The default policies created by Analytics are set to monitor mode. As a result, the existing policies also inherit this mode. You can assess the impact of all the policies together and then, change them to enforcement mode.

Policy modes

Self-service search for Policies

On the self-service search page, you can view the user events that have satisfied the conditions defined in the policies. The page also displays the actions applied on these user events. Filter the user events based on the applied actions.

Policies and actions