Preconfigured custom risk indicators and policies
Citrix provides a list of preconfigured custom risk indicators and a policy to help you monitor the security of your Citrix infrastructure. The conditions of these preconfigured custom risk indicators and the policy are defined according to specific security risk scenarios such as compromised users, insider threats, and data exfiltration. You can also modify these conditions according to your security requirements and use the custom risk indicators to mitigate the risks.
Preconfigured custom risk indicators for geofencing
The preconfigured custom risk indicators are triggered whenever users access the Citrix products from outside their usual country of operation. By default, the country of operation is set to “United States”. You can set your required country for geofencing.
By default, the preconfigured custom risk indicators are in the disabled state. Toggle the STATUS button to enable them.
The following table describes the various preconfigured custom risk indicators.
| Custom risk indicator name | Scenario | Custom indicator conditions | Data source | Risk category |
|---|---|---|---|---|
| CVAD-Session started outside of geofence | User has started a virtual session outside their country of operation | Event-Type = Session.logon AND Country != “United States” | Citrix Workspace app | Compromised users |
| GW-Geofence crossing | User has successful authentication from outside their country of operation | Event-Type = “VPN_AI” AND Country != “United States” | Citrix Gateway (on-premises) | Compromised users |
| CCC-Geofence crossing | Login of a non-employee from outside of country of operation | Is-Employee = “False” AND Operation-Name = “Login” AND Country != “United States” | Citrix Content Collaboration | Compromised users |
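A small dry-run for the conditions in the table above, added here as an illustration and not Citrix's implementation or API: it parses the `=`, `!=` and `AND` forms shown in the table and evaluates them against constructed events, so that a changed geofence country can be checked before an indicator is enabled. The event dictionaries, the function names, and the treatment of missing fields are assumptions.

```python
import re

# Conditions from the table above, values in straight quotes, with the
# country of operation parameterised (the page's default is "United States").
INDICATORS = {
    "CVAD-Session started outside of geofence":
        'Event-Type = "Session.logon" AND Country != "{country}"',
    "GW-Geofence crossing":
        'Event-Type = "VPN_AI" AND Country != "{country}"',
    "CCC-Geofence crossing":
        'Is-Employee = "False" AND Operation-Name = "Login" AND Country != "{country}"',
}

CLAUSE = re.compile(r'^\s*([\w-]+)\s*(!=|=)\s*"([^"]*)"\s*$')

def parse(condition):
    """Split a condition into (field, operator, value) clauses joined by AND."""
    clauses = []
    for part in re.split(r"\s+AND\s+", condition):
        m = CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append(m.groups())
    return clauses

def matches(condition, event):
    """True if every clause holds for the event.
    Assumption of this sketch: a field missing from the event never satisfies
    a clause, so an event without a Country value does not fire."""
    for field, op, value in parse(condition):
        if field not in event:
            return False
        equal = str(event[field]) == value
        if equal != (op == "="):
            return False
    return True

def triggered(event, country="United States"):
    """Names of the indicators whose condition matches the event."""
    return [name for name, cond in INDICATORS.items()
            if matches(cond.format(country=country), event)]

# Constructed sample events (hypothetical shape, not a Citrix export format).
SAMPLE_EVENTS = [
    {"Event-Type": "Session.logon", "Country": "Germany"},
    {"Event-Type": "Session.logon", "Country": "United States"},
    {"Event-Type": "VPN_AI", "Country": "India"},
    {"Is-Employee": "True", "Operation-Name": "Login", "Country": "Brazil"},
    {"Is-Employee": "False", "Operation-Name": "Login", "Country": "Brazil"},
]
```

Calling `triggered(event, country="Germany")` shows which of the sample events would fire after the geofence country is changed from the default.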
Preconfigured policy for geofencing
Citrix provides a preconfigured policy that applies the Request End User Response action to a user account whenever the user starts a virtual session from outside their country of operation. The user receives an email and, based on the user’s response, an appropriate action is taken, such as adding the user to the watchlist or notifying the administrator for further action. For more information, see Request user response.
The following table describes the preconfigured policy.
| Policy name | Scenario | Policy condition | Applied action |
|---|---|---|---|
| Session start outside of geofence | Ability for an administrator to validate the user’s legitimacy through the ‘Request End-user Response’ action when the user starts the virtual session outside their country of operation | Use with preconfigured custom risk indicator “CVAD-Session started outside of geofence” | Request End-User Response |

Based on the user’s response, one of the following actions is applied:
If the user does not recognize the activity: Add to watchlist
If the user recognizes the activity: No action required
If the user does not respond within 60 minutes of receiving the email: Add the user to the watchlist
The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region in Citrix Cloud, the preconfigured policy is not applied to your account. To use the preconfigured policy, modify the policy and select another action of your choice.
Create your own policy with preconfigured custom risk indicators
You can also create your own policies with these preconfigured custom risk indicators and apply actions such as lock users or log off users whenever the indicators are triggered. For information on how to create policies, see Configure policies and actions.
The following example shows a policy that locks users who try to access the Citrix services from outside the United States. The user access is locked if the user does not recognize their access activity.
Condition: GW-Geofence crossing
Action: Request end user response
Next action: Lock the user if the user does not recognize the activity
The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region, select another action of your choice instead of the Request End User Response action.