Citrix Analytics for Security

Preconfigured custom risk indicators and policies

Citrix provides a list of preconfigured custom risk indicators and a policy to help you monitor the security of your Citrix infrastructure. The conditions of these preconfigured custom risk indicators and the policy are defined according to specific security risk scenarios such as compromised users, insider threats, and data exfiltration. You can also modify these conditions according to your security requirements and use the custom risk indicators to mitigate the risks.

Preconfigured custom risk indicators for geofencing

The preconfigured custom risk indicators are triggered whenever users access the Citrix products from outside their usual country of operation. By default, the country of operation is set to “United States”. You can set your required country for geofencing.

By default, the preconfigured custom risk indicators are in the disabled state. Toggle the STATUS button to enable them.

Preconfigured custom risk indicators

The following table describes the various preconfigured custom risk indicators.

| Custom risk indicator name | Scenario | Custom indicator conditions | Data source | Risk category |
|---|---|---|---|---|
| CVAD-Session started outside of geofence | User has started a virtual session outside their country of operation | Event-Type = Session.logon AND Country != “United States” | Citrix Workspace app | Compromised users |
| GW-Geofence crossing | User has successful authentication from outside their country of operation | Event-Type = “VPN_AI” AND Country != “United States” | Citrix Gateway (on-premises) | Compromised users |
| CCC-Geofence crossing | Login of a non-employee from outside of country of operation | Is-Employee = “False” AND Operation-Name = “Login” AND Country != “United States” | Citrix Content Collaboration | Compromised users |

Preconfigured policy for geofencing

Citrix provides a preconfigured policy that applies the Request End User Response action to a user account whenever the user starts a virtual session from outside their country of operation. The user receives an email and, based on the user’s response, an appropriate action is taken, such as adding the user to the watchlist or notifying the administrator for further action. For more information, see Request user response.

Preconfigured policy

The following table describes the preconfigured policy.

| Policy name | Scenario | Policy condition | Applied action |
|---|---|---|---|
| Session start outside of geofence | Ability for an administrator to validate the user’s legitimacy through the ‘Request End-user Response’ action when the user starts the virtual session outside their country of operation | Use with preconfigured custom risk indicator “CVAD-Session started outside of geofence” | Request End-User Response. Based on the user’s response, the corresponding action is applied: if the user does not recognize the activity, add to watchlist; if the user recognizes the activity, no action required; if the user does not respond within 60 minutes of receiving the email, add the user to the watchlist |

Note

The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region in Citrix Cloud, the preconfigured policy does not get applied to your account. To use the preconfigured policy, modify the policy and select another action of your choice.
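The three indicator conditions and the policy’s response handling above can be reproduced as a small rule evaluator. This is an added illustration, not Citrix’s code: the event field names mirror the condition syntax in the table, the events are constructed, and the response values (“recognized”, “not_recognized”, no reply) are assumed labels for the three outcomes the policy table describes.

```python
from datetime import datetime, timedelta

# Geofence country; the page's default is "United States" (configurable in Citrix Analytics).
GEOFENCE_COUNTRY = "United States"

# The three preconfigured indicators from the table, as predicates over an event dict.
# Keys (Event-Type, Country, Is-Employee, Operation-Name) follow the page's condition syntax.
INDICATORS = {
    "CVAD-Session started outside of geofence": lambda e: (
        e.get("Event-Type") == "Session.logon" and e.get("Country") != GEOFENCE_COUNTRY),
    "GW-Geofence crossing": lambda e: (
        e.get("Event-Type") == "VPN_AI" and e.get("Country") != GEOFENCE_COUNTRY),
    "CCC-Geofence crossing": lambda e: (
        e.get("Is-Employee") == "False" and e.get("Operation-Name") == "Login"
        and e.get("Country") != GEOFENCE_COUNTRY),
}


def triggered_indicators(event):
    """Return the names of the preconfigured indicators that fire on one event."""
    return [name for name, cond in INDICATORS.items() if cond(event)]


# The policy waits at most 60 minutes for the user's reply to the email.
RESPONSE_TIMEOUT = timedelta(minutes=60)


def policy_action(response, sent_at, now):
    """Follow-up action of the 'Session start outside of geofence' policy.

    response: "recognized", "not_recognized", or None when no reply has arrived yet.
    """
    if response == "not_recognized":
        return "Add to watchlist"
    if response == "recognized":
        return "No action required"
    if now - sent_at >= RESPONSE_TIMEOUT:      # no reply within 60 minutes
        return "Add to watchlist"
    return "Awaiting response"


# Constructed sample events (not real telemetry) covering each data source.
SAMPLE_EVENTS = [
    {"Event-Type": "Session.logon", "Country": "Germany"},                   # Workspace app
    {"Event-Type": "VPN_AI", "Country": "United States"},                   # Gateway, in-country
    {"Is-Employee": "False", "Operation-Name": "Login", "Country": "Brazil"},  # Content Collaboration
    {"Is-Employee": "True", "Operation-Name": "Login", "Country": "Brazil"},   # employee: no CCC hit
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", triggered_indicators(ev))
```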

Create your own policy with preconfigured custom risk indicators

You can also create your own policies with these preconfigured custom risk indicators and apply actions such as lock users or log off users whenever the indicators are triggered. For information on how to create policies, see Configure policies and actions.

The following example shows a policy that locks users who try to access the Citrix services from outside the United States. The user’s access is locked if the user does not recognize their access activity.

Condition: GW-Geofence crossing

Action: Request end user response

Next action: Lock the user if the user does not recognize the activity

Geofencing example

Note

The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region, select another action of your choice instead of the Request End User Response action.
