Citrix user risk indicators
User risk indicators are user activities that look suspicious or can pose a security threat to your organization. These risk indicators span all Citrix products used in your deployment. A risk indicator is triggered when the user's behavior deviates from normal. Each risk indicator can have one or more risk factors associated with it; the risk factors tell you what kind of anomaly was seen in the user's events. Together, the risk indicators and their associated risk factors determine the risk score of a user.
The following are the risk factors associated with the risk indicators:
Device-based risk indicators: Triggers when a user signs in from a device that is considered unusual based on the user’s device history.
Location-based risk indicators: Triggers when a user signs in from an IP address associated with a location that is considered unusual based on the user’s location history.
IP-based risk indicators: Triggers when a user attempts to access resources from an IP address that has been identified as suspicious, regardless of whether the IP address is unusual for the user.
Logon-failure-based risk indicators: Triggers when a user has a pattern of excessive or unusual logon failures.
Data-based risk indicators: Triggers when a user tries to exfiltrate data out of a Workspace session. The user behaviors under observation include copy or paste events, download patterns, and so on.
File-based risk indicators: Triggers when a user’s behavior regarding file access on Content Collaboration is considered unusual based on their historical access pattern. The user behaviors under observation include download patterns, access to sensitive content, activities indicative of ransomware, and so on.
Custom risk indicators: Triggers when a pre-configured condition or a user-defined condition is met. For more information, see the following articles:
Other risk indicators: Risk indicators that do not belong to any of the predefined risk factors, such as Device-based, Location-based, or Logon-failure-based.
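To make the distinction between the factors concrete, the following is an added example (not Citrix code, and not the scoring model Citrix Analytics actually uses) that applies the Device-based, Location-based, IP-based, and Logon-failure-based checks described above to a handful of constructed sign-in events. The event fields, the suspicious-IP list, the failure threshold, and the per-factor weights are all assumptions made for the illustration; the page only states that indicators and their risk factors determine the score, not how.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real Citrix log data). Fields are
# loosely modelled on a gateway authentication record:
# (timestamp, user, device_id, country, source_ip, outcome)
EVENTS = [
    (1, "alice", "laptop-01", "US", "203.0.113.10", "success"),
    (2, "alice", "laptop-01", "US", "203.0.113.11", "success"),
    (3, "alice", "laptop-01", "US", "203.0.113.10", "success"),
    (4, "bob", "phone-07", "DE", "198.51.100.5", "success"),
    (5, "bob", "phone-07", "DE", "198.51.100.5", "success"),
    (6, "alice", "laptop-01", "US", "203.0.113.10", "success"),
    # Events after the baseline window, i.e. the ones being scored.
    (7, "bob", "phone-07", "DE", "198.51.100.5", "failure"),
    (8, "bob", "phone-07", "DE", "198.51.100.5", "failure"),
    (9, "bob", "phone-07", "DE", "198.51.100.5", "failure"),
    (10, "bob", "phone-07", "DE", "198.51.100.5", "failure"),
    (11, "bob", "phone-07", "DE", "198.51.100.5", "failure"),
    (12, "alice", "tablet-42", "BR", "192.0.2.77", "success"),
]

# Hypothetical reputation feed; the page does not say where Citrix sources its list.
SUSPICIOUS_IPS = {"192.0.2.77"}

# Illustrative threshold and weights. The page states that indicators and their
# risk factors determine the score but does not publish the actual model.
FAILURE_THRESHOLD = 5
FACTOR_WEIGHTS = {
    "Device-based": 30,
    "Location-based": 30,
    "IP-based": 40,
    "Logon-failure-based": 25,
}


def build_baseline(history):
    """Per-user sets of devices and countries seen on successful sign-ins."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for _ts, user, device, country, _ip, outcome in history:
        if outcome == "success":
            baseline[user]["devices"].add(device)
            baseline[user]["countries"].add(country)
    return baseline


def evaluate_event(event, baseline, failure_streaks):
    """Return the (indicator, risk factor) pairs one event triggers.

    Device and location checks are relative to the user's own history, so a
    user with no history cannot deviate from it. The IP check is absolute:
    a listed address fires whether or not it is new for the user.
    """
    _ts, user, device, country, ip, outcome = event
    triggered = []
    known = baseline.get(user)
    if known is not None:
        if device not in known["devices"]:
            triggered.append(("Suspicious logon", "Device-based"))
        if country not in known["countries"]:
            triggered.append(("Access from an unusual location", "Location-based"))
    if ip in SUSPICIOUS_IPS:
        triggered.append(("Logon from suspicious IP", "IP-based"))
    if outcome == "failure":
        failure_streaks[user] += 1
        if failure_streaks[user] >= FAILURE_THRESHOLD:
            triggered.append(("Excessive authentication failures", "Logon-failure-based"))
    else:
        failure_streaks[user] = 0  # a success ends the streak
    return triggered


def risk_score(indicators):
    """Illustrative additive score over distinct risk factors, capped at 100."""
    factors = {factor for _name, factor in indicators}
    return min(100, sum(FACTOR_WEIGHTS[f] for f in factors))


def analyze(events, baseline_until):
    """Learn a baseline from events up to `baseline_until`, score the rest."""
    history = [e for e in events if e[0] <= baseline_until]
    recent = [e for e in events if e[0] > baseline_until]
    baseline = build_baseline(history)
    failure_streaks = defaultdict(int)
    per_user = defaultdict(set)
    for event in sorted(recent):
        for hit in evaluate_event(event, baseline, failure_streaks):
            per_user[event[1]].add(hit)
    return {
        user: {"indicators": sorted(hits), "score": risk_score(hits)}
        for user, hits in per_user.items()
    }


if __name__ == "__main__":
    for user, report in analyze(EVENTS, baseline_until=6).items():
        print(user, report["score"], report["indicators"])
```

Two things worth noticing when running it: alice's single sign-in from a new device, a new country, and a listed IP raises three indicators with three different risk factors, which is the multi-factor "Suspicious logon" shape the table below shows for Citrix Workspace; bob's five consecutive failures raise only a Logon-failure-based indicator, because every other attribute matches his baseline. Any real deployment would replace the constant weights and threshold with the product's own model.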
The risk indicators are also grouped into risk categories according to the nature of the risk. For more information, see Risk Categories.
The following table shows the correlation between the risk indicators, risk factors, and the risk categories.
| Citrix product | User risk indicator | Risk factor | Risk category |
|---|---|---|---|
| Citrix Content Collaboration | Access from an unusual location | Location-based risk indicators | Compromised users |
| Citrix Content Collaboration | Excessive access to sensitive files | File-based risk indicators | Data exfiltration |
| Citrix Content Collaboration | Excessive file sharing | Other risk indicators | Data exfiltration |
| Citrix Content Collaboration | Excessive file or folder deletion | File-based risk indicators | Insider threats |
| Citrix Content Collaboration | Excessive file uploads | Other risk indicators | Insider threats |
| Citrix Content Collaboration | Excessive file downloads | File-based risk indicators | Data exfiltration |
| Citrix Content Collaboration | Ransomware activity suspected | File-based risk indicators | Compromised users |
| Citrix Content Collaboration | Unusual authentication failures | Logon-failure-based risk indicators | Compromised users |
| Citrix Gateway | Access from an unusual location | Location-based risk indicators | Compromised users |
| Citrix Gateway | Endpoint analysis (EPA) scan failure | Other risk indicators | Compromised users |
| Citrix Gateway | Excessive authentication failures | Logon-failure-based risk indicators | Compromised users |
| Citrix Gateway | Logon from suspicious IP | IP-based risk indicators | Compromised users |
| Citrix Gateway | Unusual authentication failure | Logon-failure-based risk indicators | Compromised users |
| Citrix Endpoint Management | Device with blacklisted apps detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Jailbroken or rooted device detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Unmanaged device detected | Other risk indicators | Compromised endpoints |
| Citrix Virtual Apps and Desktops / Citrix Workspace | Potential data exfiltration | Data-based risk indicators | Data exfiltration |
| Citrix Virtual Apps and Desktops / Citrix Workspace | Suspicious logon | Device-based, IP-based, Location-based, and Other risk indicators | Compromised users |
| Citrix Access Control | Attempt to access blacklisted URL | Other risk indicators | Insider threats |
| Citrix Access Control | Excessive data download | Other risk indicators | Insider threats |
| Citrix Access Control | Risky website access | Other risk indicators | Insider threats |
| Citrix Access Control | Unusual upload volume | Other risk indicators | Insider threats |