Citrix Analytics for Security

Citrix user risk indicators

User risk indicators are user activities that look suspicious or can pose a security threat to your organization. These risk indicators span all Citrix products used in your deployment. A risk indicator is triggered when the user's behavior deviates from its normal pattern. Each risk indicator can have one or more risk factors associated with it. These risk factors help you determine the type of anomaly in the user events. The risk indicators and their associated risk factors determine the risk score of a user.

The following are the risk factors associated with the risk indicators:

  • Device-based risk indicators: Triggers when a user signs in from a device that is considered unusual based on the user’s device history.

  • Location-based risk indicators: Triggers when a user signs in from an IP address associated with a location that is considered unusual based on the user’s location history.

  • IP-based risk indicators: Triggers when a user attempts to access resources from an IP address that has been identified as suspicious, regardless of whether the IP address is unusual for the user.

  • Logon-failure-based risk indicators: Triggers when a user has a pattern of excessive or unusual logon failures.

  • Data-based risk indicators: Triggers when a user tries to exfiltrate data out of a Workspace session. The user behaviors under observation include copy or paste events, download patterns, and so on.

  • File-based risk indicators: Triggers when a user’s behavior regarding file access on Content Collaboration is considered unusual based on their historical access pattern. The user behaviors under observation include download patterns, access to sensitive content, activities indicative of ransomware, and so on.

  • Custom risk indicators: Triggers when a pre-configured condition or a user-defined condition is met. For more information, see the following articles:

  • Other risk indicators: Risk indicators that do not belong to any of the predefined risk factors, such as Device-based, Location-based, and Logon-failure-based.

The risk indicators are also grouped into risk categories according to the nature of the risk they represent. For more information, see Risk Categories.

The following table shows the correlation between the risk indicators, risk factors, and the risk categories.

| Citrix Product | User Risk Indicator | Risk Factor | Risk Category |
|---|---|---|---|
| Citrix Content Collaboration | Access from an unusual location | Location-based risk indicators | Compromised users |
| Citrix Content Collaboration | Excessive access to sensitive files | File-based risk indicators | Data exfiltration |
| Citrix Content Collaboration | Excessive file sharing | Other risk indicators | Data exfiltration |
| Citrix Content Collaboration | Excessive file or folder deletion | File-based risk indicators | Insider threats |
| Citrix Content Collaboration | Excessive file uploads | Other risk indicators | Insider threats |
| Citrix Content Collaboration | Excessive file downloads | File-based risk indicators | Data exfiltration |
| Citrix Content Collaboration | Ransomware activity suspected | File-based risk indicators | Compromised users |
| Citrix Content Collaboration | Unusual authentication failures | Logon-failure-based risk indicators | Compromised users |
| Citrix Gateway | Access from an unusual location | Location-based risk indicators | Compromised users |
| Citrix Gateway | End point analysis (EPA) scan failure | Other risk indicators | Compromised users |
| Citrix Gateway | Excessive authentication failures | Logon-failure-based risk indicators | Compromised users |
| Citrix Gateway | Logon from suspicious IP | IP-based risk indicators | Compromised users |
| Citrix Gateway | Unusual authentication failure | Logon-failure-based risk indicators | Compromised users |
| Citrix Endpoint Management | Device with blacklisted apps detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Jailbroken or rooted device detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Unmanaged device detected | Other risk indicators | Compromised endpoints |
| Citrix Virtual Apps and Desktops / Citrix Workspace | Potential data exfiltration | Data-based risk indicators | Data exfiltration |
| Citrix Virtual Apps and Desktops / Citrix Workspace | Suspicious Logon | Device-based risk indicators, IP-based risk indicators, Location-based risk indicators, and Other risk indicators | Compromised users |
| Citrix Access Control | Attempt to access blacklisted URL | Other risk indicators | Insider threats |
| Citrix Access Control | Excessive data download | Other risk indicators | Insider threats |
| Citrix Access Control | Risky website access | Other risk indicators | Insider threats |
| Citrix Access Control | Unusual upload volume | Other risk indicators | Insider threats |