Citrix user risk indicators

User risk indicators are user activities that look suspicious or can pose a security threat to your organization. User risk indicators span all Citrix products used in your deployment. The indicators are based on user behavior and are triggered when the user’s behavior deviates from normal. User risk indicators help determine the user’s risk score.

User risk indicators can be of the following categories:

  • Access based. These risk indicators are triggered when the user accesses the network or a specific resource without authorization, or is unable to access it.

  • Data based. These risk indicators are triggered when a user has downloaded or uploaded an unusually large volume of data. This data upload or download activity can be to an internal or external destination over a specific time period.

  • Application based. These risk indicators are triggered when the user has attempted to access an unauthorized application over a specific time period.

You can get a summary of the top five default and custom risk indicators on the Risk Indicators dashboard. For more information, see Users dashboard.

The following table lists the risk indicators that are provided by various Citrix products:

| Citrix Products | User Risk Indicators |
|---|---|
| Citrix Content Collaboration | Excessive access to sensitive files |
| | Excessive file sharing |
| | Excessive file or folder deletion |
| | Excessive file uploads |
| | Excessive file downloads |
| | Excessive authentication failures |
| | Ransomware activity suspected |
| | First time access from new location |
| Citrix Gateway | Access from an unusual location |
| | End point analysis (EPA) scan failure |
| | Excessive authentication failures |
| | Excessive authorization failures |
| | First time access from new IP |
| | Logon from suspicious IP |
| Citrix Endpoint Management | Unmanaged device detected |
| | Jailbroken or rooted device detected |
| | Device with blacklisted apps detected |
| Citrix Virtual Apps and Desktops / Citrix Workspace | Access from device with unsupported OS |
| | First time access from new device |
| | Potential data exfiltration |
| Citrix Access Control | Unusual upload volume |
| | Excessive data download |
| | Risky website access |
| | Attempt to access blacklisted URL |
