Citrix Access Control risk indicators

Risky website access

Citrix Analytics detects data access threats based on the risky websites accessed by the user and triggers the corresponding risk indicator.

The Risky website access risk indicator is reported when a user in your organization attempts to access malicious, suspicious, or risky websites with high reputation ratings.

When is the Risky website access risk indicator triggered?

Access Control assigns a reputation score to a website, based on whether the URL categorization database has marked it as one of the following:

  • Malicious

  • Potentially dangerous

  • Unknown

  • Normal

For more information, see URL reputation score.

When a user in your organization attempts to access risky websites, Access Control reports these events to Citrix Analytics. Citrix Analytics monitors all these events, and if it identifies that the user has visited at least one website with a reputation score of 3 or 4 (that is, a potentially dangerous site or a malicious site), it increases the risk score for the user. The Risky website access risk indicator is added to the user’s risk timeline.

How to analyze the Risky website access risk indicator?

Consider a user, Georgina Kalou, who attempted to access a risky website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Risky website access risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Risky website access risk indicator. The reason for the event is displayed along with details about the events, such as the time of the event and the website.

To view the Risky website access risk indicator entry for a user, navigate to Security > Users, and select the user.

When you select a Risky website access risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the number of risky websites accessed by the user during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the event occurred.

    • Website. The risky website accessed by the user.

    • Category group. The category group that Access Control assigned to the risky website.

    • Category. The category specified by Access Control for the risky website.

    • Reputation rating. The reputation rating returned by Access Control for the risky website. For more information, see URL reputation score.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Attempt to access blacklisted URL

Citrix Analytics detects data access threats based on the blacklisted URLs accessed by the user and triggers the corresponding risk indicator.

The Attempt to access blacklisted URL risk indicator is reported in Citrix Analytics when a user attempts to access a blacklisted URL configured in Access Control.

When is the Attempt to access blacklisted URL risk indicator triggered?

Access Control includes a URL categorization feature that provides policy-based control to restrict access to blacklisted URLs. When a user attempts to access a blacklisted URL, Access Control reports this event to Citrix Analytics. Citrix Analytics updates the user’s risk score and adds an Attempt to access blacklisted URL risk indicator entry to the user’s risk timeline.

How to analyze the Attempt to access blacklisted URL risk indicator?

Consider a user, Georgina Kalou, who accessed a blacklisted URL configured in Access Control. Access Control reports this event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Attempt to access blacklisted URL risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Attempt to access blacklisted URL risk indicator. The reason for the event is displayed along with details about the events, such as the time of the event and the website details.

To view the Attempt to access blacklisted URL entry for a user, navigate to Security > Users, and select the user.

When you select the Attempt to access blacklisted URL risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the details of the blacklisted URL accessed by the user during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the event occurred.

    • Website. The risky website accessed by the user.

    • Category. The category specified by Access Control for the blacklisted URL.

    • Reputation rating. The reputation rating returned by Access Control for the blacklisted URL. For more information, see URL reputation score.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Unusual upload volume

Citrix Analytics detects data access threats based on Unusual upload volume activity and triggers the corresponding risk indicator.

The Unusual upload volume risk indicator is reported when a user uploads an excess volume of data to an application or website.

When is the Unusual upload volume risk indicator triggered?

You can configure Access Control to monitor user activities, such as visits to malicious, dangerous, or unknown websites, the bandwidth consumed, and risky downloads and uploads. When a user in your organization uploads data to an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that this user activity is contrary to the user’s usual behavior, it updates the user’s risk score. The Unusual upload volume risk indicator is added to the user’s risk timeline.

How to analyze the Unusual upload volume risk indicator?

Consider a user, Adam Maxwell, who uploaded an excess volume of data to an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Adam Maxwell. The Unusual upload volume risk indicator is added to Adam Maxwell’s risk timeline.

From Adam Maxwell’s risk timeline, you can select the reported Unusual upload volume risk indicator. The reason for the event is displayed along with details about the events, such as the time of the event and the domain.

To view the Unusual upload volume risk indicator, navigate to Security > Users, and select the user.

When you select an Unusual upload volume risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the volume of data uploaded during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual data upload events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the excessive data was uploaded to an application or a website.

    • Domain. The domain to which the user uploaded the data.

    • Category. The domain category.

    • Upload size. Volume of data uploaded to the domain.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive data download

Citrix Analytics detects data access threats based on the excessive data downloaded by users in your network and triggers the corresponding risk indicator.

The risk indicator is reported when a user in your organization downloads an excess volume of data from an application or website.

When is the Excessive data download risk indicator triggered?

You can configure Access Control to monitor user activities, such as visits to malicious, dangerous, or unknown websites, the bandwidth consumed, and risky downloads and uploads. When a user in your organization downloads data from an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that the user activity is contrary to the user’s usual behavior, it updates the user’s risk score. The Excessive data download risk indicator is added to the user’s risk timeline.
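The Unusual upload volume and Excessive data download sections say only that the indicator fires when activity is contrary to the user's usual behavior; the model itself is not described on this page. The following is an added example, not Citrix code, that assumes a per-user median/MAD baseline over daily totals. The event tuple layout, thresholds, user names and sample volumes are all constructed.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed sample data: MB transferred per day by two hypothetical users.
SERIES = {"user_a": [18, 22, 20, 25, 19, 21, 900],
          "user_b": [800, 850, 790, 820, 810, 830, 900]}
# Event tuples (user, day, domain, direction, bytes); this layout is an assumption.
EVENTS = [(user, f"2024-01-{i + 1:02d}", "files.example.com", "upload", mb * MB)
          for user, series in SERIES.items() for i, mb in enumerate(series)]

def daily_totals(events, direction):
    """Sum bytes per user per day for one direction ('upload' or 'download')."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _domain, event_direction, size in events:
        if event_direction == direction:
            totals[user][day] += size
    return totals

def unusual_days(events, direction, min_history=5, threshold=3.5):
    """Return {user: [(day, bytes)]} for days far above that user's own baseline."""
    flagged = {}
    for user, per_day in daily_totals(events, direction).items():
        days = sorted(per_day)  # ISO dates sort chronologically as strings
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little history to call anything "usual"
            base = median(history)
            spread = median(abs(v - base) for v in history)
            # Floor the spread so a perfectly flat history does not make
            # every small increase look extreme.
            spread = max(spread, 0.1 * base, 1.0)
            score = 0.6745 * (per_day[day] - base) / spread  # robust z-score
            if score > threshold:
                flagged.setdefault(user, []).append((day, per_day[day]))
    return flagged

if __name__ == "__main__":
    # Both users move 900 MB on the last day; only user_a departs from habit.
    print(unusual_days(EVENTS, "upload"))
```

A fixed limit of, say, 500 MB per day would flag both users on the last day and flag user_b on every other day as well; the per-user baseline flags only the user whose volume changed.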

How to analyze the Excessive data download risk indicator?

Consider a user, Georgina Kalou, who downloaded an excess volume of data from an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou and adds the Excessive data download risk indicator entry to the user’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Excessive data download risk indicator. The reason for the event is displayed along with details about the events, such as the time and domain details.

To view the Excessive data download risk indicator, navigate to Security > Users, and select the user.

When you select an Excessive data download risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the volume of data downloaded during the selected period.

  • The EVENT DETAILS section includes a timeline visualization of the individual data download events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the excessive data was downloaded from an application or a website.

    • Domain. The domain from which the user downloaded the data.

    • Category. The domain category.

    • Download size. Volume of data downloaded from the domain.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.
