Citrix Analytics for Security

Citrix Content Collaboration risk indicators

Excessive access to sensitive files

Citrix Analytics detects data threats based on excessive file access activity and triggers the corresponding risk indicator.

The Excessive access to sensitive files risk indicator is triggered when a user’s access to sensitive files is excessive. This unusual activity might indicate a problem with the user’s account, such as an attack on their account.

The risk factor associated with the Excessive access to sensitive files risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive access to sensitive files risk indicator triggered?

You are notified when a user has accessed an unusual amount of data that has been deemed sensitive during a given time period. This alert is triggered when a user accesses sensitive data identified by a Data Loss Prevention (DLP) or a Cloud Access Security Broker (CASB) solution. When Content Collaboration detects this excessive behavior, Citrix Analytics receives the events, and increases the risk score of the respective user. The Excessive access to sensitive files risk indicator is added to the user’s risk timeline.

How to analyze the excessive access to sensitive files risk indicator?

Consider the user Adam Maxwell, who accessed 10 sensitive files and downloaded them to his local system within a span of 15 minutes. The Excessive access to sensitive files risk indicator is triggered because this activity exceeds a threshold. The threshold is calculated from the number of sensitive files downloaded in a given time window, factoring in contextual information such as the download mechanism.

From Adam Maxwell’s timeline, you can select the reported Excessive access to sensitive files risk indicator. The reason for the event is displayed on the screen along with details of the event such as file name, file size, and the download time.

To view the Excessive access to sensitive files risk indicator, navigate to Security > Users, and select the user.

Excessive access to sensitive files

  • In the WHAT HAPPENED section, you can view a summary of the Excessive access to sensitive files risk indicator. You can view the number of sensitive files that Citrix Analytics deemed excessive and the time the events occurred.

    Excessive access to sensitive files what happened

  • In the EVENT DETAILS – SENSITIVE DATA DOWNLOAD section, the events are displayed in graphical and tabular format. Each event appears as an individual entry in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • File size. The size of the file downloaded.

    Excessive access to sensitive files event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following for the duration of the event:

    • Total number of sensitive files downloaded.

    • Total size of the files downloaded by the user.

    Excessive access to sensitive files contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file sharing

Citrix Analytics detects data threats based on excessive file sharing activity and triggers the corresponding risk indicator.

The Excessive file sharing indicator is triggered when there is a deviation from the user’s typical file sharing behavior. Any deviation from a regular file sharing behavior is considered unusual and the user’s account is investigated for this suspicious activity.

The risk factor associated with the Excessive file sharing risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file sharing risk indicator triggered?

You can be notified when a user within your organization has been sharing files more often than expected under normal behavior. By responding to the notification about a user who has excessively shared files, you can prevent a data exfiltration.

Citrix Analytics receives share events from Content Collaboration, analyzes them, and raises the risk score of a user who exhibits excessive sharing behavior. The Excessive file sharing risk indicator is added to the user’s risk timeline.

How to analyze the excessive file sharing risk indicator?

Consider the user Adam Maxwell, who shared files six times within a day. Based on machine learning algorithms, this is more often than he usually shares files.

From Adam Maxwell’s timeline, you can select the reported Excessive file sharing risk indicator. The reason for the event is displayed along with details such as the Content Collaboration link shared, the time the file was shared, and more.
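The documentation does not describe the models behind "more often than he usually does", so the following is an added example, not Citrix's code, of the per-user baseline idea: daily share counts for the preceding 14 days are summarized with a median and MAD, and the review day triggers when its count exceeds the median plus k spreads. The share events, the 14-day history, the k = 3 sensitivity and the 1-share floor are constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import median

MAD_SCALE = 1.4826   # scales the MAD so it is comparable to a standard deviation
K = 3.0              # assumed sensitivity: spreads above the median that count as excessive
MIN_SPREAD = 1.0     # assumed floor so a perfectly regular history still gets some tolerance
HISTORY_DAYS = 14    # assumed length of the per-user baseline


def daily_share_counts(events):
    """Number of share events per calendar day."""
    return Counter(e["time"].date() for e in events)


def robust_threshold(history, k=K, min_spread=MIN_SPREAD):
    """Median plus k scaled MADs of the user's own daily counts.

    Median/MAD are used instead of mean/std so one earlier spike in the
    history does not inflate the baseline and hide a later burst.
    """
    med = median(history)
    mad = median(abs(c - med) for c in history)
    return med + k * max(MAD_SCALE * mad, min_spread)


def evaluate_day(events, review_day, k=K):
    """Compare the review day's share count with the threshold learned from the days before it."""
    counts = daily_share_counts(events)
    history = [counts.get(review_day - timedelta(days=d), 0) for d in range(1, HISTORY_DAYS + 1)]
    threshold = robust_threshold(history, k)
    today = sorted((e for e in events if e["time"].date() == review_day), key=lambda e: e["time"])
    return {
        "day": review_day,
        "count": len(today),
        "threshold": threshold,
        "triggered": len(today) > threshold,
        # the per-share fields the EVENT DETAILS table lists: time shared, share ID, tool name
        "details": [(e["time"].isoformat(), e["share_id"], e["tool"]) for e in today],
    }


def build_events(first_day, shares_per_day):
    """Constructed share events: one record per share, spaced an hour apart from 09:00."""
    events = []
    for offset, n in enumerate(shares_per_day):
        day = first_day + timedelta(days=offset)
        for i in range(n):
            events.append({"time": datetime(day.year, day.month, day.day, 9 + i),
                           "share_id": f"sh-{offset:02d}-{i}", "tool": "Citrix Files web"})
    return events


# Constructed history: 14 quiet days (0 to 2 shares each) followed by a review day with 6 shares.
BASELINE = [0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 1, 0]
REVIEW_DAY = date(2023, 5, 15)
EVENTS = build_events(REVIEW_DAY - timedelta(days=HISTORY_DAYS), BASELINE + [6])

if __name__ == "__main__":
    result = evaluate_day(EVENTS, REVIEW_DAY)
    verdict = "Excessive file sharing" if result["triggered"] else "within baseline"
    print(f"{result['count']} shares on {result['day']} vs threshold {result['threshold']:.2f}: {verdict}")
```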

To view the Excessive file sharing risk indicator, navigate to Security > Users, and select the user.

Excessive file sharing

  • In the WHAT HAPPENED section, you can view a summary of the excessive file sharing event. You can view the number of share links sent to recipients and when the sharing occurred.

    Excessive file sharing what happened

  • In the EVENT DETAILS – EXCESSIVE FILES SHARED section, the event is displayed in graphical and tabular format. Each event appears as an individual entry in the graph, and the table provides the following key information:

    • Time shared. The time the file was shared.

    • Share ID. The Content Collaboration link used to share the file.

    • Operations. The operation performed by the user using Content Collaboration.

    • Tool name. The tool or application used to share the files.

    • Source. Repository (Citrix Files, OneDrive, and so on) in which the file was shared.

      Excessive file sharing event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total number of files shared by the user during the event’s occurrence.

    Excessive file sharing contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

  • When the user is disabled, they cannot log on to Content Collaboration. They see a notification, on the logon page, prompting them to reach their Content Collaboration account administrator for further information.

  • When a share link is disabled, the share link is not accessible to any user or recipient. If the user tries to access the share link again, the page displays a message to the recipient stating that the link is no longer available.

  • Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file uploads

Citrix Analytics detects data threats based on an excessive file uploads activity and triggers the corresponding risk indicator.

The Excessive file uploads risk indicator helps you identify an unusual file upload activity. Each user has a file upload pattern that they follow which includes attributes such as:

  • Time the files were uploaded

  • Type of files that were uploaded

  • File upload volume

  • File upload source

Any deviation from a user’s usual pattern triggers the Excessive file uploads risk indicator.

The risk factor associated with the Excessive file uploads risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file uploads risk indicator triggered?

Excessive file uploads can be categorized as risky because they might indicate a compromised user or an insider threat trying to upload malicious or encrypted content. If uploading a large amount of data is not consistent with the user’s normal behavior, it can be considered suspicious in a more general sense. This alert is triggered when the volume of data uploaded exceeds the user’s normal upload behavior based on machine learning algorithms.

When Citrix Analytics detects excessive upload behavior, it raises the risk score of the respective user. The Excessive file uploads risk indicator is added to the user’s risk timeline.

How to analyze the excessive file uploads risk indicator?

Consider the user Lemuel, who has uploaded a large amount of data within a span of one hour. By this action, Lemuel exceeded his normal upload behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file uploads risk indicator. The reason for the alert is displayed along with details of the event such as file name, upload time, tool name, and source.

To view the Excessive file uploads risk indicator, navigate to Security > Users, and select the user.

Excessive file uploads

  • In the WHAT HAPPENED section, you can view a summary of the excessive file uploads event. You can view the amount of data uploaded by the user and the time the event occurred.

Excessive file uploads what happened

  • In the EVENT DETAILS – EXCESSIVE FILES UPLOADS section, the event is displayed in graphical and tabular format. Each event appears as an individual entry in the graph, and the table provides the following key information:

    • Time uploaded. Time when the file was uploaded.

    • File name. The name and extension of the uploaded file.

    • Tool name. The tool or application used to upload the file.

    • Source. Repository (Citrix Files, OneDrive, and so on) to which the file was uploaded.

    Excessive file uploads event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total size of the files uploaded by the user during the event’s occurrence.

    Excessive file uploads info

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file downloads

Citrix Analytics detects data threats based on excessive file downloads activity and triggers the corresponding risk indicator.

The Excessive file downloads risk indicator helps you identify unusual file download activity. Each user has a file download pattern that they follow which includes attributes such as:

  • Time the files were downloaded.

  • Type of files that were downloaded.

  • File download volume, and so on.

Any deviation from a user’s usual pattern triggers the Excessive file downloads risk indicator.

The risk factor associated with the Excessive file downloads risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file downloads risk indicator triggered?

Excessive file downloads can be categorized as risky because they might indicate a compromised user or an insider trying to exfiltrate data. If downloading a large amount of data is not consistent with the user’s normal behavior, it might be considered suspicious in a more general sense. This alert is triggered when the volume of data downloaded exceeds the user’s normal download behavior based on machine learning algorithms.

When Citrix Analytics detects excessive download behavior, it raises the risk score of the respective user. The Excessive file downloads risk indicator is added to the user’s risk timeline.

How to analyze the excessive file downloads risk indicator?

Consider the user Lemuel, who has downloaded a large amount of data to his local system within a span of one hour. By this action, Lemuel exceeded his normal download behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file downloads risk indicator. The reason for the excessive file download alert is displayed along with details of the event such as file name, file size, and download time.

To view the Excessive file downloads risk indicator, navigate to Security > Users, and select the user.

Excessive file downloads

  • In the WHAT HAPPENED section, you can view a summary of the excessive file downloads event. You can view the amount of data downloaded by the user and the time the event occurred.

Excessive file downloads what happened

  • In the EVENT DETAILS – EXCESSIVE FILES DOWNLOADS section, the event is displayed in graphical and tabular format. Each event appears as an individual entry in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • Source. Repository (Citrix Files, OneDrive, and so on) from which the file was downloaded.

    • File size. The size of the file downloaded.

      Excessive file downloads event details

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total download size of the files downloaded by the user during the event’s occurrence.

    Excessive file downloads contextual information

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file or folder deletion

Citrix Analytics detects data threats based on excessive file or folder deletion activity and triggers the corresponding risk indicator.

The Excessive file or folder deletion risk indicator is triggered when a user deletes files or folders excessively. This abnormality might indicate a problem with the user’s account, such as an attack on their account.

The risk factor associated with the Excessive file or folder deletion risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file or folder deletion risk indicator triggered?

You can be notified when a user in your organization has deleted an excessive number of files or folders within a certain time period. This alert is triggered when a user deletes an excessive number of files or folders outside of their normal deletion behavior based on machine learning algorithms.

When this behavior is detected, Citrix Analytics increases the risk score of the respective user. The Excessive file or folder deletion risk indicator is added to the user’s risk timeline.

How to analyze the excessive file or folder deletion risk indicator?

Consider the user Lemuel, who deleted many files or folders over the course of a day. By this action, Lemuel exceeded his normal deletion behavior based on machine learning algorithms.

From Lemuel Kildow’s timeline, you can select the reported Excessive file or folder deletion risk indicator. The reason for the event is displayed on the screen along with the details of the event such as type of deletion (file or folder), time it was deleted, and so on.

To view the Excessive file or folder deletion risk indicator, navigate to Security > Users, and select the user.

Excessive file or folder deletion

  • In the WHAT HAPPENED section, you can view a summary of the Excessive file or folder deletion event. You can view the number of files and folders that were deleted and the time the event occurred.

    Excessive file or folder deletion what happened

  • In the EVENT DETAILS – EXCESSIVE DELETED ITEMS section, the event is displayed in graphical and tabular format. Each event appears as an individual entry in the graph, and the table provides the following key information:

    • Time deleted. Time when the file or folder was deleted.

    • Type. Type of item that was deleted: file or folder.

    • Name. Name of the file or folder that was deleted.

    • Source. Repository (Citrix Files, OneDrive, and so on) in which the file was deleted.

      Excessive file or folder deletion event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Impossible travel

Citrix Analytics detects a user’s logons as risky when the consecutive logons are from two different countries within a time period that is less than the expected travel time between the countries.

The impossible travel time scenario indicates the following risks:

  • Compromised credentials: A remote attacker steals a legitimate user’s credentials.
  • Shared credentials: Different users are using the same user credentials.

When is the Impossible travel risk indicator triggered?

The Impossible travel risk indicator evaluates the time and estimated distance between each pair of consecutive user logons, and triggers when the distance is greater than an individual person can possibly travel in that amount of time.

Note

This risk indicator also contains logic to reduce false positive alerts for the following scenarios that do not reflect the users’ actual locations:

  • When users log on to Content Collaboration from proxy connections.
  • When users log on to Content Collaboration from hosted clients.

How to analyze the Impossible travel risk indicator?

Consider the user Adam Maxwell, who logs on from two locations, Bengaluru, India and Oslo, Norway, within a time duration of one minute. Citrix Analytics detects these logon events as an impossible travel scenario and triggers the Impossible travel risk indicator. The risk indicator is added to Adam Maxwell’s risk timeline and a risk score is assigned to him.
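As an added illustration, not Citrix's implementation, the following computes what the indicator described above evaluates: the great-circle distance and elapsed time between consecutive logons, dropping logons flagged as proxy or hosted-client connections, and flagging a pair from two different countries whose implied speed is beyond what a person can travel. The logon records, the 900 km/h ceiling, the 100 km minimum distance and the proxy/hosted-client flags are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0          # assumed guard so city-level geolocation jitter is ignored


@dataclass(frozen=True)
class Logon:
    time: datetime
    city: str
    country: str
    lat: float
    lon: float
    client_ip: str
    via_proxy: bool = False      # assumed flag set upstream when the client IP is a proxy service
    hosted_client: bool = False  # assumed flag set upstream when the logon comes from a hosted client


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logons, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logons from different countries whose implied speed exceeds the ceiling.

    Proxy and hosted-client logons are removed first, because the IP location of those
    connections is not where the user is; this is the false-positive logic the note describes.
    """
    usable = sorted((l for l in logons if not (l.via_proxy or l.hosted_client)), key=lambda l: l.time)
    findings = []
    for prev, cur in zip(usable, usable[1:]):
        if prev.country == cur.country:
            continue
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km < MIN_DISTANCE_KM:
            continue
        hours = (cur.time - prev.time).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            findings.append({
                "from": f"{prev.city}, {prev.country}",
                "to": f"{cur.city}, {cur.country}",
                "client_ips": (prev.client_ip, cur.client_ip),
                "minutes": round(hours * 60, 1),
                "distance_km": round(km, 1),
                "speed_kmh": round(speed, 1),
            })
    return findings


# Constructed logon sequence; the IP addresses are documentation ranges, not real clients.
SAMPLE_LOGONS = [
    Logon(datetime(2023, 7, 3, 10, 0), "Bengaluru", "India", 12.9716, 77.5946, "203.0.113.10"),
    Logon(datetime(2023, 7, 3, 10, 1), "Oslo", "Norway", 59.9139, 10.7522, "198.51.100.7"),
    Logon(datetime(2023, 7, 3, 13, 1), "Stockholm", "Sweden", 59.3293, 18.0686, "198.51.100.42"),
    # a proxy egress far away one minute later: skipped, so it does not cause a false positive
    Logon(datetime(2023, 7, 3, 13, 2), "Ashburn", "United States", 39.0438, -77.4874, "192.0.2.5",
          via_proxy=True),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGONS):
        print(f"Impossible travel: {f['from']} -> {f['to']} in {f['minutes']} min, "
              f"{f['distance_km']} km ({f['speed_kmh']} km/h)")
```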

To view Adam Maxwell’s risk timeline, select Security > Users. From the Risky Users pane, select the user Adam Maxwell.

From Adam Maxwell’s risk timeline, select the Impossible travel risk indicator. You can view the following information:

  • The WHAT HAPPENED section provides a brief summary of the impossible travel event.

    CCC what happened

  • The INDICATOR DETAILS section provides the locations from which the user has logged on, the time duration between the consecutive logons, and the distance between the two locations.

    CCC indicator details

  • The LOGON LOCATION- LAST 30 DAYS section displays a geographical map view of the impossible travel locations and known locations of the user. The location data is shown for the last 30 days. You can hover over the pointers on the map to view the total logons from each location.

    CCC logon location- last 30 days

  • The IMPOSSIBLE TRAVEL- EVENT DETAILS section provides the following information about the impossible travel event:

    • Time: Indicates the date and the time of the logons.
    • Client IP: Indicates the IP address of the user device.
    • Location: Indicates the location from where the user has logged on.
    • Device OS: Indicates the operating system of the user device.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.
  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.
  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.
  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.
  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Malware files detected

Citrix Analytics detects data threats based on the infected files uploaded in Content Collaboration and triggers the risk indicator.

The indicator provides visibility into the details of the malicious file such as the file owner, virus name, and the file location. You can analyze the nature of the threat and the behavior of the user and accordingly take timely action to prevent any data exfiltration or ransomware attacks in your organization.

The risk factor associated with the Malware files detected risk indicator is the File-based risk indicator. For more information about the risk factors, see Citrix user risk indicators.

When is the malware files detected risk indicator triggered?

The Malware files detected risk indicator is triggered when a Content Collaboration user uploads a file that is infected with malware such as a Trojan, a virus, or any other malicious code.

When Content Collaboration detects a malicious file, it sends the event to Citrix Analytics for Security. This event triggers the risk indicator and raises the risk score of the user on Citrix Analytics for Security. The Malware files detected risk indicator is added to the user’s risk timeline.

How to analyze the malware files detected risk indicator?

Consider the user Kevin Smith, who uploads an infected file to his Content Collaboration account. Citrix Analytics triggers the Malware files detected risk indicator and displays it on Kevin’s timeline.

From Kevin’s timeline, select the risk indicator and the time period to view the following details:

  • The WHAT HAPPENED section: Summary of the user events and the time of detection.

    Malware files what happened

  • The INDICATOR DETAILS section: Details of the infected file such as the virus name, file hash value, and the path of the infected file in the user’s Content Collaboration account.

    Malware file details

  • The RELATED RISK section: Additional information about the malware file:

    • Number of unique users with the infected file having the same file hash value. Click the number of users to view their details.

    • Total occurrences of the risk indicator associated with your users. Click the number of occurrences to view the details.

    Malware files related risks

  • The MALWARE CONTENT UPLOADED- EVENT DETAILS section: Details of the events that triggered the risk indicator.

    • Date and time: Indicates the date and time of the event.

    • File name: Indicates the name of the infected file.

    • Virus name: Indicates the name of the virus that infected the file.

    • Folder: Indicates the name of the folder where the file is stored in the user’s Content Collaboration account.

    • File hash: Indicates the hash value of the infected file.

    Click the Event Search link to view all the events related to this risk indicator for the user Kevin Smith.

    Malware files event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Remove folder access permission. You can block the access permission of the user who uploads the infected file. The user cannot access the folder where the infected file was uploaded.

  • Remove upload permission to folder. You can block the upload permission of the user who uploads the infected file. The user cannot upload a file to the folder where the infected file was uploaded.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Ransomware activity suspected

Citrix Analytics detects data threats based on a ransomware activity and triggers the corresponding risk indicator.

Ransomware is malware that prevents users from accessing their files by replacing or updating the files with encrypted versions. By identifying ransomware attacks across the files that users share within an organization, you can ensure that productivity is not impacted.

The risk factor associated with the Ransomware activity suspected risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the ransomware risk indicator triggered?

You are notified when a user on your account deletes and replaces an excessive number of files with similar names and different extensions, or updates an excessive number of files with similar names and different extensions. This activity might indicate that the user’s account has been compromised and that a ransomware attack is in progress. When Citrix Analytics detects this behavior, it increases the risk score of the respective user. The Ransomware activity suspected risk indicator is added to the user’s risk timeline.

The Ransomware activity suspected indicator has two variants:

  • Ransomware activity suspected (Files replaced) indicates an attempt to delete existing files and replace them with new versions in a pattern that resembles a ransomware attack. Such an attack can produce more uploads than deletions; for example, a ransom note might be uploaded along with the encrypted files.

  • Ransomware activity suspected (Files updated) indicates an attempt to update existing files with modified versions in a pattern that resembles a ransomware attack.
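The two patterns above can be written down as a detection rule over file-operation events. The following Python is an added illustration, not Citrix code: the event shape, the 15-minute window, the fixed threshold of five matches (Citrix learns a per-user baseline instead), the compound-extension heuristic and the constructed sample activity are all assumptions. It pairs deletes with uploads that keep the folder and file stem but change the extension (Files replaced), counts in-place updates that do the same (Files updated), and leaves extra uploads such as a ransom note uncounted.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import posixpath


@dataclass(frozen=True)
class FileEvent:
    """Assumed shape of a Content Collaboration file-activity event."""
    time: datetime
    user: str
    action: str                      # "upload", "delete" or "update"
    path: str
    new_path: Optional[str] = None   # for "update": the path after the change, if renamed


WINDOW = timedelta(minutes=15)       # assumed analysis window
THRESHOLD = 5                        # assumed fixed threshold (Citrix uses a learned baseline)


def split_name(path):
    """Return (folder, stem, full extension) so that report.docx and
    report.docx.locked share the stem 'report' and differ only in extension.
    Heuristic: every dotted suffix is treated as extension (.tar.gz, .docx.locked)."""
    folder, name = posixpath.split(path)
    stem, ext = posixpath.splitext(name)
    while True:
        inner, more = posixpath.splitext(stem)
        if not more:
            break
        stem, ext = inner, more + ext
    return folder, stem.lower(), ext.lower()


def _key(path):
    folder, stem, ext = split_name(path)
    return (folder, stem), ext


def count_replaced(events):
    """Uploads that match an earlier delete on folder and stem but carry a different
    extension. A restore with the same extension, or an upload with no matching
    delete (a ransom note), is not counted."""
    deleted = defaultdict(set)
    for e in events:
        if e.action == "delete":
            key, ext = _key(e.path)
            deleted[key].add(ext)
    n = 0
    for e in events:
        if e.action == "upload":
            key, ext = _key(e.path)
            if key in deleted and ext not in deleted[key]:
                n += 1
    return n


def count_updated(events):
    """In-place updates that kept folder and stem but changed the extension."""
    n = 0
    for e in events:
        if e.action == "update" and e.new_path:
            old_key, old_ext = _key(e.path)
            new_key, new_ext = _key(e.new_path)
            if old_key == new_key and old_ext != new_ext:
                n += 1
    return n


def detect(events, user, window=WINDOW, threshold=THRESHOLD):
    """Names of the indicator variants that fire for `user` in any sliding window."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.time)
    fired = set()
    for i, first in enumerate(mine):
        win = [e for e in mine[i:] if e.time - first.time < window]
        if count_replaced(win) >= threshold:
            fired.add("Ransomware activity suspected (Files replaced)")
        if count_updated(win) >= threshold:
            fired.add("Ransomware activity suspected (Files updated)")
    return sorted(fired)


T0 = datetime(2024, 5, 1, 9, 0)      # constructed timestamp


def sample_events():
    """Constructed file activity for three users (not real log data)."""
    evs = []
    # adam: six files deleted and re-uploaded as .locked within two minutes, plus a ransom note
    for i, name in enumerate(["q1.xlsx", "plan.docx", "deck.pptx", "notes.txt", "budget.xlsx", "hr.pdf"]):
        t = T0 + timedelta(seconds=20 * i)
        evs.append(FileEvent(t, "adam", "delete", f"/Finance/{name}"))
        evs.append(FileEvent(t + timedelta(seconds=5), "adam", "upload", f"/Finance/{name}.locked"))
    evs.append(FileEvent(T0 + timedelta(minutes=3), "adam", "upload", "/Finance/HOW_TO_DECRYPT.txt"))
    # bob: five documents updated in place and renamed with a .crypt extension
    for i in range(5):
        evs.append(FileEvent(T0 + timedelta(seconds=30 * i), "bob", "update",
                             f"/HR/policy{i}.docx", f"/HR/policy{i}.docx.crypt"))
    # maria: replaces one contract with a PDF export, which is ordinary work
    evs.append(FileEvent(T0, "maria", "delete", "/Legal/contract.docx"))
    evs.append(FileEvent(T0 + timedelta(minutes=1), "maria", "upload", "/Legal/contract.pdf"))
    return evs


if __name__ == "__main__":
    for user in ("adam", "bob", "maria"):
        print(user, detect(sample_events(), user) or "no indicator")
```

Maria's single delete-and-upload never reaches the threshold, so a user who converts one document does not trip the rule; the threshold and window are what separate routine re-uploads from the burst pattern the indicator describes.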

How to analyze the ransomware risk indicator?

Consider the user Adam Maxwell, who updates many files with modified versions within a span of 15 minutes. This activity is flagged as unusual and suspicious based on what the machine learning algorithms deem normal for that specific user.

From Adam Maxwell’s timeline, you can select the reported Ransomware Activity Suspected (Files Updated) risk indicator. The reason for the event is displayed on the screen along with details such as the name of the file and the location of the file.

To view the Ransomware activity suspected (Files Updated) risk indicator, navigate to Security > Users, and select the user. From the user’s risk timeline, select the Ransomware activity suspected (Files Updated) risk indicator that is triggered for the user.

  • In the WHAT HAPPENED section, you can view a summary of the Ransomware activity suspected event: the number of files that were updated in a suspicious manner and the time the event occurred.

  • In the EVENT DETAILS – FILE OPERATIONS section, the event is displayed in graphical and tabular format. Each file operation appears as an individual entry in the graph, and the table provides the following key information:

    • Time. The time the file was updated.

    • File name. The name of the file.

    • Path. The path where the file is located.


Similarly, you can select the reported Ransomware activity suspected (Files Replaced) risk indicator. You can view the details of this event such as:

  • The reason the risk indicator is triggered.

  • The number of files that were deleted and replaced with a new version.


  • The time the event (files being replaced) occurred.

  • The name of the files.

  • The location of the files.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Suspicious logon

Notes

  • This risk indicator replaces the Access from an unusual location risk indicator.

  • Any policies based on the Access from an unusual location risk indicator are automatically linked to the Suspicious logon risk indicator.

Citrix Analytics detects the user’s logons that appear unusual or risky based on multiple contextual factors, which are defined jointly by the device, location, and network used by the user.

When is the Suspicious logon risk indicator triggered?

The risk indicator is triggered by a combination of the following factors. Each factor is regarded as potentially suspicious when one or more of its conditions is met.

  • Unusual device

    • The user logs on from a device whose signature differs from the devices used in the last 30 days. The device signature is based on the operating system of the device and the client tool (application) used.

  • Unusual location

    • Log on from a city or country from which the user has not logged on in the last 30 days.

    • The city or country is geographically far from the user’s recent (last 30 days) logon locations.

    • Zero or very few users have logged on from the city or country in the last 30 days.

  • Unusual network

    • Log on from an IP address that the user has not used in the last 30 days.

    • Log on from an IP subnet that the user has not used in the last 30 days.

    • Zero or very few users have logged on from the IP subnet in the last 30 days.

  • IP threat

    • The IP address is identified as high risk by the community threat intelligence feed (Webroot).

    • Citrix Analytics recently detected highly suspicious logon activity by other users from the same IP address.
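To make the factor table concrete, here is an added Python illustration that scores one logon against 30 days of tenant history and correlates the factors. It is not Citrix’s algorithm: the factors and the 0–69 / 70–89 / 90–100 suspicion bands that the LOGON DETAILS section uses come from this page, but the individual score values, the /24 subnet grouping, the MIN_USERS cut-off for "zero or minimum users", the tool names, the `threat_ips` set that stands in for the Webroot feed, the `flagged_ips` set that stands in for recent detections on other users, the two-factor trigger rule and the constructed history are all assumptions. The geographic-distance condition is left out because it needs coordinates the event shape here does not carry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Logon:
    """Assumed shape of a Content Collaboration logon event."""
    time: datetime
    user: str
    ip: str
    city: str
    country: str
    os: str
    tool: str


LOOKBACK = timedelta(days=30)
MIN_USERS = 3          # assumed meaning of "zero or minimum users" for a city or subnet


def subnet(ip):
    """Group addresses by /24; the page does not say which prefix length Citrix uses."""
    return str(ip_network(f"{ip}/24", strict=False))


def band(score):
    """Suspicion-level bands as listed in the LOGON DETAILS section."""
    return "normal" if score < 70 else "moderate" if score < 90 else "high"


def score_logon(event, history, threat_ips=frozenset(), flagged_ips=frozenset()):
    """Per-factor suspicion scores (0-100) for one logon against 30 days of tenant
    history, plus whether the correlated result raises the indicator."""
    recent = [h for h in history if event.time - LOOKBACK <= h.time < event.time]
    mine = [h for h in recent if h.user == event.user]
    others = [h for h in recent if h.user != event.user]

    # Unusual device: the (OS, client tool) signature is new for this user
    device = 0 if (event.os, event.tool) in {(h.os, h.tool) for h in mine} else 95

    # Unusual location: new country scores above a new city in a known country;
    # a city almost nobody else in the tenant uses is a little worse still
    if event.country not in {h.country for h in mine}:
        location = 90
    elif event.city not in {h.city for h in mine}:
        location = 75
    else:
        location = 0
    if location and len({h.user for h in others if h.city == event.city}) < MIN_USERS:
        location = min(100, location + 5)

    # Unusual network: new /24 scores above a new address inside a known /24
    if subnet(event.ip) not in {subnet(h.ip) for h in mine}:
        network = 90
    elif event.ip not in {h.ip for h in mine}:
        network = 75
    else:
        network = 0
    if network and len({h.user for h in others if subnet(h.ip) == subnet(event.ip)}) < MIN_USERS:
        network = min(100, network + 5)

    # IP threat: listed by the feed (threat_ips stands in for Webroot), or recently
    # flagged for highly suspicious logons by other users (flagged_ips)
    ip_threat = 100 if event.ip in threat_ips else 90 if event.ip in flagged_ips else 0

    factors = {"device": device, "location": location, "network": network, "ip_threat": ip_threat}
    # Assumed correlation rule: no single factor triggers; two or more at moderate/high do
    triggered = sum(1 for s in factors.values() if s >= 70) >= 2
    return factors, triggered


NOW = datetime(2024, 5, 1, 8, 0)   # constructed timestamp


def sample_history():
    """Constructed history: Adam and Maria both work from one office /24 (not real data)."""
    hist = []
    for d in range(1, 21):
        hist.append(Logon(NOW - timedelta(days=d), "adam", "203.0.113.10",
                          "Raleigh", "United States", "Windows", "Desktop app"))
    for d in range(1, 6):
        hist.append(Logon(NOW - timedelta(days=d), "maria", "203.0.113.22",
                          "Raleigh", "United States", "macOS", "Web browser"))
    return hist


def adam_from_north_charleston():
    """The page's scenario: first logon from North Charleston on a new device signature
    and a network Adam has not used before."""
    return Logon(NOW, "adam", "198.51.100.77", "North Charleston", "United States",
                 "macOS", "Web browser")


if __name__ == "__main__":
    factors, triggered = score_logon(adam_from_north_charleston(), sample_history())
    for name, s in factors.items():
        print(f"{name:10} {s:3}  {band(s)}")
    print("Suspicious logon indicator:", "triggered" if triggered else "not triggered")
```

Run as written, Adam’s logon scores high on device and network and moderate on location, so the correlated result triggers. The same scorer leaves Maria alone when only her device changes, and a feed hit on an otherwise familiar logon stays below the two-factor rule; that is the point the page makes about no single factor indicating high risk.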

How to analyze the Suspicious logon risk indicator

Consider the user Adam Maxwell, who signs in from North Charleston, United States, for the first time. He uses a device with an unfamiliar signature to access the Content Collaboration service, and he connects from a network that he has not used in the last 30 days.

Citrix Analytics detects this logon event as suspicious because all three factors (location, device, and network) deviate from his usual behavior, and it triggers the Suspicious logon risk indicator. The risk indicator is added to Adam Maxwell’s risk timeline and a risk score is assigned to him.

To view Adam Maxwell’s risk timeline, select Security > Users. From the Risky Users pane, select the user Adam Maxwell.

From Adam Maxwell’s risk timeline, select the Suspicious logon risk indicator. You view the following information:

  • The WHAT HAPPENED section provides a brief summary of the suspicious activity, including the risk factors involved and the time of the event.

  • The LOGON DETAILS section provides a detailed summary of the suspicious activity for each risk factor. Each risk factor is assigned a score that indicates its suspicion level. No single risk factor by itself indicates a high-risk user; the overall risk is based on the correlation of multiple risk factors.

    • 0–69: The factor appears normal and is not considered suspicious.

    • 70–89: The factor appears slightly unusual and is considered moderately suspicious in combination with other factors.

    • 90–100: The factor is entirely new or unusual and is considered highly suspicious in combination with other factors.

  • The LOGON LOCATION - LAST 30 DAYS section displays a geographical map of the user’s last known locations and current location. The location data covers the last 30 days. Hover over the pointers on the map to view the total logons from each location.

  • The SUSPICIOUS LOGON - EVENT DETAILS section provides the following information about the suspicious logon event:

    • Time: The date and time of the suspicious logon.

    • Device OS: The operating system of the user device.

    • Tool name: The application used to sign in to Content Collaboration.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Unusual authentication failures

Citrix Analytics detects access threats based on authentication activities from unusual IP addresses.

The Unusual authentication failures risk indicator is triggered when a user makes failed logon attempts from an IP address that is considered unusual based on the user’s historical access pattern. By identifying users whose authentication failures deviate from their previous behavior, administrators can monitor the user’s account for brute-force attacks.

The risk factor associated with the Unusual authentication failures risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Unusual authentication failures risk indicator triggered?

You are notified when a user in your organization has multiple failed logon attempts that are contrary to their usual behavior.

The Unusual authentication failures risk indicator is triggered when a user repeatedly fails to log on to the Content Collaboration service from an IP address that is unusual for that user. When this behavior is detected, Citrix Analytics increases the risk score of the respective user. The Unusual authentication failures risk indicator is added to the user’s risk timeline.
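As an added illustration (not Citrix code), the following Python builds the per-subnet 30-day authentication summary that this page describes under AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS and flags a burst of failures from a subnet the user has never authenticated from successfully. The event shape, the /24 grouping, the 10-minute window, the fixed threshold of five (Citrix learns a per-user baseline) and the constructed log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class AuthEvent:
    """Assumed shape of a Content Collaboration authentication event."""
    time: datetime
    user: str
    ip: str
    success: bool
    location: str


LOOKBACK = timedelta(days=30)
WINDOW = timedelta(minutes=10)   # assumed burst window
THRESHOLD = 5                    # assumed fixed threshold (Citrix uses a learned baseline)


def subnet(ip):
    """Group addresses by /24; the page does not say which prefix length Citrix uses."""
    return str(ip_network(f"{ip}/24", strict=False))


def activity_summary(events, user, now):
    """One row per subnet, as in the AUTHENTICATION ACTIVITY - PREVIOUS 30 DAYS table:
    success and failure counts, the time of the most recent of each, and the location."""
    rows = {}
    for e in sorted(events, key=lambda e: e.time):
        if e.user != user or not (now - LOOKBACK <= e.time <= now):
            continue
        row = rows.setdefault(subnet(e.ip), {"success": 0, "last_success": None,
                                             "failure": 0, "last_failure": None,
                                             "location": e.location})
        kind = "success" if e.success else "failure"
        row[kind] += 1
        row["last_" + kind] = e.time
    return rows


def unusual_failures(events, user, now):
    """Subnets from which the user failed THRESHOLD or more times within WINDOW and
    has no successful logon in the look-back period. Failures from a subnet with
    prior successes (a forgotten password at the office) are deliberately ignored."""
    hits = []
    for net, row in activity_summary(events, user, now).items():
        if row["success"] > 0 or row["failure"] < THRESHOLD:
            continue
        fails = sorted(e.time for e in events
                       if e.user == user and not e.success and subnet(e.ip) == net
                       and now - LOOKBACK <= e.time <= now)
        burst = any(sum(1 for t in fails[i:] if t - start < WINDOW) >= THRESHOLD
                    for i, start in enumerate(fails))
        if burst:
            hits.append((net, row["failure"], row["location"]))
    return hits


def sample_events():
    """Constructed authentication log for Maria Brown (not real data)."""
    now = datetime(2024, 5, 1, 9, 0)
    evs = []
    for d in range(1, 15):   # daily successful logons from the office /24
        evs.append(AuthEvent(now - timedelta(days=d), "maria", "203.0.113.40", True, "Raleigh, US"))
    for i in range(6):       # six quick failures from the office three days ago: a forgotten password
        evs.append(AuthEvent(now - timedelta(days=3, minutes=1, seconds=20 * i),
                             "maria", "203.0.113.40", False, "Raleigh, US"))
    for i in range(8):       # eight failures in under four minutes from a subnet Maria has never used
        evs.append(AuthEvent(now - timedelta(minutes=30, seconds=-30 * i),
                             "maria", "198.51.100.9", False, "Unknown"))
    return evs, now


if __name__ == "__main__":
    evs, now = sample_events()
    for net, row in activity_summary(evs, "maria", now).items():
        print(net, row)
    print("Unusual authentication failures:", unusual_failures(evs, "maria", now))
```

The office failures are the more numerous single incident in this log but are not flagged, because the summary shows 14 prior successes from that subnet; only the burst from the never-seen subnet meets the rule. That is the distinction the indicator draws between a user who mistypes a password and an address that is guessing one.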

How to analyze the Unusual authentication failures risk indicator?

Consider the user Maria Brown, who tried multiple times to log on to Content Collaboration. The machine learning algorithm detected this as unusual behavior for her account. From Maria’s timeline, you can select the reported Unusual authentication failures risk indicator. The reason for the event and the event details are displayed on the screen.

To view the Unusual authentication failures risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the unusual authentication failures event, including the number of unsuccessful logons that occurred during a specific time period.

  • In the RECOMMENDED ACTION section, you find the suggested actions that can be applied on the risk indicator. Citrix Analytics for Security recommends actions depending on the severity of the risk posed by the user. The recommendation can be one or a combination of the following actions:

    • Notify administrator(s)

    • Add to watchlist

    • Create a policy

    You can select an action based on the recommendation, or select any other action that you want to apply from the Actions menu. For more information, see Apply an action manually.

  • In the UNUSUAL AUTHENTICATION FAILURE - EVENT DETAILS section, you can view the timeline of the events and their details. The table provides the following key information:

    • Event time. The time of each logon attempt.

    • Client IP. The IP address from which the logon attempt originated.

    • Location. The location of the user device.

    • Tool name. The application used to attempt the logon to Content Collaboration.

    • OS. The operating system of the user device.

  • In the AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS section, the table summarizes the user’s authentication activity over the previous 30 days:

    • Subnet – The IP subnet from which the authentication events originated.

    • Success – The total number of successful authentication events and the time of the most recent one.

    • Failure – The total number of failed authentication events and the time of the most recent one.

    • Location – The location from which the authentication events occurred.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Disable user. Citrix Analytics enables you to restrict or revoke the user’s access by disabling their Content Collaboration account. You can apply this action to both employee users and client users.

  • Expire all links. Citrix Analytics enables you to expire all the active share links of the user. When the share links are expired, the links become invalid and they are not accessible by the other users with whom the links are shared.

  • Change link to view-only sharing. Citrix Analytics enables you to change the active share links of the user to view-only mode. This action prevents other users from downloading, copying, or printing the files associated with the share links. For more information, see View-only sharing.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.
