Citrix Analytics for Security

Citrix Content Collaboration risk indicators

Access from an unusual location

Citrix Analytics detects access threats based on unusual sign-in activity and triggers the corresponding risk indicator.

When is the Access from an unusual location risk indicator triggered?

You get notified when a user in your organization signs in from a location that is different from their usual location. The location is determined from the IP address of the user’s device. Content Collaboration detects these user events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The risk indicator is triggered when the user signs in from an IP address associated with a new country, or a new city that is anomalously far away from any previous sign-in locations. Other factors include the user’s overall level of mobility and the relative frequency of sign-ins from the city across all users in your organization. In all cases, the user location history is based on the previous 30 days of sign-in activity.

The Access from an unusual location risk indicator is added to the user’s risk timeline.

The risk factor associated with the Access from an unusual location risk indicator is the Location-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.
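The new-country and distant-new-city rules described above can be sketched as follows. This is an added illustration, not Citrix code: the 1,000 km threshold, the `SignIn` record, and the city names and coordinates are assumptions, and the user-mobility and organization-wide city-frequency factors are left out.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

HISTORY_WINDOW = timedelta(days=30)  # from the page: 30 days of sign-in history
FAR_CITY_KM = 1000.0                 # assumed threshold, not a published product value


class SignIn(NamedTuple):
    user: str
    when: datetime
    country: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_sign_in(event, history):
    """Return (is_unusual, reason) for one sign-in against the user's history."""
    # Only the same user's sign-ins from the 30 days before this event count.
    recent = [h for h in history
              if h.user == event.user
              and timedelta(0) < event.when - h.when <= HISTORY_WINDOW]
    if not recent:
        # Assumption: with no baseline there is nothing to deviate from.
        return False, "no baseline in the last 30 days"
    if event.country not in {h.country for h in recent}:
        return True, f"new country: {event.country}"
    if (event.country, event.city) in {(h.country, h.city) for h in recent}:
        return False, "known city"
    # New city in a known country: unusual only if far from every known location.
    nearest = min(haversine_km(event.lat, event.lon, h.lat, h.lon) for h in recent)
    if nearest > FAR_CITY_KM:
        return True, f"new city {event.city}, {nearest:.0f} km from nearest known location"
    return False, f"new city {event.city}, within {FAR_CITY_KM:.0f} km of a known location"


# Constructed sample data: a user whose last 30 days cover Canada, England,
# Germany and the Netherlands, as in the page's Kevin Smith scenario.
NOW = datetime(2024, 5, 31, 9, 0)
HISTORY = [
    SignIn("kevin", NOW - timedelta(days=22), "CA", "Toronto", 43.65, -79.38),
    SignIn("kevin", NOW - timedelta(days=15), "GB", "London", 51.51, -0.13),
    SignIn("kevin", NOW - timedelta(days=8), "DE", "Berlin", 52.52, 13.40),
    SignIn("kevin", NOW - timedelta(days=3), "NL", "Amsterdam", 52.37, 4.90),
]

if __name__ == "__main__":
    for candidate in (
        SignIn("kevin", NOW, "IN", "Bengaluru", 12.97, 77.59),
        SignIn("kevin", NOW, "NL", "Rotterdam", 51.92, 4.48),
        SignIn("kevin", NOW, "CA", "Vancouver", 49.28, -123.12),
    ):
        print(candidate.city, assess_sign_in(candidate, HISTORY))
```
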

How to analyze the Access from an unusual location risk indicator?

Consider the user Kevin Smith, who signs in from Bengaluru, India for the first time. His usual sign-in locations in the last 30 days are Canada, England, Germany, and the Netherlands. By this action, Kevin Smith triggered the machine learning algorithm that detected unusual behavior.

From Kevin Smith’s timeline, you can select the reported Access from an unusual location risk indicator. The reason for the event is displayed on the screen along with details such as logon time and client IP address.

To view the Access from an unusual location risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the access from the unusual location event. You can view the number of suspicious logons that occurred during a specific time period.

  • Sign in locations: Displays a geographical map view of the usual and unusual locations from where the user has signed in.


  • Number of sign-ins from usual locations - last 30 days: Displays a pie chart view of the top 6 usual locations from where the user has signed in the last 30 days. It also displays the number of sign-in events from these locations.


  • Event details for unusual location: Provides the list of the sign-in events from the unusual location for the user. The table provides the following information about the unusual sign-in event:


    • Date and time. Indicates the date and time of the unusual sign-in location event.
    • Client IP. Indicates the IP address of the client device.
    • Device OS. Indicates the operating system of the device from which the user signed in at the unusual location.
    • Tool name. The tool or application used to share the files.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive access to sensitive files

Citrix Analytics detects data threats based on excessive file access activity and triggers the corresponding risk indicator.

The Excessive access to sensitive files risk indicator is triggered when a user’s access to sensitive files is excessive. This unusual activity might indicate a problem with the user’s account, such as an attack on their account.

The risk factor associated with the Excessive access to sensitive files risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive access to sensitive files risk indicator triggered?

You are notified when a user has accessed an unusual amount of data that has been deemed sensitive during a given time period. This alert is triggered when a user accesses sensitive data identified by a Data Loss Prevention (DLP) or a Cloud Access Security Broker (CASB) solution. When Content Collaboration detects this excessive behavior, Citrix Analytics receives the events, and increases the risk score of the respective user. The Excessive access to sensitive files risk indicator is added to the user’s risk timeline.

How to analyze the excessive access to sensitive files risk indicator?

Consider the user Adam Maxwell, who had access to 10 sensitive files that he downloaded to his local system within a span of 15 minutes. The Excessive access to sensitive files risk indicator is triggered because this activity exceeds a threshold. The threshold is calculated based on the number of sensitive files downloaded in a given time window, factoring in contextual information such as the download mechanism.

From Adam Maxwell’s timeline, you can select the reported Excessive access to sensitive files risk indicator. The reason for the event is displayed on the screen along with details of the event such as file name, file size, and the download time.

To view the Excessive access to sensitive files risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the Excessive access to sensitive files risk indicator. You can view the number of sensitive files that were deemed excessive by Citrix Analytics and the time the events occurred.

  • In the EVENT DETAILS – SENSITIVE DATA DOWNLOAD section, the events are displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • File size. The size of the file downloaded.


  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following information for the period during which the event occurred:

    • Total number of sensitive files downloaded.

    • Total size of the files downloaded by the user.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file sharing

Citrix Analytics detects data threats based on excessive file sharing activity and triggers the corresponding risk indicator.

The Excessive file sharing indicator is triggered when there is a deviation from the user’s typical file sharing behavior. Any deviation from regular file sharing behavior is considered unusual and the user’s account is investigated for this suspicious activity.

The risk factor associated with the Excessive file sharing risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file sharing risk indicator triggered?

You can be notified when a user within your organization has been sharing files more often than expected under normal behavior. By responding to the notification about a user who has excessively shared files, you can prevent data exfiltration.

Citrix Analytics receives share events from Content Collaboration, analyzes them, and raises the risk score of a user who exhibits excessive sharing behavior. The Excessive file sharing risk indicator is added to the user’s risk timeline.

How to analyze the excessive file sharing risk indicator?

Consider the user Adam Maxwell, who shared files six times within a day. By this action, Adam Maxwell has shared files more times than he usually does based on machine learning algorithms.

From Adam Maxwell’s timeline, you can select the reported Excessive file sharing risk indicator. The reason for the event is displayed along with details such as the Content Collaboration link shared, the time the file was shared, and more.

To view the Excessive file sharing risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the excessive file sharing event. You can view the number of share links sent to recipients and when the sharing occurred.

  • In the EVENT DETAILS – EXCESSIVE FILES SHARED section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time shared. The time the file was shared.

    • Share ID. The Content Collaboration link used to share the file.

    • Operations. The operation performed by the user using Content Collaboration.

    • Tool name. The tool or application used to share the files.

    • Source. Repository (Citrix Files, OneDrive, and so on) in which the file was shared.


  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total number of files shared by the user during the event’s occurrence.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the Excessive file sharing risk indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

  • Change links to view-only sharing. When a user triggers the Excessive file sharing risk indicator, Citrix Analytics enables you to change the share links associated with that indicator to view-only sharing mode. This action prevents other users from downloading, copying, or printing the files associated with the share links.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

  • When the user is disabled, they cannot log on to Content Collaboration. They see a notification, on the logon page, prompting them to reach their Content Collaboration account administrator for further information.

  • When a share link is disabled, the share link is not accessible to any user or recipient. If the user tries to access the share link again, the page displays a message to the recipient stating that the link is no longer available.

  • Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file uploads

Citrix Analytics detects data threats based on excessive file upload activity and triggers the corresponding risk indicator.

The Excessive file uploads risk indicator helps you identify unusual file upload activity. Each user has a file upload pattern that they follow, which includes attributes such as:

  • Time the files were uploaded

  • Type of files that were uploaded

  • File upload volume

  • File upload source

Any deviation from a user’s usual pattern triggers the Excessive file uploads risk indicator.

The risk factor associated with the Excessive file uploads risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file uploads risk indicator triggered?

Excessive file uploads can be categorized as risky because it indicates a compromised user or an insider threat who might be trying to upload malicious or encrypted content. If uploading a large amount of data is not consistent with the user’s normal behavior, it can be considered suspicious in a more general sense. This alert is triggered when the volume of data uploaded exceeds the user’s normal upload behavior based on machine learning algorithms.

When Citrix Analytics detects excessive upload behavior, it raises the risk score of the respective user. The Excessive file uploads risk indicator is added to the user’s risk timeline.

How to analyze the excessive file uploads risk indicator?

Consider the user Lemuel, who has uploaded a large amount of data within a span of one hour. By this action, Lemuel exceeded his normal upload behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file uploads risk indicator. The reason for the alert is displayed along with details of the event such as file name, upload time, tool name, and source.

To view the Excessive file uploads risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the excessive file uploads event. You can view the amount of data uploaded by the user and the time the event occurred.

  • In the EVENT DETAILS – EXCESSIVE FILES UPLOADS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time uploaded. Time when the file was uploaded.

    • File name. The name and extension of the uploaded file.

    • Tool name. The tool or application used to upload the file.

    • Source. Repository (Citrix Files, OneDrive, and so on) to which the file was uploaded.


  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total size of the files uploaded by the user during the event’s occurrence.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file downloads

Citrix Analytics detects data threats based on excessive file downloads activity and triggers the corresponding risk indicator.

The Excessive file downloads risk indicator helps you identify unusual file download activity. Each user has a file download pattern that they follow which includes attributes such as:

  • Time the files were downloaded.

  • Type of files that were downloaded.

  • File download volume, and so on.

Any deviation from a user’s usual pattern triggers the Excessive file downloads risk indicator.

The risk factor associated with the Excessive file downloads risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file downloads risk indicator triggered?

Excessive file downloads can be categorized as risky because it indicates a compromised user or an insider who might be trying to exfiltrate data. If downloading a large amount of data is not consistent with the user’s normal behavior, it might be considered suspicious in a more general sense. This alert is triggered when the volume of data downloaded exceeds the user’s normal download behavior based on machine learning algorithms.

When Citrix Analytics detects excessive download behavior, it raises the risk score of the respective user. The Excessive file downloads risk indicator is added to the user’s risk timeline.

How to analyze the excessive file downloads risk indicator?

Consider the user Lemuel, who has downloaded a large amount of data to his local system within a span of one hour. By this action, Lemuel exceeded his normal download behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file downloads risk indicator. The reason for the excessive file download alert is displayed along with details of the event such as file name, file size, and download time.

To view the Excessive file downloads risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the excessive file downloads event. You can view the amount of data downloaded by the user and the time the event occurred.

  • In the EVENT DETAILS – EXCESSIVE FILES DOWNLOADS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time downloaded. Time when the file was downloaded.

    • File name. The name and extension of the downloaded file.

    • Source. Repository (Citrix Files, OneDrive, and so on) from which the file was downloaded.

    • File size. The size of the file downloaded.


  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total download size of the files downloaded by the user during the event’s occurrence.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive file or folder deletion

Citrix Analytics detects data threats based on excessive file or folder deletion activity and triggers the corresponding risk indicator.

The Excessive file or folder deletion risk indicator is triggered when a user’s deletion of files or folders is excessive. This abnormality might indicate a problem with the user’s account, such as an attack on their account.

The risk factor associated with the Excessive file or folder deletion risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the excessive file or folder deletion risk indicator triggered?

You can be notified when a user in your organization has deleted an excessive number of files or folders within a certain time period. This alert is triggered when a user deletes an excessive number of files or folders outside of their normal deletion behavior based on machine learning algorithms.

When this behavior is detected, Citrix Analytics increases the risk score of the respective user. The Excessive file or folder deletion risk indicator is added to the user’s risk timeline.

How to analyze the excessive file or folder deletion risk indicator?

Consider the user Lemuel, who deleted many files or folders over the course of a day. By this action, Lemuel exceeded his normal deletion behavior based on machine learning algorithms.

From Lemuel Kildow’s timeline, you can select the reported Excessive file or folder deletion risk indicator. The reason for the event is displayed on the screen along with the details of the event such as type of deletion (file or folder), time it was deleted, and so on.

To view the Excessive file or folder deletion risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the Excessive file or folder deletion event. You can view the number of files and folders that were deleted and the time the event occurred.

  • In the EVENT DETAILS – EXCESSIVE DELETED ITEMS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time deleted. Time when the file or folder was deleted.

    • Type. Item type that was deleted – file or a folder.

    • Name. Name of the file or folder that was deleted.

    • Source. Repository (Citrix Files, OneDrive, and so on) in which the file was deleted.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Ransomware activity suspected

Citrix Analytics detects data threats based on ransomware activity and triggers the corresponding risk indicator.

Ransomware is malware that restricts users from accessing their files by either replacing or updating the files with an encrypted version. By identifying ransomware attacks across files shared by users within an organization, you can ensure that productivity is not impacted.

The risk factor associated with the Ransomware activity suspected risk indicator is the File-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the ransomware risk indicator triggered?

You are notified when a user on your account attempts to delete and replace an excessive number of files with similar names and different extensions. You are also notified when a user updates an excessive number of files with similar names and different extensions. This activity indicates that the user’s account has been compromised and a possible ransomware attack has occurred. When Citrix Analytics detects this behavior, it increases the risk score of the respective user. The Ransomware activity suspected risk indicator is added to the user’s risk timeline.

The Ransomware Activity Suspected indicator can be of two types. They are:

  • Ransomware activity suspected (Files replaced) indicates an attempt to delete the existing files and replace them with a new version of the files, in a way that resembles a ransomware attack. The attack patterns can result in more uploads than deleted files. For example, a ransom note might be uploaded along with the other files.

  • Ransomware activity suspected (Files updated) indicates an attempt to update the existing files with a modified version of the files that resembles a ransomware attack.
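A rule-based sketch of the Files replaced pattern described above, added here as an illustration and not taken from Citrix Analytics, which relies on per-user machine learning baselines. The event tuple layout, the 15-minute window, the threshold of five files and the sample file names are assumptions; the Files updated variant is not covered.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(minutes=15)  # assumed window, matching the span in the page's example
MIN_REPLACED = 5                # assumed fixed threshold in place of a learned baseline


def is_replacement(deleted, uploaded):
    """True if `uploaded` sits in the same folder as `deleted`, has a similar
    name (report.docx -> report.docx.locked or report.locked) and a different
    extension."""
    d, u = PurePosixPath(deleted), PurePosixPath(uploaded)
    if d.parent != u.parent or d.suffix.lower() == u.suffix.lower():
        return False
    return u.stem.lower() in (d.name.lower(), d.stem.lower())


def find_replacement_bursts(events):
    """events: iterable of (when, user, op, path) with op 'delete' or 'upload'.
    Returns one finding per burst of delete-and-replace activity."""
    by_user = defaultdict(list)
    for when, user, op, path in events:
        by_user[user].append((when, op, path))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            deleted = [p for _, op, p in window if op == "delete"]
            unused = [p for _, op, p in window if op == "upload"]
            pairs = []
            for d in deleted:
                match = next((u for u in unused if is_replacement(d, u)), None)
                if match is not None:
                    pairs.append((d, match))
                    unused.remove(match)
            if len(pairs) >= MIN_REPLACED:
                # Uploads with no deleted counterpart explain why uploads can
                # outnumber deletions, for example a ransom note.
                findings.append({"user": user, "start": start,
                                 "replaced": pairs, "extra_uploads": unused})
                i += len(window)
            else:
                i += 1
    return findings


# Constructed sample events, not real telemetry.
T0 = datetime(2024, 5, 31, 10, 0)
NAMES = ["q1.xlsx", "q2.xlsx", "budget.docx", "payroll.csv", "plan.pptx", "audit.pdf"]
SAMPLE_EVENTS = []
for n, name in enumerate(NAMES):
    t = T0 + timedelta(minutes=n)
    # adam: every original is deleted and reappears with a new extension.
    SAMPLE_EVENTS.append((t, "adam", "delete", f"/Finance/{name}"))
    SAMPLE_EVENTS.append((t + timedelta(seconds=5), "adam", "upload", f"/Finance/{name}.locked"))
    # lemuel: bulk deletion with no replacement uploads.
    SAMPLE_EVENTS.append((t, "lemuel", "delete", f"/Old/{name}"))
SAMPLE_EVENTS.append((T0 + timedelta(minutes=6), "adam", "upload", "/Finance/README_RESTORE.txt"))
# maria: two format conversions, below the threshold.
SAMPLE_EVENTS += [
    (T0, "maria", "delete", "/Docs/a.docx"), (T0, "maria", "upload", "/Docs/a.pdf"),
    (T0, "maria", "delete", "/Docs/b.docx"), (T0, "maria", "upload", "/Docs/b.pdf"),
]

if __name__ == "__main__":
    for f in find_replacement_bursts(SAMPLE_EVENTS):
        print(f["user"], len(f["replaced"]), "files replaced; extra uploads:", f["extra_uploads"])
```
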

How to analyze the ransomware risk indicator?

Consider the user Adam Maxwell, who tries to update many files with modified versions, within a span of 15 minutes. By this action, Adam Maxwell has triggered unusual and suspicious behavior based on what the machine learning algorithms deem normal for that specific user.

From Adam Maxwell’s timeline, you can select the reported Ransomware Activity Suspected (Files Updated) risk indicator. The reason for the event is displayed on the screen along with details such as the name of the file and the location of the file.

To view the Ransomware activity suspected (Files Updated) risk indicator, navigate to Security > Users, and select the user. From the user’s risk timeline, select the Ransomware activity suspected (Files Updated) risk indicator that is triggered for the user.

  • In the WHAT HAPPENED section, you can view the summary of the Ransomware activity suspected event. You can view the number of files that were updated in a suspicious manner, and the time the event occurred.

  • In the EVENT DETAILS – FILE OPERATIONS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

    • Time. The time the file was updated.

    • File name. The name of the file.

    • Path. The path where the file is located.


Similarly, you can select the reported Ransomware activity suspected (Files Replaced) risk indicator. You can view the details of this event such as:

  • The reason the risk indicator is triggered.

  • The number of files that were deleted and replaced with a new version.


  • The time the event (files being replaced) occurred.

  • The name of the files.

  • The location of the files.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

  • Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all the links associated with that indicator.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Unusual authentication failures

Citrix Analytics detects access threats based on authentication activities from unusual IP addresses.

The Unusual authentication failures risk indicator is triggered when a user makes failed logon attempts from an IP address that is considered unusual based on the user’s historical access pattern. By identifying users with unusual authentication failures, based on previous behavior, administrators can monitor the user’s account for brute force attacks.

The risk factor associated with the Unusual authentication failure risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Unusual authentication failures risk indicator triggered?

You are notified when a user in your organization has multiple failed logon attempts that are contrary to their usual behavior.

The Unusual authentication failures risk indicator is triggered when a user repeatedly attempts to log on to the Content Collaboration service. When this behavior is detected, Citrix Analytics increases the risk score of the respective user. The Unusual authentication failures risk indicator is added to the user’s risk timeline.

How to analyze the Unusual authentication failures risk indicator?

Consider the user Maria Brown, who tried multiple times to log on to Content Collaboration. By this action, Maria Brown triggered the machine learning algorithm that detected unusual behavior. From Maria’s timeline, you can select the reported Unusual authentication failures risk indicator. The reason for the event and the event details are displayed on the screen.

To view the Unusual authentication failures risk indicator, navigate to Security > Users, and select the user.


  • In the WHAT HAPPENED section, you can view a summary of the unusual authentication failures event. You can view the number of unsuccessful logons that occurred during a specific time period.


  • In the UNUSUAL AUTHENTICATION FAILURE- EVENT DETAILS section, you can view the timeline of the events and their details. The table provides the following key information:

    • Event time. The time of each logon attempt.

    • Client IP. The IP address of the user’s network.

    • Location. The location of the user device.

    • Tool name. The tool or application used to share the files.

    • OS. The operating system of the user device.


  • In the AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS section, the table provides the following information about the previous 30-days of authentication activity for the user:

    • Subnet – The IP address from the user network.

    • Success – The total number of successful authentication events and the time of the most recent success event for the user.

    • Failure – The total number of failed authentication events and the time of the most recent failed event for the user.

    • Location – The location from where the authentication event has occurred.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their Content Collaboration account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.
