Citrix Gateway risk indicators

Access from an unusual location

Citrix Analytics detects access-based threats based on unusual sign-ins to the network and triggers the corresponding risk indicator.

When is the Access from an unusual location risk indicator triggered?

You can be notified when a user in your organization signs in from an unusual location, contrary to their usual behavior.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The Access from an unusual location risk indicator is added to the user’s risk timeline.

How to analyze the Access from an unusual location risk indicator?

Consider the user Georgina Kalou, who signed in from the United Kingdom when she has only ever signed in from Beijing, China. Citrix Gateway reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Access from an unusual location risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Access from an unusual location risk indicator. The reason for the event is displayed along with details such as time of the event, sign-in location, and so on.


  • WHAT HAPPENED: Provides a brief summary that includes the number of sign-in attempts, the unusual location, and the time of the event.

  • SIGN IN locations: Displays a geographical map view of the user’s usual and unusual sign-in locations. The usual location data covers the last 30 days. You can hover over the pointers on the map to view the exact details of each location.

  • Usual location – Last 30 days: Displays a pie chart of the last six usual locations from which the user signed in during the last 30 days.

  • Unusual location event details: Provides a timeline visualization of the unusual sign-in event that occurred for the user. The accompanying table provides the following information about the unusual sign-in event:

    • Date and time – Date and time of the unusual sign-in event.
    • Client IP – IP address of the client device.
    • Device OS – Operating system of the device from which the user signed in at the unusual location.
    • Device browser – Web browser from which the user signed in to the application.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

EPA scan failures

Citrix Analytics detects user access-based threats based on EPA scan failure activity and triggers the corresponding risk indicator.

When is the EPA scan failures risk indicator triggered?

The EPA scan failures risk indicator is reported when a user tries to access the network using a device that has failed Citrix Gateway’s End Point Analysis (EPA) scan policies for pre-authentication or post-authentication.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many EPA scan failures. When Citrix Analytics determines excessive EPA scan failures for a user, it updates the user’s risk score and adds an EPA scan failures risk indicator entry to the user’s risk timeline.

How to analyze the EPA scan failures risk indicator?

Consider the user Lemuel Kildow, who recently tried multiple times to access the network using a device that has failed Citrix Gateway’s EPA scan. Citrix Gateway reports this failure to Citrix Analytics, which assigns an updated risk score to Lemuel Kildow. The EPA scan failure risk indicator is added to Lemuel Kildow’s risk timeline.

To view the EPA scan failure entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest EPA scan failures risk indicator reported for the user. When you select an EPA scan failure risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.


  • The WHAT HAPPENED section provides a brief summary of the EPA scan failures risk indicator, including the number of post-logon EPA scan failures reported during the selected period.


  • The EVENT DETAILS – SCAN FAILURES section includes a timeline visualization of the individual EPA scan failure events that occurred during the selected time period. It also includes a table that provides the following key information about each event:

    • Time. The time the EPA scan failure occurred.

    • Client IP. The IP address of the client that caused the EPA scan failure.

    • Gateway IP. The IP address of Citrix Gateway that reported the EPA scan failure.

    • FQDN. The FQDN of Citrix Gateway.

    • Event description. Brief description of the reason for EPA scan failure.

    • Policy name. The EPA scan policy name configured on the Citrix Gateway.

    • Security expression. The security expression configured on the Citrix Gateway.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive authentication failures

Citrix Analytics detects user access-based threats based on Excessive authentication failures and triggers the corresponding risk indicator.

When is the Excessive authentication failures risk indicator triggered?

The Excessive authentication failures risk indicator is reported when the user encounters multiple Citrix Gateway authentication failures within a given period. The Citrix Gateway authentication failures can be primary, secondary, or tertiary authentication failures, depending on whether multifactor authentication is configured for the user.

Citrix Gateway detects all the user authentication failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authentication failures. When Citrix Analytics determines excessive authentication failures, it updates the user’s risk score. The Excessive authentication failures risk indicator is added to the user’s risk timeline.

How to analyze the Excessive authentication failures risk indicator?

Consider the user Lemuel Kildow, who recently failed multiple attempts to authenticate to the network. Citrix Gateway reports these failures to Citrix Analytics, and an updated risk score is assigned to Lemuel Kildow. The Excessive authentication failures risk indicator is added to Lemuel Kildow’s risk timeline.

To view the Excessive authentication failures risk indicator entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest Excessive authentication failures risk indicator reported for the user. When you select the Excessive authentication failures risk indicator entry from the risk timeline, a corresponding detailed information panel appears in the right pane.


  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authentication failures that occurred during the selected period.


  • The EVENT DETAILS section includes a timeline visualization of the individual authentication failure events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the logon failure occurred.

    • Error count. The number of authentication failures detected for the user at the time of the event and for the previous 48 hours.

    • Event description. Brief description of the reason for the logon failure.

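The rolling 48-hour Error count described above, as an added example that is not Citrix code: it counts a user’s Citrix Gateway authentication failures at an event time and for the preceding 48 hours, and reports the first event at which the count reaches a threshold. The events, user names and the threshold value are constructed assumptions; the page states no threshold.

```python
from datetime import datetime, timedelta

# Constructed Citrix Gateway authentication-failure events: (user, timestamp, factor).
FAILURES = [
    ("lkildow", datetime(2024, 5, 27, 9, 0), "primary"),
    ("lkildow", datetime(2024, 5, 28, 8, 10), "primary"),
    ("lkildow", datetime(2024, 5, 28, 8, 12), "secondary"),
    ("lkildow", datetime(2024, 5, 28, 8, 13), "primary"),
    ("lkildow", datetime(2024, 5, 28, 8, 15), "primary"),
    ("gkalou", datetime(2024, 5, 28, 8, 20), "primary"),
]

WINDOW = timedelta(hours=48)   # the page's "previous 48 hours" for Error count


def error_count(events, user, at):
    """Failures for `user` at time `at` and during the preceding 48 hours.
    The window is half-open: an event exactly 48 hours old is no longer counted."""
    return sum(1 for u, t, _ in events if u == user and at - WINDOW < t <= at)


def excessive_failures(events, user, threshold):
    """Walk the user's failures in time order and return the first event whose
    48-hour error count reaches `threshold` as (time, count, description),
    or None if the user never reaches it. `threshold` is an assumed value."""
    for u, t, factor in sorted(events, key=lambda e: e[1]):
        if u != user:
            continue
        count = error_count(events, user, t)
        if count >= threshold:
            description = f"{factor} authentication failed; {count} failures in 48 hours"
            return (t, count, description)
    return None


if __name__ == "__main__":
    # Constructed threshold of 4 failures; the page does not publish Citrix's own value.
    print(excessive_failures(FAILURES, "lkildow", 4))
```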

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive authorization failures

Citrix Analytics detects user access-based threats based on excessive authorization failures and triggers the corresponding risk indicator.

When is the Excessive authorization failures risk indicator triggered?

The Excessive authorization failures risk indicator is reported in Citrix Analytics when a user in your enterprise attempts to access a resource without sufficient permissions.

When the user is authenticated, Citrix Gateway performs a group authorization check based on the authorization policy and expressions configured for the user. Citrix Gateway collects the user’s group information from an LDAP, RADIUS, or TACACS+ server.

Citrix Gateway detects the authorization failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authorization failures. When Citrix Analytics detects excessive authorization failures for a user, it updates the user’s risk score. The Excessive authorization failures risk indicator is added to the user’s risk timeline.

How to analyze the Excessive authorization failures risk indicator?

Consider the user Georgina Kalou, who recently tried multiple times to access an unauthorized resource in the network. Citrix Gateway reports these events to Citrix Analytics, and an updated risk score is assigned to Georgina Kalou. The Excessive authorization failures risk indicator is added to Georgina Kalou’s risk timeline.

To view the Excessive authorization failures entry for a user, navigate to Security > Users, and select the user. From Georgina Kalou’s risk timeline, you can select the latest Excessive authorization failures risk indicator reported for the user. When you select the Excessive authorization failures risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.


  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authorization failures that occurred during the selected period.


  • The EVENT DETAILS – AUTHORIZATION FAILURES section includes a timeline visualization of the individual authorization failure events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the authorization failure occurred.

    • Client IP. The IP address of the client that has caused the authorization failure.

    • Gateway IP. The IP address of Citrix Gateway that reported the authorization failure.

    • FQDN. The FQDN of the Citrix Gateway.

    • App name. The application that the user used to access the resource.

    • VPN session. The type of VPN session established.

    • Event description. Brief description of the reason for authorization failure.

    • Nth factor. Brief description of the reason for authorization failure.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

First time access from new IP

Citrix Analytics detects user access threats based on first-time access from a new IP address and triggers the corresponding risk indicator.

The First time access from new IP risk indicator is triggered when a Citrix Receiver user signs in from an IP address that the user has not used for at least 90 days, that is, Citrix Receiver has no sign-in records for the user from this IP address during the last 90 days.

When is the First time access from new IP risk indicator triggered?

The First time access from new IP risk indicator is reported when a user signs in from an IP address with no sign-in records for that user in the last 90 days. When Citrix Receiver detects this behavior, Citrix Analytics receives the event and assigns a risk score to the respective user. The First time access from new IP risk indicator is added to the user’s risk timeline.

How to analyze the First time access from new IP risk indicator?

Consider the user Adam Maxwell, who is signed in to a session through Citrix Receiver from an IP address that the user has not used for at least 90 days. From Adam Maxwell’s timeline, you can select the reported First time access from new IP risk indicator. The reason for the First time access from new IP alert is displayed along with details such as the event time, IP address, and so on.


To view the First time access from new IP risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view a summary of the First time access from new IP event: the number of sign-in instances that occurred from the new IP address and the time the event occurred.


  • In the EVENT DETAILS section, the access events from the new IP address appear in graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about each event:

    • Time. The time the sign-in instance occurred.

    • Client IP. The IP address of the device that is used for sign-in.

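The two baseline checks this page describes, Access from an unusual location (the usual locations of the last 30 days) and First time access from new IP (no sign-in from the IP in the last 90 days), as one added example that is not Citrix code and does not reproduce how Citrix Analytics scores events. The sign-in history, user names, dates and IP addresses are constructed; a user with no 30-day baseline is assumed not to be flagged for an unusual location.

```python
from datetime import date, timedelta

# Constructed sign-in history reported by the gateway: (user, date, client_ip, country).
HISTORY = [
    ("gkalou", date(2024, 5, 1), "203.0.113.7", "CN"),
    ("gkalou", date(2024, 5, 12), "203.0.113.7", "CN"),
    ("gkalou", date(2024, 5, 20), "203.0.113.9", "CN"),
    ("amaxwell", date(2024, 1, 15), "198.51.100.4", "US"),   # more than 90 days old
    ("amaxwell", date(2024, 5, 25), "198.51.100.5", "US"),
]


def usual_locations(history, user, as_of, days=30):
    """Countries the user signed in from during the `days` before `as_of`."""
    since = as_of - timedelta(days=days)
    return {c for u, d, _, c in history if u == user and since <= d < as_of}


def is_unusual_location(history, user, as_of, country):
    """Access from an unusual location: the country is absent from the 30-day
    baseline. With no baseline at all there is nothing to be contrary to, so
    this assumed rule does not flag a brand-new user."""
    baseline = usual_locations(history, user, as_of)
    return bool(baseline) and country not in baseline


def is_new_ip(history, user, as_of, client_ip, days=90):
    """First time access from new IP: no sign-in record for this user from
    this IP address in the last `days` days."""
    since = as_of - timedelta(days=days)
    return not any(u == user and ip == client_ip and since <= d < as_of
                   for u, d, ip, _ in history)


def evaluate(history, user, as_of, client_ip, country):
    """Return the names of the risk indicators one sign-in event would raise."""
    flags = []
    if is_unusual_location(history, user, as_of, country):
        flags.append("Access from unusual location")
    if is_new_ip(history, user, as_of, client_ip):
        flags.append("First time access from new IP")
    return flags


if __name__ == "__main__":
    # Georgina's sign-in from the United Kingdom, from an IP she used this month.
    print(evaluate(HISTORY, "gkalou", date(2024, 5, 28), "203.0.113.7", "GB"))
    # Adam's sign-in from an IP last used in January.
    print(evaluate(HISTORY, "amaxwell", date(2024, 5, 28), "198.51.100.4", "US"))
```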

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Logon from suspicious IP

Citrix Analytics detects user access threats based on suspicious sign-in activity and triggers the corresponding risk indicator.

When is the Logon from suspicious IP risk indicator triggered?

The Logon from suspicious IP risk indicator is reported when a user attempts to access the network from an IP address that Citrix Gateway identifies as suspicious. The IP address is considered suspicious based on any of the following conditions:

  • Is listed on the external IP threat intelligence feed

  • Has multiple user sign-in records from an unusual location

  • Has excessive failed sign-in attempts that might indicate a brute-force attack

Citrix Gateway detects this event and reports it to Citrix Analytics. Citrix Analytics monitors these events to detect whether the user has had too many sign-in attempts from suspicious IP addresses. When Citrix Analytics determines suspicious IP sign-in attempts for a user, it updates the user’s risk score and adds a Logon from suspicious IP risk indicator entry to the user’s risk timeline.

How to analyze the Logon from suspicious IP risk indicator?

Consider the user Lemuel Kildow, who attempted to access the network from an IP address that Citrix Gateway identifies as suspicious. Citrix Gateway reports this event to Citrix Analytics, which assigns an updated risk score to Lemuel Kildow. The Logon from suspicious IP risk indicator is added to Lemuel Kildow’s risk timeline.


To view the Logon from suspicious IP risk indicator reported for a user, navigate to Security > Users, and select the user. From Lemuel Kildow’s risk timeline, you can select the latest Logon from suspicious IP risk indicator reported for the user. When you select the Logon from suspicious IP risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the Logon from suspicious IP risk indicator, including the number of sign-ins from a suspicious IP address reported during the selected period.


  • The EVENT DETAILS section includes a timeline visualization of the individual sign-in attempts that occurred during the selected time period. It also includes a table that provides the following key information about each event:

    • Time. The time the sign-in instance occurred.

    • Client IP. The IP address of the device that was used for sign-in.

    • Location. The location from which the suspicious sign-in attempt was made.

    • BRUTE FORCE. Indicates that a brute-force behavior has been detected.

    • EXTERNAL THREAT. Indicates that the IP address is on the external IP threat intelligence feed.

    • UNUSUAL GEO ACCESS. Indicates that access from an unusual geo location has been detected.

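The three conditions that make an IP address suspicious, mapped to the BRUTE FORCE, EXTERNAL THREAT and UNUSUAL GEO ACCESS flags above, as an added example that is not Citrix code. The threat feed contents, sign-in records, per-user usual countries and the two thresholds are constructed assumptions; the page names the conditions but publishes no numbers.

```python
# Constructed external IP threat intelligence feed (the page names the feed, not its contents).
THREAT_FEED = {"192.0.2.66"}

# Constructed sign-in records reported by Citrix Gateway: (user, client_ip, country, success).
EVENTS = [
    ("lkildow", "192.0.2.66", "CN", True),
    ("gkalou", "198.51.100.10", "BR", True),
    ("amaxwell", "198.51.100.10", "BR", True),
    ("lkildow", "198.51.100.10", "BR", True),
    *[("guest%d" % i, "203.0.113.250", "US", False) for i in range(12)],
]

# Constructed per-user usual countries; a country outside the set is unusual for that user.
USUAL = {"gkalou": {"CN"}, "amaxwell": {"US"}, "lkildow": {"CN"}}

BRUTE_FORCE_THRESHOLD = 10    # assumed number of failed sign-ins from one IP
UNUSUAL_USER_THRESHOLD = 2    # assumed meaning of "multiple user sign-in records"


def classify_ip(ip, events, feed, usual):
    """Return the set of flags that make `ip` suspicious; empty if it is not."""
    reasons = set()
    # Condition 1: listed on the external IP threat intelligence feed.
    if ip in feed:
        reasons.add("EXTERNAL THREAT")
    # Condition 3: excessive failed sign-in attempts from the IP, across all users.
    failures = sum(1 for _, e_ip, _, ok in events if e_ip == ip and not ok)
    if failures >= BRUTE_FORCE_THRESHOLD:
        reasons.add("BRUTE FORCE")
    # Condition 2: several distinct users signed in from the IP at a country that is
    # unusual for them. Users without a baseline are skipped rather than assumed unusual.
    unusual_users = {u for u, e_ip, c, _ in events
                     if e_ip == ip and u in usual and c not in usual[u]}
    if len(unusual_users) >= UNUSUAL_USER_THRESHOLD:
        reasons.add("UNUSUAL GEO ACCESS")
    return reasons


def suspicious_logons(events, feed, usual):
    """Logon from suspicious IP: successful sign-ins from any IP with at least one flag,
    as (user, client_ip, sorted flags), in event order."""
    hits = []
    for u, ip, _, ok in events:
        reasons = classify_ip(ip, events, feed, usual)
        if ok and reasons:
            hits.append((u, ip, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_logons(EVENTS, THREAT_FEED, USUAL):
        print(hit)
```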

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.