Citrix Analytics for Security

Citrix Gateway risk indicators

Access from an unusual location

Citrix Analytics detects access-based threats based on unusual sign-ins to the network and triggers the corresponding risk indicator.

The risk factor associated with the Access from an unusual location risk indicator is the Location-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Access from an unusual location risk indicator triggered?

You get notified when a user in your organization signs in from an unusual location. The location is determined from the IP address of the user’s device. Citrix Gateway detects these user events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The risk indicator is triggered when the user signs in from an IP address associated with a new country, or with a new city that is anomalously far from any previous sign-in location. Other factors include the user’s overall level of mobility and the relative frequency of sign-ins from that city across all users in your organization. In all cases, the user’s location history is based on the previous 30 days of sign-in activity.
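The rule described above, as an added example that is not Citrix code: a simplified detector that keeps a 30-day sign-in history per user, flags a new country outright, and flags a new city only when it is far from every previous location and not already common across the organization. The 500 km cut-off, the 10% "common city" share, the event layout and the sample data are assumptions; the page does not publish Citrix's thresholds.

```python
# Added example, not Citrix code: a simplified model of the
# "Access from an unusual location" rule. From the page: the 30-day history,
# the new-country / far-away-new-city conditions, and the organization-wide
# frequency factor. Assumed (not from the page): the 500 km cut-off, the 10%
# "common city" share, the event layout, and that geo-IP lookup is already done.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

HISTORY_DAYS = 30         # page: history is the previous 30 days
FAR_CITY_KM = 500.0       # assumed: "anomalously far" threshold
COMMON_CITY_SHARE = 0.10  # assumed: share of org sign-ins that makes a city ordinary
NOW = datetime(2024, 3, 22, 10, 0)  # constructed: time of the sign-in under test


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    client_ip: str
    country: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def in_window(events: list[SignIn], at: datetime) -> list[SignIn]:
    """Events in the 30 days before `at` (strictly earlier than the event under test)."""
    start = at - timedelta(days=HISTORY_DAYS)
    return [e for e in events if start <= e.when < at]


def usual_locations(history: list[SignIn], user: str, at: datetime, top: int = 6) -> list[tuple[str, int]]:
    """Top sign-in cities for the user over the last 30 days (the pie-chart data)."""
    counts = Counter(f"{e.city}, {e.country}" for e in in_window(history, at) if e.user == user)
    return counts.most_common(top)


def unusual_location(event: SignIn, history: list[SignIn]) -> Optional[str]:
    """Return why the sign-in is unusual for this user, or None if it is not.

    `history` is the organization-wide sign-in log: the user's own rows give the
    baseline, and all rows give the city's organization-wide frequency.
    """
    recent = in_window(history, event.when)
    own = [e for e in recent if e.user == event.user]
    if not own:
        return None  # no baseline yet: nothing to compare against
    if event.country not in {e.country for e in own}:
        return f"first sign-in from country {event.country}"
    if event.city in {e.city for e in own}:
        return None
    nearest_km = min(haversine_km(event.lat, event.lon, e.lat, e.lon) for e in own)
    if nearest_km <= FAR_CITY_KM:
        return None  # new city, but close to somewhere the user already signs in from
    org_share = sum(e.city == event.city for e in recent) / len(recent)
    if org_share >= COMMON_CITY_SHARE:
        return None  # many colleagues sign in from here, so it is ordinary for the org
    return f"first sign-in from {event.city}, {nearest_km:.0f} km from any previous location"


def sample_history() -> list[SignIn]:
    """Constructed sample data: Georgina signs in from Beijing daily for 20 days."""
    start = datetime(2024, 3, 1, 8, 0)
    return [SignIn("georgina.kalou", start + timedelta(days=d), "198.51.100.10",
                   "China", "Beijing", 39.9042, 116.4074) for d in range(20)]
```

With the constructed history, a first sign-in from London is flagged as a new country, a sign-in from Tianjin (about 100 km from Beijing) is not flagged, and a sign-in from Guangzhou (about 1,900 km away) is flagged as a far-away new city. A user with no history in the window gets no indicator, which is the same cold-start gap a real baseline has.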

The Access from an unusual location risk indicator is added to the user’s risk timeline.

How to analyze the Access from an unusual location risk indicator?

Consider the user Georgina Kalou, who signs in from the United Kingdom for the first time. Her usual sign-in location is Beijing, China. Citrix Gateway reports this user event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Access from an unusual location risk indicator is triggered and added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Access from an unusual location risk indicator. The reason for the event is displayed along with details such as the time of the event and the sign-in location.

Access from unusual location

  • WHAT HAPPENED: Provides a brief summary that includes the number of sign-in attempts, unusual location, and time of event.


  • SIGN IN locations: Displays a geographical map view of the usual and the unusual sign-in locations of the user. The usual location data is for the last 30 days. You can hover over the pointers on the map to view the exact details of each location.


  • Usual location – Last 30 days: Displays a pie chart of the last six usual sign-in locations from which the user signed in during the last 30 days.


  • Unusual location event details: Provides a timeline visualization of the unusual sign-in event that occurred for the user. Also, this table provides the following information about the unusual sign-in event:

    • Date and time – Date and time of the unusual sign-in location event.

    • Client IP – IP address of the client device.

    • Device OS – Operating system of the device from which the user signed in at the unusual location.

    • Device browser – Web browser from which the user signed in to the application.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

End Point Analysis (EPA) scan failures

Citrix Analytics detects user access-based threats based on EPA scan failure activity and triggers the corresponding risk indicator.

The risk factor associated with the End Point Analysis scan failure risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the EPA scan failures risk indicator triggered?

The EPA scan failure risk indicator is reported when a user tries to access the network using a device that has failed Citrix Gateway’s End Point Analysis (EPA) scan policies for pre-authentication or post-authentication.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many EPA scan failures. When Citrix Analytics determines excessive EPA scan failures for a user, it updates the user’s risk score and adds an EPA scan failure risk indicator entry to the user’s risk timeline.

How to analyze the EPA scan failures risk indicator?

Consider the user Lemuel Kildow, who recently tried multiple times to access the network using a device that has failed Citrix Gateway’s EPA scan. Citrix Gateway reports these failures to Citrix Analytics, which assigns an updated risk score to Lemuel Kildow. The EPA scan failure risk indicator is added to his risk timeline.

To view the EPA scan failure entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest EPA scan failures risk indicator reported for the user. When you select an EPA scan failure risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

EPA scan failures

  • The WHAT HAPPENED section provides a brief summary of the EPA scan failure risk indicator, including the number of post-logon EPA scan failures reported during the selected period.

    EPA scan failures what happened

  • The EVENT DETAILS – SCAN FAILURES section includes a timeline visualization of the individual EPA scan failure events that occurred during the selected time period. Also, it includes a table that provides the following key information about each event:

    • Time. The time the EPA scan failure occurred.

    • Client IP. The IP address of the client device that failed the EPA scan.

    • Gateway IP. The IP address of Citrix Gateway that reported the EPA scan failure.

    • FQDN. The FQDN of Citrix Gateway.

    • Event description. Brief description of the reason for EPA scan failure.

    • Policy name. The EPA scan policy name configured on the Citrix Gateway.

    • Security expression. The security expression configured on the Citrix Gateway.

      EPA scan failure event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive authentication failures

Citrix Analytics detects user access-based threats based on Excessive authentication failures and triggers the corresponding risk indicator.

The risk factor associated with the Excessive authentication failures risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Excessive authentication failures risk indicator triggered?

The Excessive authentication failures risk indicator is reported when the user encounters multiple Citrix Gateway authentication failures within a given period. The Citrix Gateway authentication failures can be primary, secondary, or tertiary authentication failures, depending on whether multifactor authentication is configured for the user.

Citrix Gateway detects all the user authentication failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authentication failures. When Citrix Analytics determines excessive authentication failures, it updates the user’s risk score. The Excessive authentication failures risk indicator is added to the user’s risk timeline.

How to analyze the Excessive authentication failures risk indicator?

Consider the user Lemuel Kildow, who recently failed multiple attempts to authenticate to Citrix Gateway. Citrix Gateway reports these failures to Citrix Analytics, and an updated risk score is assigned to Lemuel Kildow. The Excessive authentication failures risk indicator is added to his risk timeline.

To view the Excessive authentication failures risk indicator entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest Excessive authentication failures risk indicator reported for the user. When you select the Excessive authentication failures risk indicator entry from the risk timeline, a corresponding detailed information panel appears in the right pane.

Excessive authentication failures

  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authentication failures that occurred during the selected period.

    Excessive authentication failures what happened

  • The EVENT DETAILS section includes a timeline visualization of the individual authentication failure events that occurred during the selected time period. Also, you can view the following key information about each event:

    • Time. The time the logon failure occurred.

    • Error count. The number of authentication failures detected for the user at the time of the event and for the previous 48 hours.

    • Event description. Brief description of the reason for the logon failure.

      Excessive authentication failures event details

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Logon from suspicious IP

Citrix Analytics detects user access threats based on the sign-in activity from a suspicious IP and triggers this risk indicator.

The risk factor associated with the Logon from suspicious IP risk indicator is the IP-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Logon from suspicious IP risk indicator triggered?

The Logon from suspicious IP risk indicator is triggered when a user attempts to access the network from an IP address that Citrix Analytics identifies as suspicious. The IP address is considered suspicious based on one of the following conditions:

  • Is listed on the external IP threat intelligence feed

  • Has multiple user sign-in records from an unusual location

  • Has excessive failed sign-in attempts that might indicate a brute-force attack

Citrix Analytics monitors the sign-in events received from Citrix Gateway and detects whether a user has signed in from any suspicious IP. When Citrix Analytics detects a sign-in attempt from a suspicious IP, it updates the user’s risk score and adds a Logon from suspicious IP risk indicator entry to the user’s risk timeline.
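The two counting rules described on this page, Excessive authentication failures (per user, over the 48-hour window the Error count field mentions) and Logon from suspicious IP (per source IP, using the three conditions listed above), as one added example that is not Citrix code. The 48-hour window and the feed score cut-off of 80 come from the page; the numeric thresholds, the event layout, the threat-feed dictionary and the sample log are assumptions.

```python
# Added example, not Citrix code: toy versions of two rules on this page,
# "Excessive authentication failures" (per user) and "Logon from suspicious IP"
# (per source IP), run over a constructed gateway event log.
# From the page: the 48-hour failure window, the three suspicious-IP conditions,
# and the feed score cut-off of 80. Assumed: the numeric thresholds, the event
# layout, and the threat-feed dictionary.
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)     # page: failures counted over the previous 48 hours
USER_FAILURE_THRESHOLD = 5       # assumed: per-user failures that count as "excessive"
IP_BRUTE_FORCE_THRESHOLD = 10    # assumed: failures from one IP, across all users
IP_MULTI_USER_THRESHOLD = 2      # assumed: distinct users with unusual-location sign-ins
FEED_HIGH_RISK_SCORE = 80        # page: community-intelligence risk scores start at 80
T0 = datetime(2024, 3, 4, 9, 0)  # constructed: start of the sample log


def t(hours: int = 0, minutes: int = 0) -> datetime:
    """Timestamp relative to T0 (keeps the sample data readable)."""
    return T0 + timedelta(hours=hours, minutes=minutes)


@dataclass(frozen=True)
class GatewayEvent:
    when: datetime
    user: str
    client_ip: str
    success: bool
    unusual_location: bool = False   # assumed: output of the location rule, precomputed


def failures_in_window(events, at, *, user=None, client_ip=None) -> int:
    """Failed sign-ins in (at - 48 h, at], optionally filtered by user and/or source IP."""
    start = at - WINDOW
    return sum(1 for e in events
               if not e.success and start < e.when <= at
               and (user is None or e.user == user)
               and (client_ip is None or e.client_ip == client_ip))


def excessive_failures(events, user, at) -> tuple[bool, int]:
    """(triggered?, error count) for the 'Excessive authentication failures' rule."""
    n = failures_in_window(events, at, user=user)
    return n >= USER_FAILURE_THRESHOLD, n


def suspicious_ip_reasons(events, client_ip, at, threat_feed) -> list[str]:
    """The page's three conditions as human-readable reasons (empty list = not suspicious)."""
    reasons = []
    feed = threat_feed.get(client_ip)
    if feed is not None and feed["score"] >= FEED_HIGH_RISK_SCORE:
        reasons.append(f"threat feed score {feed['score']}: {', '.join(feed['categories'])}")
    n_fail = failures_in_window(events, at, client_ip=client_ip)
    if n_fail >= IP_BRUTE_FORCE_THRESHOLD:
        reasons.append(f"{n_fail} failed sign-ins from this IP in 48 h (possible brute force)")
    start = at - WINDOW
    users = {e.user for e in events
             if e.client_ip == client_ip and e.success and e.unusual_location
             and start < e.when <= at}
    if len(users) >= IP_MULTI_USER_THRESHOLD:
        reasons.append(f"{len(users)} users signed in from this IP at a location unusual for them")
    return reasons


def sample_events() -> list[GatewayEvent]:
    """Constructed sample log: one user who mistypes a password, and one attacking IP."""
    ev = [GatewayEvent(T0 - timedelta(days=3), "lemuel.kildow", "198.51.100.7", False)]  # outside window
    ev += [GatewayEvent(t(minutes=i), "lemuel.kildow", "198.51.100.7", False) for i in range(6)]
    ev.append(GatewayEvent(t(minutes=10), "lemuel.kildow", "198.51.100.7", True))
    for j, u in enumerate(("alice", "bob", "carol")):        # password spraying from one IP
        ev += [GatewayEvent(t(1, j * 10 + k), u, "203.0.113.9", False) for k in range(4)]
    ev.append(GatewayEvent(t(2, 0), "alice", "203.0.113.9", True, unusual_location=True))
    ev.append(GatewayEvent(t(2, 5), "bob", "203.0.113.9", True, unusual_location=True))
    return ev


SAMPLE_FEED = {"203.0.113.9": {"score": 92, "categories": ["scanner", "botnet"]}}  # constructed
```

Run over the constructed log, Lemuel's six failures in ten minutes trip the per-user rule while his source IP stays clean (six failures is under the per-IP limit and the IP is not in the feed), whereas 203.0.113.9 matches all three suspicious-IP conditions even though no single spray victim individually crosses the per-user threshold. Keeping the per-user and per-IP counts separate is what lets a low-and-slow spray surface at the IP level.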

How to analyze the Logon from suspicious IP risk Indicator?

Consider the user Lemuel Kildow, who attempted to access the network from an IP address that Citrix Analytics identifies as suspicious. Citrix Gateway reports the sign-in event to Citrix Analytics, which assigns an updated risk score to Lemuel Kildow. The Logon from suspicious IP risk indicator is added to his risk timeline.

Logon from suspicious IP

To view the Logon from suspicious IP risk indicator reported for a user, navigate to Security > Users, and select the user. From Lemuel Kildow’s risk timeline, you can select the latest Logon from suspicious IP risk indicator reported for the user. When you select the Logon from suspicious IP risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the Logon from suspicious IP risk indicator, including the number of sign-ins from a suspicious IP address reported during the selected period.

  • The Suspicious IP section provides the following information:

    Suspicious IP section

    • Suspicious IP. The IP address associated with a suspicious sign-in activity.

    • Location. The city, region, and country associated with the IP address. These are displayed based on the availability of data.

    • Potential organization level risk. Indicates any patterns of suspicious IP activity that Citrix Analytics has recently detected in your organization. The risky patterns include excessive login failures consistent with potential brute force attempts and unusual access by multiple users.

      If no risky pattern is detected for an IP address in your organization, you see the following message.

      No risky pattern

    • Community intelligence. Provides the threat score and the threat categories of an IP address that is identified as high risk in the external IP threat intelligence feed. Citrix Analytics assigns a risk score to the high risk IP address. The risk score starts from 80.

      If an IP address does not have any threat intelligence available on the external IP threat intelligence feed, you see the following message.

      No intelligence feed

  • The EVENT DETAILS section provides the following information about the suspicious sign-in activity:


    • Time. The time of the suspicious sign-in activity.

    • Client IP. The IP address of the user’s device that was used for the suspicious sign-in activity.

    • Device OS. The operating system of the user’s device.

    • Device Browser. The web browser used for the suspicious sign-in activity.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Unusual authentication failure

Citrix Analytics detects access-based threats when a user has logon failures from an unusual IP address and triggers the corresponding risk indicator.

The risk factor associated with the Unusual authentication failure risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the unusual authentication failure indicator triggered?

You get notified when a user in your organization has logon failures from an unusual IP address, that is, one that is contrary to their usual sign-in behavior.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The Unusual Authentication Failure risk indicator is added to the user’s risk timeline.
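The rule described above, as an added example that is not Citrix code: the user's previous 30 days of authentication events are grouped per subnet into the same Subnet / Success / Failure / Location rows that the USER AUTHENTICATION ACTIVITY table in this section shows, and a failed logon from a subnet with no history for that user is flagged with the Logon time / Client IP / Location / Failure reason fields. Grouping client IPs by /24 (or /64 for IPv6), the event layout and the sample data are assumptions; the 30-day window and the scenario come from the page.

```python
# Added example, not Citrix code: a simplified model of the "Unusual
# authentication failure" rule and of the 30-day per-subnet activity table
# described in this section. From the page: the 30-day history and the table
# columns. Assumed: grouping client IPs by /24 (IPv4) or /64 (IPv6), the event
# layout, and the constructed sample data.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HISTORY_DAYS = 30                 # page: previous 30 days of authentication activity
AT = datetime(2024, 3, 4, 2, 0)   # constructed: time of the attack in the scenario


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    user: str
    client_ip: str
    success: bool
    location: str
    failure_reason: str = ""


def subnet_of(ip: str) -> str:
    """Assumed grouping: /24 for IPv4, /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def activity_by_subnet(history: list[AuthEvent], user: str, at: datetime) -> dict[str, dict]:
    """USER AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS: one row per subnet."""
    start = at - timedelta(days=HISTORY_DAYS)
    table: dict[str, dict] = {}
    for e in sorted(history, key=lambda e: e.when):
        if e.user != user or not (start <= e.when < at):
            continue
        row = table.setdefault(subnet_of(e.client_ip), {
            "success": 0, "last_success": None, "failure": 0, "last_failure": None,
            "location": e.location})
        if e.success:
            row["success"] += 1
            row["last_success"] = e.when      # ascending order, so this ends as the most recent
        else:
            row["failure"] += 1
            row["last_failure"] = e.when
    return table


def unusual_failure(event: AuthEvent, history: list[AuthEvent]) -> Optional[dict]:
    """Flag a failed logon from a subnet with no activity for this user in 30 days.

    Returns the UNUSUAL AUTHENTICATION DETAILS row, or None.
    """
    if event.success:
        return None
    table = activity_by_subnet(history, event.user, event.when)
    if not table or subnet_of(event.client_ip) in table:
        return None   # either no baseline yet, or a network the user already uses
    return {"logon_time": event.when, "client_ip": event.client_ip,
            "location": event.location, "failure_reason": event.failure_reason,
            "known_subnets": sorted(table)}


def sample_history() -> list[AuthEvent]:
    """Constructed: 10 days of office (09:00) and home (20:00) sign-ins, one mistyped password."""
    ev = []
    for d in range(1, 11):
        day = AT.replace(hour=0, minute=0) - timedelta(days=d)
        ev.append(AuthEvent(day + timedelta(hours=9), "georgina.kalou", "198.51.100.23", True, "Beijing, China"))
        ev.append(AuthEvent(day + timedelta(hours=20), "georgina.kalou", "192.0.2.40", True, "Beijing, China"))
    ev.append(AuthEvent(AT - timedelta(days=5, hours=3), "georgina.kalou", "192.0.2.40", False,
                        "Beijing, China", "Password incorrect"))
    return ev


def attack_events() -> list[AuthEvent]:
    """Constructed: password guessing against Georgina's account from an unfamiliar network."""
    return [AuthEvent(AT + timedelta(minutes=m), "georgina.kalou", "203.0.113.44", False,
                      "Unknown", "Password incorrect") for m in range(3)]
```

The one home-network failure in the baseline is deliberate: a mistyped password from a known subnet does not produce an indicator, while the same failure reason from 203.0.113.44 does, because that subnet has no rows in the user's 30-day table. A user with no history at all is not flagged either, so the rule only becomes useful once a baseline exists.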

How to analyze the unusual authentication failure indicator?

Consider the user Georgina Kalou, who routinely signs in to Citrix Gateway from her usual home and office networks. A remote attacker attempts to authenticate as Georgina by guessing passwords, resulting in authentication failures from an unfamiliar network.

In this scenario, Citrix Gateway reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Unusual Authentication Failure risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual Authentication Failure risk indicator. The reason for the event is displayed along with details such as the time of the event, and location.

Authentication failure

  • In the WHAT HAPPENED section, you can view the brief summary that includes the total number of authentication failures and time of event.

  • In the EVENT DETAILS – LOGON SUCCESS and FAILURES section, you can view a graph indicating the unusual authentication failures, along with any other logon activity detected during the same duration.

  • In the UNUSUAL AUTHENTICATION DETAILS section, the table provides the following information about the unusual authentication failures:

    • Logon time – The date and time of the event

    • Client IP – IP address of the user device

    • Location – The location from where the event has occurred

    • Failure reason – The reason for authentication failure

      Authentication failure details

  • In the USER AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS section, the table provides the following information about the previous 30-days of authentication activity for the user:

    • Subnet – The subnet of the user’s network from which the authentication events originated.

    • Success – The total number of successful authentication events and the time of the most recent success event for the user.

    • Failure – The total number of failed authentication events and the time of the most recent failed event for the user.

    • Location – The location from where the authentication event has occurred.

      Authentication activity

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators. You can also select the administrators who receive notification about the user activity.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.
