Citrix Virtual Apps and Desktops risk indicators

First time access from new device

Citrix Analytics detects access threats based on first time access from a new device and triggers the corresponding risk indicator.

The First time access from new device risk indicator is triggered when a Citrix Workspace user signs in from a device that they have not used for a minimum of 90 days. In other words, Citrix Receiver has no sign-in records for the user from this new or unfamiliar device for the last 90 days.

When is the First time access from new device risk indicator triggered?

The First time access from new device risk indicator is reported when a user signs in from a device that they have not used in the last 90 days.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The First time access from new device risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.
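
The 90-day rule described above can be reproduced over exported sign-in records to sanity-check alerts. The following is an added example, not Citrix code: the tuple layout, the `baseline_start` parameter, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # window stated on this page

# Constructed sample sign-ins (user, device ID, time); not real Citrix data.
SIGN_INS = [
    ("adam.maxwell", "dev-A", "2023-01-02T09:00:00"),
    ("adam.maxwell", "dev-A", "2023-03-20T09:05:00"),    # seen 77 days ago
    ("adam.maxwell", "dev-B", "2023-03-21T22:40:00"),    # never seen
    ("adam.maxwell", "dev-B", "2023-03-22T08:00:00"),    # seen the day before
    ("adam.maxwell", "dev-C", "2022-11-01T10:00:00"),
    ("adam.maxwell", "dev-C", "2023-04-15T10:00:00"),    # last seen over 90 days ago
    ("georgina.kalou", "dev-A", "2023-03-21T11:00:00"),  # device is new for this user
]


def find_new_device_sign_ins(events, lookback=LOOKBACK, baseline_start=None):
    """Return sign-ins where the (user, device) pair has no record in the lookback window.

    baseline_start (assumed parameter): sign-ins before this time only build
    history and are never flagged, so the start of data collection stays quiet.
    """
    last_seen = {}  # (user, device) -> time of most recent sign-in
    flagged = []
    parsed = sorted(
        ((user, device, datetime.fromisoformat(ts)) for user, device, ts in events),
        key=lambda e: e[2],
    )
    for user, device, ts in parsed:
        prev = last_seen.get((user, device))
        is_new = prev is None or ts - prev > lookback
        if is_new and (baseline_start is None or ts >= baseline_start):
            flagged.append((user, device, ts.isoformat()))
        last_seen[(user, device)] = ts
    return flagged


if __name__ == "__main__":
    for hit in find_new_device_sign_ins(SIGN_INS, baseline_start=datetime(2023, 3, 1)):
        print(hit)
```

History is keyed per user and device, so a device that is familiar for one user still counts as new for another.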

How to analyze the First time access from new device risk indicator?

Consider the user Adam Maxwell, who is signed in to a session through Citrix Receiver from a device that the user has not used for the last 90 days.

From Adam Maxwell’s timeline, you can select the reported First time access from new device risk indicator. The reason for the access from new device alert is displayed along with details such as the event time, the device ID, and so on.

To view the First time access from new device risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the first time access from new device event. You can view the number of sign-in instances that occurred from a new device and the time the event occurred.

  • In the EVENT DETAILS section, the access events from the new device appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

    • Time. The time the sign-in instance occurred.

    • Receiver Type. The type of Citrix Receiver used, such as Windows, Mac, and so on.

    • Device ID. The IP address of the device that is used for sign-in.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Potential data exfiltration

Citrix Analytics detects data threats based on excessive attempts to exfiltrate data and triggers the corresponding risk indicator.

The Potential data exfiltration risk indicator is triggered when a Citrix Receiver user attempts to download or transfer files to a drive or printer. This data might be a file-download event such as downloading a file to a local drive, mapped drives, to an external storage device, and so on. It can also be data that is exfiltrated using the clipboard or by the copy-paste action.

When is potential data exfiltration risk indicator triggered?

You can be notified when a user has transferred an excessive number of files to a drive or printer in a certain time period. This risk indicator is also triggered when the user uses the copy-paste action on their local computer.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Potential data exfiltration risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

How to analyze the Potential data exfiltration risk indicator?

Consider the user Adam Maxwell, who is logged on to a session and attempts to print files that exceed the predefined limit. By this action, Adam Maxwell exceeded his normal file transfer behavior, as determined by machine learning algorithms.

From Adam Maxwell’s timeline, you can select the Potential data exfiltration risk indicator. The reason for the event is displayed along with the details such as the files transferred, the device used to transfer the file, and so on.

To view the Potential data exfiltration risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the potential data exfiltration event. You can view the number of data exfiltration events during a specific time period.

  • In the EVENT DETAILS section, the data exfiltration attempts appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information:

    • Time. The time the data exfiltration event occurred.

    • Files. The file that was either downloaded, printed, or copied.

    • File type. The file type that was either downloaded, printed, or copied.

    • Action. The kind of data exfiltration event that was performed – print, download, or copy.

    • Devices. The device used.

    • Size. The size of the file being exfiltrated.

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following for the time of the event’s occurrence:

    • The number of files exfiltrated.

    • The actions performed.

    • The applications used.

    • Device used by the user.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Access from device with unsupported operating system (OS)

Citrix Analytics detects access threats based on a user’s access from a device running an unsupported operating system and triggers the corresponding risk indicator.

The Access from device with unsupported OS risk indicator is triggered when a Citrix Receiver user logs on from an unsupported operating system (OS) or browser. The alert is raised based on the set of OS and browser versions that are supported by Citrix Receiver.

When is the access from device with unsupported OS risk indicator triggered?

The Access from device with unsupported OS risk indicator is reported when a user logs on from a device running an unsupported OS or browser. When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from device with unsupported OS risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

Note

When a user switches to another operating system, but connects to the same session, the session logon event is retained.

How to analyze the access from device with unsupported OS risk indicator?

Consider the user Georgina Kalou, logged on to a session that is running on an OS or browser not supported by Citrix Receiver. Citrix Analytics detects this event and assigns a risk score to Georgina Kalou. You are then notified in the Alerts panel and the Access from device with unsupported OS risk indicator is added to the user’s risk timeline.

From Georgina Kalou’s timeline, you can select the reported Access from device with unsupported OS risk indicator. The reason for the event is displayed on the screen along with details of the event such as the OS version, browser version, and more.

To view the Access from device with unsupported OS risk indicator, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the Access from device with unsupported OS risk indicator. You can view the number of devices with an unsupported OS or browser version used to launch Citrix Receiver and the time the events occurred.

  • In the EVENT DETAILS - DEVICE ACCESS section, the unsupported device access events appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

    • Launch time. The time the event occurred.

    • Receiver. The Receiver platform details.

    • Browser. The browser version used for logon.

    • OS. The operating system version used for logon.

    • Device ID. Information about the ID of the device that is used to log on to the session.

    • IP Address. The IP address of the device that is used for logon.

    Note

    If your device uses an unsupported browser for access, you cannot see any data under the IP address column.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Unusual time of application access (Virtual)

Citrix Analytics detects data threats based on a user’s access from a new application and triggers the corresponding risk indicator.

The Unusual time of application access risk indicator is triggered when a Citrix Receiver user exhibits unusual app usage behavior. Unusual behavior might be the first-ever launch of an HDX application during a particular time of the day.

When is the unusual time of application access risk indicator triggered?

The Unusual time of application access risk indicator is reported when the user attempts to access an application they have not previously used, factoring in time of day.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Unusual time of application access risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.
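
A per-user profile of which applications have been launched in which part of the day is one way to reason about this indicator. The following is an added example, not Citrix code: the four six-hour parts of day, the `min_history` learning period, and the sample launches are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

PARTS = ("night", "morning", "afternoon", "evening")  # assumed 6-hour buckets

# Constructed sample launches: (user, application, local time with UTC offset).
LAUNCHES = [
    ("georgina.kalou", "Outlook", "2023-05-01T09:10:00+01:00"),
    ("georgina.kalou", "Outlook", "2023-05-02T14:30:00+01:00"),
    ("georgina.kalou", "SAP GUI", "2023-05-02T10:00:00+01:00"),
    ("georgina.kalou", "Outlook", "2023-05-03T09:05:00+01:00"),  # known app and part
    ("georgina.kalou", "SAP GUI", "2023-05-03T23:45:00+01:00"),  # first evening launch
    ("georgina.kalou", "PuTTY", "2023-05-04T02:15:00+01:00"),    # never-used app, night
    ("georgina.kalou", "SAP GUI", "2023-05-05T22:00:00+01:00"),  # evening now known
]


def find_unusual_time_launches(launches, min_history=3):
    """Flag the first launch of an application in a given part of the user's local day.

    min_history (assumed parameter): a user's first launches only build the
    profile, so a new user is not flagged on every launch.
    """
    seen = defaultdict(set)   # user -> {(application, part of day)}
    count = defaultdict(int)  # user -> launches processed so far
    flagged = []
    parsed = sorted(
        ((user, app, datetime.fromisoformat(ts)) for user, app, ts in launches),
        key=lambda e: e[2],
    )
    for user, app, ts in parsed:
        part = PARTS[ts.hour // 6]  # hour in the time zone recorded with the event
        if count[user] >= min_history and (app, part) not in seen[user]:
            flagged.append((user, app, part, ts.isoformat()))
        seen[user].add((app, part))
        count[user] += 1
    return flagged


if __name__ == "__main__":
    for hit in find_unusual_time_launches(LAUNCHES):
        print(hit)
```

The hour is taken in the offset stored with each event, which is why the Time zone column matters when reviewing these alerts.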

How to analyze the Unusual time of application access risk indicator?

Consider the user Georgina Kalou, who is logged on to a session and attempts to access an application for the first time during non-working hours.

From Georgina Kalou’s timeline, you can select the reported Unusual time of application access risk indicator. The reason for the event is displayed along with details such as the application’s name, the time zone it was accessed from, and so on.

To view the Unusual time of application access risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the event. You can view the number of new applications that were accessed and when they were accessed.

  • In the EVENT DETAILS section, the event is displayed in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

    • Time. The time the application was accessed.

    • Application name. Name of the application accessed.

    • Time zone. Time zone from which the application is accessed.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.