Citrix Virtual Apps and Desktops risk indicators

First time access from new device

Citrix Analytics detects access threats based on first time access from a new device and triggers the corresponding risk indicator.

The First time access from new device risk indicator is triggered when a Citrix Workspace user signs in from a device that has not been used to sign in for at least 90 days, including a device that has never been seen before. The indicator is triggered because Citrix Receiver has no sign-in record for the user from that device in the last 90 days.

When is the First time access from new device risk indicator triggered?

The First time access from new device risk indicator is reported when a user signs in from a device for which there is no sign-in record for that user in the preceding 90 days.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The First time access from new device risk indicator is added to the user’s risk timeline.
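The rule described above amounts to a per-user, per-device lookback. The following Python is an added example, not Citrix Analytics or Citrix Receiver code: it runs that lookback over a constructed sign-in log. The event fields, the strict "more than 90 days" comparison and the `baseline` parameter for seeding history are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Lookback the page describes: a device with no sign-in for the user in this
# window counts as new or unfamiliar.
NEW_DEVICE_WINDOW = timedelta(days=90)

# Constructed sample sign-ins, not real Citrix telemetry: (timestamp, user, device_id).
SAMPLE_DEVICE_SIGNINS = [
    ("2023-01-02T09:00:00", "adam.maxwell", "dev-A"),  # no history at all -> flagged
    ("2023-02-10T09:00:00", "adam.maxwell", "dev-A"),  # dev-A seen 39 days ago -> quiet
    ("2023-02-11T10:00:00", "adam.maxwell", "dev-B"),  # first sign-in from dev-B -> flagged
    ("2023-03-01T09:00:00", "adam.maxwell", "dev-A"),  # dev-A seen 19 days ago -> quiet
    ("2023-07-15T09:00:00", "adam.maxwell", "dev-B"),  # dev-B last seen 154 days ago -> flagged
    ("2023-07-16T09:00:00", "adam.maxwell", "dev-A"),  # dev-A last seen 137 days ago -> flagged
]


def detect_new_device_signins(events, window=NEW_DEVICE_WINDOW, baseline=None):
    """Return the sign-ins that would raise 'First time access from new device'.

    An event is flagged when the user has no earlier sign-in from the same
    device ID within `window` (assumption: strictly more than `window` ago,
    or never, counts as new). `baseline` maps (user, device_id) to the last
    sign-in time (datetime or ISO string) known before `events` begins;
    without it every device's first appearance is flagged, which is the
    cold-start behaviour you get on day one of collection.
    """
    last_seen = {
        key: (value if isinstance(value, datetime) else datetime.fromisoformat(value))
        for key, value in (baseline or {}).items()
    }
    flagged = []
    # Sort so that 'earlier' really means earlier even if the log is unordered.
    for ts, user, device in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (user, device)
        prev = last_seen.get(key)
        if prev is None or when - prev > window:
            flagged.append({
                "time": ts,
                "user": user,
                "device_id": device,
                "last_seen": None if prev is None else prev.isoformat(),
            })
        last_seen[key] = when
    return flagged


if __name__ == "__main__":
    for hit in detect_new_device_signins(SAMPLE_DEVICE_SIGNINS):
        print(hit)
```

Seeding `baseline` from an export of earlier sign-ins is what keeps the first day of collection from flagging every device in the estate; the `last_seen` value in each finding is the detail an analyst needs to tell "never seen" from "not seen for a long time".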

How to analyze the First time access from new device risk indicator?

Consider the user Adam Maxwell, who is signed in to a session through Citrix Receiver from a device that the user has not used for the last 90 days.

From Adam Maxwell’s timeline, you can select the First time access from new device risk indicator. The reason for the access from new device alert is displayed along with details such as the event time and the device ID.

To view the First time access from new device risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the first time access from new device event, including the number of sign-in instances that occurred from the new device and the time the event occurred.

  • In the EVENT DETAILS section, the access events from the new device appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Time. The time the sign-in instance occurred.

    • Receiver Type. The type of Citrix Receiver used, such as Windows or Mac.

    • Device ID. The IP address of the device that is used for sign-in.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or later, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Potential data exfiltration

Citrix Analytics detects data threats based on excessive attempts to exfiltrate data and triggers the corresponding risk indicator.

The Potential data exfiltration risk indicator is triggered when a Citrix Receiver user downloads, prints, or otherwise transfers an excessive amount of data out of the session. The transfer can be a file download to a local drive, a mapped drive, or an external storage device, a print job, or data moved out of the session through the clipboard with a copy-paste action.

When is the Potential data exfiltration risk indicator triggered?

You can be notified when a user has transferred an excessive number of files to a drive or printer within a certain time period. The risk indicator is also triggered when the user copies data out of the session to their local computer with a copy-paste action.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Potential data exfiltration risk indicator is added to the user’s risk timeline.
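Added example, not Citrix Analytics code: a simplified version of the baseline comparison described above, applied to daily transfer counts. Citrix Analytics learns the user's normal behaviour with machine learning; here a per-user mean plus three standard deviations over a constructed history of daily counts stands in for that model. The event fields, the `min_events` floor and all sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-user history of daily transfer counts (downloads + prints +
# copies) from earlier days; stands in for the learned 'normal' behaviour.
BASELINE_DAILY_COUNTS = {
    "adam.maxwell": [3, 4, 2, 5, 3, 4, 3],
}

# Constructed transfer events, not real Citrix telemetry:
# (timestamp, user, action, file, size_bytes). Actions mirror the page: print, download, copy.
SAMPLE_TRANSFERS = [
    (f"2023-03-01T10:{m:02d}:00", "adam.maxwell", "print", f"report-{m:02d}.pdf", 250_000)
    for m in range(12)  # 12 print jobs in 12 minutes
] + [
    ("2023-03-02T11:00:00", "adam.maxwell", "download", "budget.xlsx", 40_000),
    ("2023-03-02T11:05:00", "adam.maxwell", "download", "notes.docx", 12_000),
    ("2023-03-02T11:20:00", "adam.maxwell", "copy", "<clipboard>", 1_500),
]


def daily_threshold(history, sigma=3.0, min_events=5):
    """Count above which a day is excessive: mean + sigma * stdev of the history,
    floored at min_events so a user with a near-zero baseline is not flagged for
    a handful of files (assumption; the product's model is not public)."""
    if not history:
        return min_events
    return max(min_events, mean(history) + sigma * pstdev(history))


def detect_excessive_transfers(events, baseline=BASELINE_DAILY_COUNTS, sigma=3.0, min_events=5):
    """Return one finding per (user, day) whose transfer count exceeds that user's threshold.

    Each finding carries the breakdown the page's EVENT DETAILS and ADDITIONAL
    CONTEXTUAL INFORMATION sections show: actions, files and total size.
    """
    per_day = defaultdict(list)
    for ts, user, action, filename, size in events:
        per_day[(user, ts[:10])].append((ts, action, filename, size))

    findings = []
    for (user, day), items in sorted(per_day.items()):
        threshold = daily_threshold(baseline.get(user, []), sigma, min_events)
        if len(items) > threshold:
            actions = defaultdict(int)
            for _, action, _, _ in items:
                actions[action] += 1
            findings.append({
                "user": user,
                "day": day,
                "count": len(items),
                "threshold": round(threshold, 2),
                "actions": dict(actions),
                "bytes": sum(item[3] for item in items),
                "files": [item[2] for item in items],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_excessive_transfers(SAMPLE_TRANSFERS):
        print(finding)
```

With the constructed history the threshold works out to about 6.14 transfers per day, so the 12 print jobs on 2023-03-01 are flagged while the three transfers on 2023-03-02 are not. A real deployment would also weight by bytes and file type, since three large archive downloads can matter more than twelve one-page prints.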

How to analyze the Potential data exfiltration risk indicator?

Consider the user Adam Maxwell, who is logged on to a session and prints more files than the predefined limit. With this action, Adam Maxwell has exceeded the normal file transfer behavior that the machine learning model has established for him.

From Adam Maxwell’s timeline, you can select the Potential data exfiltration risk indicator. The reason for the event is displayed along with the details such as the files transferred and the device used to transfer the file.

To view the Potential data exfiltration risk indicator reported for a user, navigate to Security > Users, and select the user.

  • In the WHAT HAPPENED section, you can view the summary of the potential data exfiltration event, including the number of data exfiltration events during a specific time period.

  • In the EVENT DETAILS section, the data exfiltration attempts appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information:

    • Time. The time the data exfiltration event occurred.

    • Files. The file that was downloaded, printed, or copied.

    • File type. The type of the file that was downloaded, printed, or copied.

    • Action. The kind of data exfiltration event that was performed: print, download, or copy.

    • Devices. The device used.

    • Size. The size of the file being exfiltrated.

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following details about the event:

    • The number of files exfiltrated.

    • The actions performed.

    • The applications used.

    • The device used by the user.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or later, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Access from an unusual location

Citrix Analytics detects access-based threats from unusual Citrix Workspace sign-ins and triggers the corresponding risk indicator.

When is the Access from an unusual location risk indicator triggered?

You can be notified when a user in your organization signs in from an unusual location that is inconsistent with their usual behavior.

Citrix Workspace detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The Access from an unusual location risk indicator is added to the user’s risk timeline.
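Added example, not Citrix Workspace or Citrix Analytics code: the comparison described above, run over a constructed sign-in log. It assumes each sign-in already carries a country code (the product derives location from the client IP), uses the 30-day window the page gives for the usual-location map, limits "usual" to the six most frequent locations as on the page's pie chart, and does not flag a user who has no sign-ins in the window. The event fields and sample data are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Window used for the user's 'usual' locations, as on the page's map view.
USUAL_LOCATION_WINDOW = timedelta(days=30)

# Constructed sign-ins, not real telemetry:
# (timestamp, user, country, client_ip, device_os, device_browser).
# IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_LOCATION_SIGNINS = [
    ("2023-05-01T08:00:00", "georgina.kalou", "CN", "203.0.113.10", "Windows 10", "Chrome"),
    ("2023-05-10T08:05:00", "georgina.kalou", "CN", "203.0.113.11", "Windows 10", "Chrome"),
    ("2023-05-20T08:02:00", "georgina.kalou", "CN", "203.0.113.10", "Windows 10", "Chrome"),
    ("2023-05-25T22:40:00", "georgina.kalou", "GB", "198.51.100.7", "macOS", "Safari"),  # unusual
    ("2023-07-10T08:00:00", "georgina.kalou", "CN", "203.0.113.10", "Windows 10", "Chrome"),  # no sign-ins in prior 30 days
]


def usual_locations(history, when, window=USUAL_LOCATION_WINDOW, top=6):
    """Countries the user signed in from during `window` before `when`, most
    frequent first, capped at `top` (the page's pie chart shows the top six).
    Assumption: a location outside the top six counts as unusual."""
    counts = Counter(country for ts, country in history if when - window <= ts < when)
    return [country for country, _ in counts.most_common(top)]


def detect_unusual_locations(events, window=USUAL_LOCATION_WINDOW):
    """Return sign-ins whose country is absent from the user's usual locations.

    Assumption: a user with no sign-ins in the window has no 'usual' yet and
    is not flagged, so a returning user after a long absence does not raise
    the indicator on their first sign-in back.
    """
    history = defaultdict(list)  # user -> [(datetime, country)]
    flagged = []
    for ts, user, country, ip, os_name, browser in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        usual = usual_locations(history[user], when, window)
        if usual and country not in usual:
            flagged.append({
                "time": ts,
                "user": user,
                "location": country,
                "client_ip": ip,
                "device_os": os_name,
                "device_browser": browser,
                "usual_locations": usual,
            })
        history[user].append((when, country))
    return flagged


if __name__ == "__main__":
    for hit in detect_unusual_locations(SAMPLE_LOCATION_SIGNINS):
        print(hit)
```

The United Kingdom sign-in on 2023-05-25 is the only finding: the three earlier sign-ins make China the user's only usual location, and the finding carries the client IP, OS and browser that the page's event details table shows. Whether a first sign-in after a long gap should be flagged is a policy choice; flip the `usual and` guard if you prefer to err on the side of alerting.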

How to analyze the Access from an unusual location risk indicator?

Consider the user Georgina Kalou, who signed in from the United Kingdom when she has only ever signed in from Beijing, China. Citrix Workspace reports the event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Access from an unusual location risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Access from an unusual location risk indicator. The reason for the event is displayed along with details such as the time of the event and the sign-in location.

To view the Access from an unusual location risk indicator reported for a user, navigate to Security > Users, and select the user.

  • WHAT HAPPENED: Provides a brief summary that includes the number of sign-in attempts, the unusual location, and the time of the event.

  • SIGN IN locations: Displays a map view of the user’s usual and unusual sign-in locations. The usual location data covers the last 30 days. Hover over the pointers on the map to view the details of each location.

  • Usual location – Last 30 days: Displays a pie chart of the top six usual locations from which the user signed in during the last 30 days.

  • Unusual location event details: Provides a timeline visualization of the unusual sign-in event. The table provides the following information about the event:

    • Date and time. Date and time of the unusual sign-in event.

    • Client IP. IP address of the client device.

    • Device OS. Operating system of the device from which the user signed in at the unusual location.

    • Device browser. Web browser from which the user signed in to the application.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or later, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.
