Citrix Virtual Apps and Desktops risk indicators

First time access from new device

Citrix Analytics detects access threats based on first time access from a new device and triggers the corresponding risk indicator.

The First time access from new device risk indicator is triggered when a Citrix Workspace user signs in from a device after a minimum of 90 days. This risk indicator is triggered because Citrix Receiver has no sign-in records for the user from this new or unfamiliar device for the last 90 days.

When is the First time access from new device risk indicator triggered?

The First time access from new device risk indicator is reported when a user signs in from a device after 90 days.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The First time access from new device risk indicator is added to the user’s risk timeline.
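The rule described above (a device counts as new when the user has no sign-in from it in the last 90 days) can be replayed over a sign-in history to see which events would raise the indicator. The following Python is an added example written for this page, not Citrix Analytics code; the record layout, the user and device names, and the optional baseline cut-off that seeds history without flagging it are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lookback the page describes: no sign-in from this device in the last 90 days.
NEW_DEVICE_WINDOW = timedelta(days=90)

# Hypothetical: sign-ins at or before this time seed the history but are not
# flagged, so the very first replayed record is not reported as "new".
BASELINE_END = datetime(2019, 2, 1)


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str
    receiver_type: str  # the Receiver Type column on the page, e.g. Windows or Mac
    time: datetime


# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGNINS = [
    SignIn("adam.maxwell", "dev-laptop-01", "Windows", datetime(2019, 1, 10, 9, 0)),
    SignIn("adam.maxwell", "dev-laptop-01", "Windows", datetime(2019, 3, 1, 8, 30)),
    SignIn("adam.maxwell", "dev-tablet-07", "Mac", datetime(2019, 1, 5, 18, 0)),
    SignIn("adam.maxwell", "dev-laptop-01", "Windows", datetime(2019, 4, 2, 9, 15)),
    # dev-tablet-07 last used 105 days earlier: outside the 90-day window
    SignIn("adam.maxwell", "dev-tablet-07", "Mac", datetime(2019, 4, 20, 21, 0)),
    # dev-phone-33 has never been seen for this user
    SignIn("adam.maxwell", "dev-phone-33", "Windows", datetime(2019, 4, 21, 7, 45)),
]


def detect_new_device_signins(signins, window=NEW_DEVICE_WINDOW, baseline_end=None):
    """Replay sign-ins in time order and return those that come from a device
    the user has not signed in from within `window`. Records at or before
    `baseline_end` only build history and are never flagged."""
    last_seen = {}  # (user, device_id) -> time of the most recent sign-in
    flagged = []
    for s in sorted(signins, key=lambda s: s.time):
        key = (s.user, s.device_id)
        prev = last_seen.get(key)
        is_new = prev is None or s.time - prev > window
        in_baseline = baseline_end is not None and s.time <= baseline_end
        if is_new and not in_baseline:
            flagged.append(s)
        last_seen[key] = s.time
    return flagged


def summarize(flagged):
    """Per-user summary matching the WHAT HAPPENED view: how many sign-in
    instances came from a new device, with the time and device of each."""
    summary = {}
    for s in flagged:
        summary.setdefault(s.user, []).append((s.time, s.device_id, s.receiver_type))
    return summary


if __name__ == "__main__":
    for user, hits in summarize(
        detect_new_device_signins(SAMPLE_SIGNINS, baseline_end=BASELINE_END)
    ).items():
        print(f"{user}: {len(hits)} sign-in(s) from a new device")
        for when, device, receiver in hits:
            print(f"  {when:%Y-%m-%d %H:%M}  device={device}  receiver={receiver}")
```

Without `baseline_end`, the first sign-in from every device is reported as well, which is what a cold start looks like in practice; the seeding cut-off is the simplest way to keep those out of the timeline.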

How to analyze the First time access from new device risk indicator?

Consider the user Adam Maxwell, who is signed in to a session through Citrix Receiver from a device that the user has not used for the last 90 days.

From Adam Maxwell’s timeline, you can select the First time access from new device risk indicator. The reason for the access from new device alert is displayed along with details such as the event time and the device ID.

To view the First time access from new device risk indicator reported for a user, navigate to Security > Users, and select the user.

[Screenshot: First time access from new device]

  • In the WHAT HAPPENED section, you can view the summary of the first time access from new device event. You can view the number of sign-in instances that occurred from a new device and the time the event occurred.

[Screenshot: First time access from new device, WHAT HAPPENED section]

  • In the EVENT DETAILS section, the access events coming from the new device appear in a tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Time. The time the sign-in instance occurred.

    • Receiver Type. The type of Citrix Receiver used, such as Windows or Mac.

    • Device ID. The IP address of the device that is used for sign-in.

    [Screenshot: Access from new device, EVENT DETAILS section]

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities in future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or later, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Potential data exfiltration

Citrix Analytics detects data threats based on excessive attempts to exfiltrate data and triggers the corresponding risk indicator.

The Potential data exfiltration risk indicator is triggered when a Citrix Receiver user attempts to download or transfer files to a drive or printer. This data might be a file-download event such as downloading a file to a local drive, mapped drives, or an external storage device. It can also be data that is exfiltrated using the clipboard or by the copy-paste action.

When is the Potential data exfiltration risk indicator triggered?

You can be notified when a user has transferred an excessive number of files to a drive or printer in a certain time period. This risk indicator is also triggered when the user uses the copy-paste action on their local computer.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Potential data exfiltration risk indicator is added to the user’s risk timeline.
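The trigger described above is a count of file transfer, print, or copy events that exceeds what is normal for the user within a time period. The Python below is an added example for this page, not Citrix Analytics code: the event layout follows the EVENT DETAILS columns (time, file, file type, action, device, size), but the per-user threshold (mean daily count plus three standard deviations, with a floor) is a hypothetical stand-in for the machine-learning baseline the page mentions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class TransferEvent:
    user: str
    time: datetime
    file: str
    file_type: str
    action: str        # "print", "download" or "copy", the three kinds the page lists
    device: str
    size_bytes: int


# Constructed history: Adam downloads one to three memos a day (hypothetical data).
SAMPLE_HISTORY = [
    TransferEvent("adam.maxwell", datetime(2019, 4, day, 10, 0) + timedelta(minutes=5 * j),
                  f"memo-{day}-{j}.docx", "docx", "download", "dev-laptop-01", 40_000)
    for day, n in [(15, 2), (16, 1), (17, 3), (18, 2), (19, 2)] for j in range(n)
]

# Constructed burst: twelve prints in 22 minutes, then a clipboard copy.
SAMPLE_TODAY = [
    TransferEvent("adam.maxwell", datetime(2019, 4, 22, 14, 0) + timedelta(minutes=2 * i),
                  f"q1-report-{i:02d}.pdf", "pdf", "print", "dev-laptop-01", 250_000 + 1_000 * i)
    for i in range(12)
] + [
    TransferEvent("adam.maxwell", datetime(2019, 4, 22, 14, 30),
                  "clipboard", "text", "copy", "dev-laptop-01", 4_096)
]


def daily_counts(events, user):
    """Number of transfer events per calendar day for one user."""
    counts = defaultdict(int)
    for e in events:
        if e.user == user:
            counts[e.time.date()] += 1
    return counts


def baseline_threshold(history, user, k=3.0, floor=5):
    """Hypothetical baseline: mean daily count plus k standard deviations,
    never below `floor` so a quiet user is not flagged for a handful of files."""
    counts = list(daily_counts(history, user).values())
    if not counts:
        return floor
    return max(floor, mean(counts) + k * pstdev(counts))


def detect_excessive_transfers(events, user, threshold, window=timedelta(days=1)):
    """Slide a window over the user's events in time order. When the count in
    a window exceeds `threshold`, return every event in that window (the whole
    burst); return None if no window crosses the threshold."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.time)
    start = 0
    for end in range(len(mine)):
        while mine[end].time - mine[start].time > window:
            start += 1
        if end - start + 1 > threshold:
            last = end
            while last + 1 < len(mine) and mine[last + 1].time - mine[start].time <= window:
                last += 1
            return mine[start:last + 1]
    return None


def summarize_burst(burst):
    """The ADDITIONAL CONTEXTUAL INFORMATION view: files, actions, devices, bytes."""
    return {
        "files": len(burst),
        "actions": sorted({e.action for e in burst}),
        "devices": sorted({e.device for e in burst}),
        "total_bytes": sum(e.size_bytes for e in burst),
    }


if __name__ == "__main__":
    thr = baseline_threshold(SAMPLE_HISTORY, "adam.maxwell")
    burst = detect_excessive_transfers(SAMPLE_TODAY, "adam.maxwell", thr)
    print(f"threshold={thr}", summarize_burst(burst) if burst else "no burst")
```

Returning the whole burst rather than the first few events that cross the line is what makes the summary (file count, actions, device) meaningful on the risk timeline.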

How to analyze the Potential data exfiltration risk Indicator?

Consider the user Adam Maxwell, who is logged on to a session and attempts to print files that exceed the predefined limit. With this action, Adam Maxwell has exceeded the normal file transfer behavior established for him by machine learning algorithms.

From Adam Maxwell’s timeline, you can select the Potential data exfiltration risk indicator. The reason for the event is displayed along with the details such as the files transferred and the device used to transfer the file.

To view the Potential data exfiltration risk indicator reported for a user, navigate to Security > Users, and select the user.

[Screenshot: Potential data exfiltration]

  • In the WHAT HAPPENED section, you can view the summary of the potential data exfiltration event. You can view the number of data exfiltration events during a specific time period.

[Screenshot: Potential data exfiltration, WHAT HAPPENED section]

  • In the EVENT DETAILS section, the data exfiltration attempts appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information:

    • Time. The time the data exfiltration event occurred.

    • Files. The files that were either downloaded, printed, or copied.

    • File type. The file type that was either downloaded, printed, or copied.

    • Action. The kind of data exfiltration event that was performed: print, download, or copy.

    • Devices. The device used.

    • Size. The size of the file being exfiltrated.

    [Screenshot: Potential data exfiltration, EVENT DETAILS section]

  • In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the following information about the event:

    • The number of files exfiltrated.

    • The actions performed.

    • The applications used.

    • Device used by the user.

    [Screenshot: Potential data exfiltration, ADDITIONAL CONTEXTUAL INFORMATION section]

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Action menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Access from device with unsupported operating system (OS)

Citrix Analytics detects access threats based on a user’s access from a device running an unsupported operating system and triggers the corresponding risk indicator.

The Access from device with unsupported OS risk indicator is triggered when a Citrix Receiver user logs on from an unsupported operating system (OS) or browser. The alert is raised based on the set of OS and browser versions that are supported by Citrix Receiver.

When is the Access from device with unsupported OS risk indicator triggered?

The Access from device with unsupported OS risk indicator is reported when a user logs on from a device running an unsupported OS or browser. When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from device with unsupported OS risk indicator is added to the user’s risk timeline.

Note

When a user switches to another operating system, but connects to the same session, the session logon event is retained.
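The check described in this section compares the OS and browser of each session launch against the set of versions Citrix Receiver supports, and the note above means a reconnect to the same session from a different OS does not produce a second logon event. The Python below is an added example for this page, not Citrix code: the supported-platform tables are placeholders (Citrix publishes the real list per release), the event layout follows the EVENT DETAILS - DEVICE ACCESS columns, the session-ID deduplication is one reading of the note, and the sample launches are constructed. It also models the page's later remark that the IP address is absent when an unsupported browser is used.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Placeholder support tables (hypothetical minimums, not Citrix's published list).
SUPPORTED_OS = {
    "Windows": (10, 0),   # minimum major.minor accepted for this OS family
    "macOS": (10, 13),
    "Linux": (0, 0),      # any version accepted in this example
}
SUPPORTED_BROWSERS = {"Chrome": 70, "Firefox": 60, "Edge": 79}  # minimum major version


@dataclass(frozen=True)
class LaunchEvent:
    user: str
    session_id: str
    launch_time: datetime
    receiver: str                  # Receiver platform, e.g. "Receiver for Windows"
    os_name: str
    os_version: str
    browser: Optional[str]         # None when a native Receiver client was used
    browser_version: Optional[int]
    device_id: str
    ip_address: Optional[str]      # None when an unsupported browser was used


# Constructed sample launches for one user (hypothetical data).
SAMPLE_LAUNCHES = [
    LaunchEvent("georgina.kalou", "sess-1001", datetime(2019, 5, 6, 8, 0), "Receiver for Windows",
                "Windows", "10.0.18362", None, None, "dev-desk-12", "10.1.2.3"),
    LaunchEvent("georgina.kalou", "sess-1002", datetime(2019, 5, 6, 12, 0), "Receiver for Web",
                "Windows", "7.0", "Firefox", 52, "dev-kiosk-04", None),
    # Same session reconnected from another OS: not a new logon event.
    LaunchEvent("georgina.kalou", "sess-1002", datetime(2019, 5, 6, 12, 40), "Receiver for Web",
                "macOS", "10.14", "Chrome", 74, "dev-mac-09", "10.1.2.9"),
    LaunchEvent("georgina.kalou", "sess-1003", datetime(2019, 5, 7, 9, 30), "Receiver for Web",
                "macOS", "10.12", "Chrome", 74, "dev-mac-02", "10.1.2.10"),
]


def parse_version(text):
    """'10.14.6' -> (10, 14, 6); non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def os_supported(name, version):
    minimum = SUPPORTED_OS.get(name)
    if minimum is None:
        return False
    major_minor = (parse_version(version) + (0, 0))[:2]  # pad "10" to (10, 0)
    return major_minor >= minimum


def browser_supported(name, version):
    if name is None:
        return True  # native client, no browser involved
    minimum = SUPPORTED_BROWSERS.get(name)
    return minimum is not None and version is not None and version >= minimum


def evaluate(event):
    """Reasons this launch is unsupported; an empty list means it is supported."""
    reasons = []
    if not os_supported(event.os_name, event.os_version):
        reasons.append(f"unsupported OS {event.os_name} {event.os_version}")
    if not browser_supported(event.browser, event.browser_version):
        reasons.append(f"unsupported browser {event.browser} {event.browser_version}")
    return reasons


def detect_unsupported_access(events):
    """Evaluate only the first logon per session (a reconnect from another OS
    keeps the original logon event) and return (event, reasons) for each
    launch from an unsupported platform, in launch-time order."""
    seen_sessions = set()
    findings = []
    for e in sorted(events, key=lambda e: e.launch_time):
        if e.session_id in seen_sessions:
            continue
        seen_sessions.add(e.session_id)
        reasons = evaluate(e)
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for e, reasons in detect_unsupported_access(SAMPLE_LAUNCHES):
        ip = e.ip_address if e.ip_address is not None else "(no IP: unsupported browser)"
        print(f"{e.launch_time:%Y-%m-%d %H:%M} {e.session_id} {e.device_id} {ip}: {'; '.join(reasons)}")
```

The `ip_address` of `None` on the kiosk launch is the case the page's note on the IP Address column describes; a detection that keys on IP alone would silently skip exactly these events, so the session and device ID are the fields to pivot on.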

How to analyze the Access from device with unsupported OS risk indicator?

Consider the user Georgina Kalou, who is logged on to a session from an OS or browser that is not supported by Citrix Receiver. Citrix Analytics detects this event and assigns a risk score to Georgina Kalou. The Access from device with unsupported OS risk indicator is added to the user’s risk timeline.

From Georgina Kalou’s timeline, you can select the Access from device with unsupported OS risk indicator. The reason for the event is displayed on the screen along with details of the event such as the OS version, browser version, and more.

To view the Access from device with unsupported OS risk indicator, navigate to Security > Users, and select the user.

[Screenshot: Access from device with unsupported OS]

  • In the WHAT HAPPENED section, you can view the summary of the Access from device with unsupported OS risk indicator. You can view the number of devices with an unsupported OS or browser version used to launch Citrix Receiver and the time the events occurred.

[Screenshot: Access from device with unsupported OS, WHAT HAPPENED section]

  • In the EVENT DETAILS - DEVICE ACCESS section, the unsupported device access events appear in a graphical and tabular format. The events appear as individual entries in the graph, and the table provides the following key information about the events:

    • Launch time. The time the event occurred.

    • Receiver. The Receiver platform details.

    • Browser. The browser version used for logon.

    • OS. The operating system version used for logon.

    • Device ID. Information about the ID of the device that is used to log on to the session.

    • IP Address. The IP address of the device that is used for logon.

    Note

    If the device uses an unsupported browser for access, no data is shown under the IP Address column for that event.

    [Screenshot: Access from device with unsupported OS, EVENT DETAILS - DEVICE ACCESS section]

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

  • Log off user. When a user is logged off from their account, they cannot access the resource through Virtual Desktops.

  • Start session recording. If there is an unusual event on the user’s Virtual Desktops account, the administrator can begin recording the user’s activities of future logon sessions. However, if the user is on Virtual Apps and Desktops 7.18 or a greater version, the administrator can dynamically start and stop recording the user’s current logon session.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.