User risk timeline

The User risk timeline on a user’s profile enables you, as a Citrix Analytics administrator, to gain deeper insights into a user’s risky behavior. By default, the user risk timeline is displayed for the last month. You can also see the corresponding actions taken on their account for a selected time period. From the User risk timeline, you can delve deeper into a user’s profile to understand the following:

  • Data usage

  • Device usage

  • Application usage

  • Location usage

Additionally, you can view the risk score and risk indicator trends for the user and determine if the user is a high-risk user or not.

When you go to a user’s risk timeline, you can select either a risk indicator or an action that has been applied to their account. If you choose one of the above, the right pane displays the risk indicator section or the action section.

Risk timeline

The Risk Timeline displays the following information:

  • Risk indicators. Risk Indicators are user activities that are suspicious or can pose a security threat to your organization. The indicators are triggered when the user’s behavior deviates from their normal behavior. The risk indicators can be for the following data sources:

    • Citrix Content Collaboration

    • Citrix Gateway

    • Citrix Endpoint Management

    • Citrix Virtual Apps and Desktops / Citrix Workspace

    • Citrix Access Control

    When you select a risk indicator from the user’s timeline, the risk indicator information section is displayed in the right pane. You can view the reason for the risk indicator along with details of the event. They are broadly categorized into the following sections:

    • What happened. You can view a summary of the risk indicator here. For example, if you have selected the Excessive file sharing risk indicator, the What happened section shows the number of share links sent to recipients and when the sharing event occurred.

    • Event details. You can view individual event entries in graphical and tabular format along with details of the event. Click Event Search to access the self-service search page and view the events corresponding to the user’s risk indicator. For more information, see Self-service search.

    • Additional contextual information. You can view data shared, if any, during an event’s occurrence in this section.

    Learn more: Risk indicators

  • Actions. Actions help you respond to suspicious events and prevent future anomalous events from occurring. Actions that have been applied on a user’s profile are displayed on the risk timeline. These actions are either applied automatically to a user’s account through configured policies or applied manually by you.

    Learn more: Policies and actions.

  • Privileged user events. Privileged user events are triggered every time there is a change in the Admin or Executive privilege status of a user. When a risk indicator is triggered for a user, you can correlate it with the specified privilege status change event. If necessary, you can apply the appropriate action on the user profile. The Admin or Executive privilege events displayed on the user risk timeline are as follows:

    • Added to Executive group

    • Removed from Executive group

    • Privilege elevated to Admin

    • Admin privilege removed

    Consider the user Adam Maxwell, who was added to the Executive privileged group CitrixAnalytics. The Added to Executive group event is added to the user’s risk timeline. Now, Adam starts excessively deleting files and folders, which triggers the machine learning algorithm that detects unusual behavior. The Excessive file or folder deletion risk indicator is added to the user’s risk timeline. You can compare the event and the risk indicator on the risk timeline. After the comparison, you can determine if the risk indicator was triggered as a consequence of the event. If so, you can apply appropriate actions on Adam’s profile. For more information on privileged users, see Privileged users.

When you select an event from the user’s timeline, the event information section is displayed in the right pane.

For an Executive, the right pane displays information such as User status, Date and time, and Active Directory group.

For an Admin privilege event, the right pane displays information such as User status, Date and time, and In product.
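
The comparison described in the Adam Maxwell scenario above can be expressed as a small correlation over timeline entries. This is an added example, not Citrix code: it assumes the entries have been copied into a simple list of records, and the field names, dates, second user, and 7-day window are assumptions, with all sample data constructed.

```python
from datetime import datetime, timedelta

# Privilege status change events listed on this page.
PRIVILEGE_EVENTS = {
    "Added to Executive group", "Removed from Executive group",
    "Privilege elevated to Admin", "Admin privilege removed",
}

# Constructed sample timeline (not a Citrix Analytics export format).
TIMELINE = [
    {"user": "Adam Maxwell", "time": "2024-03-01T09:00:00",
     "entry": "Added to Executive group"},
    {"user": "Adam Maxwell", "time": "2024-03-02T14:30:00",
     "entry": "Excessive file or folder deletion"},
    {"user": "Adam Maxwell", "time": "2024-03-20T10:00:00",
     "entry": "Excessive file sharing"},
    {"user": "Jane Doe", "time": "2024-03-02T15:00:00",
     "entry": "Excessive file sharing"},
]

def correlate(timeline, window=timedelta(days=7)):
    """Pair each risk indicator with the most recent privilege change for
    the same user that happened at most `window` before the indicator."""
    last_change = {}  # user -> (time of change, privilege event name)
    findings = []
    for item in sorted(timeline, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(item["time"])
        if item["entry"] in PRIVILEGE_EVENTS:
            last_change[item["user"]] = (when, item["entry"])
            continue
        change = last_change.get(item["user"])
        if change and when - change[0] <= window:
            findings.append({
                "user": item["user"],
                "indicator": item["entry"],
                "privilege_event": change[1],
                "gap": when - change[0],
            })
    return findings

if __name__ == "__main__":
    for f in correlate(TIMELINE):
        print(f'{f["user"]}: "{f["indicator"]}" followed '
              f'"{f["privilege_event"]}" after {f["gap"]}')
```

A match only shows that the indicator closely followed the privilege change; deciding whether it was a consequence of the change, and which action to apply, remains the administrator's judgment.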