Self-service search for Content Collaboration
Use the self-service search to get insights into the user events received from the Content Collaboration data source. When users use the Content Collaboration service, events such as login, delete, download, and, upload are generated. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can track the users and their activities.
For more information on the search functionalities, see Self-service search.
Select the Content Collaboration data source
To view the Content Collaboration events, select Content Collaboration from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.
Select the facets to filter events
Use the following facets that are associated to the Content Collaboration events.
-
Download File Size- Indicates the size of the file downloaded from Content Collaboration.
-
Event Type- Indicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete.
Specify search query to filter events
Place your cursor in the search box to view the list of dimensions for the Content Collaboration events. Use the dimensions and the operators to specify your query and search for the required events.
For example, you want to search for the events originating from India and the file size is greater than 900,000 bytes. Specify the following query as shown in the figure.
-
Enter “Co” in the search box to get the related suggestions.
-
Select Country and enter the value “India” using the equal operator.
-
Select the AND operator and then select the File-Size dimension. Select the > operator and enter the file size value in bytes.
-
Select the time period and click Search to view the events on the DATA table.
Audit logs
The audit logs provide insights into the permissions and actions applied on the user accounts by the Content Collaboration administrators. Using these data, you can verify if the Content Collaboration administrators have taken valid actions on the user accounts.
You can view the following audit logs in the self-service search.
Note
To receive these logs on Citrix Analytics, you must integrate the Citrix Content Collaboration service with Citrix Workspace.
| Event | Attributes |
|---|---|
| Distribution Group Create | Group ID, Group Shared, Client OS, Client IP, Group Name, Owner ID, User Email |
| Distribution Group Delete | Group ID, Group Name |
| Distribution Group Update | Group ID, Is Shared |
| DLP Update, DLP Policy Update | DLP Enabled, Client OS, Client IP, Saved Format, Download Enabled for Anonymous User, Download Enabled for Client User, Download Enabled for Employee User, Sharing Enabled for Client User, Sharing Enabled for Employee User |
| Login and Security Policy Update | Trusted Domains, User Name, Client OS, Client IP, Logout Users After Activity, Maximum Failed Logins, Locked Out Duration, Enabled Two Factor Auth for Users, Enabled Two Factor Auth for Employees, Enabled Two Factor Auth, User Email |
| Report Create, Report Update, Report Delete | Created Date, End Date, Report Title, Recurring Frequency, Subfolders Included, Recurring, Schedule Report, Last Run Date, Report Type, Saved Format, Saved Folder, Start Date |
| SSO Settings Update | Active Profile Cookies, Client OS, Client IP, IP Restrictions, Activated SSO, Login URL, Logout URL, IdP Type, SP-Initiated Auth Context, SP-Initiated Auth Method, User Email, SP-Initiated Redirect Method, Enabled Web Authentication |
Malware logs
The malware event File.VirusInfected is triggered when a file uploaded by a Content Collaboration user is infected with a malware. The following logs are specific to the malware event.
| Event | Attributes |
|---|---|
File.VirusInfected |
File Creator Name, File Owner Name, File Creator Email Address, File Owner Email Address, File Size, Shared Folder Name, File Path, File Creation Date, File Hash, File ID, Virus Name |
Supported dimensions for your search query
The following table describes the dimensions that you can view in the self-service search events. You can use these dimensions for defining your search query.
| Dimension | Description | Value type | Example |
|---|---|---|---|
Account-ID |
Indicates the account ID of the user. | String | adb8477a-6bf1-2108-fa4b-55dea0b8c44c |
Active-Account |
Indicates whether the user account is active. | Boolean | “True” or “False” |
Active-Profile-Cookies |
Indicates if the advance settings are used by the Content Collaboration active clients such as mobile clients, sync engine, and Outlook plug-in. This parameter might be required to automate selection in certain IdP configurations. | String | |
Alias-ID |
Indicates the alias ID of the user. | String | testuser1 |
Bytes-Total |
Indicates the total size (KB) of the file that is downloaded. If multiple files are downloaded simultaneously (batch download), then the bytes total indicates the total size of all the downloaded files. | Number | 105 |
City |
Indicates the city from which the user has logged on to the Content Collaboration service. | String | Chicago |
Client-IP |
Indicates the IP address of the user’s network. | String | 172.xxx.xxx.xx |
Client-OS |
Indicates the operating system of the user’s device. | String | Windows 10 |
Company-Name |
Indicates the company name of the user account. | String | Citrix |
Copy ID |
Indicates the identity of the file copy operation in Content Collaboration. | String | eif8c79f-fa87-0440-87b2-a0994eb029 |
Country |
Indicates the country from which the user has logged on to the Content Collaboration service. | String | United States |
Create-Date |
Indicates the date and time when the report is created. | String | 2021-05-25T13:54:36.167 |
Created-By |
Indicates the user who created the report. | String | user1 |
Creation-Date |
Indicates the date when the event occurred. | String | 2021-08-20T14:44:46.6161227+00:00 |
Creator-ID |
Indicates the ID of the user who created the report. | String | 77f300f8-8d89-4891-bb58 |
Delete-Single-Version |
Indicates whether a single file version is deleted. | Boolean | “True” or “False” |
Destination-File-Path |
Indicates the destination path where the file is moved or copied. | String | /0106-copy/123.xlsx |
Destination-Parent-Folder-ID |
Indicates the ID of the parent folder in the destination location where the file is copied or moved. | String | fo674450-087d-42a0-8d26-de8838a04dae |
Destination-Path-ID |
Indicates the ID of the destination path where the file is copied or moved. | String | /accountID/folderID/folderID/itemID |
Destination-Zone-ID |
Indicates the Zone ID of the destination path where the file is copied or moved. | String | zp16ffd530-c756-44ca-9f59-7ed3376e37 |
Device-ID |
Indicates the ID of the device associated with the two factor authentication event. | String | 450-087d-42a0-8d26-de88 |
Disable-User-Account |
Indicates whether the user account is disabled. | Boolean | “True” or “False” |
Download-Enabled-for-Anonymous-User |
Indicates whether an anonymous user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
Download-Enabled-for-Client-User |
Indicates whether a third party client user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
Download-Enabled-for-Employee-User |
Indicates whether an employee user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
Download-File-Size |
Indicates the size (in KB) of the file downloaded by the user | Number | 10.8 KB |
Enabled-Web-Authentication |
Indicates if SAML IdP is configured for web-based authentication and the user account is using ShareFile Sync. for Windows, ShareFile Sync for Mac, or ShareFile Outlook plug-in. | String | “True” or “False” |
Enabled-Two-Factor-Auth |
Indicates if the two factor authentication feature is enabled either for employee users or client users. | String | “True” or “False” |
Enabled-Two-Factor-Auth-for-Employees |
Indicates if two factor authentication is enabled for employee users. | String | “True” or “False” |
Enabled-Two-Factor-Auth-for-Users |
Indicates if two factor authentication is enabled for client users. | String | “True” or “False” |
End-Date |
Indicates the date after which the report is not generated for your Content Collaboration account. | “2021-05-23T04:00:00+00:00” | |
Event-ID |
Indicates the unique identity associated with a user event. | String | 77f300f8-8d89-4891-bb58-53b05c44766d |
Event-Type |
Indicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete. | String |
File.Upload, Session.Login, Share.Create
|
Event-User-ID |
Indicates the ID of the user who triggered the event. | String | 8d89-4891-bb58-53b05 |
Expiration-Date |
Indicates the expiry date of the event. | String | 2022-01-10T13:35:22.313236Z |
File-Creation-Date |
Indicates the date when the infected file is created. | String | 2021-05-25T13:54:36.16 |
File-Creator-Email-Address |
Indicates the email ID of the user who originally created the file that is infected with a malware. | String | user1@citrix.com |
File-Creator-Name |
Indicates the user name who originally created the file that is infected with a malware. | String | User1 |
File-Download-ID |
Indicates the ID of the file download event. | String | dta152b49ddc7542a0a9fe2e |
File-Format |
Indicates the format of the file that is shared or downloaded. | String | .csv, .png, .jpeg, .txt |
File-Hash |
Indicates the MD5 hash of a file that is uploaded. | String | 88e300f8-8d89-4891-bb58 |
File-ID |
Indicates the unique ID of the infected file. | String | fib0257-1bd802-0707-44c12 |
File-Name |
Indicates the name of the file shared, uploaded, or downloaded by the user. | String | Usage Report 2021 |
File-Owner-Name |
Indicates the current owner of the infected file. | String | User2 |
File-Owner-Email-Address |
Indicates the email ID of the current owner of the infected file. | String | user2@citrix.com |
File-Path |
Indicates the path of the infected file in Content Collaboration. | String | /testfolder/test-file.pdf |
File-Size |
Indicates the size of the infected file in bytes. | Number | 10 B |
First-Name |
Indicates the first name of the user that is specified while creating the user account. | String | Joe |
Folder-ID |
Indicates the ID of the folder created on Content Collaboration. | String | 8d89-4891-bb58-53b05c |
Folder-Name |
Indicates the name of the folder that is being archived, created, deleted, or updated. | String | test-folder |
Folder-Path |
Indicates the path where the folder is created. | String | /analytics/security/sharefile/2022/new folder |
Frequency |
Indicates the recurring frequency of the report that is generated for your Content Collaboration account. | String | “Daily”, “Weekly”, or “Monthly” |
Group-ID |
Indicates the ID of the Distribution Group. | String | g0183f52-f219-4816-9b8e-9584e504a083 |
Group-Name |
Indicates the name of the Distribution Group. | String | Test group 1 |
IdP-Type |
Indicates the type of identity provider configured for the user. | String | |
IP |
Indicates the IP address of the user. | String | 172.xx.xxx.xxx |
IP-Restrictions |
Indicates the IP addresses from which the users are restricted from signing in to their Content Collaboration accounts. | ||
Inactive-Logout-Duration |
Indicates the duration of inactivity after which the inactive users are logged out of their account. The duration is measured in minutes. By default, this duration is set to 1 hour (60 minutes). | Number | 60 |
Include-Sub Folders |
Indicates whether the report is created for a selected folder and its sub folders. | Boolean | “True” or “False” |
Infected-File-Hash |
Indicates the hash value of the infected file. | String | 88e300f8-8d89-4891-bb58 |
Is-Active |
Indicates if single sign-on is enabled for non-administrator employees using your IdP. | Boolean | “True” or “False” |
Is-Employee |
Indicates if the user is an employee of your organization. | String | “True” or “False” |
Is-Enabled |
Indicates whether Data Loss Prevention is enabled for your Content Collaboration account. | Boolean | “True” or “False” |
Is-Recurring |
Indicates whether the report generates after a regular interval. | Boolean | “True” or “False” |
Is-Scheduled |
Indicates whether the report is scheduled. | Boolean | “True” or “False” |
Is-Shared |
Indicates if the Distribution Group sharing is enabled for all employees. | String | “True” or “False” |
Last-Name |
Indicates the last name of the user that is specified while creating the user account. | String | Smith |
Last-Run-Date |
Indicates when the report was last generated. | String | “0001-01-01T00:00:00” |
Lock-ID |
Indicates the ID of the file lock event. | String | cb36113c468a8c29c48 |
Lock-Type |
Indicates the type of file lock. | String | Coauth Lock: Multiple users can use the lock file in the specified way. |
| Hard Lock: Exclusive lock | |||
Locked-Out-Duration |
Indicates the duration for which the user is locked out of their account when they failed to log on and exceeded the maximum allowed logon attempts. The duration is measured in seconds. | Number | 120 |
Login-URL |
Indicates the URL of the user’s IdP assertion consumer service. | String | https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=fa7a185d-d748-459 |
Logout-URL |
Indicates the URL that Content Collaboration use when a user logs out of their single sign-on session. | String | https://secure.sharefiletest.com |
Maximum-Failed-Attempts |
Indicates the maximum number of attempts a user is allowed to enter an invalid password before being locked out of the account for a specific time period. | Number | 5 |
Maximum-Download-per-User |
Indicates the maximum number of downloads allowed per user from a share link. | 1, 2, 3 | |
Notify Sender |
Indicates whether the file share notification is sent to the sender. | Boolean | “True” or “False” |
OAuth-Client-ID |
Indicates the unique ID of the user that uses the authorization server. | String | Dzi4UPUAg5l8beKjioecdchmHUTWWln9 |
Operation-Name |
Indicates the types of operations performed on Content Collaboration. | String | Create, Delete, Upload, Download, Share, Login, Copy, Update |
Owner-ID |
Indicates the owner ID of the Distribution Group. | String | 10812e09-ab02-4115-8405-8uas5e71258f |
Parent-Folder-ID |
Indicates the ID of the parent folder in the source location from where the file is copied or moved | String | fo674450-087d-42a0-8d26-de8838a04dae |
Path ID |
Indicates the ID of the source path from where the file is copied or moved. | String | /accountID/folderID/folderID/itemID |
Permanently-Delete |
Indicates whether the file is deleted permanently. | Boolean | “True” or “False” |
Primary-Email |
Indicates the email of the user who triggered the event | String | testuser@citrix.com |
Recipient-ID |
Indicates the ID of the first recipient user in a share event. | String | 10812e09-ab02-4115-8405 |
Report-Type |
Indicates the type of report that is created. The following are the report type and its corresponding ID. | Number | 0, 2, 10 |
| 0- Access report | |||
| 1- Activity report | |||
| 2- Storage report | |||
| 3- Messaging report | |||
| 4- Bandwidth detail report | |||
| 5- Bandwidth summary report | |||
| 6- Encrypted email report | |||
| 7- Storage summary report | |||
| 8- User summary report | |||
| 9- Access change report | |||
| 10- Share send report | |||
| 11- Share request report | |||
Require-Login |
Indicates whether user login is required to access the share link. | Boolean | “True” or “False” |
Require-User-Info |
Indicates whether user information is required to access the share link. | Boolean | “True” or “False” |
Resource-ID |
Indicates the ID of the resource. | String | 6bf1-2108-fa4b-55dea0b |
Resource-Type |
Indicates the resources on which operations are performed. | String | File, Users, Session, Account |
Shared-Folder-Name |
Indicates the shared folder in which the infected file is uploaded. | String | test folder |
SP-Initiated Auth Context |
Indicates the comparison level for the authentication context. The IdP needs to match the selected authentication method when the “Exact” comparison is used. Or a higher relative strength method when the “Minimum” comparison is used. | String | “Minimum” or “Exact” |
SP-Initiated-Auth-Method |
Indicates the method for the authentication context. Based on the selection, it can be Unspecified, User Name and Password, Password Protected Transport, Transport Layer Security Client, X.509 Certificate, Integrated Windows Authentication, or Kerberos. | String | urn:oasis:names:tc:SAML:2.0:ac:classes:Password |
SP-Initiated-Redirect-Method |
Indicates the method of SP initiated redirection based on the size of the certificate provided by Content Collaboration. | String | “Default”, “HTTP” or “POST” |
Save-Format |
Indicates the format of the saved report. | String | “Excel” or “CSV” |
Save-To-Folder |
Indicates whether the report should be saved in a particular folder. | Boolean | “True” or “False” |
Server-Name |
Indicates the server from where the file is downloaded or shared. | String | Citrix-SZC |
Share-Type |
Indicates the type of share link. The type can be either “Send” or “Request”. Send shares are used to send files and folders to the specified users. Request shares are used to allow users to upload files to a location specified by the share owner. | 0: Request, 1: Send | 0, 1 |
Shared-Folder-Name |
Indicates the name of the shared folder. | String | test folder |
Sharing-Enabled-for-Client User |
Indicates whether a third party client user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
Sharing-Enabled-for-Employee-User |
Indicates whether an employee user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
Start-Date |
Indicates the date from which the report is generated for your Content Collaboration account. | String | “2021-05-23T04:00:00+00:00” |
Storage-Center-Server |
Indicates the host name of the client server from where the file is downloaded. | String | sf-downloadstreamer-sharefile-us.test.com |
Stream-ID |
Indicates the ID of the item stream. An item represents a single version of a file system object. The stream identifies all versions of the same file system object. For example, when users upload or modify an existing file, a new item is created with the same Stream ID. All item enumerations return only the latest version of a given stream. | String | st279e5d-cahg-4f8-824f-34a3704840c |
Support-File-Versioning |
Indicates whether there are multiple versions of the file that has been uploaded. | Boolean | “True” or “False” |
Template-Based-Folder |
Indicates whether the folder is created from a predefined folder template. | Boolean | “True” or “False” |
Title |
Indicates the title of the report generated for your Content Collaboration account. | String | Test report |
Trusted-Domains |
Indicates the domains that are allowed for iframe embedding and Cross-Origin Resource Sharing. | String | citrix.com |
Upload-File-Size |
Indicates the size (in Kilobytes) of the file uploaded by the user. | Number | 10 KB |
Upload-ID |
Indicates the ID of the file upload operation. | String | st279e5d-cahg-4f8-824f-34a3704840c |
User-Email |
Indicates the email address associated with the Citrix Analytics account. | String | testuser@citrix.com |
User-ID |
Indicates the ID of the user who shared the file. | String | test user |
User-Name |
Indicates the name of the user who triggered the event. | String | kevin.smith@citrix.com |
View-only |
Indicates whether the download file is in the read-only mode. | Boolean | “True” or “False” |
Virus-Name |
Indicates the name of the malware that has infected the file. | String | {HEX}EICAR.TEST.3.UNOFFICIAL |
Watermark |
Indicates whether the download file contains a watermark. | Boolean | “True” or “False” |
Zone-ID |
Indicates the ID of the storage zone where the folder is located | String | zpB65440AE-4FBC-4405-BE2F-2B9CDE962C82 |
Self-service search for Content Collaboration
Copied!
Failed!