Citrix Analytics for Security

Self-service search for Content Collaboration

Use the self-service search to get insights into the user events received from the Content Collaboration data source. When users use the Content Collaboration service, events such as login, delete, download, and upload are generated. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can track the users and their activities.

For more information on the search functionalities, see Self-service search.

Select the Content Collaboration data source

To view the Content Collaboration events, select Content Collaboration from the list. By default, the self-service page displays the events for the last day. You can also select the time period for which you want to view the events.

Content collaboration selects

Select the facets to filter events

Use the following facets that are associated with the Content Collaboration events.

  • Download File Size: Indicates the size of the file downloaded from Content Collaboration.

  • Event Type: Indicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete.

    Content collaboration facets

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Content Collaboration events. Use the dimensions and the operators to specify your query and search for the required events.

Content collaboration dimensions

For example, suppose that you want to search for events that originate from India and have a file size greater than 900,000 bytes. Specify the query as shown in the figure.

  1. Enter “Co” in the search box to get the related suggestions.

    Content collaboration search query 1

  2. Select Country and enter the value “India” using the equal operator.

    Content collaboration search query 2

    Content collaboration search query 3

  3. Select the AND operator and then select the File-Size dimension. Select the > operator and enter the file size value in bytes.

    Content collaboration search query 4

  4. Select the time period and click Search to view the events on the DATA table.

Audit logs

The audit logs provide insights into the permissions and actions that the Content Collaboration administrators apply to the user accounts. Using this data, you can verify whether the Content Collaboration administrators have taken valid actions on the user accounts.

You can view the following audit logs in the self-service search.

Note

To receive these logs on Citrix Analytics, you must integrate the Citrix Content Collaboration service with Citrix Workspace.

| Event | Attributes |
| --- | --- |
| Distribution Group Create | Group ID, Group Shared, Client OS, Client IP, Group Name, Owner ID, User Email |
| Distribution Group Delete | Group ID, Group Name |
| Distribution Group Update | Group ID, Is Shared |
| DLP Update, DLP Policy Update | DLP Enabled, Client OS, Client IP, Saved Format, Download Enabled for Anonymous User, Download Enabled for Client User, Download Enabled for Employee User, Sharing Enabled for Client User, Sharing Enabled for Employee User |
| Login and Security Policy Update | Trusted Domains, User Name, Client OS, Client IP, Logout Users After Activity, Maximum Failed Logins, Locked Out Duration, Enabled Two Factor Auth for Users, Enabled Two Factor Auth for Employees, Enabled Two Factor Auth, User Email |
| Report Create, Report Update, Report Delete | Created Date, End Date, Report Title, Recurring Frequency, Subfolders Included, Recurring, Schedule Report, Last Run Date, Report Type, Saved Format, Saved Folder, Start Date |
| SSO Settings Update | Active Profile Cookies, Client OS, Client IP, IP Restrictions, Activated SSO, Login URL, Logout URL, IdP Type, SP-Initiated Auth Context, SP-Initiated Auth Method, User Email, SP-Initiated Redirect Method, Enabled Web Authentication |
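
One way to act on these audit logs, as an added example that is not part of the Citrix documentation or product: the script below reviews audit events for administrator changes that weaken account security. The CSV layout, the baseline values, and the sample rows are assumptions constructed for illustration; the column names follow the dimension table on this page.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumed baseline for this example; replace with your organisation's policy.
BASELINE = {"max_failed": 5, "lockout_seconds": 120, "idp_hosts": {"idp.example.com"}}

# Constructed sample rows. Column names are dimensions from this page; the CSV
# layout and the Event-Type strings (taken from the audit-log table) are assumed.
SAMPLE = """\
Event-Type,User-Email,Enabled-Two-Factor-Auth,Maximum-Failed-Attempts,Locked-Out-Duration,Is-Enabled,Download-Enabled-for-Anonymous-User,Login-URL
Login and Security Policy Update,admin1@example.com,False,50,120,,,
Login and Security Policy Update,admin2@example.com,True,5,120,,,
DLP Update,admin1@example.com,,,,True,True,
SSO Settings Update,admin3@example.com,,,,,,https://unlisted-idp.example/sso
SSO Settings Update,admin2@example.com,,,,,,https://idp.example.com/sso/saml2
"""

def findings(row):
    """Return the reasons one audit event weakens the security posture."""
    out, event = [], row["Event-Type"]
    if event == "Login and Security Policy Update":
        if row["Enabled-Two-Factor-Auth"].lower() == "false":
            out.append("two-factor authentication disabled")
        if row["Maximum-Failed-Attempts"] and int(row["Maximum-Failed-Attempts"]) > BASELINE["max_failed"]:
            out.append("failed-login limit raised above baseline")
        if row["Locked-Out-Duration"] and int(row["Locked-Out-Duration"]) < BASELINE["lockout_seconds"]:
            out.append("lockout duration shortened below baseline")
    elif event == "DLP Update":
        if row["Is-Enabled"].lower() == "false":
            out.append("DLP disabled")
        if row["Download-Enabled-for-Anonymous-User"].lower() == "true":
            out.append("anonymous download allowed")
    elif event == "SSO Settings Update":
        host = urlsplit(row["Login-URL"]).hostname
        if host not in BASELINE["idp_hosts"]:
            out.append(f"SSO login URL points to unapproved host {host}")
    return out

def review(csv_text):
    """Return (administrator email, event type, reasons) for each flagged event."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["User-Email"], r["Event-Type"], why) for r in rows if (why := findings(r))]

if __name__ == "__main__":
    for who, event, reasons in review(SAMPLE):
        print(f"{who}: {event}: {'; '.join(reasons)}")
```
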

Malware logs

The malware event File.VirusInfected is triggered when a file uploaded by a Content Collaboration user is infected with malware. The following logs are specific to the malware event.

| Event | Attributes |
| --- | --- |
| File.VirusInfected | File Creator Name, File Owner Name, File Creator Email Address, File Owner Email Address, File Size, Shared Folder Name, File Path, File Creation Date, File Hash, File ID, Virus Name |

Supported dimensions for your search query

The following table describes the dimensions that you can view in the self-service search events. You can use these dimensions for defining your search query.

| Dimension | Description | Value type | Example |
| --- | --- | --- | --- |
| Account-ID | Indicates the account ID of the user. | String | adb8477a-6bf1-2108-fa4b-55dea0b8c44c |
| Active-Profile-Cookies | Indicates if the advanced settings are used by the Content Collaboration active clients such as mobile clients, sync engine, and Outlook plug-in. This parameter might be required to automate selection in certain IdP configurations. | String | |
| Alias-ID | Indicates the alias ID of the user. | String | testuser1 |
| Bytes-Total | Indicates the total size (KB) of the file that is downloaded. If multiple files are downloaded simultaneously (batch download), then the bytes total indicates the total size of all the downloaded files. | Number | 105 |
| City | Indicates the city from which the user has logged on to the Content Collaboration service. | String | Chicago |
| Client-IP | Indicates the IP address of the user’s network. | String | 172.xxx.xxx.xx |
| Client-OS | Indicates the operating system of the user’s device. | String | Windows 10 |
| Country | Indicates the country from which the user has logged on to the Content Collaboration service. | String | United States |
| Create-Date | Indicates the date and time when the report is created. | String | 2021-05-25T13:54:36.167 |
| Created-By | Indicates the user who created the report. | String | user1 |
| Creator-ID | Indicates the ID of the user who created the report. | String | 77f300f8-8d89-4891-bb58 |
| Download-Enabled-for-Anonymous-User | Indicates whether an anonymous user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
| Download-Enabled-for-Client-User | Indicates whether a third-party client user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
| Download-Enabled-for-Employee-User | Indicates whether an employee user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
| Download-File-Size | Indicates the size (in KB) of the file downloaded by the user. | Number | 10.8 KB |
| Enabled-Web-Authentication | Indicates if SAML IdP is configured for web-based authentication and the user account is using ShareFile Sync for Windows, ShareFile Sync for Mac, or ShareFile Outlook plug-in. | String | “True” or “False” |
| Enabled-Two-Factor-Auth | Indicates if the two-factor authentication feature is enabled either for employee users or client users. | String | “True” or “False” |
| Enabled-Two-Factor-Auth-for-Employees | Indicates if two-factor authentication is enabled for employee users. | String | “True” or “False” |
| Enabled-Two-Factor-Auth-for-Users | Indicates if two-factor authentication is enabled for client users. | String | “True” or “False” |
| End-Date | Indicates the date after which the report is not generated for your Content Collaboration account. | | “2021-05-23T04:00:00+00:00” |
| Event-ID | Indicates the unique identity associated with a user event. | String | 77f300f8-8d89-4891-bb58-53b05c44766d |
| Event-Type | Indicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete. | String | File.Upload, Session.Login, Share.Create |
| Event-User-ID | Indicates the ID of the user who triggered the event. | String | 8d89-4891-bb58-53b05 |
| File-Creation-Date | Indicates the date when the infected file is created. | String | 2021-05-25T13:54:36.16 |
| File-Creator-Email-Address | Indicates the email ID of the user who originally created the file that is infected with malware. | String | user1@citrix.com |
| File-Creator-Name | Indicates the name of the user who originally created the file that is infected with malware. | String | User1 |
| File-Hash | Indicates the hash value of the infected file. | String | 88e300f8-8d89-4891-bb58 |
| File-ID | Indicates the unique ID of the infected file. | String | fib0257-1bd802-0707-44c12 |
| File-Name | Indicates the name of the file shared, uploaded, or downloaded by the user. | String | Usage Report 2021 |
| File-Owner-Name | Indicates the current owner of the infected file. | String | User2 |
| File-Owner-Email-Address | Indicates the email ID of the current owner of the infected file. | String | user2@citrix.com |
| File-Path | Indicates the path of the infected file in Content Collaboration. | String | /testfolder/test-file.pdf |
| File-Size | Indicates the size of the infected file in bytes. | Number | 10 B |
| Folder-ID | Indicates the ID of the folder created on Content Collaboration. | String | 8d89-4891-bb58-53b05c |
| Frequency | Indicates the recurring frequency of the report that is generated for your Content Collaboration account. | String | “Daily”, “Weekly”, or “Monthly” |
| Group-ID | Indicates the ID of the Distribution Group. | String | g0183f52-f219-4816-9b8e-9584e504a083 |
| Group-Name | Indicates the name of the Distribution Group. | String | Test group 1 |
| IdP-Type | Indicates the type of identity provider configured for the user. | String | |
| IP-Restrictions | Indicates the IP addresses from which the users are restricted from signing in to their Content Collaboration accounts. | | |
| Inactive-Logout-Duration | Indicates the duration of inactivity after which the inactive users are logged out of their account. The duration is measured in minutes. By default, this duration is set to 1 hour (60 minutes). | Number | 60 |
| Include-Sub Folders | Indicates whether the report is created for a selected folder and its subfolders. | Boolean | “True” or “False” |
| Is-Active | Indicates if single sign-on is enabled for non-administrator employees using your IdP. | Boolean | “True” or “False” |
| Is-Employee | Indicates if the user is an employee of your organization. | String | “True” or “False” |
| Is-Enabled | Indicates whether Data Loss Prevention is enabled for your Content Collaboration account. | Boolean | “True” or “False” |
| Is-Recurring | Indicates whether the report generates after a regular interval. | Boolean | “True” or “False” |
| Is-Scheduled | Indicates whether the report is scheduled. | Boolean | “True” or “False” |
| Is-Shared | Indicates if the Distribution Group sharing is enabled for all employees. | String | “True” or “False” |
| Last-Run-Date | Indicates when the report was last generated. | String | “0001-01-01T00:00:00” |
| Locked-Out-Duration | Indicates the duration for which the user is locked out of their account when they failed to log on and exceeded the maximum allowed logon attempts. The duration is measured in seconds. | Number | 120 |
| Login-URL | Indicates the URL of the user’s IdP assertion consumer service. | String | https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=fa7a185d-d748-459 |
| Logout-URL | Indicates the URL that Content Collaboration uses when a user logs out of their single sign-on session. | String | https://secure.sharefiletest.com |
| Maximum-Failed-Attempts | Indicates the maximum number of attempts a user is allowed to enter an invalid password before being locked out of the account for a specific time period. | Number | 5 |
| OAuth-Client-ID | Indicates the unique ID of the user that uses the authorization server. | String | Dzi4UPUAg5l8beKjioecdchmHUTWWln9 |
| Operation-Name | Indicates the types of operations performed on Content Collaboration. | String | Create, Delete, Upload, Download, Share, Login, Copy, Update |
| Owner-ID | Indicates the owner ID of the Distribution Group. | String | 10812e09-ab02-4115-8405-8uas5e71258f |
| Report-Type | Indicates the type of report that is created. The report types and their corresponding IDs are: 0 - Access report; 1 - Activity report; 2 - Storage report; 3 - Messaging report; 4 - Bandwidth detail report; 5 - Bandwidth summary report; 6 - Encrypted email report; 7 - Storage summary report; 8 - User summary report; 9 - Access change report; 10 - Share send report; 11 - Share request report. | Number | 0, 2, 10 |
| Resource-ID | Indicates the ID of the resource. | String | 6bf1-2108-fa4b-55dea0b |
| Resource-Type | Indicates the resources on which operations are performed. | String | File, Users, Session, Account |
| Shared-Folder-Name | Indicates the shared folder in which the infected file is uploaded. | String | testfolder |
| SP-Initiated Auth Context | Indicates the comparison level for the authentication context. The IdP must match the selected authentication method when the “Exact” comparison is used, or a method of higher relative strength when the “Minimum” comparison is used. | String | “Minimum” or “Exact” |
| SP-Initiated-Auth-Method | Indicates the method for the authentication context. Based on the selection, it can be Unspecified, User Name and Password, Password Protected Transport, Transport Layer Security Client, X.509 Certificate, Integrated Windows Authentication, or Kerberos. | String | urn:oasis:names:tc:SAML:2.0:ac:classes:Password |
| SP-Initiated-Redirect-Method | Indicates the method of SP-initiated redirection based on the size of the certificate provided by Content Collaboration. | String | “Default”, “HTTP” or “POST” |
| Save-Format | Indicates the format of the saved report. | String | “Excel” or “CSV” |
| Save-To-Folder | Indicates whether the report should be saved in a particular folder. | Boolean | “True” or “False” |
| Sharing-Enabled-for-Client User | Indicates whether a third-party client user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
| Sharing-Enabled-for-Employee-User | Indicates whether an employee user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan. | Boolean | “True” or “False” |
| Start-Date | Indicates the date from which the report is generated for your Content Collaboration account. | String | “2021-05-23T04:00:00+00:00” |
| Title | Indicates the title of the report generated for your Content Collaboration account. | String | Test report |
| Trusted-Domains | Indicates the domains that are allowed for iframe embedding and Cross-Origin Resource Sharing. | String | citrix.com |
| Upload-File-Size | Indicates the size (in Kilobytes) of the file uploaded by the user. | Number | 10 KB |
| User-Email | Indicates the email address of the user who triggered the event. | String | testuser@citrix.com |
| User-Name | Indicates the name of the user who triggered the event. | String | kevin.smith@citrix.com |
| Virus-Name | Indicates the name of the malware that has infected the file. | String | {HEX}EICAR.TEST.3.UNOFFICIAL |