Citrix Analytics for Security

Self-service search for Virtual Apps and Desktops

Use the self-service search to get insights into the user events received from the Virtual Apps and Desktops data source. When users use virtual apps and virtual desktops, events corresponding to their activities and actions are generated. Examples of user events are file download, account logon, and app start. Citrix Analytics for Security receives these user events and displays them on the self-service page. You can track the users and their activities.

For more information on the search functionalities, see Self-service search.

Select Virtual Apps and Desktops data source

To view the events, select Apps and Desktops from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.

Select Citrix Virtual Apps and Desktops

By default, the self-service page displays the events for the last one month. The page also provides you with several facets and a search box to filter and focus on the required events.

Select the facets to filter events

Use the following facets that are associated to the Virtual Apps and Desktops events.

Virtual Apps and Desktops facets

  • Event Type- Search events based on the event type such as account logon, app end, session end.

  • Domain- Search events based on the domains such as citrate.net.

  • OS- Search events based on the operating systems such as Chrome, iOS, and Windows used in the user’s device. Select the major versions or the minor versions associated with the operation systems and filter the events. For more information on the operating system versions, see Supported values for your search query.

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Virtual Apps and Desktops events. Use the dimensions and the operators to specify your query and search for the required events.

Virtual Apps and Desktops dimensions

For example, you want to search events for the user “John Doe” who is using the Windows operating system.

  1. Enter “U” in the search box to get the related suggestions.

    Virtual Apps and Desktop search query 1

  2. Click User-Name and enter the value “John” using the equal operator.

    Virtual Apps and Desktop search query 2

  3. Select the AND operator and the OS-Major-Version dimension. Assign the value “Android 10” using the equal operator.

    Virtual Apps and Desktop search query 3

  4. Select the time period and click Search to view the events based on the DATA table.

Event types and supported fields

The following table describes the event types available for Citrix Virtual Apps and Desktops.

Value Description
Account.Logon Triggers when you log on to StoreFront through Citrix Workspace app.
App.Start Triggers when you start an app session. Note: This dimension is not applicable when the application is launched within the desktop session.
App.End Triggers when you terminate an app session.
App.SaaS.Launch Triggers when Citrix Workspace app launches a SaaS app in Embedded browser Engine (BE).
App.SaaS.End Triggers when Citrix Workspace app closes a SaaS app in BE.
App.SaaS.Clipboard Triggers when a clipboard operation is performed in BE.
App.SaaS.File.Download Triggers when a file is downloaded in BE.
App.SaaS.File.Print Triggers when print is initiated in BE.
App.SaaS.Url.Navigate Triggers when BE navigates a URL.
File.Download Triggers when you download or transfer a file through CDM or when you transfer a file within the Citrix Workspace app launched session.
Printing Triggers when you print a file with the Citrix Workspace app launched session.
Session.Launch Triggers when you launch your session through Citrix Workspace app.
Session.Logon Triggers when you log on to your session.
Session.End Triggers when you terminate your session.

The following table shows the fields specific to each event type.

Event type Fields
App.Start App Name, Domain, Session Launch Type, Session User Name, Session Server Name
App.End App Name, Domain, Session Launch Type, Session User Name, Session Server Name
App.SaaS.Launch Browser, SaaS App Name, SaaS App URL
App.SaaS.End Browser, SaaS App URL
App.SaaS.Clipboard Clipboard Details Format Type, Clipboard Operation, Clipboard Details Format Size, Clipboard Details Result, Clipboard Details Initiator, Browser, SaaS App URL
App.SaaS.File.Download Browser, Download File Path, Download File Size, Download Device Type
App.SaaS.File.Print Print File Name, Browser, SaaS App Name, SaaS App URL
App.SaaS.Url.Navigate Browser, SaaS App Name, SaaS App URL
File.Download Domain, Download Device Type, Download File Name, Download File Path, Download File Size, Session User Name, Session Server Name
Printing Browser, Printer Name, Print File Format, Print File Size, Session User Name, Domain, Session Server Name
Session.Logon Domain, Session Launch Type, Session User Name, Session Server Name
Session.Launch App Name, Session Launch Type
Session.End Domain, Session Launch Type, Session User Name, Session Server Name

The following fields are available for all the event types:

  • City

  • Client IP

  • Country

  • Device ID

  • OS Major Version

  • OS Minor Version

  • OS Extra Details

  • Time

  • User Name

  • Workspace App Version

Supported values for your search query

Enter the following values for the dimensions to define your search query.

App-Name

For the App-Name dimension, enter the following value:

Value Type Description
Application or desktop sessions. String Name of an application or desktop launched. Also, specify the farm name if it is present.

Example application sessions:

  • A session without farm name:

     #Cloud - Excel 2016
    
  • A session with the farm name:

     XA65PROD#Concur
    

Example desktop sessions:

  • A session without farm name:

     #SINXIAP0616 $S1-1
    
  • A session with the farm name:

     XA65PROD#SINXIAP0616 $S1-1
    

Browser

For the Browser dimension, enter the following value:

Value Type Description
Example: Chrome 62.0.3202.89 String Browser name and version.

This dimension applies to Citrix Workspace app and for Chrome HTML5.

City

For the City dimension, enter the following value:

Value Type Description
Examples: Santa Clara, Houston, Chicago String The city name of a user.

Client-IP

For the Client-IP dimension, enter the following value:

Value Type Description
An IP address. Example: 10.10.10.10 String IP address of the user endpoint.

Client-Type

For the Client-Type dimension, enter the following value:

Value Type Description
XA.Receiver.Windows, XA.Receiver.Mac, XA.Receiver.Chrome, XA.Receiver.Android, XA.Receiver.Linux, or XA.Receiver.iOS String Indicates different types of Citrix Workspace app based on the operating systems.

Clipboard-Format-Type

For the Clipboard-Format-Type dimension, enter the following value:

Value Type Description
Examples: text, html String The data format copied to the clipboard.

Note

Supported only by the SaaS applications.

Clipboard-Initiator

For the Clipboard-Initiator dimension, enter the following value:

Value Type Description
Examples: Keyboard, context menu, javascript String Indicates how the clipboard operation was initiated.

Note

Supported only by the SaaS applications.

Clipboard-Operation

For the Clipboard-Operation dimension, enter the following value:

Value Type Description
Copy, cut, or paste. String Indicates which clipboard operation is performed.

Note

Supported only by the SaaS applications.

Clipboard-Result

For the Clipboard-Result dimension, enter the following value:

Value Type Description
Success or Blocked String Indicates the result of the clipboard operation.

Clipboard-Size

For the Clipboard-Size dimension, enter the following value:

Value Type Description
Examples: 10, 20 Number Size of the data (in bytes) that is currently stored in the clipboard.

Country

For the Country dimension, enter the following value:

Value Type Description
Examples: USA, India String The country name of a user.

Device-ID

For the Device-ID dimension, enter the following value:

Value Type Description
Example: cb781185-18ad-4f45-b75f String Device ID used for licensing, client name, or operating system hardware ID.

Domain

For the Domain dimension, enter the following value:

Value Type Description
Example: example.com Structure The domain name of a server that sent a request.

Download-Device-Type

For the Download-Device-Type dimension, enter the following value:

Value Type Description
Examples: USB, hard drive, remote drive, CD-ROM, or browser downloads. String The device type where the file is downloaded or transferred.

Download-File-Name

For the Download-File-Name dimension, enter the following value:

Value Type Description
Example: example-fle.txt String Name of the downloaded file.

Download-File-Path

For the Download-File-Path dimension, enter the following value:

Value Type Description
Example: C:\Users\admin\Desktop String The path of the downloaded file.

Download-File-Size

For the Download-File-Size dimension, enter the following value:

Value Type Description
Example: 8.05 Number The size of the downloaded file in kilobytes.

Event-Type

For the Event-Type dimension, enter one of the following values based on your requirement:

Value Type Description
Account.Logon String Triggers when you log on to StoreFront through Citrix Workspace app.
App.Start String Triggers when you start an app session. Note: This dimension is not applicable when the application is launched within the desktop session.
App.End String Triggers when you terminate an app session.
App.SaaS.Launch String Triggers when Citrix Workspace app launches a SaaS app in Embedded browser Engine (BE).
App.SaaS.End String Triggers when Citrix Workspace app closes a SaaS app in BE.
App.SaaS.Clipboard String Triggers when a clipboard operation is performed in BE.
App.SaaS.File.Download String Triggers when a file is downloaded in BE.
App.SaaS.File.Print String Triggers when print is initiated in BE.
App.SaaS.Url.Navigate String Triggers when BE navigates a URL.
File.Download String Triggers when you download or transfer a file through CDM or when you transfer a file within the Citrix Workspace app launched session.
Printing String Triggers when you print a file with the Citrix Workspace app launched session.
Session.Launch String Triggers when you launch your session through Citrix Workspace app.
Session.Logon String Triggers when you log on to your session.
Session.End String Triggers when you terminate your session.

Jail-Broken

For the Jail-Broken dimension, enter the following value:

Value Type Description
Yes or No String Indicates if the device is rooted or not.

If this dimension is absent, the device is not rooted. This key applies to Citrix Workspace app for iOS and Android devices.

Operating system (OS) version format: OS-Major-Version, OS-Minor-Version, and OS-Extra-Details

Citrix Analytics receives the operating system (OS) details of a user device and translates them into OS Major Version, OS Minor Version, and OS Extra Details.

The following table provides a few examples of the version numbering format of operating systems.

OS details from user event OS Major Version OS Minor Version OS Extra Details
Microsoft Windows NT 6.1.7600.0 Windows NT 6.1 7600 Not available (NA)
Windows 10 Service Pack 3 Windows 10 NA Service Pack 3
Windows 10 Windows 10 NA NA
Windows 8.1 Windows 8.1 NA NA
Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 NA Service Pack 1
Windows Server 2012 R2 Windows Server 2012 R2 NA NA
Windows 10 Server Windows 10 Server NA NA
Windows 2012 Server Windows 2012 Server NA NA
Microsoft Windows NT 6.1.7601 Service Pack 1 Windows NT 6.1 7601 Service Pack 1
Microsoft Windows XP Windows XP NA NA
macOS Version 10.13.6 (Build 17G14033) macOS 10.13 6 Build 17G14033
iOS(14.0.1) iOS 14.0 1 NA
IPAD 12.0.1 iOS 12.0 1 NA
IPHONE 14.1.0 iOS 14.1 0 NA
ANDTAB 5.0.2 Android 5.0 2 NA
ANDPHONE 8.1.0 Android 8.1 0 NA
MAC 10_13_2 macOS 10.13 2 NA
Chrome 86.0.4240.18 Chrome OS 86.0 4240 18
Linux 5.4.0-48-generic-x86_64-Linux Mint 20 Linux Mint 20 NA 5.4.0-48-generic
Linux Mint 19.3 Tricia Linux Mint 19.3 Tricia NA NA

For the Print-File-Format dimension, enter the following value:

Value Type Description
Examples: PDF, PS, DOCX String Format of the printed file.

For the Print-File-Name dimension, enter the following value:

Value Type Description
Example: example-file.pdf String Name of the printed file.

For the Print-File-Size dimension, enter the following value:

Value Type Description
Examples: 10, 20 String Size of the printed file in bytes.

Printer-Name

For the Printer-Name dimension, enter the following value:

Value Type Description
Example: testprinter-1 String Name of the printer used.

SaaS-App-Name

For the SaaS-App-Name dimension, enter the following value:

Value Type Description
Example: Workday String Name of the SaaS application.

SaaS-App-URL

For the SaaS-App-URL dimension, enter the following value:

Value Type Description
Example: https://xyz.com String URL of the SaaS application.

Session-Launch-Type

For the Session-Launch-Type dimension, enter the following value:

Value Type Description
Application or Desktop String Indicates if the launched session is an application or desktop type.

Session-Server-Name

For the Session-Server-Name dimension, enter the following value:

Value Type Description
Examples: Hosted Desktop, Cloud-VDA-1 String Name of the application or desktop connected to as received from a server.

Session-User-Name

For the Session-User-Name dimension, enter the following value:

Value Type Description
Examples: demo-user, test-user String User name received from the server.

User-Name

For the User-Name dimension, enter the following value:

Value Type Description
Specify username or domain\\username String The user name or domain\\username. Used for StoreFront login. If the StoreFront logon is not through Citrix Workspace app for HTML5 or Chrome, then this value is same as the one received from server.

Important

If the data source is Citrix Workspace app for HTML5 or Chrome, the Account.Logon and Session.Launch dimensions do not have this field.

Workspace-App-Version

For the Workspace-App-Version dimension, enter the following value:

Value Type Description
Example: 20.8.0.3 (2008) String Citrix Workspace app or Citrix Receiver version installed on the user’s device.
Self-service search for Virtual Apps and Desktops