Self-service search for Apps and Desktops
Use the self-service search to get insights into the user events received from the Citrix Virtual Apps and Desktops data source and the Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) data source. When users use virtual apps or virtual desktops, events corresponding to their activities and actions are generated. Examples of user events are file download, account logon, and app start. Citrix Analytics for Security receives these user events and displays them on the self-service page. You can track the users and their activities.
For more information on the search functionalities, see Self-service search.
Select the Apps and Desktops data source
To view the events from Citrix Virtual Apps and Desktops or Citrix DaaS, select Apps and Desktops from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.
By default, the self-service page displays the events for the last one month. The page also provides you with several facets and a search box to filter and focus on the required events.
Select the facets to filter events
Use the following facets that are associated with the Apps and Desktops events.
- Event Type: Search events based on the event type such as account logon, app end, and session end.
- Domain: Search events based on the domains such as citrate.net.
- OS: Search events based on the operating systems such as Chrome, iOS, and Windows used in the user’s device. Select the operating system name and versions to filter the events. For more information on the operating system versions, see Supported values for your search query.
Specify search query to filter events
Place your cursor in the search box to view the list of dimensions for the Apps and Desktops events. Use the dimensions and the operators to specify your query and search for the required events.
For example, suppose you want to search for events for the user “John Doe” who is using the Windows operating system.
- Enter “U” in the search box to get the related suggestions.
- Click User-Name and enter the value “John” using the equal operator.
- Select the AND operator and the OS-Name dimension. Assign the value “Windows 7” using the equal operator.
- Select the time period and click Search to view the events based on the DATA table.
Event types and supported fields
The following fields are available for all the event types except VDA.Print:
- City
- Client IP
- Country
- Device ID
- OS Name
- OS Version
- OS Extra Info
- Time
- User Name
- Workspace App Version
- Workspace App Status
The following table describes the event types available for the Apps and Desktops data source and fields specific to each event type.
Value | Description | Fields |
---|---|---|
Account.Logon | Triggers when you log on to Store through Citrix Workspace app. Note: Account.Logon is not available for the HTML5 client. | Check common fields as described above. |
Session.Logon | Triggers when you log on to your virtual session. | App Protection Policies, Domain, Session Launch Type, Session Server Name, Session User Name |
Session.End | Triggers when you terminate your virtual session. | Domain, Session Launch Type, Session Server Name, Session User Name |
App.Start | Triggers when you start a virtual app session. Note: This event type is not applicable when the application is launched within the desktop session. | App Name, Domain, Session Launch Type, Session Server Name, Session User Name |
App.End | Triggers when you terminate a virtual app session. Note: This event type is not applicable when the application is launched within the desktop session. | App Name, Domain, Session Launch Type, Session Server Name, Session User Name |
File.Download | Triggers when a user copies a file from remote virtual session to client device. It doesn’t get triggered for file transfers happening within the virtual sessions. Note: This event type is sent only when the server allows file redirection (check File Redirection Settings for more details) and client workspace File Access preference is set to Read and Write. | Domain, Download Device Type, Download File Name, Download File Path, Download File Size, Session Server Name, Session User Name |
Printing | Triggers when you print a file with the Citrix Workspace app launched session through a client printer. Note: There are two technical limitations with Citrix Workspace app that affect printing events. First, the Printed Document Name telemetry is not included in the printing event due to a known issue across all platform variants. Second, the Printed File Size telemetry is not included in the printing event for Windows because of another known technical limitation. To collect these data sets (file name/file size) use VDA.Print event. For more information, see Enabling print telemetry for Citrix DaaS. | Browser Name, Browser Version, Domain, Printer Name, Print File Format, Print File Size, Session Server Name, Session User Name |
AppProtection.ScreenCapture | Triggers when a user tries to capture a screenshot while in a protected session. Note: For more information, see App Protection. | Protected App Titles, Screen Capture Tool Name, Screen Capture Tool Path |
App.SaaS.Launch | Triggers when Citrix Workspace app launches a SaaS app in Citrix Enterprise Browser. | Browser Name, Browser Version, SaaS App Name, SaaS App URL |
App.SaaS.End | Triggers when Citrix Workspace app closes a SaaS app in Citrix Enterprise Browser. | Browser Name, Browser Version, SaaS App URL |
App.SaaS.Clipboard | Triggers when a clipboard operation is performed in Citrix Enterprise Browser. | Browser Name, Browser Version, Clipboard Details Format Size, Clipboard Details Format Type, Clipboard Details Initiator, Clipboard Details Result, Clipboard Operation, SaaS App URL |
App.SaaS.File.Download | Triggers when a file is downloaded in Citrix Enterprise Browser. | Browser Name, Browser Version, Download Device Type, Download File Path, Download File Size |
App.SaaS.File.Print | Triggers when print is initiated in Citrix Enterprise Browser. | Browser Name, Browser Version, Print File Name, SaaS App Name, SaaS App URL |
App.SaaS.Url.Navigate | Triggers when Citrix Enterprise Browser navigates a URL. | Browser Name, Browser Version, SaaS App Name, SaaS App URL |
Citrix.EventMonitor.AppStart | Triggers when an application added into the Session recording server’s app monitoring list is started within a virtual desktop session. | App Name |
Citrix.EventMonitor.AppEnd | Triggers when an application added into the Session recording server’s app monitoring list is stopped within a virtual desktop session. | App Name |
Citrix.EventMonitor.Clipboard | Triggers when a clipboard action has been performed within a session recording. | Clipboard Data Format Type, Process Name, Window Title |
Citrix.EventMonitor.FileTransfer | Triggers when a user transfers a file between a virtual desktop session and the user’s machine. | File Size, Operation Direction (Host to Client, Client to Host), Source Path, Destination Path |
Citrix.EventMonitor.RegistryChange | Triggers when a registry operation is performed. The possible registry operations are create, delete, rename, set value, and delete value. | Registry Operation, Registry Name, Registry Path, Process ID, Process File Path |
Citrix.EventMonitor.SessionEnd | Triggers when a session recording ends. | Description |
Citrix.EventMonitor.SessionLaunch | Triggers when a session recording has started. | Session Recording Type |
Citrix.EventMonitor.TopMost | Triggers when the topmost window changes. | App Name |
Citrix.EventMonitor.IdleStart | Triggers when a session becomes idle. | Check common fields as described above. |
Citrix.EventMonitor.IdleEnd | Triggers when an idle session ends. | Check common fields as described above. |
Citrix.EventMonitor.WebBrowsing | Triggers when a user interacts with webpages on browsers within a virtual desktop session. | App Name, URL |
Citrix.EventMonitor.FileCreate | Triggers when a file or a folder is created in a virtual desktop session inside the monitored file system path. | File Name, File Path, File Size |
Citrix.EventMonitor.FileRename | Triggers when a file or a folder is renamed in a virtual desktop session inside the monitored file system path. | Check common fields as described above. |
Citrix.EventMonitor.FileMove | Triggers when a file or a folder from the monitored file system path is moved in a virtual desktop session or between session hosts (VDAs) and client devices. | Check common fields as described above. |
Citrix.EventMonitor.FileDelete | Triggers when a file or a folder inside the monitored file system path is deleted in a virtual desktop session. | File Name, File Path, File Size |
Citrix.EventMonitor.CDMUSBDriveAttach | Triggers when a Client Drive Mapping (CDM) mapped USB mass storage device is inserted in a client from which the virtual Apps and Desktop Session is connected. | Check common fields as described above. |
Citrix.EventMonitor.GenericUSBDriveAttach | Triggers when a Generic redirected USB mass storage device is inserted in a client from which the virtual Apps and Desktop Session is connected. | Check common fields as described above. |
Citrix.EventMonitor.RDPConnection | Triggers when a user creates a remote desktop connection within a VDA machine. | Destination IP, Process ID |
Citrix.EventMonitor.UserAccountModification | Triggers for all types of user account operations: account creation, enablement, disablement, deletion, name changes, and password modification. | Description, Target User Name |
VDA.Print | Triggers when a print job is initiated in Apps and Desktops. Note: This event is only applicable for Citrix DaaS data source. For more information, see Enabling print telemetry for Citrix DaaS. | Document User Name, Machine Name, Print File Name, Print File Size, Printer Name, Time, Total Copies Printed, Total Pages Printed |
VDA.Clipboard | Triggers when a clipboard operation is performed in Apps and Desktops. Note: This event is only applicable for Citrix DaaS data source. For more information, see Enabling clipboard telemetry for Citrix DaaS. | Clipboard Format Type, Clipboard Operation, Clipboard Operation Direction, Clipboard Operation Permitted, Clipboard Size, Machine Name |
Note
All the session recording events require the policy for logging their events to be enabled on the Session Recording server. For more information, see Create a custom event detection policy.
Supported values for your search query
Enter the following values for the dimensions to define your search query.
Dimension | Value | Type | Description |
---|---|---|---|
App-Name | Application or desktop sessions. Example application sessions: a session without farm name: #Cloud - Excel 2016, and a session with the farm name: XA65PROD#Concur. Example desktop sessions: a session without farm name: #SINXIAP0616 $S1-1, and a session with the farm name: XA65PROD#SINXIAP0616 $S1-1 | String | Name of an application or desktop launched. |
App-Protection-Policies | Example: AntiScreenCaptureEnabled | String | Active application protection policies for the session. |
Browser-Name | Example: Google Chrome, Citrix Enterprise Browser, Microsoft Edge, FIREFOX, SAFARI | String | Browser name |
Browser-Version | Example: 80.0.3987.122, 101.0.9999.0 | String | Browser version |
City | Examples: Santa Clara, Houston, Chicago | String | The city name of a user. |
Client-IP | An IP address. Example: 10.10.10.10 | String | IP address of the user endpoint. |
Client-Type | Android, Windows, Macintosh, Chrome, HTML5, Unix/Linux, iOS, SessionRecording, Monitor | String | Indicates different types of Citrix Workspace app based on the operating systems or original data-source. |
Clipboard-Format-Type | Examples: text, html, CF_UNICODETEXT | String | The data format copied to the clipboard. |
Clipboard-Initiator | Examples: Keyboard, context menu, javascript | String | Indicates how the clipboard operation was initiated. Note: Supported only by the SaaS applications. |
Clipboard-Operation | Copy, cut, paste, or place | String | Indicates which clipboard operation is performed. Note: The place operation indicates data being placed on the clipboard. This does not guarantee if the data in the clipboard was pasted or used by the client. This operation is supported only for VDA.Clipboard Event. |
Clipboard-Operation-Direction | Client To Host, Host To Client | String | Indicates the direction of clipboard operation. Note: Supported only by Apps and Desktop (Citrix DaaS) Clipboard Operation. |
Clipboard-Operation-Permitted | Allowed or Denied | String | Indicates whether the clipboard operation is permitted in Apps and Desktop Session. Note: Supported only by Apps and Desktop (Citrix DaaS) Clipboard Operation. |
Clipboard-Result | Success or Blocked | String | Indicates the result of the clipboard operation. Note: Supported only by the SaaS applications. |
Clipboard-Size | Examples: 10, 20 | Number | Size of the data (in bytes) that is currently stored in the clipboard. |
Country | Examples: USA, India | String | The country name of a user. |
Description | For Citrix.EventMonitor.UserAccountModification events: A user account was created, a user account was enabled, an attempt was made to reset an account’s password. | String | Describes the user account modification status, such as the account was created, deleted, renamed, or an attempt was made to reset the password. |
Description | For Citrix.EventMonitor.SessionEnd events: Unknown, Logoff, Rollover, Trigger, and Incomplete | String | Describes the reason for the end of the session recording. |
Destination-IP | Example: 10.60.110.xxx | String | IP address of the remote desktop. |
Destination-Path | Example: \H$\Desktop\Folder\example.txt | String | The final path of the file after the transfer is completed. |
Device-ID | Example: cb781185-18ad-4f45-b75f | String | Device ID used for licensing, client name, or operating system hardware ID. |
Domain | Example: example.com | Structure | The domain name of a server that sent a request. |
Download-Device-Type | Examples: USB, Hard Disk Drive, RemoteDrive, cdrom, or browser downloads. | String | The device type where the file is downloaded or transferred. |
Download-File-Format | Example: txt, PDF, xlsx, docx | String | The format of the file downloaded. |
Download-File-Name | Example: example-file.txt | String | Name of the downloaded file. |
Download-File-Path | Example: C:\Users\admin\Desktop | String | The path of the downloaded file. |
Download-File-Size | Example: 8.05 | Number | The size of the downloaded file in kilobytes. |
Event-Type | Account.Logon, Session.Logon, Session.End, App.Start, App.End, File.Download, Printing, AppProtection.ScreenCapture, App.SaaS.Launch, App.SaaS.End, App.SaaS.Clipboard, App.SaaS.File.Download, App.SaaS.File.Print, App.SaaS.Url.Navigate, Citrix.EventMonitor.AppStart, Citrix.EventMonitor.AppEnd, Citrix.EventMonitor.TopMost, Citrix.EventMonitor.WebBrowsing, Citrix.EventMonitor.FileCreate, Citrix.EventMonitor.FileRename, Citrix.EventMonitor.FileMove, Citrix.EventMonitor.FileDelete, Citrix.EventMonitor.CDMUSBDriveAttach, Citrix.EventMonitor.GenericUSBDriveAttach, Citrix.EventMonitor.RDPConnection, Citrix.EventMonitor.UserAccountModification, VDA.Print, VDA.Clipboard, Citrix.EventMonitor.RegistryChange, Citrix.EventMonitor.SessionLaunch, Citrix.EventMonitor.SessionEnd, Citrix.EventMonitor.Clipboard, Citrix.EventMonitor.FileTransfer | String | For more details, see Event types and supported fields. |
Jail-Broken | Yes or No | String | Indicates if the device is rooted or not. Note: If this dimension is absent, the device is not rooted. This key applies to Citrix Workspace app for iOS and Android devices. |
Operation-Direction | Host to Client/ Client to Host | String | Indicates the direction of the file transfer. |
OS-Extra-Info | Example: 20G80, Service Pack 1, 19043 | String | Indicates the additional information of the operating system such as build numbers, service packs, and patches. |
OS-Name | Example: macOS 11, Windows 7, Android 8.1, Windows 10 Enterprise | String | Indicates the name of the operating system. |
OS-Version | Example: 11.5.1, 14.7.1, 2009 | String | Indicates the version of the operating system. |
Print-File-Format | Examples: PDF, PS, DOCX | String | Format of the printed file. |
Print-File-Name | Example: example-file.pdf | String | Name of the printed file. |
Print-File-Size | Examples: 10, 20 | String | Size of the printed file in bytes. |
Printer-Name | Example: testprinter-1 | String | Name of the printer used. |
Process-ID | Example: 11248 | String | Refers to the process ID that is used to identify the specific process that performs two actions: Creating a new process and Making a remote desktop connection. Process-ID is currently associated only with Citrix.EventMonitor.RDPConnection event. |
Protected-App-Titles | Example: Admin Desktop - Citrix Workspace | String | Name of the application running in the protected session. |
Registry-Name | Name of the modified registry | String | The name of the registry that was modified. |
Registry-Operation | Rename, Create, Delete, SetValue, DeleteValue | String | Indicates which registry operation was performed. |
Registry-Path | Path of the modified registry | String | The path of the registry that was modified. |
SaaS-App-Name | Example: Workday | String | Name of the SaaS application. |
SaaS-App-URL | Example: https://xyz.com | String | URL of the SaaS application or gateway/proxy URL. Note: The gateway/proxy URL appears in the App.SaaS.Launch Event when the SaaS application is launched initially. |
Screen-Capture-Tool-Name | Example: ScreenShotTool.exe | String | Name of the screen capture tool. |
Screen-Capture-Tool-Path | Example: c:\Program files (x86)\ScreenContent Client | String | Path of the screen capture tool. |
Session-Launch-Type | Application or Desktop | String | Indicates if the launched session is an application or desktop type. |
Session-Recording-Type | Traditional recording/ Event only recording | String | Indicates the type of the launched session recording. |
Session-Server-Name | Examples: Hosted Desktop, Cloud-VDA-1 | String | Name of the application or desktop connected to as received from a server. |
Session-User-Name | Examples: demo-user, test-user | String | User name received from the server. |
Source-Path | Example: C:\Users\admin\Desktop\example.txt | String | The initial path of the file before it was transferred. |
Target-User-Name | Examples: user01 | String | Currently, the Target-User-Name is only used for the Citrix.EventMonitor.UserAccountModification event, in which it’s the user account which was modified. |
Total-Copies-Printed | Examples: 1, 2 | Number | Total number of copies printed by the user. |
Total-Pages-Printed | Examples: 1, 2 | Number | Total number of the document pages printed by the user. |
User-Name | user name or Domain\username | String | The user name or domain\username. Used for StoreFront login. If the StoreFront logon is not through Citrix Workspace app for HTML5 or Chrome, then this value is same as the one received from server. |
VDA-Name | Example: TSVDA-19-01.xd.local | String | Indicates the name of the VDA machine. |
Window-Title | Example: Administrator - 01 Command Prompt | String | Indicates the title of the window in which the clipboard operation was performed. |
Workspace-App-Version | Example: 20.8.0.3 (2008) | String | Citrix Workspace app or Citrix Receiver version installed on the user’s device and used to launch remote virtual Apps and Desktop Sessions. |
Workspace-App-Status | Supported or Unsupported | String | Indicates whether the installed version of Citrix Workspace app or Citrix Receiver on the user’s device is supported or not supported by Citrix Analytics for Security. Hover over Unsupported when the Workspace App is not supported. A pop-up window appears with a link to view the list of supported versions. When a Workspace App version is approaching its unsupported status, a banner is displayed on the self-service search page, listing the available supported versions to which you can initiate an upgrade. |
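The following Python is an added example, not part of the Citrix documentation. It shows why the units in the table above matter when totalling outbound data per user for a data-loss review: Download-File-Size is in kilobytes, Clipboard-Size is a number of bytes, and Print-File-Size is a string of bytes that the Printing event can omit. The events are constructed sample data; their shape (one dict per event, keyed by dimension name) and the 1024-byte kilobyte are assumptions.

```python
from collections import defaultdict

KB = 1024  # assumption: the page says "kilobytes" without fixing 1000 vs 1024

# Constructed sample events; one dict per event, keyed by dimension name (assumed shape).
SAMPLE_EVENTS = [
    {"Event-Type": "File.Download", "User-Name": "demo-user",
     "Download-Device-Type": "USB", "Download-File-Size": 8.05},
    {"Event-Type": "VDA.Clipboard", "User-Name": "demo-user",
     "Clipboard-Operation": "place", "Clipboard-Operation-Direction": "Host To Client",
     "Clipboard-Operation-Permitted": "Allowed", "Clipboard-Size": 20},
    {"Event-Type": "VDA.Clipboard", "User-Name": "test-user",
     "Clipboard-Operation": "place", "Clipboard-Operation-Direction": "Host To Client",
     "Clipboard-Operation-Permitted": "Denied", "Clipboard-Size": 10},
    {"Event-Type": "VDA.Clipboard", "User-Name": "test-user",
     "Clipboard-Operation": "place", "Clipboard-Operation-Direction": "Client To Host",
     "Clipboard-Operation-Permitted": "Allowed", "Clipboard-Size": 10},
    {"Event-Type": "Printing", "User-Name": "test-user",
     "Printer-Name": "testprinter-1", "Print-File-Size": "20"},
    # Printing event without Print-File-Size, as the page describes for Windows clients.
    {"Event-Type": "Printing", "User-Name": "demo-user", "Printer-Name": "testprinter-1"},
]


def _to_bytes(value, scale):
    """Convert a Number or numeric String to whole bytes; None if absent or malformed."""
    try:
        return round(float(value) * scale)
    except (TypeError, ValueError):
        return None


def outbound(event):
    """Return (channel, size_in_bytes_or_None) if the event moves data to the client."""
    etype = event.get("Event-Type")
    if etype == "File.Download":  # always remote session -> client device
        return "download", _to_bytes(event.get("Download-File-Size"), KB)
    if etype == "VDA.Clipboard":
        if event.get("Clipboard-Operation-Direction") != "Host To Client":
            return None
        if event.get("Clipboard-Operation-Permitted") != "Allowed":
            return None
        # "place" only means data reached the clipboard, so this is an upper bound.
        return "clipboard", _to_bytes(event.get("Clipboard-Size"), 1)
    if etype == "Printing":
        return "print", _to_bytes(event.get("Print-File-Size"), 1)
    return None


def summarize(events):
    """Per user: total known bytes, count of events with no usable size, channels seen."""
    totals = defaultdict(lambda: {"bytes": 0, "unsized": 0, "channels": set()})
    for event in events:
        hit = outbound(event)
        if hit is None:
            continue
        channel, size = hit
        row = totals[event.get("User-Name", "<unknown>")]
        row["channels"].add(channel)
        if size is None:
            row["unsized"] += 1  # keep the event visible instead of counting it as 0 bytes
        else:
            row["bytes"] += size
    return dict(totals)
```

Events with no usable size are counted separately so that a missing Print-File-Size does not read as "nothing was printed".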
Operating system naming format
Citrix Analytics receives the operating system (OS) details of a user device and translates them into OS Name, OS Version, and OS Extra Info.
- OS Name indicates the name of the operating system.
- OS Version indicates the release ID or the release version of the operating system.
- OS Extra Info indicates the additional information of the operating system such as build numbers, service packs, and patches.
The following table provides a few examples of the version numbering format of operating systems.
OS Name | OS Version | OS Extra Info |
---|---|---|
macOS 11 | 11.5.1 | 20G80 |
iOS 14 | 14.7.1 | Not Available |
Windows 10 Enterprise | 2009 | 19043 |
Windows 7 | 6.1 | Service Pack 1 |
Android 8.1 | 8.1.0 | Not Available |
Notes
To get the OS details for Mac version 11.x or later, the recommended client version is Citrix Workspace app for Mac 2108 or later.
The OS details for Windows 10 are currently not available.