Citrix Analytics for Security

Citrix Analytics data exports format for SIEM

January 11, 2023

Contributed by:

C R M

Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you to gain insight into your organization’s security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.

Data export

The risk insights data sent by Citrix Analytics for Security to your SIEM service are of two types:

Risk insights events (Default exports)
Data Source events (Optional exports)

Risk insights data for SIEM

Once you have completed the account configuration and SIEM set up, default data (risk insights events) start flowing to your SIEM deployment. Risk insights data contains user risk score, user profile, and risk indicator alerts. These are generated by Citrix Analytics machine learning algorithm, user behavior analysis, and based on user events.

The risk insights data of a user includes the following:

Risk score change - The difference between the current risk score and the previous risk score of a user. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
Risk indicator summary - The details of the risk indicator associated with a user.
Risk indicator event details - The details of the user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. These events are sent in the chronological order of occurrence, where the first 1000 risk indicator event details are sent.
User risk score – The current risk score of a user. Citrix Analytics for Security sends this data to SIEM service every 12 hours.
User profile - The user profile data can be categorized into:
- User apps - The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to SIEM service every 12 hours.
- User data usage – The data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to SIEM service every 12 hours.
- User device - The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to SIEM service every 12 hours.
- User location - The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration. Citrix Analytics for Security sends this information to your SIEM service every 12 hours.

If you are only able to view but unable to configure, then you do not have all the access permission and the account is disabled for you. In the following example, the Save Changes button is disabled. You can however get the detailed information that there are set of default events goes out to the SIEM environment and Risk Insights. The risk insight events are enabled by default.

Risk insights data

Schema details of the risk insights events

The following section describes the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema samples are only for representational purpose. The actual field values vary based on the user profile, user events, and the risk indicator.

The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.

Field name	Description
`entity_id`	The identity associated with the entity. In this case, the entity is the user.
`entity_type`	The entity at risk. In this case, the entity is the user.
`event_type`	The type of data sent to your SIEM service. For example: user’s location, user’s data usage, or user’s device access information.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and time of the recent user activity.
`version`	The schema version of the processed data. The current schema version is 2.

User profile data schema

User location schema

{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}

<!--NeedCopy-->

Field description for user location

Field name	Description
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s location.
`country`	The country from where the user has logged in.
`city`	The city from where the user has logged in.
`cnt`	The number of times the location was accessed in the last 12 hours.

User data usage schema

{"data_usage_bytes": 87555255, "deleted_file_cnt": 0, "downloaded_bytes": 87555255, "downloaded_file_cnt": 5, "entity_id": "demo@demo.com", "entity_type": "user", "event_type": "userProfileUsage", "shared_file_cnt": 0, "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "uploaded_bytes": 0, "uploaded_file_cnt": 0, "version": 2}

<!--NeedCopy-->

Field description for user data usage

Field name	Description
`data_usage_bytes`	The amount of data (in bytes) used by the user. It is the aggregate of the downloaded and uploaded volume for a user.
`deleted_file_cnt`	The number of files deleted by the user.
`downloaded_bytes`	The amount of data downloaded by the user.
`downloaded_file_count`	The number of files downloaded by the user.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s usage profile.
`shared_file_count`	The number of files shared by the user.
`uploaded_bytes`	The amount of data uploaded by the user.
`uploaded_file_cnt`	The number of files uploaded by the user.

User device schema

{"cnt": 2, "device": "user1612978536 (Windows)", "entity_id": "demo", "entity_type": "user", "event_type": "userProfileDevice", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "version": 2}

<!--NeedCopy-->

Field description for user device.

Field name	Description
`cnt`	The number of times the device is accessed in the last 12 hours.
`device`	The name of the device.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.

User app schema

{"tenant_id": "demo_tenant", "entity_id": "demo", "entity_type": "user", "timestamp": "2021-02-10T21:00:00Z", "event_type": "userProfileApp", "version": 2, "session_domain": "99e38d488136f62f828d4823edd120b4f32d724396a7410e6dd1b0", "user_samaccountname": "testnameeikragz779", "app": "Chromeeikragz779", "cnt": 189}

<!--NeedCopy-->

Field description for user app.

Field name	Description
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.
`session_domain`	The ID of the session that the user has logged on.
`user_samaccountname`	The logon name for clients and servers from a previous version of Windows such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This name is used to log on to Citrix StoreFront and also logon to a remote Windows machine.
`app`	The name of the application accessed by the user.
`cnt`	The number of times the application is accessed in the last 12 hours.

User risk score schema

{"cur_riskscore": 7, "entity_id": "demo", "entity_type": "user", "event_type": "userProfileRiskscore", "last_update_timestamp": "2021-01-21T16:14:29Z", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T20:45:00Z", "version": 2}

<!--NeedCopy-->

Field description for user risk score.

Field name	Description
`cur_riskscore`	The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s risk score.
`last_update_timestamp`	The time when the risk score was last updated for a user.
`timestamp`	The time when the user risk score event is collected and sent to your SIEM service. This event is sent to your SIEM service after every 12 hours.

Risk score change schema

Sample 1:

{"alert_message": "Large risk score drop percent since last check", "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T05:45:00Z", "version": 2}

<!--NeedCopy-->

Sample 2:

{"alert_message": "Risk score increase since last check", "alert_type": "riskscore_increase", "alert_value": 39.0, "cur_riskscore": 76, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T03:45:00Z", "version": 2}

<!--NeedCopy-->

Field description for risk score change.

Field name	Description
`alert_message`	The message displayed for the risk score change.
`alert_type`	Indicates whether the alert is for increase in risk score or significant drop in risk score percentage. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
`alert_value`	A numerical value assigned for the risk score change. The risk score change is the difference between the current risk score and the previous risk score for a user. The alert value varies from -100 to 100.
`cur_riskscore`	The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the change in the user’s risk score.
`timestamp`	The date and time when the latest change in the risk score is detected for the user.

Risk indicator schema

The risk indicator schema consists of two parts- indictor summary schema and indicator event details schema. Based on the risk indicator, the fields and their values in the schema change accordingly.

The following table describes the field names common across all indicator summary schema.

Field name	Description
`data source`	The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
`data_source_id`	The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`entity_type`	The entity at risk. It can be a user or a share link.
`entity_id`	The ID associated with the entity at risk.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
`indicator_category`	Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_category_id`	The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
`indicator_name`	The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
`indicator_type`	Indicates whether the risk indicator is default (built-in) or custom.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`indicator_vector_name`	Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
`indicator_vector_id`	The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
`occurrence_details`	The details about the risk indicator triggering condition.
`risk_probability`	Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
`severity`	Indicates the severity of the risk. It can be low, medium, or high.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`ui_link`	The link to the user timeline view on the Citrix Analytics user interface.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.

The following table describes the field names common across all the indicator event details schema.

Field name	Description
`data_source_id`	The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`indicator_category_id`	The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity that is at risk. It can be user or a share link.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`indicator_vector_name`	Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
`indicator_vector_id`	The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`version`	The schema version of the processed data. The current schema version is 2.
`client_ip`	The IP address of the user’s device.

Note

If an integer data type field value is unavailable, the value assigned is -999. For example, "latitude": -999, "longitude": -999.

If a string data type field value is unavailable, the value assigned is NA. For example, "city": "NA", "region": "NA".

Citrix Secure Private Access risk indicators schema

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "8f2a39bd-c7c2-5555-a86a-5cfe5b64dfef",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:58Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Attempt to access blacklisted URL",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:44:59Z",
    "relevant_event_type": "Blacklisted External Resource Access"
  }

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "c421f3f8-33d8-59b9-ad47-715b9d4f65f4",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:57:21Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "googleads.g.doubleclick.net",
  "executed_action": "blocked",
  "reason_for_action": "URL Category match",
  "client_ip": "157.xx.xxx.xxx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Attempt to access blacklisted URL.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`executed_action`	The action applied on the blacklisted URL. The action includes Allow, Block.
`reason_for_action`	The reason for the applying the action for the URL.

Excessive data downloads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive data download",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "downloaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive data downloads.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`data_volume_in_bytes`	The amount of data in bytes that is downloaded.
`relevant_event_type`	Indicates the type of the user event.
`domain_name`	The name of the domain from which data is downloaded.
`downloaded_bytes`	The amount of data in bytes that is downloaded.

Unusual upload volume risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "4f2a249c-9d05-5409-9c5f-f4c764f50e67",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Unusual upload volume",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "c6abf40c-9b62-5db4-84bc-5b2cd2c0ca5f",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "uploaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual upload volume.

Field names	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`data_volume_in_bytes`	The amount of data in bytes that is uploaded.
`relevant_event_type`	Indicates the type of the user event.
`domain_name`	The name of the domain in which data is uploaded.
`uploaded_bytes`	The amount of data in bytes that is uploaded.

Citrix Content Collaboration risk indicators schema

Excessive access to sensitive files (DLP alert)

Indicator summary schema

{
  
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_name": "Excessive access to sensitive files (DLP alert)",
  "indicator_category": "Data exfiltration",
  "risk_probability": 1.0,
  "version": 2,
  "severity": "low",
  "indicator_type": "builtin",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "event_count": 1,
    "observation_start_time": "2021-03-22T09:31:11Z"
    },
  "event_type": "indicatorSummary",
  "cas_consumer_debug_details": {"partition": 1, "offset":179528, "enqueued_timestamp": 1616406412459}
}

<!--NeedCopy-->

Indicator event details schema

{
  
  "tenant_id": "demo_tenant",
  "version": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "client_ip": "210.91.xx.xxx",
  "file_name": "filename.xls",
  "file_size_in_bytes": 178690,
  "event_type": "indicatorEventDetails",
}
<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive access to sensitive files (DLP alert).

Field name	Description
`relevant_event_type`	The type of event such as download.
`event_count`	The number of download events detected.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`file_name`	The name of the downloaded file.
`file_size_in_bytes`	The size of the downloaded file in bytes.

Excessive file or folder deletion risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "28c4bbab-f3ad-5886-81cd-26fef200d9d7",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T11:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file / folder deletion",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "cumulative_event_count_day": 11,
    "relevant_event_type": "File and/or Folder Delete",
    "observation_start_time": "2017-12-18T11:00:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "be9af43f-29d2-51cd-81d6-c1d48b392bbb",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T01:45:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "210.91.xx.xxx",
  "version": 2,
  "resource_type": "File",
  "resource_name": "Filename21",
  "component_name": "Platform"
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive file or folder deletion.

Field names	Description
`cumulative_event_count_day`	The number of unique files or folders deletion events for the current day.
`relevant_event_type`	Indicates the type of event such as file or folder delete.
`resource_type`	Indicates whether the resource is a file or a folder.
`resource_name`	The name of the resource.
`component_name`	Indicates the ShareFile component- Platform or Connector. If a user deletes files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user deletes files from a storage zone, the component is shown as “Connector”.
`connector_type`	The type of storage zone connector used.
`city`	The city from which the user has logged on.
`country`	The country from which the user has logged on.
`region`	The region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "3d421659-ef4d-5434-94b8-90f792e81989",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T06:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.19621421,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file sharing",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-03T06:00:00Z",
    "relevant_event_type": "Share Create and/or Send",
    "cumulative_event_count_day": 15
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "c5ea0b26-ce4c-55ad-b8ba-d562f128a2fb",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T02:22:04Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_tenant",
  "version": 2,
  "share_id": "share110",
  "operation_name": "Create",
  "tool_name": "SFWebApp",
  "component_name": "Platform",
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive file sharing.

Field name	Description
`cumulative_event_count_day`	The number unique files shared during the day.
`relevant_event_type`	Indicates the type of event such as share links.
`share_id`	The ID associated with the share link.
`operation_name`	Indicates the user activities such as create share link, delete share link.
`tool_name`	The tool or application used to share the files.
`component_name`	Indicates the ShareFile component- Platform or Connector. If a user shares files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user shares files from a storage zone, the component is shown as “Connector”
`city`	The city from which the user has logged on.
`country`	The country from which the user has logged on.
`region`	The region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.

Excessive file uploads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.64705884,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file uploads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "tool_name": "tool3",
    "relevant_event_type": "Upload",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:37:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "File5.txt",
  "component_name": "Connector",
  "client_ip": "99.xxx.xx.xx",
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive file uploads.

Field name	Description
`tool_name`	The tool or application used to share the files.
`relevant_event_type`	Indicates the type of user event such as upload.
`file_name`	The name of the uploaded file.
`component_name`	Indicates the ShareFile component- Platform or Connector. If a user uploads files to the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user uploads files to a storage zone, the component is shown as “Connector”.
`connector_type`	The type of storage zone connector used.
`city`	The city from which the user has logged on.
`country`	The country from which the user has logged on.
`region`	The region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "13",
  "indicator_uuid": "f6974562-592f-5328-a2ac-adf7122a3qr7",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "pair_id": 2,
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "13",
  "indicator_uuid": "f6974562-592f-5328-a2ac-adf7122b8ac7",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 0,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user1",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  "ip_organization": "global telecom ltd",
  "ip_routing_type": "mobile gateway",
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "os": "NA",
  "tool_name": "SF_FTP"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name	Description
`distance`	The distance (km) between the events associated with impossible travel.
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`tool_name`	The tool or the application that is used to log on.
`os`	The operating system of the user’s device.
`ip_organization`	Registering organization of the client IP address
`ip_routing_type`	Client IP routing type

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "274cedc0-a404-5abe-b95b-317c0209c9e8",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:29:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2018-01-26T00:30:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "e1bf5b91-b0e1-5145-aa5b-7731f31b56ac",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:01:01Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "operation_name": "LoginFailure",
  "tool_name": "webapp",
  "client_ip": "128.x.x.x",
  "os": "Android"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field name	Description
`relevant_event_type`	Indicates the type of user event such as logon failure.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`tool_name`	The tool or application used to share the files.
`os`	The operating system of the user device.

Malware files detected risk indicator

Indicator summary schema

{
  "data_source": "Citrix Content Collaboration",
  "data_source_id": 0,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Insider threats",
  "indicator_category_id": 2,
  "indicator_id": "12",
  "indicator_name": "Malware file(s) detected",
  "indicator_type": "builtin",
  "indicator_uuid": "549f0dc6-2421-5d21-bafa-6180",
  "indicator_vector":
    {
      "id": 6,
      "name": "File-Based Risk Indicators",
    },
  "occurrence_details":
    {
      "event_count": 2,
      "file_hash": "ce59df8709e882e3f84",
      "observation_start_time": "2021-11-15T16:00:00Z",
      "relevant_event_type": "Malware Infected File Detected",
      "virus_name": " Win.Malware.Generic-9873973-0",
    },
  "risk_probability": 1.0,
  "severity": "high",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-11-15T16:14:59Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "data_source_id": 0,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "file_hash": "ce59df8709e882e3f84",
  "file_name": "test-file.exe",
  "file_path": "/abc@citrix.com/source/repos/test-folder/test-file.exe",
  "folder_name": "test-folder",
  "indicator_category_id": 2,
  "indicator_id": "12",
  "indicator_uuid": "549f0dc6-2421-5d21-bafa-6180",
  "indicator_vector":
    {
      "id": 6,
      "name": "File-Based Risk Indicators",
    },
  "tenant_id": "demo_tenant",
  "timestamp": "2021-11-15T16:01:51Z",
  "version": 2,
  "virus_name": " Win.Malware.Generic-9873973-0"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Malware files detected.

Field name	Description
File hash	The hash value of the infected file.
File name	The name of the infected file uploaded by the Content Collaboration user.
File path	The full path of the folder in the Content Collaboration service where the infected file is uploaded.
Folder name	The name of the folder in the Content Collaboration service where the infected file is uploaded.
Relevant event type	The type of event such as malware file detected.
Virus name	The name of the virus that infected the file.

Ransomware activity suspected (file replaced) risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "0afaa694-59ec-5a44-84df-3afcefad7b50",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files replaced)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-29T10:50:00Z",
    "relevant_event_type": "Delete & Upload"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "580f8f03-c02b-5d0f-b707-1a0577ca2fec",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:06Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "client_ip": "99.xxx.xx.xx",
  "operation_name": "Upload",
  "file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Ransomware activity suspected (file replaced).

Field name	Description
`relevant_event_type`	Indicates the type of user event such as deleted the file and uploaded another file.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`file_name`	The name of the replaced file.
`operation_name`	The user activity such as upload or delete.
`file_path`	The path of the replaced file.

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "93a32d22-d14b-5413-94fc-47c44fe7c07f",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "62795698",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Anonymous sensitive share link download",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-27T12:00:00Z",
    "relevant_event_type": "Download"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "11562a63-9761-55b8-8966-3ac81bc1d043",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:02:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "46268753",
  "version": 2,
  "file_name": "file1.mp4",
  "file_size_in_bytes": 278,
  "city": "Miami",
  "country": "USA",
  "client_ip": "166.xxx.xxx.xxx",
  "device_type": "iPhone X"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Anonymous sensitive share link download.

Field names	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`relevant_event_type`	Indicates the type of user event such as deleted the file and uploaded another file.
`file_name`	The name of the sensitive file that is downloaded.
`file_size_in_bytes`	The file size in bytes that is downloaded.
`city`	The city from which the user activity has been detected.
`country`	The country from which the user activity has been detected.
`device_type`	The type of device used to download the file.

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive share link downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "lifetime_users_downloaded": 6,
    "observation_start_time": "2018-01-27T19:00:00Z",
    "lifetime_download_volume_in_bytes": 2718,
    "lifetime_download_count": 6,
    "link_first_downloaded": "2018-01-27T11:12:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:47:50Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "file_name": "anom20.jep",
  "file_size_in_bytes": 106,
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74,
  "user_email": "new-user61@citrix.com",
  "lifetime_unique_user_emails": "new-user62@citrix.com user6e@citrix.com user6f@citrix.com new-user63@citrix.com new-user64@citrix.com new-user61@citrix.com",
  "lifetime_unique_user_count": 6,
  "lifetime_num_times_downloaded": 6,
  "lifetime_total_download_size_in_bytes": 2718,
  "lifetime_first_event_time": "2018-01-27T11:12:00Z"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive share link downloads.

Field names	Description
`relevant_event_type`	Indicates the type of event such as excessive download of a share link.
`lifetime_users_downloaded`	Indicates the total number of users who have downloaded the share link since the link was created.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`lifetime_download_volume_in_bytes`	Indicates the total volume of downloads in bytes since the share link was created.
`lifetime_download_count`	Indicates the total number of downloads since the share link was created.
`link_first_downloaded`	Indicates the date and the time when the share link was first downloaded.
`file_name`	Indicates the file name that is shared through the link.
`file_size_in_bytes`	Indicates the size of the shared file.
`user_email`	Indicates the email ID of the current user who has excessively downloaded the file through the share link.
`lifetime_unique_user_emails`	Indicates the email IDs of all users including the current user who have downloaded the file since the link was created.
`lifetime_unique_user_count`	Indicates the total number of unique users who have downloaded the file since the link was created.
`lifetime_num_times_downloaded`	Indicates the total number of times the file was downloaded since the link was created.
`lifetime_total_download_size_in_bytes`	Indicates the total file size that is downloaded since the link was created.
`lifetime_first_event_time`	Indicates the date and time of the first event of downloads since the link was created.
`city`	The city from which the user has logged on.
`country`	The country from which the user has logged on.
`region`	The region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.

Excessive file downloads risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "exfiltrated_data_volume_in_bytes": 24000,
    "relevant_event_type": "Download",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": "0",
  "timestamp": "2018-01-02T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "99.xxx.xx.xx",
  "version": 2,
  "file_name": "File1.txt",
  "file_size_in_bytes": 24000,
  "component_name": "Platform",
  "connector_type": "NA",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive file downloads.

Field name	Description
`exfiltrated_data_volume_in_bytes`	The amount of data in bytes that is downloaded.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`file_name`	The name of the file that is downloaded.
`file_size_in_bytes`	The file size in bytes that is downloaded.
`component_name`	Indicates the ShareFile component- Platform or Connector. If a user downloads files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user downloads files from a storage zone, the component is shown as “Connector”.
`city`	The city from which the user has logged on.
`country`	The country from which the user has logged on.
`region`	The region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.

Ransomware activity suspected (file updated) risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "f21ef9c8-c379-5a96-ae90-e750d31a728c",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files updated)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Update/Upload",
    "observation_start_time": "2018-01-29T10:50:00Z"
  }
}

<!--NeedCopy-->

Indicator event details

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "0509e432-527e-5c84-abb4-f397f2a5e02b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:05Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "operation_name": "Update",
  "stream_id": "someid37",
  "client_ip": "11.xx.xx.xx",
  "file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Ransomware activity suspected (file updated).

Field name	Description
`relevant_event_type`	Indicates the type of user event such as update or upload a file.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`file_name`	The name of the updated file.
`operation_name`	The user activity such as upload, update, or delete.
`file_path`	The path of the file that is updated by the user.
`stream_id`	The ID for the item stream. An item represents a single version of a file system object. The stream identifies all versions of the same file system object. For example, when a user upload or modify an existing file, a new item is created with the same stream ID.

Suspicious logon risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "11",
  "indicator_uuid": "42aac530-b589-5338-8cbe-3a940921fce6",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "os": "Windows 10",
    "tool_name": "SFWebApp",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "webroot_threat_categories": "Phishing",
    "user_network_risk": 75,
    "suspicious_network_risk": 89
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "11",
  "indicator_uuid": "42aac530-b589-5338-8cbe-3a940921fce6",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "tool_name": "SFWebApp",
  "os": "Windows 10",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name	Description
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`occurrence_event_type`	Indicates the user event type such as account logon.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`tool_name`	The tool or the application that is used to log on.
`os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`user_location_risk`	Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_device_risk`	Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_network_risk`	Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`suspicious_network_risk`	Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
`webroot_threat_categories`	Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Citrix Endpoint Management risk indicators schema

Jailbroken or rooted device detected indicators schema

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 200,
  "indicator_name": "Jailbroken / Rooted Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "aa872f86-a991-4219-ad01-2a070b6e633d",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:05Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 200,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "9aaaa9e1-39ad-4daf-ae8b-2fa2caa60732",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:35Z",
  "version": 2
}

<!--NeedCopy-->

Device with blacklisted apps detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 201,
  "indicator_name": "Device with Blacklisted Apps Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "3ff7bd54-4319-46b6-8b98-58a9a50ae9a7",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:23Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 201,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "743cd13a-2596-4323-8da9-1ac279232894",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:39Z",
  "version": 2
}

<!--NeedCopy-->

Unmanaged Device Detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 203,
  "indicator_name": "Unmanaged Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "e28b8186-496b-44ff-9ddc-ae50e87bd757",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T12:56:30Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 203,
  "client_ip": "127.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "dd280122-04f2-42b4-b9fc-92a715c907a0",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T18:41:30Z",
  "version": 2
}

<!--NeedCopy-->

Citrix Gateway risk indicators schema

EPA scan failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "EPA scan failure",
  "severity": "low",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "event_description": "Post auth failed, no quarantine",
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "EPA Scan Failure at Logon"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:12:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Post auth failed, no quarantine",
  "gateway_domain_name": "10.102.xx.xx",
  "gateway_ip": "56.xx.xxx.xx",
  "policy_name": "postauth_act_1",
  "client_ip": "210.91.xx.xxx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "cs_vserver_name": "demo_vserver",
  "device_os": "Windows OS",
  "security_expression": "CLIENT.OS(Win12) EXISTS",
  "vpn_vserver_name": "demo_vpn_vserver",
  "vserver_fqdn": "10.xxx.xx.xx"
}
<!--NeedCopy-->

The table describes the field names specific to the summary schema and the event details schema for the EPA scan failure risk indicator.

Field names	Description
`event_description`	Describes the reasons for EPA scan failure such as post authentication failed and no quarantine group.
`relevant_event_type`	Indicates the type of the EPA scan failure event.
`gateway_domain_name`	The domain name of Citrix Gateway.
`gateway_ip`	The IP address of Citrix Gateway.
`policy_name`	The EPA scan policy name configured on the Citrix Gateway.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.
`cs_vserver_name`	The name of the content switch virtual server.
`device_os`	The operating system of the user’s device.
`security_expression`	The security expression configured on the Citrix Gateway.
`vpn_vserver_name`	The name of the Citrix Gateway virtual server.
`vserver_fqdn`	The FQDN of the Citrix Gateway virtual server.

Excessive authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "4bc0f759-93e0-5eea-9967-ed69de9dd09a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Excessive authentication failures",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/”,
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "Logon Failure"
  }
}
<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "a391cd1a-d298-57c3-a17b-01f159b26b99",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:10:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo-user",
  "version": 2,
  "event_description": "Bad (format) password passed to nsaaad",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "auth_server_ip": "10.xxx.x.xx",
  "client_ip": "24.xxx.xxx.xx",
  "gateway_ip": "24.xxx.xxx.xx",
  "vserver_fqdn": "demo-fqdn.citrix.com",
  "vpn_vserver_name": "demo_vpn_vserver",
  "cs_vserver_name": "demo_cs_vserver",
  "gateway_domain_name": "xyz",
  "country": "United States",
  "region": "California",
  "city": "San Jose",
  "nth_failure": 5
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive authentication failure.

Field names	Description
`relevant_event_type`	Indicates the type of event such as logon failure.
`event_description`	Describes the reason for the excessive authentication failure event such as incorrect password.
`authentication_stage`	Indicates whether the authentication stage is primary, secondary, or tertiary.
`authentication_type`	Indicates the types of authentication such as LDAP, Local, or OAuth.
`auth_server_ip`	The IP address of the authentication server.
`gateway_domain_name`	The domain name of Citrix Gateway.
`gateway_ip`	The IP address of Citrix Gateway.
`cs_vserver_name`	The name of the content switch virtual server.
`vpn_vserver_name`	The name of the Citrix Gateway virtual server.
`vserver_fqdn`	The FQDN of the Citrix Gateway virtual server.
`nth_failure`	The number of times the user authentication has failed.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_os": "Linux OS",
  "device_browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name	Description
`distance`	The distance (km) between the events associated with impossible travel.
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`device_browser`	The web browser used by the user.
`device_os`	The operating system of the user’s device.
`ip_organization`	Registering organization of the client IP address
`ip_routing_type`	Client IP routing type

Logon from suspicious IP risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "0100e910-561a-5ff3-b2a8-fc556d199ba5",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.91,
  "indicator_category": "Compromised users",
  "indicator_name": "Logon from suspicious IP",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon",
    "client_ip": "1.0.xxx.xx",
    "observation_start_time": "2019-10-10T10:00:00Z",
    "suspicion_reasons": "brute_force|external_threat"
  }
}
<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:11:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "suspicion_reasons": "external_threat",
  "gateway_ip": "gIP1",
  "client_ip": "128.0.xxx.xxx",
  "country": "Sweden",
  "city": "Stockholm",
  "region": "Stockholm",
  "webroot_reputation": 14,
  "webroot_threat_categories": "Windows Exploits|Botnets|Proxy",
  "device_os": "Windows OS",
  "device_browser": "Chrome"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Login from suspicious IP.

Field name	Description
`suspicious_reasons`	The reason for the IP address to be identified as suspicious.
`webroot_reputation`	The IP reputation index provided by the threat intelligence provider- Webroot.
`webroot_threat_categories`	The threat category identified for the suspicious IP by the threat intelligence provider- Webroot.
`device_os`	The operating system of the user device.
`device_browser`	The web browser used.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "dc0174c9-247a-5e48-a2ab-d5f92cd83d0f",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:44:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2020-04-01T05:45:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "ef4b9830-39d6-5b41-bdf3-84873a77ea9a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:42:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Success",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "client_ip": "99.xxx.xx.xx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "device_os": "Windows OS ",
  "device_browser": "Chrome",
  "is_risky": "false"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field names	Description
`relevant_event_type`	Indicates the type of event such as logon failure.
`event_description`	Indicates whether the logon is successful or unsuccessful
`authentication_stage`	Indicates whether the authentication stage is primary, secondary, or tertiary.
`authentication_type`	Indicates the types of authentication such as LDAP, Local, or OAuth.
`is_risky`	For a successful logon, the is_risky value is false. For an unsuccessful logon, the is_risky value is true.
`device_os`	The operating system of the user device.
`device_browser`	The web browser used by the user.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Suspicious logon risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd935-a6a3-5397-b596-636aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "device_os": "Windows OS",
    "device_browser": "Chrome",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "user_network_risk": 75,
    "webroot_threat_categories": "Phishing",
    "suspicious_network_risk": 89
  }
}


<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd6935-a6a3-5397-b596-63856aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "device_browser": "Chrome",
  "device_os": "Windows OS",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name	Description
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`occurrence_event_type`	Indicates the user event type such as account logon.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`device_browser`	The web browser used by the user.
`device_os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`user_location_risk`	Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_device_risk`	Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_network_risk`	Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`suspicious_network_risk`	Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
`webroot_threat_categories`	Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Citrix DaaS and Citrix Virtual Apps and Desktops risk indicators schema

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_id": "device1",
  "receiver_type": "XA.Receiver.Linux",
  "os": "Linux OS",
  "browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name	Description
`distance`	The distance (km) between the events associated with impossible travel.
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`browser`	The web browser used by the user.
`os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`receiver_type`	The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
`ip_organization`	Registering organization of the client IP address
`ip_routing_type`	Client IP routing type

Potential data exfiltration risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Potential data exfiltration",
  "severity": "low",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download/Print/Copy",
    "observation_start_time": "2018-04-02T10:00:00Z",
    "exfil_data_volume_in_bytes": 1172000
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:57:36Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "App.SaaS.Clipboard",
  "file_size_in_bytes": 98000,
  "file_type": "text",
  "device_id": "dvc5",
  "receiver_type": "XA.Receiver.Windows",
  "app_url": "https://www.citrix.com",
  "client_ip": "10.xxx.xx.xxx",
  "entity_time_zone": "Pacific Standard Time"
}

<!--NeedCopy-->

The following table describes the fields specific to the summary schema and the event details schema for Potential data exfiltration.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`relevant_event_type`	Indicates the user activity such as download, print, or copy the data.
`exfil_data_volume_in_bytes`	The amount of data exfiltration.
`occurrence_event_type`	Indicates how the data exfiltration has happened such as the clipboard operation in a SaaS app.
`file_size_in_bytes`	The size of the file.
`file_type`	The type of the file.
`device_id`	The ID of the user device.
`receiver_type`	The Citrix Workspace app or Citrix Receiver installed on the user device.
`app_url`	The URL of the application that is accessed by the user.
`entity_time_zone`	The time zone of the user.

Suspicious logon risk indicator schema

Indicator summary schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "risk_probability": 0.78,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details":
  {
    "user_location_risk": 0,
    "city": "Some_city",
    "observation_start_time": "2020-06-06T12:00:00Z",
    "event_count": 1,
    "user_device_risk": 75,
    "country": "United States",
    "device_id": "device2",
    "region": "Some_Region",
    "client_ip": "99.xx.xx.xx",
    "webroot_threat_categories": "'Spam Sources', 'Windows Exploits', 'Web Attacks', 'Botnets', 'Scanners', 'Denial of Service'",
    "historical_logon_locations": "[{\"country\":\"United States\",\"latitude\":45.0,\"longitude\":45.0,\"count\":12},{\"country\":\"United States\",\"region\":\"Some_Region_A\",\"city\":\"Some_City_A\",\"latitude\":0.0,\"longitude\":0.0,\"count\":8}]",
    "relevant_event_type": "Logon",
    "user_network_risk": 100,
    "historical_observation_period_in_days": 30,
    "suspicious_network_risk": 0
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06 12:02:30",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "city": "Some_city",
  "country": "United States",
  "region": "Some_Region",
  "latitude": 37.751,
  "longitude": -97.822,
  "browser": "Firefox 1.3",
  "os": "Windows OS",
  "device_id": "device2",
  "receiver_type": "XA.Receiver.Chrome",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name	Description
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`occurrence_event_type`	Indicates the user event type such as account logon.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`browser`	The web browser used by the user.
`os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`receiver_type`	The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
`user_location_risk`	Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_device_risk`	Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_network_risk`	Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`suspicious_network_risk`	Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
`webroot_threat_categories`	Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Microsoft Active Directory Indicator

Indicator summary schema

{
  "data_source": "Microsoft Graph Security",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": 1000,
  "indicator_name": "MS Active Directory Indicator",
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_type": "builtin",
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "ui_link": "https://analytics-daily.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_id": 1000,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "version": 2
}

<!--NeedCopy-->

Custom risk indicator schema

The following section describes the schema for custom risk indicator.

Note

Currently, Citrix Analytics sends the data related to the custom risk indicators of Citrix DaaS and Citrix Virtual Apps and Desktops to your SIEM service.

The following table describes the field names for the custom risk indicator summary schema.

Field name	Description
`data source`	The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
`data_source_id`	The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity at risk. In this case, the entity is a user.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
`indicator_category`	Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_category_id`	The ID associated with risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
`indicator_name`	The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
`indicator_type`	Indicates whether the risk indicator is default (built-in) or custom.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`occurrence_details`	The details about the risk indicator triggering condition.
`pre_configured`	Indicates whether the custom risk indicator is preconfigured.
`risk_probability`	Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
`severity`	Indicates the severity of the risk. It can be low, medium, or high.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`ui_link`	The link to the user timeline view on the Citrix Analytics user interface.
`version`	The schema version of the processed data. The current schema version is 2.

The following table describes the field names common across the custom risk indicator event details schema.

Field name	Description
`data_source_id`	The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`indicator_category_id`	The ID associated with risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
`tenant_id`	The unique identity of the customer.
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity that is at risk. In this case, it is the user.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`timestamp`	The date and the time when the risk indicator is triggered.
`version`	The schema version of the processed data. The current schema version is 2.
`event_id`	The ID associated with the user event.
`occurrence_event_type`	Indicates the type of user event such as session logon, session launch, and account logon.
`product`	Indicates the type of Citrix Workspace app such as Citrix Workspace app for Windows.
`client_ip`	The IP address of the user’s device.
`session_user_name`	The user name associated with the Citrix Apps and Desktops session.
`city`	The name of the city from which the user activity is detected.
`country`	The name of the country from which the user activity is detected.
`device_id`	The name of the device used by the user.
`os_name`	The operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
`os_version`	The version of the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
`os_extra_info`	The extra details associated with the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.

Custom risk indicator for Citrix DaaS and Citrix Virtual Apps and Desktops

Indicator summary schema

{
  "data_source": " Citrix Apps and Desktops",
  "data_source_id": 3,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_category_id": 3,
  "indicator_id": "ca97a656ab0442b78f3514052d595936",
  "indicator_name": "Demo_user_usage",
  "indicator_type": "custom",
  "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
  "occurrence_details": {
    "condition": "User-Name ~ demo_user", "happen": 0, "new_entities": "", "repeat": 0, "time_quantity": 0, "time_unit": "", "type": "everyTime"},
  "pre_configured": "N",
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-02-10T14:47:25Z",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema for the session logon event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "SYD04-MS1-S102",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session logon event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.

Indicator event details schema for the session launch event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session launch event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.

Indicator event details schema for the account logon event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Account.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the account logon event.

Field name	Description
`app_name`	Name of an application or desktop launched.

Indicator event details schema for the session end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session end event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.

Indicator event details schema for the app start event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.Start",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app start event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`module_file_path`	The path of the application that is being used.

Indicator event details schema for the app end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app end event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`module_file_path`	The path of the application that is being used.

Indicator event details schema for the file download event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "File.Download",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "file_download_file_name": "File5.txt",
  "file_download_file_path": "/root/folder1/folder2/folder3",
  "file_size_in_bytes": 278,
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "device_type": "USB"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the file download event.

Field name	Description
`file_download_file_name`	Name of the download file.
`file_download_file_path`	The destination path where the file is downloaded.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`device_type`	Indicates the type of the device where the file is downloaded.

Indicator event details schema for the printing event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Printing",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "printer_name": "Test-printer",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "job_details_size_in_bytes": 454,
  "job_details_filename": "file1.pdf",
  "job_details_format": "PDF"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the printing event.

Field name	Description
`printer_name`	Name of the printer used for the printing job.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`job_details_size_in_bytes`	The size of the printed job such file or folder.
`job_details_filename`	Name of the printed file.
`job_details_format`	The format of the printed job.

Indicator event details schema for the app SaaS launch event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS launch event.

Field name	Description
`launch_type`	Indicates either application or desktop.

Indicator event details schema for the app SaaS end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS end event.

Field name	Description
`launch_type`	Indicates either application or desktop.

Data source events

Additionally, you can configure the Data exports feature to export user events from your Citrix Analytics for Security enabled products data sources. When you perform any activity in the Citrix environment, the data source events are generated. The exported events are unprocessed real time user and product usage data as available in self-service view. The meta data contained in these events can further be used for deeper threat analysis, creating new dashboards, and co related with other non-Citrix data source events across your security and IT infra.

Currently, Citrix Analytics for Security sends user events to your SIEM for the following data sources:

Citrix Content Collaboration
Citrix Virtual Apps and Desktops

Schema details of the data source events

Citrix Content Collaboration events

Citrix Analytics receives the user events (logs) in real time, using the Citrix Content Collaboration service. The user events are processed to detect any security threats. For more information, see Citrix Content Collaboration data source. You can view the following user events associated with Citrix Content Collaboration in your SIEM:

All event types
Distribution group (create, delete, update)
DLP policy update
DLP update
File (delete, download, download start, upload, upload start, virus infected)
Login security policy update
Report (create, delete, update)
Session login
SSO setting update

For more information about the events and their attributes, see Self-service search for Content Collaboration.

Citrix Virtual Apps and Desktops events

The user events are received in real time in Citrix Analytics for Security when users use virtual apps or virtual desktops. For more information, see Citrix Virtual Apps and Desktops and Citrix DaaS data source. You can view the following user events associated with Citrix Virtual Apps and Desktops in your SIEM:

All event types
Account logon
App (start, launch, end)
Clipboard
File (print, download)
File download (SaaS)
HDX session source
Printing
Session (logon, launch, end, termination)
Url
VDA data
VDA process creation

For more information about the events and their attributes, see Self-service search for Virtual Apps and Desktops.

You can review what event types are enabled and flowing to SIEM. You can configure or remove the event type that is applicable for a tenant and click the Save Changes button to save your settings.

Data source event

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Citrix Analytics data exports format for SIEM

January 11, 2023

Contributed by:

C R M

January 11, 2023

Contributed by:

C R M

Citrix Analytics data exports format for SIEM

Risk insights data for SIEM

Schema details of the risk insights events

User profile data schema

User location schema

User data usage schema

User device schema

User app schema

User risk score schema

Risk score change schema

Risk indicator schema

Citrix Secure Private Access risk indicators schema

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

Indicator event details schema

Excessive data downloads risk indicator schema

Indicator summary schema

Indicator event details schema

Unusual upload volume risk indicator schema

Indicator summary schema

Indicator event details schema

Citrix Content Collaboration risk indicators schema

Excessive access to sensitive files (DLP alert)

Indicator summary schema

Indicator event details schema

Excessive file or folder deletion risk indicator schema

Indicator summary schema

Indicator event details schema

Excessive file sharing risk indicator schema

Indicator summary schema

Indicator event details schema

Excessive file uploads risk indicator schema

Indicator summary schema

Indicator event details schema

Impossible travel risk indicator

Indicator summary schema

Indicator event details schema

Unusual authentication failure risk indicator schema

Indicator summary schema

Indicator event details schema

Malware files detected risk indicator

Indicator summary schema

Indicator event details schema

Ransomware activity suspected (file replaced) risk indicator

Indicator summary schema

Indicator event details schema

Anonymous sensitive share link download risk indicator

Indicator summary schema

Indicator event details schema

Excessive share link downloads risk indicator

Indicator summary schema

Indicator event details schema

Excessive file downloads risk indicator

Indicator summary schema

Indicator event details schema

Ransomware activity suspected (file updated) risk indicator

Indicator summary schema

Indicator event details

Suspicious logon risk indicator

Indicator summary schema

Indicator event details schema

Citrix Endpoint Management risk indicators schema

Jailbroken or rooted device detected indicators schema

Indicator summary schema

Indicator event details schema

Device with blacklisted apps detected

Indicator summary schema

Indicator event details schema

Unmanaged Device Detected

Indicator summary schema

Indicator event details schema

Citrix Gateway risk indicators schema

EPA scan failure risk indicator schema

Indicator summary schema

Indicator event details schema

Excessive authentication failure risk indicator schema

Indicator summary schema

Indicator event details schema

Impossible travel risk indicator

Indicator summary schema