Citrix Analytics for Security

Citrix Analytics data exports format for SIEM

January 8, 2024

Contributed by:

C R

Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you gain insight into your organization’s security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.

Data export

The risk insights data sent by Citrix Analytics for Security to your SIEM service are of two types:

Risk insights events (Default exports)
Data Source events (Optional exports)

Risk insights data for SIEM

Once you have completed the account configuration and SIEM setup, default datasets (risk insights events) start flowing into your SIEM deployment. Risk insights datasets include user risk score events, user profile events, and risk indicator alerts. These are generated by Citrix Analytics machine learning algorithms and user behavior analysis, by leveraging user events.

The risk insights datasets of a user include the following:

Risk score change: Indicates a change in the user’s risk score. When a user’s risk score change is equal to or more than 3 and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
Risk indicator summary: The details of the risk indicator triggered for a user.
Risk indicator event details: The user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. These events are sent in chronological order of occurrence.
User risk score event: The current risk score of a user. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
User profile: The user profile data can be categorized into:
- User apps: The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to the SIEM service every 12 hours.
- User device: The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to SIEM service every 12 hours.
- User location: The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). Citrix Analytics for Security sends this information to your SIEM service every 12 hours.
- User client IP: The client IP address of the user device. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), and sends this information to your SIEM service every 12 hours.

If you are only able to view but unable to configure data source event preferences, then you do not have the necessary administrator permissions. To learn more, see Manage Administrator roles for Security Analytics.

In the following example, the Save Changes button is disabled. The risk insight events are enabled by default.

Risk insights data

Schema details of the risk insights events

The following section describes the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema samples are only for representational purposes. The actual field values vary based on the user profile, user events, and the risk indicator.

The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.

Field name	Description
`entity_id`	The identity associated with the entity. In this case, the entity is the user.
`entity_type`	The entity at risk. In this case, the entity is the user.
`event_type`	The type of data sent to your SIEM service. For example: user’s location, user’s data usage, or user’s device access information.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and time of the recent user activity.
`version`	The schema version of the processed data. The current schema version is 2.

User profile data schema

User location schema

{
  "tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2
  }

<!--NeedCopy-->

Field description for user location

Field name	Description
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s location.
`country`	The country from where the user has logged in.
`city`	The city from where the user has logged in.
`cnt`	The number of times the location was accessed in the last 12 hours.

User client IP schema

{
  "client_ip": "149.147.136.10",
  "cnt": 3,
  "entity_id": "r2_up_user_1",
  "entity_type": "user",
  "event_type": "userProfileClientIps",
  "tenant_id": "xaxddaily1",
  "timestamp": "2023-09-18T10:45:00Z",
  "version": 2
}


<!--NeedCopy-->

Field description for client IP

Field name	Description
`client_ip`	The IP address of the user device.
`cnt`	The number of times the user has accessed the device in the last 12 hours.
`entity_id`	The identity associated with the entity. In this case, the entity is the user.
`entity_type`	The entity at risk. In this case, the event type is the user’s client IP.
`event_type`	The type of data sent to your SIEM service. For example: the user’s location, the user’s data usage, or the user’s device access information.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and time of the recent user activity..
`version`	The schema version of the processed data. The current schema version is 2.

User data usage schema

{
  "data_usage_bytes": 87555255, "deleted_file_cnt": 0, "downloaded_bytes": 87555255, "downloaded_file_cnt": 5, "entity_id": "demo@demo.com", "entity_type": "user", "event_type": "userProfileUsage", "shared_file_cnt": 0, "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "uploaded_bytes": 0, "uploaded_file_cnt": 0, "version": 2
  }

<!--NeedCopy-->

Field description for user data usage

Field name	Description
`data_usage_bytes`	The amount of data (in bytes) used by the user. It is the aggregate of the downloaded and uploaded volume for a user.
`deleted_file_cnt`	The number of files deleted by the user.
`downloaded_bytes`	The amount of data downloaded by the user.
`downloaded_file_count`	The number of files downloaded by the user.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s usage profile.
`shared_file_count`	The number of files shared by the user.
`uploaded_bytes`	The amount of data uploaded by the user.
`uploaded_file_cnt`	The number of files uploaded by the user.

User device schema

{
  "cnt": 2, "device": "user1612978536 (Windows)", "entity_id": "demo", "entity_type": "user", "event_type": "userProfileDevice", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for user device.

Field name	Description
`cnt`	The number of times the device is accessed in the last 12 hours.
`device`	The name of the device.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.

User app schema

{
  "tenant_id": "demo_tenant", "entity_id": "demo", "entity_type": "user", "timestamp": "2021-02-10T21:00:00Z", "event_type": "userProfileApp", "version": 2, "session_domain": "99e38d488136f62f828d4823edd120b4f32d724396a7410e6dd1b0", "user_samaccountname": "testnameeikragz779", "app": "Chromeeikragz779", "cnt": 189
  }

<!--NeedCopy-->

Field description for user app.

Field name	Description
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.
`session_domain`	The ID of the session that the user has logged on.
`user_samaccountname`	The logon name for clients and servers from a previous version of Windows such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This name is used to log on to Citrix StoreFront and also logon to a remote Windows machine.
`app`	The name of the application accessed by the user.
`cnt`	The number of times the application is accessed in the last 12 hours.

User risk score schema

{
  "cur_riskscore": 7, "entity_id": "demo", "entity_type": "user", "event_type": "userProfileRiskscore", "last_update_timestamp": "2021-01-21T16:14:29Z", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T20:45:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for user risk score.

Field name	Description
`cur_riskscore`	The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the user’s risk score.
`last_update_timestamp`	The time when the risk score was last updated for a user.
`timestamp`	The time when the user risk score event is collected and sent to your SIEM service. This event is sent to your SIEM service after every 12 hours.

Risk score change schema

Sample 1:

{
  "alert_message": "Large risk score drop percent since last check", "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T05:45:00Z", "version": 2
  }

<!--NeedCopy-->

Sample 2:

{
  "alert_message": "Risk score increase since last check", "alert_type": "riskscore_increase", "alert_value": 39.0, "cur_riskscore": 76, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T03:45:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for risk score change.

Field name	Description
`alert_message`	The message displayed for the risk score change.
`alert_type`	Indicates whether the alert is for increase in risk score or significant drop in risk score percentage. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
`alert_value`	A numerical value assigned for the risk score change. The risk score change is the difference between the current risk score and the previous risk score for a user. The alert value varies from -100 to 100.
`cur_riskscore`	The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the change in the user’s risk score.
`timestamp`	The date and time when the latest change in the risk score is detected for the user.

Risk indicator schema

The risk indicator schema consists of two parts: indictor summary schema and indicator event details schema. Based on the risk indicator, the fields and their values in the schema change accordingly.

The following table describes the field names common across all indicator summary schema.

Field name	Description
`data source`	The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
`data_source_id`	The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`entity_type`	The entity at risk. It can be a user.
`entity_id`	The ID associated with the entity at risk.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
`indicator_category`	Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_category_id`	The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
`indicator_name`	The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
`indicator_type`	Indicates whether the risk indicator is default (built-in) or custom.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`indicator_vector_name`	Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
`indicator_vector_id`	The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
`occurrence_details`	The details about the risk indicator triggering condition.
`risk_probability`	Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
`severity`	Indicates the severity of the risk. It can be low, medium, or high.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`ui_link`	The link to the user timeline view on the Citrix Analytics user interface.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.

The following table describes the field names common across all the indicator event details schema.

Field name	Description
`data_source_id`	The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`indicator_category_id`	The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity that is at risk. It can be user.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`indicator_vector_name`	Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
`indicator_vector_id`	The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`version`	The schema version of the processed data. The current schema version is 2.
`client_ip`	The IP address of the user’s device.

Note

If an integer data type field value is unavailable, the value assigned is -999. For example, "latitude": -999, "longitude": -999.

If a string data type field value is unavailable, the value assigned is NA. For example, "city": "NA", "region": "NA".

Citrix Secure Private Access risk indicators schema

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "8f2a39bd-c7c2-5555-a86a-5cfe5b64dfef",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:58Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Attempt to access blacklisted URL",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:44:59Z",
    "relevant_event_type": "Blacklisted External Resource Access"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "c421f3f8-33d8-59b9-ad47-715b9d4f65f4",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:57:21Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "googleads.g.doubleclick.net",
  "executed_action": "blocked",
  "reason_for_action": "URL Category match",
  "client_ip": "157.xx.xxx.xxx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Attempt to access the blacklisted URL.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`executed_action`	The action applied on the blacklisted URL. The action includes Allow and Block.
`reason_for_action`	The reason for the applying the action for the URL.

Excessive data downloads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive data download",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "downloaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive data downloads.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`data_volume_in_bytes`	The amount of data in bytes that is downloaded.
`relevant_event_type`	Indicates the type of the user event.
`domain_name`	The name of the domain from which data is downloaded.
`downloaded_bytes`	The amount of data in bytes that is downloaded.

Unusual upload volume risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "4f2a249c-9d05-5409-9c5f-f4c764f50e67",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Unusual upload volume",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "c6abf40c-9b62-5db4-84bc-5b2cd2c0ca5f",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "uploaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual upload volume.

Field names	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`data_volume_in_bytes`	The amount of data in bytes that is uploaded.
`relevant_event_type`	Indicates the type of the user event.
`domain_name`	The name of the domain in which the data is uploaded.
`uploaded_bytes`	The amount of data in bytes that is uploaded.

Citrix Endpoint Management risk indicators schema

Jailbroken or rooted device detected indicators schema

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 200,
  "indicator_name": "Jailbroken / Rooted Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "aa872f86-a991-4219-ad01-2a070b6e633d",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:05Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 200,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "9aaaa9e1-39ad-4daf-ae8b-2fa2caa60732",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:35Z",
  "version": 2
}

<!--NeedCopy-->

Device with blacklisted apps detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 201,
  "indicator_name": "Device with Blacklisted Apps Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "3ff7bd54-4319-46b6-8b98-58a9a50ae9a7",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:23Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 201,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "743cd13a-2596-4323-8da9-1ac279232894",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:39Z",
  "version": 2
}

<!--NeedCopy-->

Unmanaged Device Detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 203,
  "indicator_name": "Unmanaged Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "e28b8186-496b-44ff-9ddc-ae50e87bd757",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T12:56:30Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "indicator_id": 203,
  "client_ip": "127.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "dd280122-04f2-42b4-b9fc-92a715c907a0",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T18:41:30Z",
  "version": 2
}

<!--NeedCopy-->

Citrix Gateway risk indicators schema

EPA scan failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "EPA scan failure",
  "severity": "low",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "event_description": "Post auth failed, no quarantine",
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "EPA Scan Failure at Logon"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:12:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Post auth failed, no quarantine",
  "gateway_domain_name": "10.102.xx.xx",
  "gateway_ip": "56.xx.xxx.xx",
  "policy_name": "postauth_act_1",
  "client_ip": "210.91.xx.xxx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "cs_vserver_name": "demo_vserver",
  "device_os": "Windows OS",
  "security_expression": "CLIENT.OS(Win12) EXISTS",
  "vpn_vserver_name": "demo_vpn_vserver",
  "vserver_fqdn": "10.xxx.xx.xx"
}
<!--NeedCopy-->

The table describes the field names specific to the summary schema and the event details schema for the EPA scan failure risk indicator.

Field names	Description
`event_description`	Describes the reasons for EPA scan failure such as post authentication failed and no quarantine group.
`relevant_event_type`	Indicates the type of the EPA scan failure event.
`gateway_domain_name`	The domain name of Citrix Gateway.
`gateway_ip`	The IP address of Citrix Gateway.
`policy_name`	The EPA scan policy name configured on the Citrix Gateway.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.
`cs_vserver_name`	The name of the content switch virtual server.
`device_os`	The operating system of the user’s device.
`security_expression`	The security expression configured on the Citrix Gateway.
`vpn_vserver_name`	The name of the Citrix Gateway virtual server.
`vserver_fqdn`	The FQDN of the Citrix Gateway virtual server.

Excessive authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "4bc0f759-93e0-5eea-9967-ed69de9dd09a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Excessive authentication failures",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/”,
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "Logon Failure"
  }
}
<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "a391cd1a-d298-57c3-a17b-01f159b26b99",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:10:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo-user",
  "version": 2,
  "event_description": "Bad (format) password passed to nsaaad",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "auth_server_ip": "10.xxx.x.xx",
  "client_ip": "24.xxx.xxx.xx",
  "gateway_ip": "24.xxx.xxx.xx",
  "vserver_fqdn": "demo-fqdn.citrix.com",
  "vpn_vserver_name": "demo_vpn_vserver",
  "cs_vserver_name": "demo_cs_vserver",
  "gateway_domain_name": "xyz",
  "country": "United States",
  "region": "California",
  "city": "San Jose",
  "nth_failure": 5
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive authentication failure.

Field names	Description
`relevant_event_type`	Indicates the type of event such as logon failure.
`event_description`	Describes the reason for the excessive authentication failure event such as an incorrect password.
`authentication_stage`	Indicates whether the authentication stage is primary, secondary, or tertiary.
`authentication_type`	Indicates the types of authentication such as LDAP, Local, or OAuth.
`auth_server_ip`	The IP address of the authentication server.
`gateway_domain_name`	The domain name of Citrix Gateway.
`gateway_ip`	The IP address of Citrix Gateway.
`cs_vserver_name`	The name of the content switch virtual server.
`vpn_vserver_name`	The name of the Citrix Gateway virtual server.
`vserver_fqdn`	The FQDN of the Citrix Gateway virtual server.
`nth_failure`	The number of times the user authentication has failed.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_os": "Linux OS",
  "device_browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name	Description
`distance`	The distance (km) between the events associated with impossible travel.
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`device_browser`	The web browser used by the user.
`device_os`	The operating system of the user’s device.
`ip_organization`	Registering organization of the client IP address
`ip_routing_type`	Client IP routing type

Logon from suspicious IP risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "0100e910-561a-5ff3-b2a8-fc556d199ba5",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.91,
  "indicator_category": "Compromised users",
  "indicator_name": "Logon from suspicious IP",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon",
    "client_ip": "1.0.xxx.xx",
    "observation_start_time": "2019-10-10T10:00:00Z",
    "suspicion_reasons": "brute_force|external_threat"
  }
}
<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:11:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "suspicion_reasons": "external_threat",
  "gateway_ip": "gIP1",
  "client_ip": "128.0.xxx.xxx",
  "country": "Sweden",
  "city": "Stockholm",
  "region": "Stockholm",
  "webroot_reputation": 14,
  "webroot_threat_categories": "Windows Exploits|Botnets|Proxy",
  "device_os": "Windows OS",
  "device_browser": "Chrome"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Login from a suspicious IP.

Field name	Description
`suspicious_reasons`	The reason for the IP address to be identified as suspicious.
`webroot_reputation`	The IP reputation index provided by the threat intelligence provider- Webroot.
`webroot_threat_categories`	The threat category identified for the suspicious IP by the threat intelligence provider- Webroot.
`device_os`	The operating system of the user device.
`device_browser`	The web browser used.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "dc0174c9-247a-5e48-a2ab-d5f92cd83d0f",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:44:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2020-04-01T05:45:00Z"
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "ef4b9830-39d6-5b41-bdf3-84873a77ea9a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:42:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Success",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "client_ip": "99.xxx.xx.xx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "device_os": "Windows OS ",
  "device_browser": "Chrome",
  "is_risky": "false"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field names	Description
`relevant_event_type`	Indicates the type of event such as logon failure.
`event_description`	Indicates whether the logon is successful or unsuccessful
`authentication_stage`	Indicates whether the authentication stage is primary, secondary, or tertiary.
`authentication_type`	Indicates the types of authentication such as LDAP, Local, or OAuth.
`is_risky`	For a successful logon, the is_risky value is false. For an unsuccessful logon, the is_risky value is true.
`device_os`	The operating system of the user device.
`device_browser`	The web browser used by the user.
`country`	The country from which the user activity has been detected.
`city`	The city from which the user activity has been detected.
`region`	The region from which the user activity has been detected.

Suspicious logon risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd935-a6a3-5397-b596-636aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "device_os": "Windows OS",
    "device_browser": "Chrome",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "user_network_risk": 75,
    "webroot_threat_categories": "Phishing",
    "suspicious_network_risk": 89
  }
}


<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd6935-a6a3-5397-b596-63856aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "device_browser": "Chrome",
  "device_os": "Windows OS",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name	Description
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`occurrence_event_type`	Indicates the user event type such as account logon.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`device_browser`	The web browser used by the user.
`device_os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`user_location_risk`	Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_device_risk`	Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_network_risk`	Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`suspicious_network_risk`	Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
`webroot_threat_categories`	Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Citrix DaaS and Citrix Virtual Apps and Desktops risk indicators schema

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_id": "device1",
  "receiver_type": "XA.Receiver.Linux",
  "os": "Linux OS",
  "browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name	Description
`distance`	The distance (km) between the events associated with impossible travel.
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`browser`	The web browser used by the user.
`os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`receiver_type`	The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
`ip_organization`	Registering organization of the client IP address
`ip_routing_type`	Client IP routing type

Potential data exfiltration risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Potential data exfiltration",
  "severity": "low",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download/Print/Copy",
    "observation_start_time": "2018-04-02T10:00:00Z",
    "exfil_data_volume_in_bytes": 1172000
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:57:36Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "App.SaaS.Clipboard",
  "file_size_in_bytes": 98000,
  "file_type": "text",
  "device_id": "dvc5",
  "receiver_type": "XA.Receiver.Windows",
  "app_url": "https://www.citrix.com",
  "client_ip": "10.xxx.xx.xxx",
  "entity_time_zone": "Pacific Standard Time"
}

<!--NeedCopy-->

The following table describes the fields specific to the summary schema and the event details schema for Potential data exfiltration.

Field name	Description
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`relevant_event_type`	Indicates the user activity such as download, print, or copy the data.
`exfil_data_volume_in_bytes`	The amount of data exfiltration.
`occurrence_event_type`	Indicates how the data exfiltration has happened such as the clipboard operation in a SaaS app.
`file_size_in_bytes`	The size of the file.
`file_type`	The type of the file.
`device_id`	The ID of the user device.
`receiver_type`	The Citrix Workspace app or Citrix Receiver installed on the user device.
`app_url`	The URL of the application that is accessed by the user.
`entity_time_zone`	The time zone of the user.

Suspicious logon risk indicator schema

Indicator summary schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "risk_probability": 0.78,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details":
  {
    "user_location_risk": 0,
    "city": "Some_city",
    "observation_start_time": "2020-06-06T12:00:00Z",
    "event_count": 1,
    "user_device_risk": 75,
    "country": "United States",
    "device_id": "device2",
    "region": "Some_Region",
    "client_ip": "99.xx.xx.xx",
    "webroot_threat_categories": "'Spam Sources', 'Windows Exploits', 'Web Attacks', 'Botnets', 'Scanners', 'Denial of Service'",
    "historical_logon_locations": "[{\"country\":\"United States\",\"latitude\":45.0,\"longitude\":45.0,\"count\":12},{\"country\":\"United States\",\"region\":\"Some_Region_A\",\"city\":\"Some_City_A\",\"latitude\":0.0,\"longitude\":0.0,\"count\":8}]",
    "relevant_event_type": "Logon",
    "user_network_risk": 100,
    "historical_observation_period_in_days": 30,
    "suspicious_network_risk": 0
  }
}

<!--NeedCopy-->

Indicator event details schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06 12:02:30",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "city": "Some_city",
  "country": "United States",
  "region": "Some_Region",
  "latitude": 37.751,
  "longitude": -97.822,
  "browser": "Firefox 1.3",
  "os": "Windows OS",
  "device_id": "device2",
  "receiver_type": "XA.Receiver.Chrome",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name	Description
`historical_logon_locations`	The locations accessed by the user and the number of times each location has been accessed during the observation period.
`historical_observation_period_in_days`	Each location is monitored for 30 days.
`relevant_event_type`	Indicates the type of event such as logon.
`observation_start_time`	The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
`occurrence_event_type`	Indicates the user event type such as account logon.
`country`	The country from which the user has logged on.
`city`	The city from which the user has logged on.
`region`	Indicates the region from which the user has logged on.
`latitude`	Indicates the latitude of the location from which the user has logged on.
`longitude`	Indicates the longitude of the location from which the user has logged on.
`browser`	The web browser used by the user.
`os`	The operating system of the user’s device.
`device_id`	The name of the device used by the user.
`receiver_type`	The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
`user_location_risk`	Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_device_risk`	Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`user_network_risk`	Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
`suspicious_network_risk`	Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
`webroot_threat_categories`	Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Microsoft Active Directory Indicator

Indicator summary schema

{
  "data_source": "Microsoft Graph Security",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": 1000,
  "indicator_name": "MS Active Directory Indicator",
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_type": "builtin",
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "ui_link": "https://analytics-daily.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_id": 1000,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "version": 2
}

<!--NeedCopy-->

Custom risk indicator schema

The following section describes the schema for the custom risk indicator.

Note

Currently, Citrix Analytics sends the data related to the custom risk indicators of Citrix DaaS and Citrix Virtual Apps and Desktops to your SIEM service.

The following table describes the field names for the custom risk indicator summary schema.

Field name	Description
`data source`	The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
`data_source_id`	The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity at risk. In this case, the entity is a user.
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
`indicator_category`	Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_category_id`	The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
`indicator_name`	The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
`indicator_type`	Indicates whether the risk indicator is default (built-in) or custom.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`occurrence_details`	The details about the risk indicator triggering condition.
`pre_configured`	Indicates whether the custom risk indicator is preconfigured.
`risk_probability`	Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
`severity`	Indicates the severity of the risk. It can be low, medium, or high.
`tenant_id`	The unique identity of the customer.
`timestamp`	The date and the time when the risk indicator is triggered.
`ui_link`	The link to the user timeline view on the Citrix Analytics user interface.
`version`	The schema version of the processed data. The current schema version is 2.

The following table describes the field names common across the custom risk indicator event details schema.

Field name	Description
`data_source_id`	The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
`indicator_category_id`	The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
`event_type`	The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
`tenant_id`	The unique identity of the customer.
`entity_id`	The ID associated with the entity at risk.
`entity_type`	The entity that is at risk. In this case, it is the user.
`indicator_id`	The unique ID associated with the risk indicator.
`indicator_uuid`	The unique ID associated with the risk indicator instance.
`timestamp`	The date and the time when the risk indicator is triggered.
`version`	The schema version of the processed data. The current schema version is 2.
`event_id`	The ID associated with the user event.
`occurrence_event_type`	Indicates the type of user event such as session logon, session launch, and account logon.
`product`	Indicates the type of Citrix Workspace app such as Citrix Workspace app for Windows.
`client_ip`	The IP address of the user’s device.
`session_user_name`	The user name associated with the Citrix Apps and Desktops session.
`city`	The name of the city from which the user activity is detected.
`country`	The name of the country from which the user activity is detected.
`device_id`	The name of the device used by the user.
`os_name`	The operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
`os_version`	The version of the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
`os_extra_info`	The extra details associated with the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.

Custom risk indicator for Citrix DaaS and Citrix Virtual Apps and Desktops

Indicator summary schema

{
  "data_source": " Citrix Apps and Desktops",
  "data_source_id": 3,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_category_id": 3,
  "indicator_id": "ca97a656ab0442b78f3514052d595936",
  "indicator_name": "Demo_user_usage",
  "indicator_type": "custom",
  "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
  "occurrence_details": {
    "condition": "User-Name ~ demo_user", "happen": 0, "new_entities": "", "repeat": 0, "time_quantity": 0, "time_unit": "", "type": "everyTime"},
  "pre_configured": "N",
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-02-10T14:47:25Z",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema for the session logon event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "SYD04-MS1-S102",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session logon event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.

Indicator event details schema for the session launch event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session launch event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.

Indicator event details schema for the account logon event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Account.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the account logon event.

Field name	Description
`app_name`	Name of an application or desktop launched.

Indicator event details schema for the session end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session end event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.

Indicator event details schema for the app start event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.Start",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app start event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`module_file_path`	The path of the application that is being used.

Indicator event details schema for the app end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app end event.

Field name	Description
`app_name`	Name of an application or desktop launched.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`module_file_path`	The path of the application that is being used.

Indicator event details schema for the file download event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "File.Download",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "file_download_file_name": "File5.txt",
  "file_download_file_path": "/root/folder1/folder2/folder3",
  "file_size_in_bytes": 278,
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "device_type": "USB"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the file download event.

Field name	Description
`file_download_file_name`	Name of the download file.
`file_download_file_path`	The destination path where the file is downloaded.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`device_type`	Indicates the type of the device where the file is downloaded.

Indicator event details schema for the printing event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Printing",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "printer_name": "Test-printer",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "job_details_size_in_bytes": 454,
  "job_details_filename": "file1.pdf",
  "job_details_format": "PDF"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the printing event.

Field name	Description
`printer_name`	Name of the printer used for the printing job.
`launch_type`	Indicates either application or desktop.
`domain`	The domain name of the server that sent the request.
`server_name`	Name of the server.
`session_guid`	The GUID of the active session.
`job_details_size_in_bytes`	The size of the printed job such as file or folder.
`job_details_filename`	Name of the printed file.
`job_details_format`	The format of the printed job.

Indicator event details schema for the app SaaS launch event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS launch event.

Field name	Description
`launch_type`	Indicates either application or desktop.

Indicator event details schema for the app SaaS end event

{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS end event.

Field name	Description
`launch_type`	Indicates either application or desktop.

Data source events

Additionally, you can configure the Data exports feature to export user events from your Citrix Analytics for Security enabled product data sources. When you perform any activity in the Citrix environment, the data source events are generated. The exported events are unprocessed real-time user and product usage data as available in the self-service view. The metadata contained in these events can further be used for deeper threat analysis, creating new dashboards, and co-related with other non-Citrix data source events across your security and IT infra.

Currently, Citrix Analytics for Security sends user events to your SIEM for the Citrix Virtual Apps and Desktops data source.

Schema details of the data source events

Citrix Virtual Apps and Desktops events

The user events are received in real-time in Citrix Analytics for Security when users use virtual apps or virtual desktops. For more information, see Citrix Virtual Apps and Desktops and Citrix DaaS data source. You can view the following user events associated with Citrix Virtual Apps and Desktops in your SIEM:

All event types
Account logon
App (start, launch, end)
Clipboard
File (print, download)
File download (SaaS)
HDX session source
Printing
Session (logon, launch, end, termination)
Url
VDA data
VDA process creation

For more information about the events and their attributes, see Self-service search for Virtual Apps and Desktops.

You can review what event types are enabled and flowing to SIEM. You can configure or remove the event type that is applicable for a tenant and click the Save Changes button to save your settings.

Data source event

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Citrix Analytics data exports format for SIEM

January 8, 2024

Contributed by:

C R

January 8, 2024

Contributed by:

C R