Citrix Analytics for Security

Citrix Analytics data exports format for SIEM

Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you to gain insight into your organization’s security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.

Data export

The risk insights data sent by Citrix Analytics for Security to your SIEM service are of two types:

  • Risk insights events (Default exports)
  • Data Source events (Optional exports)

    Data exports

Risk insights data for SIEM

Once you have completed the account configuration and SIEM setup, the default data (risk insights events) starts flowing to your SIEM deployment. Risk insights data contains the user risk score, user profile, and risk indicator alerts. These are generated by the Citrix Analytics machine learning algorithms and user behavior analysis, based on user events.

The risk insights data of a user includes the following:

  • Risk score change - The difference between the current risk score and the previous risk score of a user. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
  • Risk indicator summary - The details of the risk indicator associated with a user.
  • Risk indicator event details - The details of the user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. These events are sent in chronological order of occurrence, so only the first 1000 risk indicator event details of an occurrence are exported.
  • User risk score - The current risk score of a user. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
  • User profile - The user profile data can be categorized into:

    • User apps - The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to the SIEM service every 12 hours.
    • User data usage - The data uploaded and downloaded by a user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
    • User device - The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to the SIEM service every 12 hours.
    • User location - The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration and sends it to your SIEM service every 12 hours.

If you can view the settings but cannot configure them, you do not have all the required access permissions and the account is disabled for you. In the following example, the Save Changes button is disabled. You can still see the detailed information that a set of default events, the risk insights events, goes out to the SIEM environment. The risk insights events are enabled by default.

Risk insights data

Schema details of the risk insights events

The following section describes the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema samples are for representational purposes only. The actual field values vary based on the user profile, user events, and the risk indicator.

The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.

| Field name | Description |
| --- | --- |
| entity_id | The identity associated with the entity. In this case, the entity is the user. |
| entity_type | The entity at risk. In this case, the entity is the user. |
| event_type | The type of data sent to your SIEM service. For example: user’s location, user’s data usage, or user’s device access information. |
| tenant_id | The unique identity of the customer. |
| timestamp | The date and time of the recent user activity. |
| version | The schema version of the processed data. The current schema version is 2. |

User profile data schema

User location schema


{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}

Field description for user location

| Field name | Description |
| --- | --- |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the user’s location. |
| country | The country from where the user has logged in. |
| city | The city from where the user has logged in. |
| cnt | The number of times the location was accessed in the last 12 hours. |

User data usage schema


{"data_usage_bytes": 87555255, "deleted_file_cnt": 0, "downloaded_bytes": 87555255, "downloaded_file_cnt": 5, "entity_id": "demo@demo.com", "entity_type": "user", "event_type": "userProfileUsage", "shared_file_cnt": 0, "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "uploaded_bytes": 0, "uploaded_file_cnt": 0, "version": 2}

Field description for user data usage

| Field name | Description |
| --- | --- |
| data_usage_bytes | The amount of data (in bytes) used by the user. It is the aggregate of the downloaded and uploaded volume for a user. |
| deleted_file_cnt | The number of files deleted by the user. |
| downloaded_bytes | The amount of data (in bytes) downloaded by the user. |
| downloaded_file_cnt | The number of files downloaded by the user. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the user’s usage profile. |
| shared_file_cnt | The number of files shared by the user. |
| uploaded_bytes | The amount of data (in bytes) uploaded by the user. |
| uploaded_file_cnt | The number of files uploaded by the user. |

User device schema


{"cnt": 2, "device": "user1612978536 (Windows)", "entity_id": "demo", "entity_type": "user", "event_type": "userProfileDevice", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "version": 2}

Field description for user device

| Field name | Description |
| --- | --- |
| cnt | The number of times the device is accessed in the last 12 hours. |
| device | The name of the device. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the user’s device access information. |

User app schema


{"tenant_id": "demo_tenant", "entity_id": "demo", "entity_type": "user", "timestamp": "2021-02-10T21:00:00Z", "event_type": "userProfileApp", "version": 2, "session_domain": "99e38d488136f62f828d4823edd120b4f32d724396a7410e6dd1b0", "user_samaccountname": "testnameeikragz779", "app": "Chromeeikragz779", "cnt": 189}

Field description for user app

| Field name | Description |
| --- | --- |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the user’s application access information. |
| session_domain | The ID of the session that the user has logged on to. |
| user_samaccountname | The logon name for clients and servers from a previous version of Windows such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This name is used to log on to Citrix StoreFront and also to log on to a remote Windows machine. |
| app | The name of the application accessed by the user. |
| cnt | The number of times the application is accessed in the last 12 hours. |

User risk score schema


{"cur_riskscore": 7, "entity_id": "demo", "entity_type": "user", "event_type": "userProfileRiskscore", "last_update_timestamp": "2021-01-21T16:14:29Z", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T20:45:00Z", "version": 2}

Field description for user risk score

| Field name | Description |
| --- | --- |
| cur_riskscore | The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the user’s risk score. |
| last_update_timestamp | The time when the risk score was last updated for a user. |
| timestamp | The time when the user risk score event is collected and sent to your SIEM service. This event is sent to your SIEM service every 12 hours. |

Risk score change schema

Sample 1:


{"alert_message": "Large risk score drop percent since last check", "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T05:45:00Z", "version": 2}

Sample 2:


{"alert_message": "Risk score increase since last check", "alert_type": "riskscore_increase", "alert_value": 39.0, "cur_riskscore": 76, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T03:45:00Z", "version": 2}

Field description for risk score change

| Field name | Description |
| --- | --- |
| alert_message | The message displayed for the risk score change. |
| alert_type | Indicates whether the alert is for an increase in risk score or a significant drop in risk score percentage. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service. |
| alert_value | A numerical value assigned for the risk score change. The risk score change is the difference between the current risk score and the previous risk score for a user. The alert value varies from -100 to 100. |
| cur_riskscore | The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the change in the user’s risk score. |
| timestamp | The date and time when the latest change in the risk score is detected for the user. |

Risk indicator schema

The risk indicator schema consists of two parts: the indicator summary schema and the indicator event details schema. Based on the risk indicator, the fields and their values in the schema change accordingly.

The following table describes the field names common across all indicator summary schema.

| Field name | Description |
| --- | --- |
| data_source | The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops. |
| data_source_id | The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access |
| entity_type | The entity at risk. It can be a user or a share link. |
| entity_id | The ID associated with the entity at risk. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator. |
| indicator_category | Indicates the category of the risk indicator. The risk indicators are grouped into one of the risk categories: compromised endpoint, compromised users, data exfiltration, or insider threats. |
| indicator_id | The unique ID associated with the risk indicator. |
| indicator_category_id | The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint |
| indicator_name | The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator. |
| indicator_type | Indicates whether the risk indicator is default (built-in) or custom. |
| indicator_uuid | The unique ID associated with the risk indicator instance. |
| indicator_vector_name | Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators. |
| indicator_vector_id | The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available |
| occurrence_details | The details about the risk indicator triggering condition. |
| risk_probability | Indicates the probability of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator. |
| severity | Indicates the severity of the risk. It can be low, medium, or high. |
| tenant_id | The unique identity of the customer. |
| timestamp | The date and time when the risk indicator is triggered. |
| ui_link | The link to the user timeline view on the Citrix Analytics user interface. |
| observation_start_time | The time from which Citrix Analytics starts monitoring the user activity until the timestamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered. |

The following table describes the field names common across all the indicator event details schema.

| Field name | Description |
| --- | --- |
| data_source_id | The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access |
| indicator_category_id | The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint |
| entity_id | The ID associated with the entity at risk. |
| entity_type | The entity that is at risk. It can be a user or a share link. |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event. |
| indicator_id | The unique ID associated with the risk indicator. |
| indicator_uuid | The unique ID associated with the risk indicator instance. |
| indicator_vector_name | Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators. |
| indicator_vector_id | The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available |
| tenant_id | The unique identity of the customer. |
| timestamp | The date and time when the risk indicator is triggered. |
| version | The schema version of the processed data. The current schema version is 2. |
| client_ip | The IP address of the user’s device. |

Note

  • If an integer data type field value is unavailable, the value assigned is -999. For example, "latitude": -999, "longitude": -999.

  • If a string data type field value is unavailable, the value assigned is NA. For example, "city": "NA", "region": "NA".
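
The following is an added example, not Citrix code, of how a SIEM-side consumer can apply the rules above: it checks the common fields and the version-2 schema, replaces the -999 / "NA" sentinels with null so a missing latitude or city never drives a detection, decodes the string-encoded historical_logon_locations that the Impossible travel summary later on this page carries inside occurrence_details, reproduces the risk score change export rule (the assumption that alert_value is the absolute change for riskscore_increase and the percentage for riskscore_large_drop_pct is read off the two samples above), and joins indicatorEventDetails to their indicatorSummary by indicator_uuid while flagging the 1000-event cap. The sample lines are constructed here and are illustrative only.

```python
"""Added example (not Citrix code): consume Citrix Analytics for Security
risk-insight events exported to a SIEM, following the version-2 schema."""
import json
from typing import Any, Dict, Iterable, Optional, Tuple

SCHEMA_VERSION = 2
INT_UNAVAILABLE = -999   # sentinel for a missing integer field, e.g. "latitude": -999
STR_UNAVAILABLE = "NA"   # sentinel for a missing string field, e.g. "city": "NA"
MAX_DETAILS_PER_OCCURRENCE = 1000   # Citrix exports at most 1000 details per occurrence
DATA_SOURCES = {0: "Citrix Content Collaboration", 1: "Citrix Gateway",
                2: "Citrix Endpoint Management", 3: "Citrix Apps and Desktops",
                4: "Citrix Secure Private Access"}


def _clean(value: Any) -> Any:
    """Recursively replace the -999 / "NA" sentinels with None."""
    if isinstance(value, dict):
        return {k: _clean(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_clean(v) for v in value]
    if value == INT_UNAVAILABLE or value == STR_UNAVAILABLE:
        return None
    return value


def normalize(raw_line: str) -> Dict[str, Any]:
    """Parse one exported JSON line, check the fields common to every event,
    strip sentinels and decode the nested historical_logon_locations string."""
    ev = json.loads(raw_line)
    missing = [k for k in ("tenant_id", "entity_id", "entity_type",
                           "event_type", "timestamp") if k not in ev]
    if missing:
        raise ValueError(f"event lacks common fields: {missing}")
    if ev.get("version") != SCHEMA_VERSION:
        raise ValueError(f"unsupported schema version {ev.get('version')!r}")
    ev = _clean(ev)
    occ = ev.get("occurrence_details")
    if isinstance(occ, dict) and isinstance(occ.get("historical_logon_locations"), str):
        # the field is JSON encoded as a string inside the JSON event
        occ["historical_logon_locations"] = json.loads(occ["historical_logon_locations"])
    if "data_source_id" in ev:
        ev["data_source_name"] = DATA_SOURCES.get(ev["data_source_id"])
    return ev


def risk_score_change_alert(prev_score: int, cur_score: int) -> Optional[Tuple[str, float]]:
    """Reproduce the riskScoreChange export rule: a change of at least 3 that is an
    increase (any rate) or a drop of more than 10 % is sent. Assumption from the two
    samples: alert_value is the absolute change for an increase, the percentage for a drop."""
    change = cur_score - prev_score
    if abs(change) < 3:
        return None
    if change > 0:
        return "riskscore_increase", float(change)
    drop_pct = round(change * 100.0 / prev_score, 5)   # prev_score > 0 whenever change < 0
    if drop_pct < -10.0:
        return "riskscore_large_drop_pct", drop_pct
    return None


def correlate(events: Iterable[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Attach indicatorEventDetails records to their indicatorSummary by indicator_uuid.
    A bucket holding the maximum number of details may be truncated, so it is flagged
    and the analyst should follow the summary's ui_link for the complete timeline."""
    by_uuid: Dict[str, Dict[str, Any]] = {}
    for ev in events:
        uuid = ev.get("indicator_uuid")
        if uuid is None:
            continue
        bucket = by_uuid.setdefault(uuid, {"summary": None, "details": []})
        if ev["event_type"] == "indicatorSummary":
            bucket["summary"] = ev
        elif ev["event_type"] == "indicatorEventDetails":
            bucket["details"].append(ev)
    for bucket in by_uuid.values():
        bucket["possibly_truncated"] = len(bucket["details"]) >= MAX_DETAILS_PER_OCCURRENCE
    return by_uuid


# Constructed sample lines modelled on this page's samples; values are illustrative.
UUID = "f6974562-592f-5328-a2ac-adf7122b8ac7"
COMMON = {"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "version": 2}
SAMPLE_LINES = [json.dumps(d) for d in (
    {**COMMON, "event_type": "riskScoreChange", "timestamp": "2021-02-11T05:45:00Z",
     "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18},
    {**COMMON, "event_type": "indicatorSummary", "timestamp": "2020-06-06T12:14:59Z",
     "indicator_id": 13, "indicator_uuid": UUID, "data_source_id": 0,
     "indicator_name": "Impossible travel",
     "occurrence_details": {"pair_id": 2, "distance": 7480.44718,
                            "historical_logon_locations": json.dumps(
                                [{"country": "United States", "city": "Miami", "count": 28}])}},
    {**COMMON, "event_type": "indicatorEventDetails", "timestamp": "2020-06-06T05:05:00Z",
     "indicator_id": 13, "indicator_uuid": UUID, "data_source_id": 0, "pair_id": 2,
     "country": "Norway", "city": "NA", "latitude": -999, "longitude": -999},
)]

if __name__ == "__main__":
    for uuid, bucket in correlate(normalize(l) for l in SAMPLE_LINES).items():
        print(uuid, bucket["summary"]["indicator_name"], len(bucket["details"]))
    print(risk_score_change_alert(23, 18), risk_score_change_alert(37, 76))
```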

Citrix Secure Private Access risk indicators schema

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "8f2a39bd-c7c2-5555-a86a-5cfe5b64dfef",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:58Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Attempt to access blacklisted URL",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:44:59Z",
    "relevant_event_type": "Blacklisted External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "c421f3f8-33d8-59b9-ad47-715b9d4f65f4",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:57:21Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "googleads.g.doubleclick.net",
  "executed_action": "blocked",
  "reason_for_action": "URL Category match",
  "client_ip": "157.xx.xxx.xxx"
}


The following table describes the field names specific to the summary schema and the event details schema for Attempt to access blacklisted URL.

| Field name | Description |
| --- | --- |
| observation_start_time | The time from which Citrix Analytics starts monitoring the user activity until the timestamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered. |
| executed_action | The action applied to the blacklisted URL. The action is either Allow or Block. |
| reason_for_action | The reason for applying the action to the URL. |

Excessive data downloads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive data download",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "downloaded_bytes": 24000
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive data downloads.

| Field name | Description |
| --- | --- |
| observation_start_time | The time from which Citrix Analytics starts monitoring the user activity until the timestamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered. |
| data_volume_in_bytes | The amount of data in bytes that is downloaded. |
| relevant_event_type | Indicates the type of the user event. |
| domain_name | The name of the domain from which data is downloaded. |
| downloaded_bytes | The amount of data in bytes that is downloaded. |

Unusual upload volume risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "4f2a249c-9d05-5409-9c5f-f4c764f50e67",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Unusual upload volume",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "c6abf40c-9b62-5db4-84bc-5b2cd2c0ca5f",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "uploaded_bytes": 24000
}


The following table describes the field names specific to the summary schema and the event details schema for Unusual upload volume.

| Field name | Description |
| --- | --- |
| observation_start_time | The time from which Citrix Analytics starts monitoring the user activity until the timestamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered. |
| data_volume_in_bytes | The amount of data in bytes that is uploaded. |
| relevant_event_type | Indicates the type of the user event. |
| domain_name | The name of the domain to which data is uploaded. |
| uploaded_bytes | The amount of data in bytes that is uploaded. |

Citrix Content Collaboration risk indicators schema

Excessive access to sensitive files (DLP alert)

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_name": "Excessive access to sensitive files (DLP alert)",
  "indicator_category": "Data exfiltration",
  "risk_probability": 1.0,
  "version": 2,
  "severity": "low",
  "indicator_type": "builtin",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "event_count": 1,
    "observation_start_time": "2021-03-22T09:31:11Z"
    },
  "event_type": "indicatorSummary",
  "cas_consumer_debug_details": {"partition": 1, "offset":179528, "enqueued_timestamp": 1616406412459}
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "version": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "client_ip": "210.91.xx.xxx",
  "file_name": "filename.xls",
  "file_size_in_bytes": 178690,
  "event_type": "indicatorEventDetails"
}

The following table describes the field names specific to the summary schema and the event details schema for Excessive access to sensitive files (DLP alert).

| Field name | Description |
| --- | --- |
| relevant_event_type | The type of event, such as download. |
| event_count | The number of download events detected. |
| observation_start_time | The time from which Citrix Analytics starts monitoring the user activity until the timestamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered. |
| file_name | The name of the downloaded file. |
| file_size_in_bytes | The size of the downloaded file in bytes. |

Excessive file or folder deletion risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "28c4bbab-f3ad-5886-81cd-26fef200d9d7",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T11:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file / folder deletion",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "cumulative_event_count_day": 11,
    "relevant_event_type": "File and/or Folder Delete",
    "observation_start_time": "2017-12-18T11:00:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "be9af43f-29d2-51cd-81d6-c1d48b392bbb",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T01:45:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "210.91.xx.xxx",
  "version": 2,
  "resource_type": "File",
  "resource_name": "Filename21",
  "component_name": "Platform",
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive file or folder deletion.

| Field name | Description |
| --- | --- |
| cumulative_event_count_day | The number of unique file or folder deletion events for the current day. |
| relevant_event_type | Indicates the type of event, such as file or folder delete. |
| resource_type | Indicates whether the resource is a file or a folder. |
| resource_name | The name of the resource. |
| component_name | Indicates the ShareFile component: Platform or Connector. If a user deletes files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user deletes files from a storage zone, the component is shown as “Connector”. |
| connector_type | The type of storage zone connector used. |
| city | The city from which the user has logged on. |
| country | The country from which the user has logged on. |
| region | The region from which the user has logged on. |
| latitude | Indicates the latitude of the location from which the user has logged on. |
| longitude | Indicates the longitude of the location from which the user has logged on. |

Excessive file sharing risk indicator schema

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "3d421659-ef4d-5434-94b8-90f792e81989",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T06:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.19621421,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file sharing",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-03T06:00:00Z",
    "relevant_event_type": "Share Create and/or Send",
    "cumulative_event_count_day": 15
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "c5ea0b26-ce4c-55ad-b8ba-d562f128a2fb",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T02:22:04Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_tenant",
  "version": 2,
  "share_id": "share110",
  "operation_name": "Create",
  "tool_name": "SFWebApp",
  "component_name": "Platform",
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive file sharing.

| Field name | Description |
| --- | --- |
| cumulative_event_count_day | The number of unique files shared during the day. |
| relevant_event_type | Indicates the type of event, such as share links. |
| share_id | The ID associated with the share link. |
| operation_name | Indicates the user activity, such as create share link or delete share link. |
| tool_name | The tool or application used to share the files. |
| component_name | Indicates the ShareFile component: Platform or Connector. If a user shares files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user shares files from a storage zone, the component is shown as “Connector”. |
| city | The city from which the user has logged on. |
| country | The country from which the user has logged on. |
| region | The region from which the user has logged on. |
| latitude | Indicates the latitude of the location from which the user has logged on. |
| longitude | Indicates the longitude of the location from which the user has logged on. |

Excessive file uploads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.64705884,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file uploads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "tool_name": "tool3",
    "relevant_event_type": "Upload",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:37:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "File5.txt",
  "component_name": "Connector",
  "client_ip": "99.xxx.xx.xx",
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive file uploads.

| Field name | Description |
| --- | --- |
| tool_name | The tool or application used to share the files. |
| relevant_event_type | Indicates the type of user event, such as upload. |
| file_name | The name of the uploaded file. |
| component_name | Indicates the ShareFile component: Platform or Connector. If a user uploads files to the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user uploads files to a storage zone, the component is shown as “Connector”. |
| connector_type | The type of storage zone connector used. |
| city | The city from which the user has logged on. |
| country | The country from which the user has logged on. |
| region | The region from which the user has logged on. |
| latitude | Indicates the latitude of the location from which the user has logged on. |
| longitude | Indicates the longitude of the location from which the user has logged on. |

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "13",
  "indicator_uuid": "f6974562-592f-5328-a2ac-adf7122a3qr7",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "pair_id": 2,
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

Indicator event details schema

{
  "tenant_id": "tenant_1",
  "indicator_id": "13",
  "indicator_uuid": "f6974562-592f-5328-a2ac-adf7122b8ac7",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 0,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user1",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  "ip_organization": "global telecom ltd",
  "ip_routing_type": "mobile gateway",
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "os": "NA",
  "tool_name": "SF_FTP"
}


The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name Description
distance The distance (km) between the events associated with impossible travel.
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days The length of the observation window in days; each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
tool_name The tool or the application that is used to log on.
os The operating system of the user’s device.
ip_organization The registering organization of the client IP address.
ip_routing_type The routing type of the client IP address.
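To show how the Impossible travel records are consumed on the SIEM side, here is an added Python example (not code from the page or from Citrix). It decodes historical_logon_locations, which arrives as a JSON array serialised inside a string and therefore needs a second json.loads, copes with entries that carry only a country and a representative latitude/longitude (the second entry in the sample), and recomputes the great-circle distance from the flagged logon in the event details record to each historical location. The sample values are trimmed copies of the two records above; the haversine routine and the 6371 km Earth radius are this example's choices, and the page's distance value refers to the pair of events the indicator compared, so it need not equal the distances computed here.

```python
import json
import math
from typing import Any

# Constructed sample: the Impossible travel summary and event-details records
# shown above, trimmed to the fields this example reads (sample values, not a
# live export).
SUMMARY: dict[str, Any] = {
    "indicator_name": "Impossible travel",
    "occurrence_details": {
        "distance": 7480.44718,
        "historical_logon_locations": (
            '[{"country":"United States","region":"Florida","city":"Miami",'
            '"latitude":25.7617,"longitude":-80.191,"count":28},'
            '{"country":"United States","latitude":37.0902,'
            '"longitude":-95.7129,"count":2}]'
        ),
        "historical_observation_period_in_days": 30,
    },
}

EVENT_DETAILS: dict[str, Any] = {
    "country": "Norway",
    "region": "Oslo",
    "city": "Oslo",
    "latitude": 59.9139,
    "longitude": 10.7522,
}

EARTH_RADIUS_KM = 6371.0  # mean Earth radius; this example's choice


def decode_historical_locations(summary: dict[str, Any]) -> list[dict[str, Any]]:
    """Return historical_logon_locations as a list of dicts.

    The field is a JSON array serialised as a string inside the outer JSON,
    so it has to be decoded a second time. Entries may carry only a country
    with a representative latitude/longitude and no region or city (second
    entry above); absent names are normalised to None.
    """
    raw = summary["occurrence_details"]["historical_logon_locations"]
    entries = json.loads(raw) if isinstance(raw, str) else raw
    locations = []
    for entry in entries:
        locations.append({
            "country": entry.get("country"),
            "region": entry.get("region"),
            "city": entry.get("city"),
            "latitude": float(entry["latitude"]),
            "longitude": float(entry["longitude"]),
            "count": int(entry.get("count", 0)),
        })
    return locations


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def location_label(loc: dict[str, Any]) -> str:
    """'City, Region, Country' with absent parts omitted."""
    return ", ".join(p for p in (loc["city"], loc["region"], loc["country"]) if p)


def distance_from_history(summary: dict[str, Any], details: dict[str, Any]) -> list[dict[str, Any]]:
    """For each historical location (most used first) report how far the
    flagged logon in the event-details record is from it."""
    locations = sorted(decode_historical_locations(summary),
                       key=lambda loc: loc["count"], reverse=True)
    return [
        {
            "label": location_label(loc),
            "count": loc["count"],
            "km": round(haversine_km(loc["latitude"], loc["longitude"],
                                     details["latitude"], details["longitude"]), 1),
        }
        for loc in locations
    ]


if __name__ == "__main__":
    for row in distance_from_history(SUMMARY, EVENT_DETAILS):
        print(f'{row["label"]:<32} seen {row["count"]:>3}x  {row["km"]:>8.1f} km away')
```

The double decoding is the detail most likely to trip up a SIEM field extractor: a parser that treats historical_logon_locations as an opaque string will index the whole array as one value and lose the per-location counts.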

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "274cedc0-a404-5abe-b95b-317c0209c9e8",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:29:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2018-01-26T00:30:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "e1bf5b91-b0e1-5145-aa5b-7731f31b56ac",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:01:01Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "operation_name": "LoginFailure",
  "tool_name": "webapp",
  "client_ip": "128.x.x.x",
  "os": "Android"
}


The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field name Description
relevant_event_type Indicates the type of user event such as logon failure.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
tool_name The tool or application used to log on.
os The operating system of the user device.

Malware files detected risk indicator

Indicator summary schema
{
  "data_source": "Citrix Content Collaboration",
  "data_source_id": 0,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Insider threats",
  "indicator_category_id": 2,
  "indicator_id": "12",
  "indicator_name": "Malware file(s) detected",
  "indicator_type": "builtin",
  "indicator_uuid": "549f0dc6-2421-5d21-bafa-6180",
  "indicator_vector":
    {
      "id": 6,
      "name": "File-Based Risk Indicators"
    },
  "occurrence_details":
    {
      "event_count": 2,
      "file_hash": "ce59df8709e882e3f84",
      "observation_start_time": "2021-11-15T16:00:00Z",
      "relevant_event_type": "Malware Infected File Detected",
      "virus_name": " Win.Malware.Generic-9873973-0"
    },
  "risk_probability": 1.0,
  "severity": "high",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-11-15T16:14:59Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema
{
  "data_source_id": 0,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "file_hash": "ce59df8709e882e3f84",
  "file_name": "test-file.exe",
  "file_path": "/abc@citrix.com/source/repos/test-folder/test-file.exe",
  "folder_name": "test-folder",
  "indicator_category_id": 2,
  "indicator_id": "12",
  "indicator_uuid": "549f0dc6-2421-5d21-bafa-6180",
  "indicator_vector":
    {
      "id": 6,
      "name": "File-Based Risk Indicators"
    },
  "tenant_id": "demo_tenant",
  "timestamp": "2021-11-15T16:01:51Z",
  "version": 2,
  "virus_name": " Win.Malware.Generic-9873973-0"
}


The following table describes the field names specific to the summary schema and the event details schema for Malware files detected.

Field name Description
file_hash The hash value of the infected file.
file_name The name of the infected file uploaded by the Content Collaboration user.
file_path The full path of the folder in the Content Collaboration service where the infected file is uploaded.
folder_name The name of the folder in the Content Collaboration service where the infected file is uploaded.
relevant_event_type The type of event such as malware file detected.
virus_name The name of the virus that infected the file.

Ransomware activity suspected (file replaced) risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "0afaa694-59ec-5a44-84df-3afcefad7b50",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files replaced)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-29T10:50:00Z",
    "relevant_event_type": "Delete & Upload"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "580f8f03-c02b-5d0f-b707-1a0577ca2fec",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:06Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "client_ip": "99.xxx.xx.xx",
  "operation_name": "Upload",
  "file_path": "/root/folder1/folder2/folder3"
}


The following table describes the field names specific to the summary schema and the event details schema for Ransomware activity suspected (file replaced).

Field name Description
relevant_event_type Indicates the type of user event such as deleted the file and uploaded another file.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
file_name The name of the replaced file.
operation_name The user activity such as upload or delete.
file_path The path of the replaced file.

Anonymous sensitive share link download risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "93a32d22-d14b-5413-94fc-47c44fe7c07f",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "62795698",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Anonymous sensitive share link download",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-27T12:00:00Z",
    "relevant_event_type": "Download"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "11562a63-9761-55b8-8966-3ac81bc1d043",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:02:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "46268753",
  "version": 2,
  "file_name": "file1.mp4",
  "file_size_in_bytes": 278,
  "city": "Miami",
  "country": "USA",
  "client_ip": "166.xxx.xxx.xxx",
  "device_type": "iPhone X"
}


The following table describes the field names specific to the summary schema and the event details schema for Anonymous sensitive share link download.

Field names Description
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
relevant_event_type Indicates the type of user event such as download.
file_name The name of the sensitive file that is downloaded.
file_size_in_bytes The file size in bytes that is downloaded.
city The city from which the user activity has been detected.
country The country from which the user activity has been detected.
device_type The type of device used to download the file.

Excessive share link downloads risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive share link downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "lifetime_users_downloaded": 6,
    "observation_start_time": "2018-01-27T19:00:00Z",
    "lifetime_download_volume_in_bytes": 2718,
    "lifetime_download_count": 6,
    "link_first_downloaded": "2018-01-27T11:12:00Z"
  }
}

Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:47:50Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "file_name": "anom20.jep",
  "file_size_in_bytes": 106,
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74,
  "user_email": "new-user61@citrix.com",
  "lifetime_unique_user_emails": "new-user62@citrix.com user6e@citrix.com user6f@citrix.com new-user63@citrix.com new-user64@citrix.com new-user61@citrix.com",
  "lifetime_unique_user_count": 6,
  "lifetime_num_times_downloaded": 6,
  "lifetime_total_download_size_in_bytes": 2718,
  "lifetime_first_event_time": "2018-01-27T11:12:00Z"
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive share link downloads.

Field names Description
relevant_event_type Indicates the type of event such as excessive download of a share link.
lifetime_users_downloaded Indicates the total number of users who have downloaded the share link since the link was created.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
lifetime_download_volume_in_bytes Indicates the total volume of downloads in bytes since the share link was created.
lifetime_download_count Indicates the total number of downloads since the share link was created.
link_first_downloaded Indicates the date and the time when the share link was first downloaded.
file_name Indicates the file name that is shared through the link.
file_size_in_bytes Indicates the size of the shared file.
user_email Indicates the email ID of the current user who has excessively downloaded the file through the share link.
lifetime_unique_user_emails Indicates the email IDs of all users including the current user who have downloaded the file since the link was created.
lifetime_unique_user_count Indicates the total number of unique users who have downloaded the file since the link was created.
lifetime_num_times_downloaded Indicates the total number of times the file was downloaded since the link was created.
lifetime_total_download_size_in_bytes Indicates the total file size that is downloaded since the link was created.
lifetime_first_event_time Indicates the date and time of the first event of downloads since the link was created.
city The city from which the user has logged on.
country The country from which the user has logged on.
region The region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
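Added Python example (not code from the page or from Citrix) that ingests Excessive share link downloads records the way a SIEM pipeline would: it coerces indicator_id and data_source_id to integers, because the samples on this page carry them sometimes as numbers and sometimes as strings ("13", "0"), splits the space-separated lifetime_unique_user_emails string into a list, joins each summary with its event details on indicator_uuid, and checks that the lifetime counters both records carry under different names agree. The sample records are trimmed copies of the two records above; the string-typed ids in the summary copy are a constructed variation to exercise the coercion, and the field pairings in COUNTER_PAIRS are this example's reading of the table above.

```python
from collections import defaultdict
from typing import Any

# Constructed sample records, trimmed from the Excessive share link downloads
# summary and event-details schemas shown above (sample values, not a live
# export). The string-typed ids in the summary are a constructed variation:
# other samples on this page carry "13" and "0" where most carry numbers.
RAW_EVENTS: list[dict[str, Any]] = [
    {
        "tenant_id": "demo_tenant",
        "indicator_id": "51",
        "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
        "data_source_id": "0",
        "event_type": "indicatorSummary",
        "entity_type": "share",
        "entity_id": "29510000",
        "occurrence_details": {
            "relevant_event_type": "Download",
            "lifetime_users_downloaded": 6,
            "lifetime_download_volume_in_bytes": 2718,
            "lifetime_download_count": 6,
            "link_first_downloaded": "2018-01-27T11:12:00Z",
        },
    },
    {
        "tenant_id": "demo_tenant",
        "indicator_id": 51,
        "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
        "data_source_id": 0,
        "event_type": "indicatorEventDetails",
        "entity_type": "share",
        "entity_id": "29510000",
        "file_name": "anom20.jep",
        "file_size_in_bytes": 106,
        "user_email": "new-user61@citrix.com",
        "lifetime_unique_user_emails": "new-user62@citrix.com user6e@citrix.com "
                                       "user6f@citrix.com new-user63@citrix.com "
                                       "new-user64@citrix.com new-user61@citrix.com",
        "lifetime_unique_user_count": 6,
        "lifetime_num_times_downloaded": 6,
        "lifetime_total_download_size_in_bytes": 2718,
        "lifetime_first_event_time": "2018-01-27T11:12:00Z",
    },
]

# (summary field, event-details field) pairs that name the same lifetime
# counter in the two schemas; this pairing is this example's reading of the table.
COUNTER_PAIRS = [
    ("lifetime_users_downloaded", "lifetime_unique_user_count"),
    ("lifetime_download_count", "lifetime_num_times_downloaded"),
    ("lifetime_download_volume_in_bytes", "lifetime_total_download_size_in_bytes"),
    ("link_first_downloaded", "lifetime_first_event_time"),
]


def normalize(event: dict[str, Any]) -> dict[str, Any]:
    """Coerce id fields to int and the space-separated e-mail string to a list
    of lower-cased addresses; everything else is left untouched."""
    out = dict(event)
    for key in ("indicator_id", "data_source_id"):
        if key in out:
            out[key] = int(out[key])
    emails = out.get("lifetime_unique_user_emails")
    if isinstance(emails, str):
        out["lifetime_unique_user_emails"] = [e.lower() for e in emails.split()]
    return out


def group_by_uuid(events: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Pair each indicatorSummary with its indicatorEventDetails records via indicator_uuid."""
    groups: dict[str, dict[str, Any]] = defaultdict(lambda: {"summary": None, "details": []})
    for ev in map(normalize, events):
        slot = groups[ev["indicator_uuid"]]
        if ev["event_type"] == "indicatorSummary":
            slot["summary"] = ev
        elif ev["event_type"] == "indicatorEventDetails":
            slot["details"].append(ev)
    return dict(groups)


def consistency_findings(summary: dict[str, Any], details: dict[str, Any]) -> list[str]:
    """Report lifetime counters that disagree between a summary and one of its
    event-details records, plus e-mail list inconsistencies."""
    findings = []
    occ = summary["occurrence_details"]
    for s_key, d_key in COUNTER_PAIRS:
        if occ.get(s_key) != details.get(d_key):
            findings.append(f"{s_key}={occ.get(s_key)!r} but {d_key}={details.get(d_key)!r}")
    emails = details.get("lifetime_unique_user_emails", [])
    if len(set(emails)) != details.get("lifetime_unique_user_count"):
        findings.append(f"{len(set(emails))} distinct e-mails but "
                        f"lifetime_unique_user_count={details.get('lifetime_unique_user_count')!r}")
    if details.get("user_email", "").lower() not in emails:
        findings.append("user_email is not in lifetime_unique_user_emails")
    return findings


def audit(events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Return {indicator_uuid: findings}; an empty list means the records agree."""
    result = {}
    for uuid, slot in group_by_uuid(events).items():
        if slot["summary"] is None:
            result[uuid] = ["event details without a summary"]
            continue
        findings: list[str] = []
        for det in slot["details"]:
            findings.extend(consistency_findings(slot["summary"], det))
        result[uuid] = findings
    return result
```

Calling audit(RAW_EVENTS) on the sample returns an empty finding list for the one uuid; a detail record whose lifetime_num_times_downloaded disagrees with the summary's lifetime_download_count, or a detail record that arrives before its summary, produces one finding each, which is the kind of check worth wiring into the ingest path before the counters are used for correlation.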

Excessive file downloads risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "exfiltrated_data_volume_in_bytes": 24000,
    "relevant_event_type": "Download",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": "0",
  "timestamp": "2018-01-02T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "99.xxx.xx.xx",
  "version": 2,
  "file_name": "File1.txt",
  "file_size_in_bytes": 24000,
  "component_name": "Platform",
  "connector_type": "NA",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive file downloads.

Field name Description
exfiltrated_data_volume_in_bytes The amount of data in bytes that is downloaded.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
file_name The name of the file that is downloaded.
file_size_in_bytes The file size in bytes that is downloaded.
component_name Indicates the ShareFile component: Platform or Connector. If a user downloads files from the ShareFile-managed cloud storage, the component is shown as “Platform”. If a user downloads files from a storage zone, the component is shown as “Connector”.
city The city from which the user has logged on.
country The country from which the user has logged on.
region The region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.

Ransomware activity suspected (file updated) risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "f21ef9c8-c379-5a96-ae90-e750d31a728c",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files updated)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Update/Upload",
    "observation_start_time": "2018-01-29T10:50:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "0509e432-527e-5c84-abb4-f397f2a5e02b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:05Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "operation_name": "Update",
  "stream_id": "someid37",
  "client_ip": "11.xx.xx.xx",
  "file_path": "/root/folder1/folder2/folder3"
}


The following table describes the field names specific to the summary schema and the event details schema for Ransomware activity suspected (file updated).

Field name Description
relevant_event_type Indicates the type of user event such as update or upload a file.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
file_name The name of the updated file.
operation_name The user activity such as upload, update, or delete.
file_path The path of the file that is updated by the user.
stream_id The ID of the item stream. An item represents a single version of a file system object. The stream identifies all versions of the same file system object. For example, when a user uploads or modifies an existing file, a new item is created with the same stream ID.

Suspicious logon risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "11",
  "indicator_uuid": "42aac530-b589-5338-8cbe-3a940921fce6",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "os": "Windows 10",
    "tool_name": "SFWebApp",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "webroot_threat_categories": "Phishing",
    "user_network_risk": 75,
    "suspicious_network_risk": 89
  }
}

Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "11",
  "indicator_uuid": "42aac530-b589-5338-8cbe-3a940921fce6",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 0,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "tool_name": "SFWebApp",
  "os": "Windows 10",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}


The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name Description
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
occurrence_event_type Indicates the user event type such as account logon.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
tool_name The tool or the application that is used to log on.
os The operating system of the user’s device.
device_id The name of the device used by the user.
user_location_risk Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_device_risk Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_network_risk Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
suspicious_network_risk Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
webroot_threat_categories Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy
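Added Python example (not code from the page or from Citrix) that applies the suspicion bands from the table above to a Suspicious logon summary and copes with indicator_vector being a list of objects for this indicator but a single object in the other schemas on this page. The sample is a trimmed copy of the summary above; treating webroot_threat_categories as a comma-separated string when several categories are present is an assumption, since the sample carries only one.

```python
from typing import Any

# Constructed sample: the Suspicious logon summary shown above, trimmed to the
# fields this example reads (sample values, not a live export).
SUSPICIOUS_LOGON_SUMMARY: dict[str, Any] = {
    "indicator_name": "Suspicious logon",
    "indicator_vector": [
        {"name": "Location-Based Risk Indicators", "id": 2},
        {"name": "IP-Based Risk Indicators", "id": 4},
        {"name": "Other Risk Indicators", "id": 7},
    ],
    "risk_probability": 0.71,
    "severity": "medium",
    "occurrence_details": {
        "relevant_event_type": "Logon",
        "country": "United States",
        "region": "Florida",
        "city": "Miami",
        "user_location_risk": 75,
        "user_device_risk": 0,
        "user_network_risk": 75,
        "suspicious_network_risk": 89,
        "webroot_threat_categories": "Phishing",
        "client_ip": "99.xxx.xx.xx",
    },
}

SCORE_FIELDS = ("user_location_risk", "user_device_risk",
                "user_network_risk", "suspicious_network_risk")
BAND_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_band(score: Any) -> str:
    """Map a 0-100 score to the bands documented above:
    0-69 low, 70-89 medium, 90-100 high."""
    value = float(score)
    if not 0 <= value <= 100:
        raise ValueError(f"score out of range: {score!r}")
    if value >= 90:
        return "high"
    if value >= 70:
        return "medium"
    return "low"


def vector_names(event: dict[str, Any]) -> list[str]:
    """indicator_vector is one object for most indicators but a list of
    objects for Suspicious logon; return the vector names either way."""
    vec = event.get("indicator_vector")
    if not vec:
        return []
    if isinstance(vec, dict):
        vec = [vec]
    return [v["name"] for v in vec]


def threat_categories(occ: dict[str, Any]) -> list[str]:
    """Split webroot_threat_categories into a list. Assumption: several
    categories arrive comma-separated; the sample carries a single one."""
    raw = occ.get("webroot_threat_categories") or ""
    return [c.strip() for c in raw.split(",") if c.strip()]


def triage_suspicious_logon(summary: dict[str, Any]) -> dict[str, Any]:
    """Band each sub-score, list the ones above 'low', and collect the
    context a SIEM rule would key on."""
    occ = summary["occurrence_details"]
    bands = {k: risk_band(occ[k]) for k in SCORE_FIELDS if k in occ}
    return {
        "vectors": vector_names(summary),
        "bands": bands,
        "elevated": sorted(k for k, b in bands.items() if b != "low"),
        "highest_band": max(bands.values(), key=BAND_ORDER.__getitem__, default="low"),
        "threat_categories": threat_categories(occ),
        "location": ", ".join(occ[k] for k in ("city", "region", "country") if occ.get(k)),
        "risk_probability": summary.get("risk_probability"),
    }


if __name__ == "__main__":
    for key, value in triage_suspicious_logon(SUSPICIOUS_LOGON_SUMMARY).items():
        print(f"{key:<18} {value}")
```

For the sample, three of the four sub-scores land in the medium band (89 is still medium, not high), the device score is low, and the only Webroot category is Phishing; a rule that escalates only when highest_band is high would therefore not fire on this record even though the indicator itself is reported with medium severity.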

Citrix Endpoint Management risk indicators schema

Jailbroken or rooted device detected indicators schema

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 200,
  "indicator_name": "Jailbroken / Rooted Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "aa872f86-a991-4219-ad01-2a070b6e633d",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:05Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema
{
  "indicator_id": 200,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "9aaaa9e1-39ad-4daf-ae8b-2fa2caa60732",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:35Z",
  "version": 2
}


Device with blacklisted apps detected

Indicator summary schema
{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 201,
  "indicator_name": "Device with Blacklisted Apps Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "3ff7bd54-4319-46b6-8b98-58a9a50ae9a7",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:23Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema
{
  "indicator_id": 201,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "743cd13a-2596-4323-8da9-1ac279232894",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:39Z",
  "version": 2
}


Unmanaged Device Detected

Indicator summary schema
{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 203,
  "indicator_name": "Unmanaged Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "e28b8186-496b-44ff-9ddc-ae50e87bd757",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T12:56:30Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema
{
  "indicator_id": 203,
  "client_ip": "127.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "dd280122-04f2-42b4-b9fc-92a715c907a0",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T18:41:30Z",
  "version": 2
}


Citrix Gateway risk indicators schema

EPA scan failure risk indicator schema

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "EPA scan failure",
  "severity": "low",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "event_description": "Post auth failed, no quarantine",
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "EPA Scan Failure at Logon"
  }
}

Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:12:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Post auth failed, no quarantine",
  "gateway_domain_name": "10.102.xx.xx",
  "gateway_ip": "56.xx.xxx.xx",
  "policy_name": "postauth_act_1",
  "client_ip": "210.91.xx.xxx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "cs_vserver_name": "demo_vserver",
  "device_os": "Windows OS",
  "security_expression": "CLIENT.OS(Win12) EXISTS",
  "vpn_vserver_name": "demo_vpn_vserver",
  "vserver_fqdn": "10.xxx.xx.xx"
}

The following table describes the field names specific to the summary schema and the event details schema for EPA scan failure.

Field names Description
event_description Describes the reasons for EPA scan failure such as post authentication failed and no quarantine group.
relevant_event_type Indicates the type of the EPA scan failure event.
gateway_domain_name The domain name of Citrix Gateway.
gateway_ip The IP address of Citrix Gateway.
policy_name The EPA scan policy name configured on the Citrix Gateway.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.
cs_vserver_name The name of the content switch virtual server.
device_os The operating system of the user’s device.
security_expression The security expression configured on the Citrix Gateway.
vpn_vserver_name The name of the Citrix Gateway virtual server.
vserver_fqdn The FQDN of the Citrix Gateway virtual server.

Excessive authentication failure risk indicator schema

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "4bc0f759-93e0-5eea-9967-ed69de9dd09a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Excessive authentication failures",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "Logon Failure"
  }
}
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "a391cd1a-d298-57c3-a17b-01f159b26b99",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:10:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo-user",
  "version": 2,
  "event_description": "Bad (format) password passed to nsaaad",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "auth_server_ip": "10.xxx.x.xx",
  "client_ip": "24.xxx.xxx.xx",
  "gateway_ip": "24.xxx.xxx.xx",
  "vserver_fqdn": "demo-fqdn.citrix.com",
  "vpn_vserver_name": "demo_vpn_vserver",
  "cs_vserver_name": "demo_cs_vserver",
  "gateway_domain_name": "xyz",
  "country": "United States",
  "region": "California",
  "city": "San Jose",
  "nth_failure": 5
}


The following table describes the field names specific to the summary schema and the event details schema for Excessive authentication failure.

Field names Description
relevant_event_type Indicates the type of event such as logon failure.
event_description Describes the reason for the excessive authentication failure event such as incorrect password.
authentication_stage Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type Indicates the types of authentication such as LDAP, Local, or OAuth.
auth_server_ip The IP address of the authentication server.
gateway_domain_name The domain name of Citrix Gateway.
gateway_ip The IP address of Citrix Gateway.
cs_vserver_name The name of the content switch virtual server.
vpn_vserver_name The name of the Citrix Gateway virtual server.
vserver_fqdn The FQDN of the Citrix Gateway virtual server.
nth_failure The number of times the user authentication has failed.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  "ip_organization": "global telecom ltd",
  "ip_routing_type": "mobile gateway",
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_os": "Linux OS",
  "device_browser": "Chrome 62.0.3202.94"
}


The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name Description
distance The distance (km) between the events associated with impossible travel.
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days The length of the observation period, in days. Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The start of the period during which Citrix Analytics monitors the user activity; the period ends at the timestamp. If anomalous behavior is detected within this period, a risk indicator is triggered.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
device_browser The web browser used by the user.
device_os The operating system of the user’s device.
ip_organization The registering organization of the client IP address.
ip_routing_type The routing type of the client IP address, for example mobile gateway.

Logon from suspicious IP risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "0100e910-561a-5ff3-b2a8-fc556d199ba5",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.91,
  "indicator_category": "Compromised users",
  "indicator_name": "Logon from suspicious IP",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon",
    "client_ip": "1.0.xxx.xx",
    "observation_start_time": "2019-10-10T10:00:00Z",
    "suspicion_reasons": "brute_force|external_threat"
  }
}
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:11:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "suspicion_reasons": "external_threat",
  "gateway_ip": "gIP1",
  "client_ip": "128.0.xxx.xxx",
  "country": "Sweden",
  "city": "Stockholm",
  "region": "Stockholm",
  "webroot_reputation": 14,
  "webroot_threat_categories": "Windows Exploits|Botnets|Proxy",
  "device_os": "Windows OS",
  "device_browser": "Chrome"
}


The following table describes the field names specific to the summary schema and the event details schema for Logon from suspicious IP.

Field name Description
suspicion_reasons The reasons for which the IP address was identified as suspicious, for example brute_force or external_threat.
webroot_reputation The IP reputation index provided by the threat intelligence provider, Webroot.
webroot_threat_categories The threat categories identified for the suspicious IP address by the threat intelligence provider, Webroot.
device_os The operating system of the user device.
device_browser The web browser used.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "dc0174c9-247a-5e48-a2ab-d5f92cd83d0f",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:44:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2020-04-01T05:45:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "ef4b9830-39d6-5b41-bdf3-84873a77ea9a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:42:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Success",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "client_ip": "99.xxx.xx.xx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "device_os": "Windows OS",
  "device_browser": "Chrome",
  "is_risky": "false"
}


The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field names Description
relevant_event_type Indicates the type of event such as logon failure.
event_description Indicates whether the logon was successful or unsuccessful.
authentication_stage Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type Indicates the types of authentication such as LDAP, Local, or OAuth.
is_risky For a successful logon, the is_risky value is false. For an unsuccessful logon, the is_risky value is true.
device_os The operating system of the user device.
device_browser The web browser used by the user.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Suspicious logon risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd935-a6a3-5397-b596-636aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "device_os": "Windows OS",
    "device_browser": "Chrome",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "user_network_risk": 75,
    "webroot_threat_categories": "Phishing",
    "suspicious_network_risk": 89
  }
}

Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd6935-a6a3-5397-b596-63856aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "device_browser": "Chrome",
  "device_os": "Windows OS",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}


The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name Description
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days The length of the observation period, in days. Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The start of the period during which Citrix Analytics monitors the user activity; the period ends at the timestamp. If anomalous behavior is detected within this period, a risk indicator is triggered.
occurrence_event_type Indicates the user event type such as account logon.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
device_browser The web browser used by the user.
device_os The operating system of the user’s device.
device_id The name of the device used by the user.
user_location_risk Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_device_risk Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_network_risk Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
suspicious_network_risk Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
webroot_threat_categories Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Citrix DaaS and Citrix Virtual Apps and Desktops risk indicators schema

Impossible travel risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "client_ip": "95.xxx.xx.xx",
  "ip_organization": "global telecom ltd",
  "ip_routing_type": "mobile gateway",
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_id": "device1",
  "receiver_type": "XA.Receiver.Linux",
  "os": "Linux OS",
  "browser": "Chrome 62.0.3202.94"
}


The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name Description
distance The distance (km) between the events associated with impossible travel.
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days The length of the observation period, in days. Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The start of the period during which Citrix Analytics monitors the user activity; the period ends at the timestamp. If anomalous behavior is detected within this period, a risk indicator is triggered.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
browser The web browser used by the user.
os The operating system of the user’s device.
device_id The name of the device used by the user.
receiver_type The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
ip_organization The registering organization of the client IP address.
ip_routing_type The routing type of the client IP address, for example mobile gateway.

Potential data exfiltration risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Potential data exfiltration",
  "severity": "low",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download/Print/Copy",
    "observation_start_time": "2018-04-02T10:00:00Z",
    "exfil_data_volume_in_bytes": 1172000
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:57:36Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "App.SaaS.Clipboard",
  "file_size_in_bytes": 98000,
  "file_type": "text",
  "device_id": "dvc5",
  "receiver_type": "XA.Receiver.Windows",
  "app_url": "https://www.citrix.com",
  "client_ip": "10.xxx.xx.xxx",
  "entity_time_zone": "Pacific Standard Time"
}


The following table describes the fields specific to the summary schema and the event details schema for Potential data exfiltration.

Field name Description
observation_start_time The start of the period during which Citrix Analytics monitors the user activity; the period ends at the timestamp. If anomalous behavior is detected within this period, a risk indicator is triggered.
relevant_event_type Indicates the user activity, such as downloading, printing, or copying data.
exfil_data_volume_in_bytes The volume of data exfiltrated, in bytes.
occurrence_event_type Indicates how the data exfiltration has happened such as the clipboard operation in a SaaS app.
file_size_in_bytes The size of the file.
file_type The type of the file.
device_id The ID of the user device.
receiver_type The Citrix Workspace app or Citrix Receiver installed on the user device.
app_url The URL of the application that is accessed by the user.
entity_time_zone The time zone of the user.

Suspicious logon risk indicator schema

Indicator summary schema
{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    }
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "risk_probability": 0.78,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details":
  {
    "user_location_risk": 0,
    "city": "Some_city",
    "observation_start_time": "2020-06-06T12:00:00Z",
    "event_count": 1,
    "user_device_risk": 75,
    "country": "United States",
    "device_id": "device2",
    "region": "Some_Region",
    "client_ip": "99.xx.xx.xx",
    "webroot_threat_categories": "'Spam Sources', 'Windows Exploits', 'Web Attacks', 'Botnets', 'Scanners', 'Denial of Service'",
    "historical_logon_locations": "[{\"country\":\"United States\",\"latitude\":45.0,\"longitude\":45.0,\"count\":12},{\"country\":\"United States\",\"region\":\"Some_Region_A\",\"city\":\"Some_City_A\",\"latitude\":0.0,\"longitude\":0.0,\"count\":8}]",
    "relevant_event_type": "Logon",
    "user_network_risk": 100,
    "historical_observation_period_in_days": 30,
    "suspicious_network_risk": 0
  }
}

Indicator event details schema
{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    }
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06 12:02:30",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "city": "Some_city",
  "country": "United States",
  "region": "Some_Region",
  "latitude": 37.751,
  "longitude": -97.822,
  "browser": "Firefox 1.3",
  "os": "Windows OS",
  "device_id": "device2",
  "receiver_type": "XA.Receiver.Chrome",
  "client_ip": "99.xxx.xx.xx"
}


The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name Description
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days The length of the observation period, in days. Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The start of the period during which Citrix Analytics monitors the user activity; the period ends at the timestamp. If anomalous behavior is detected within this period, a risk indicator is triggered.
occurrence_event_type Indicates the user event type such as account logon.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
browser The web browser used by the user.
os The operating system of the user’s device.
device_id The name of the device used by the user.
receiver_type The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
user_location_risk Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_device_risk Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_network_risk Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
suspicious_network_risk Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
webroot_threat_categories Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy
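The Impossible travel and Suspicious logon schemas above (both the Citrix Gateway and the Citrix Apps and Desktops variants) carry several type inconsistencies that a SIEM parser has to absorb before the fields can be indexed: indicator_vector is an object for most indicators but an array for Suspicious logon, indicator_id is exported sometimes as an integer and sometimes as a string, historical_logon_locations is a JSON document embedded as a string, timestamp appears both as 2020-06-06T12:14:59Z and as 2020-06-06 12:02:30, webroot_threat_categories appears both pipe-delimited and as a quoted comma-separated list, and is_risky is the string "false". The following Python is an added example (not Citrix code) that normalizes a record into one stable shape and maps the user_location_risk, user_device_risk, user_network_risk and suspicious_network_risk scores to the 0-69, 70-89 and 90-100 bands given in the tables; the sample records are constructed from the page's samples and trimmed.

```python
"""Normalize Citrix Analytics risk indicator exports for SIEM ingestion.
Added example, not Citrix code; the two sample records are constructed."""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone
from typing import Any

# Constructed from the Citrix Gateway "Suspicious logon" summary sample.
SAMPLE_SUMMARY: dict = {
    "indicator_id": "110",                  # exported as a string here
    "indicator_vector": [                    # an array for this indicator
        {"name": "Location-Based Risk Indicators", "id": 2},
        {"name": "IP-Based Risk Indicators", "id": 4},
    ],
    "timestamp": "2020-06-06T12:14:59Z",
    "event_type": "indicatorSummary",
    "entity_id": "demo_user",
    "occurrence_details": {
        "country": "United States", "region": "Florida", "city": "Miami",
        # JSON embedded as a string, exactly as the export carries it
        "historical_logon_locations": "[{\"country\":\"United States\","
        "\"region\":\"New York\",\"city\":\"New York City\","
        "\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
        "user_location_risk": 75, "user_device_risk": 0,
        "user_network_risk": 75, "suspicious_network_risk": 89,
        "webroot_threat_categories": "Phishing|Proxy",
    },
}

# Constructed event-details record: integer indicator_id, object-valued
# indicator_vector, the space-separated timestamp form and the "false"
# string flag all occur in the page's samples.
SAMPLE_DETAILS: dict = {
    "indicator_id": 102,
    "indicator_vector": {"name": "IP-Based Risk Indicators", "id": 4},
    "timestamp": "2020-06-06 12:02:30",
    "event_type": "indicatorEventDetails",
    "entity_id": "demo_user",
    "is_risky": "false",
}


def parse_timestamp(value: str) -> datetime:
    """Accept '2020-06-06T12:14:59Z' or '2020-06-06 12:02:30'; both are UTC."""
    text = value.strip().replace(" ", "T").rstrip("Z")
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def vector_names(vector: Any) -> list[str]:
    """indicator_vector is one object for most indicators, a list for some."""
    items = vector if isinstance(vector, list) else [vector]
    return [item["name"] for item in items]


def split_categories(value: str | None) -> list[str]:
    """Handle both 'A|B|C' and "'A', 'B', 'C'" forms seen in the samples."""
    if not value:
        return []
    parts = (p.strip().strip("'\"") for p in re.split(r"[|,]", value))
    return [p for p in parts if p]


def risk_band(score: int) -> str:
    """Bands from the field tables: 0-69 low, 70-89 medium, 90-100 high."""
    if not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score}")
    return "low" if score < 70 else "medium" if score < 90 else "high"


RISK_FIELDS = ("user_location_risk", "user_device_risk",
               "user_network_risk", "suspicious_network_risk")


def normalize_event(raw: dict) -> dict:
    """Return a flat record with stable types for every field a SIEM indexes."""
    out: dict = {
        "indicator_id": str(raw["indicator_id"]),
        "indicator_vectors": vector_names(raw["indicator_vector"]),
        "timestamp": parse_timestamp(raw["timestamp"]),
        "event_type": raw["event_type"],
        "entity_id": raw["entity_id"],
    }
    if "is_risky" in raw:  # exported as the string "false"/"true"
        out["is_risky"] = str(raw["is_risky"]).strip().lower() == "true"
    details = raw.get("occurrence_details") or {}
    if "historical_logon_locations" in details:
        out["historical_logon_locations"] = json.loads(
            details["historical_logon_locations"])
    for field in RISK_FIELDS:
        if field in details:
            out[field + "_band"] = risk_band(details[field])
    if "webroot_threat_categories" in details:
        out["webroot_threat_categories"] = split_categories(
            details["webroot_threat_categories"])
    return out


if __name__ == "__main__":
    for record in (SAMPLE_SUMMARY, SAMPLE_DETAILS):
        print(json.dumps(normalize_event(record), default=str, indent=2))
```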

Microsoft Active Directory Indicator

Indicator summary schema

{
  "data_source": "Microsoft Graph Security",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": 1000,
  "indicator_name": "MS Active Directory Indicator",
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_type": "builtin",
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "ui_link": "https://analytics-daily.cloud.com/user/",
  "version": 2
}


Indicator event details schema

{
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_id": 1000,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "version": 2
}


Custom risk indicator schema

The following section describes the schema for custom risk indicators.

Note

Currently, Citrix Analytics sends the data related to the custom risk indicators of Citrix DaaS and Citrix Virtual Apps and Desktops to your SIEM service.

The following table describes the field names for the custom risk indicator summary schema.

Field name Description
data_source The product that sends data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, or Citrix Apps and Desktops.
data_source_id The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
entity_id The ID associated with the entity at risk.
entity_type The entity at risk. In this case, the entity is a user.
event_type The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
indicator_category Indicates the category of the risk indicator. Each risk indicator is grouped into one of the risk categories: compromised endpoints, compromised users, data exfiltration, or insider threats.
indicator_id The unique ID associated with the risk indicator.
indicator_category_id The ID associated with risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
indicator_name The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
indicator_type Indicates whether the risk indicator is default (built-in) or custom.
indicator_uuid The unique ID associated with the risk indicator instance.
occurrence_details The details about the risk indicator triggering condition.
pre_configured Indicates whether the custom risk indicator is preconfigured.
risk_probability Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
severity Indicates the severity of the risk. It can be low, medium, or high.
tenant_id The unique identity of the customer.
timestamp The date and the time when the risk indicator is triggered.
ui_link The link to the user timeline view on the Citrix Analytics user interface.
version The schema version of the processed data. The current schema version is 2.

The following table describes the field names common across the custom risk indicator event details schema.

| Field name | Description |
| --- | --- |
| data_source_id | The ID associated with a data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access |
| indicator_category_id | The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints |
| event_type | The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event (indicatorEventDetails). |
| tenant_id | The unique identity of the customer. |
| entity_id | The ID associated with the entity at risk. |
| entity_type | The entity that is at risk. In this case, it is the user. |
| indicator_id | The unique ID associated with the risk indicator. |
| indicator_uuid | The unique ID associated with the risk indicator instance. |
| timestamp | The date and time when the risk indicator was triggered. |
| version | The schema version of the processed data. The current schema version is 2. |
| event_id | The ID associated with the user event. |
| occurrence_event_type | The type of user event, such as session logon, session launch, or account logon. |
| product | The type of Citrix Workspace app, such as Citrix Workspace app for Windows. |
| client_ip | The IP address of the user's device. |
| session_user_name | The user name associated with the Citrix Apps and Desktops session. |
| city | The name of the city from which the user activity was detected. |
| country | The name of the country from which the user activity was detected. |
| device_id | The name of the device used by the user. |
| os_name | The operating system installed on the user's device. For more information, see Self-service search for Apps and Desktops. |
| os_version | The version of the operating system installed on the user's device. For more information, see Self-service search for Apps and Desktops. |
| os_extra_info | Extra details about the operating system installed on the user's device. For more information, see Self-service search for Apps and Desktops. |

Custom risk indicator for Citrix DaaS and Citrix Virtual Apps and Desktops

Indicator summary schema

```json
{
  "data_source": "Citrix Apps and Desktops",
  "data_source_id": 3,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_category_id": 3,
  "indicator_id": "ca97a656ab0442b78f3514052d595936",
  "indicator_name": "Demo_user_usage",
  "indicator_type": "custom",
  "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
  "occurrence_details": {
    "condition": "User-Name ~ demo_user",
    "happen": 0,
    "new_entities": "",
    "repeat": 0,
    "time_quantity": 0,
    "time_unit": "",
    "type": "everyTime"
  },
  "pre_configured": "N",
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-02-10T14:47:25Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}
```

Indicator event details schema for the session logon event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "SYD04-MS1-S102",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96"
}
```

The following table describes the field names specific to the event details schema for the session logon event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |

Indicator event details schema for the session launch event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application"
}
```

The following table describes the field names specific to the event details schema for the session launch event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |
| launch_type | Indicates whether an application or a desktop was launched. |

Indicator event details schema for the account logon event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Account.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad"
}
```

The following table describes the field names specific to the event details schema for the account logon event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |

Indicator event details schema for the session end event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96"
}
```

The following table describes the field names specific to the event details schema for the session end event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |

Indicator event details schema for the app start event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.Start",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}
```

The following table describes the field names specific to the event details schema for the app start event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |
| module_file_path | The path of the application that is being used. |

Indicator event details schema for the app end event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}
```

The following table describes the field names specific to the event details schema for the app end event.

| Field name | Description |
| --- | --- |
| app_name | Name of the application or desktop that was launched. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |
| module_file_path | The path of the application that is being used. |

Indicator event details schema for the file download event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "File.Download",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "file_download_file_name": "File5.txt",
  "file_download_file_path": "/root/folder1/folder2/folder3",
  "file_size_in_bytes": 278,
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "device_type": "USB"
}
```

The following table describes the field names specific to the event details schema for the file download event.

| Field name | Description |
| --- | --- |
| file_download_file_name | Name of the downloaded file. |
| file_download_file_path | The destination path to which the file was downloaded. |
| file_size_in_bytes | The size of the downloaded file, in bytes. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |
| device_type | The type of device to which the file was downloaded (for example, USB). |

Indicator event details schema for the printing event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Printing",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "printer_name": "Test-printer",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "job_details_size_in_bytes": 454,
  "job_details_filename": "file1.pdf",
  "job_details_format": "PDF"
}
```

The following table describes the field names specific to the event details schema for the printing event.

| Field name | Description |
| --- | --- |
| printer_name | Name of the printer used for the print job. |
| launch_type | Indicates whether an application or a desktop was launched. |
| domain | The domain name of the server that sent the request. |
| server_name | Name of the server. |
| session_guid | The GUID of the active session. |
| job_details_size_in_bytes | The size of the print job, in bytes. |
| job_details_filename | Name of the printed file. |
| job_details_format | The format of the printed file (for example, PDF). |

Indicator event details schema for the app SaaS launch event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop"
}
```

The following table describes the field names specific to the event details schema for the app SaaS launch event.

| Field name | Description |
| --- | --- |
| launch_type | Indicates whether an application or a desktop was launched. |

Indicator event details schema for the app SaaS end event

```json
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop"
}
```

The following table describes the field names specific to the event details schema for the app SaaS end event.

| Field name | Description |
| --- | --- |
| launch_type | Indicates whether an application or a desktop was launched. |
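The field tables and the schema samples above give a SIEM ingest pipeline everything it needs to validate these records and to tie each indicatorEventDetails record back to the indicatorSummary it belongs to. The following Python is added here as an example and is not Citrix code: it checks the documented constraints (schema version 2, the data_source_id and indicator_category_id tables, the three severity values, the 0 to 1.0 risk_probability range and the fixed 1.0 for custom indicators), groups summary and detail records on indicator_uuid, and emits one normalized alert per risk indicator occurrence. The sample records are constructed from the documented examples, not captured traffic: the detail records deliberately carry the summary's indicator_uuid so the join can be shown, the client IPs are RFC 5737 documentation addresses, and all function names are this example's own.

```python
import json
from collections import defaultdict

# ID tables and value sets as documented for schema version 2.
DATA_SOURCES = {0: "Citrix Content Collaboration", 1: "Citrix Gateway",
                2: "Citrix Endpoint Management", 3: "Citrix Apps and Desktops",
                4: "Citrix Secure Private Access"}
CATEGORIES = {1: "Data exfiltration", 2: "Insider threats",
              3: "Compromised users", 4: "Compromised endpoints"}
SEVERITIES = {"low", "medium", "high"}
SUPPORTED_VERSION = 2
COMMON_REQUIRED = ("event_type", "tenant_id", "entity_id", "entity_type",
                   "indicator_id", "indicator_uuid", "timestamp", "version")

def problems(record):
    """Return every way a record departs from the documented schema (empty if none)."""
    found = [f"missing field {f}" for f in COMMON_REQUIRED if f not in record]
    if record.get("version") != SUPPORTED_VERSION:
        found.append(f"unsupported schema version {record.get('version')!r}")
    if record.get("indicator_category_id") not in CATEGORIES:
        found.append("unknown indicator_category_id")
    if record.get("data_source_id") not in DATA_SOURCES:
        found.append("unknown data_source_id")
    kind = record.get("event_type")
    if kind == "indicatorSummary":
        if record.get("severity") not in SEVERITIES:
            found.append(f"bad severity {record.get('severity')!r}")
        prob = record.get("risk_probability")
        if not isinstance(prob, (int, float)) or not 0.0 <= prob <= 1.0:
            found.append(f"risk_probability {prob!r} out of range")
        elif record.get("indicator_type") == "custom" and prob != 1.0:
            # Custom indicators are policy based, so the export always carries 1.0.
            found.append("custom indicator with risk_probability != 1.0")
    elif kind != "indicatorEventDetails":
        found.append(f"unknown event_type {kind!r}")
    return found

def correlate(lines):
    """Group NDJSON records by indicator_uuid, i.e. by one risk indicator occurrence."""
    groups = defaultdict(lambda: {"summary": None, "events": []})
    for line in lines:
        rec = json.loads(line)
        errs = problems(rec)
        if errs:
            raise ValueError("; ".join(errs))
        bucket = groups[rec["indicator_uuid"]]
        if rec["event_type"] == "indicatorSummary":
            bucket["summary"] = rec
        else:
            bucket["events"].append(rec)
    return dict(groups)

def to_alert(group):
    """Flatten one occurrence into the alert a SIEM rule keys on; None until its summary arrives."""
    summary, events = group["summary"], group["events"]
    if summary is None:
        return None
    return {
        "user": summary["entity_id"],
        "indicator": summary["indicator_name"],
        "custom": summary["indicator_type"] == "custom",
        "category": CATEGORIES[summary["indicator_category_id"]],
        "data_source": DATA_SOURCES[summary["data_source_id"]],
        "severity": summary["severity"],
        "event_count": len(events),
        # Only the first 1000 details of an occurrence are exported, so at the
        # cap the SIEM copy of the occurrence may be incomplete.
        "possibly_truncated": len(events) >= 1000,
        "event_types": sorted({e["occurrence_event_type"] for e in events}),
        "client_ips": sorted({e["client_ip"] for e in events if "client_ip" in e}),
    }

def alerts_from_export(lines):
    return [a for a in map(to_alert, correlate(lines).values()) if a]

# Constructed sample export modelled on the documented examples (not real data);
# the details reuse the summary's indicator_uuid so the join can be shown.
SUMMARY = {"data_source_id": 3, "entity_id": "demo_user", "entity_type": "user",
           "event_type": "indicatorSummary", "indicator_category_id": 3,
           "indicator_id": "ca97a656ab0442b78f3514052d595936",
           "indicator_name": "Demo_user_usage", "indicator_type": "custom",
           "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
           "pre_configured": "N", "risk_probability": 1.0, "severity": "low",
           "tenant_id": "demo_tenant", "timestamp": "2021-02-10T14:47:25Z",
           "ui_link": "https://analytics.cloud.com/user/", "version": 2}

def _detail(event_type, **extra):
    rec = {"event_type": "indicatorEventDetails", "data_source_id": 3,
           "indicator_category_id": 3, "tenant_id": "demo_tenant",
           "entity_id": "demo_user", "entity_type": "user",
           "indicator_id": SUMMARY["indicator_id"], "indicator_uuid": SUMMARY["indicator_uuid"],
           "timestamp": "2021-02-10T14:47:25Z", "version": 2,
           "occurrence_event_type": event_type, "client_ip": "203.0.113.7"}
    return {**rec, **extra}

SAMPLE_EXPORT = [json.dumps(r) for r in (
    _detail("Session.Logon", server_name="SYD04-MS1-S102"),
    SUMMARY,  # the summary may reach the SIEM after some of its details
    _detail("File.Download", file_download_file_name="File5.txt", client_ip="198.51.100.4"),
)]
```

Feed `alerts_from_export` the newline-delimited records your SIEM receives. `to_alert` returns None until the summary for an occurrence has been seen, so a streaming pipeline should buffer details keyed on indicator_uuid rather than drop them. Because at most the first 1000 details of one occurrence are exported, an alert with `possibly_truncated` set should send the analyst to the user timeline in Citrix Analytics (the summary's ui_link) rather than rely on the exported event count.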

Data source events

You can also configure the Data exports feature to export user events from the data sources of the Citrix products that are enabled for Citrix Analytics for Security. Data source events are generated whenever users perform activity in your Citrix environment. The exported events are the unprocessed, real-time user and product usage data, as available in the self-service view. The metadata in these events can be used for deeper threat analysis, for building new dashboards, and for correlation with events from non-Citrix data sources across your security and IT infrastructure.

Currently, Citrix Analytics for Security sends user events to your SIEM for the following data sources:

  • Citrix Content Collaboration
  • Citrix Virtual Apps and Desktops

Schema details of the data source events

Citrix Content Collaboration events

Citrix Analytics receives user events (logs) in real time from the Citrix Content Collaboration service and processes them to detect security threats. For more information, see Citrix Content Collaboration data source. You can view the following user events associated with Citrix Content Collaboration in your SIEM:

  • All event types
  • Distribution group (create, delete, update)
  • DLP policy update
  • DLP update
  • File (delete, download, download start, upload, upload start, virus infected)
  • Login security policy update
  • Report (create, delete, update)
  • Session login
  • SSO setting update

For more information about the events and their attributes, see Self-service search for Content Collaboration.

Citrix Virtual Apps and Desktops events

Citrix Analytics for Security receives user events in real time when users work with virtual apps or virtual desktops. For more information, see Citrix Virtual Apps and Desktops and Citrix DaaS data source. You can view the following user events associated with Citrix Virtual Apps and Desktops in your SIEM:

  • All event types
  • Account logon
  • App (start, launch, end)
  • Clipboard
  • File (print, download)
  • File download (SaaS)
  • HDX session source
  • Printing
  • Session (logon, launch, end, termination)
  • Url
  • VDA data
  • VDA process creation

For more information about the events and their attributes, see Self-service search for Virtual Apps and Desktops.

You can review which event types are enabled and flowing to your SIEM. Select or clear the event types that apply to a tenant, and then click Save Changes to save your settings.

Data source event
