Users dashboard

The Users dashboard is the launching point into user behavior analysis and threat prevention.

This dashboard provides visibility into user-behavior patterns across an organization. Using this data, you can proactively monitor, detect, and flag behavior that falls outside the norm, such as phishing or ransomware attacks. By default, this dashboard displays the users’ risk profiles for the last month.

The Users dashboard contains the following sections:

  • Discovered users. Total number of users in your organization using the data sources for which you have enabled Analytics. Click the link on the dashboard to view the complete list of users discovered by Citrix Analytics.

  • Risky users. Users who have acted in a risky manner or shown risky behavior. The pane lists the risky users with the highest risk score, highest risk score change, most risk indicators, most risk indicator occurrences, and greatest change in risk indicator occurrences on their account. Click the Risky Users link at the top or the See More link on the Risky Users pane to view the list of all risky users and their risk indicators.

  • High risk users. Users who represent an immediate threat to the organization. Click the link to view the list of all high risk users and the risk indicators they triggered.

  • Medium risk users. Users who might have multiple serious violations on their account and must be monitored closely. Click the link to view the list of all medium risk users and the risk indicators they triggered.

  • Low risk users. Users who have some violations detected on their account but are potentially not a threat. Click the link to view the list of all low risk users and the risk indicators they triggered.

  • Users in watchlist. Users monitored closely by administrators. Click the Users in Watchlist box or the See More link on the Users in Watchlist pane to view the list of users who are added to the watchlist.

  • Privileged users. Users who can view sensitive data and modify critical system settings in an organization. Click the Privileged users link or the See More link on the Privileged users pane to view the list of all privileged users.

  • Risk Indicators. Displays the top five default and custom risk indicators. Click See More at the bottom of the pane to view the Risk Indicator Overview page.

  • Access Summary. Summarizes the total number of attempts that users have made to access the resources within your organization.

  • Policies and Actions. Displays the top five policies and actions applied on user profiles. Click the See More link on the Policies and Actions pane to view the list of policies and actions applied.

  • Risk Categories. Displays the risk categories that Citrix Analytics supports. Risk indicators with similar behavioral patterns are grouped into the categories. Click See More on the Risk Categories pane to view the details of each category.

Discovered users

Total number of users in your organization using the data sources for which you have enabled Analytics. They might or might not have a risk score associated with their account, so the number of discovered users on the Users dashboard can be greater than the number of risky users.

Click the link on the dashboard to view the complete list of users discovered by Citrix Analytics.

[Image: Discovered users]

The Discovered Users page displays the list of all users discovered over a time period. You can view data for the last 1 hour, 12 hours, 1 day, 1 week, or 1 month.

Use the following interface map to learn how to interact with the Discovered Users page.

[Image: Discovered users section]

View the following information:

User

List of all users discovered by Analytics. Click a user name to view the user information and risk timeline for the user. The user might or might not have triggered any risk indicator. If there are no risky events associated with this user, you see the following message.

[Image: No risky event]

If there are risky events associated with a user, you see the risk timeline with risk indicator details.

For more information, see Risk timeline.

Devices

Number of devices used by the user to access the data sources. Citrix Analytics collects this data from Citrix Endpoint Management and Citrix Virtual Apps and Desktops. Click a user name, then navigate to User Info to view the name and number of devices used by the user. The Trend View link at the top right corner provides a graphical representation of the user’s device history for a specific time period.

[Image: User info devices]

Locations

The places from which the user might have logged on to the data sources. Citrix Analytics collects this data from Citrix Content Collaboration and Citrix Gateway. Click a user name, then navigate to User Info to view the name and number of locations from which the user has accessed data. The Map View link at the top right corner provides the user’s logon location history for a specific time period.

[Image: User info locations]

Data Usage

Volume of data consumed by the user, which might include data uploaded or downloaded, files uploaded or downloaded, and files shared or deleted. Citrix Analytics collects this data from Citrix Content Collaboration. Click a user name, then navigate to User Info to view the details of data usage for the user. The Trend View link provides a graphical representation of the user’s data usage history for a specific time period.

[Image: User info data usage]

Apps Used

Number of applications accessed by the user during this time period. Citrix Analytics collects this data from Citrix Virtual Apps and Desktops. Click a user name, then navigate to User Info to view the name and number of applications used by the user. The Trend View link at the top right corner provides a graphical representation of the user’s application history for a specific time period.

[Image: User info data usage]

Accesses

Total number of times the user has accessed data from different locations. Click a user name, then navigate to User Info to view the number of times the user accessed the data.

For example, in the following image, you can see that the user “ShareFileUser” has “24” accesses.

[Image: Cross product heavy user]

Now, click the user name and navigate to the User Info pane on the Risk Timeline page. You can see that this user has 24 accesses from two different locations.

[Image: User info access]

Risky users

Risky users are discovered users who have risky events associated and have triggered at least one risk indicator. The level of risk a user poses to the network for a specific time period is determined by the risk score associated with the user. The risk score value is dynamic and is based on user behavior analytics. Based on the risk score, a risky user can fall into one of the three categories: high risk user, medium risk user, or low risk user.

On the Users dashboard, you can view the top five risky users sorted by the highest score or the highest risk indicator occurrences.

  • Click Highest Score Change to view the top five risky users based on the highest score change over a time period.

[Image: Risky user link]

  • Click Risk Indicators to view the top five risk indicators with maximum occurrences.

  • Click Risk Indicators Change to view the top five risk indicators with maximum change in occurrences.

[Image: Risky user dashboard]

Click the Risky Users link on top or the See More link in the Risky Users pane to view the list of all risky users and the risk indicators.

The Risky Users page displays the list of all risky users over a time period. You can view data for the last 1 hour, 12 hours, 1 day, 1 week, or 1 month.

Use the following interface map to learn how to interact with the Risky Users page.

[Image: Risky users]

View the following information:

Score

Score or risk score determines the level of risk a user poses to the network for a specific time period. The risk score value is dynamic and is based on user behavior analytics. Based on the risk score, a risky user can fall into one of the three categories: high risk user, medium risk user, or low risk user.

Change

Change is the risk score change over a time period. A risk score change can be positive or negative. A positive risk score change is represented with a minus (-) sign, which means the risk score of a user has decreased over a time period. A negative risk score change is represented with a plus (+) sign, which means the risk score of a user has increased over a time period. For example, if the risk score of a user was 72 the previous day and the current risk score is 92, the risk score change is negative and is calculated as +20.

[Image: Risk score change]

Access, Data, Application

Types of risk indicators triggered for a user. The columns show the number of different types of risk indicators raised on a user over a specific time period.

User

List of all risky users identified by machine learning algorithms of Citrix Analytics. Click a user name to view the user information and risk timeline for the user.

The risk indicators associated with a user and the time when each risk indicator was triggered are displayed in the risk timeline. Click a risk indicator to view its details. Click User Info to view detailed user information such as devices, locations, data usage, and applications.

Learn more: Risk timeline

[Image: Discovered user's risk timeline]

Note: Currently, the Authentication and Domains data is not available on the User Info profile.

Groups

Displays the groups imported from your Active Directory. The user group names are displayed if you have integrated Citrix Analytics with Active Directory. The group name N/A indicates that you have not integrated Citrix Analytics with Active Directory.

Occurrences and Occurrences Change

  • Occurrences: Total occurrences of default and custom risk indicators for a selected time period.

  • Occurrences Change: Change in occurrences of the default and custom risk indicators for a selected time period.

    A positive occurrences change is represented with a minus (-) sign, which means the total occurrences of a risk indicator have decreased over a time period. A negative occurrences change is represented with a plus (+) sign, which means the total occurrences of the risk indicator have increased over a time period. For example, if there are 4 occurrences of a risk indicator in the current hour or day, and there were 6 occurrences of the same risk indicator in the previous hour or day, the change in risk indicator occurrences between the two is calculated as 4 - 6 and the occurrences change is displayed as -2.

[Image: Risky user occurrences and occurrences change]

How to navigate to User Info from the Data Sources page?

  1. Go to Settings > Data sources.
  2. On the site card of any data source, select the number of users.
  3. On the Users page, select a user and then click User Info. The user information profile, based on applications, devices, location, and data usage, is displayed.

High risk users

Users with a risk score between 91 and 100. These users represent immediate threats to the organization.

On the Users dashboard, you can see a summary of the number of high risk users for a specific time. It shows the total number of high risk users and the increase in the number of high risk users.

For example, the following image shows data for the last 12 hours. Currently, there are five high risk users out of which two were identified as high risk users in the last 12 hours.

[Image: High risk users]

Click the box to view details about the high risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

[Image: High risk user details]

Medium Risk Users

Users with a risk score between 71 and 90. These users might have multiple serious violations on their account and must be monitored closely.

On the Users dashboard, you can see a summary of the number of medium risk users for a specific time. It shows the total number of medium risk users and the increase in the number of medium risk users.

For example, the following image shows data for the last 12 hours. Currently, there are eight medium risk users out of which seven were identified as medium risk users in the last 12 hours.

[Image: Medium risk users]

Click the box to view details about the medium risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

[Image: Medium risk user details]

Low Risk Users

Users with a risk score between 0 and 70. These users may have some violations detected on their account. They can also include users who were previously high or medium risk and have been reevaluated over a predetermined time period.

On the Users dashboard, you can see a summary of the number of low risk users for a specific time. It shows the total number of low risk users and the increase in the number of low risk users.

For example, the following image shows data for the last 12 hours. Currently, there are 147 low risk users out of which 61 were identified as low risk users in the last 12 hours.

[Image: Low risk users]

Click the box to view details about the low risk users such as risk score, score change, trend of score change, latest risk indicator triggered, and the types of risk indicators.

Learn more: Risky Users

[Image: Low risk user details]
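The tier boundaries, the signed score and occurrences change, and the top-five lists described in the Risky users and risk tier sections above, worked through in Python as an added example (not Citrix Analytics code). The user records are constructed, and reading "highest score change" as the largest increase is an assumption.

```python
"""Users dashboard arithmetic: risk tiers, signed change and top-five lists.

Added illustration, not Citrix Analytics code. USERS is constructed data.
Tier boundaries (0-70 low, 71-90 medium, 91-100 high) and the displayed
change (current minus previous: 72 -> 92 shows +20, 6 -> 4 shows -2) follow
the page text. Treating "highest score change" as the largest increase, and
a missing previous score as 0, are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserSnapshot:
    name: str
    score: Optional[int]           # None: discovered user without a risk score
    previous_score: Optional[int]  # score at the start of the selected period
    occurrences: int               # risk indicator occurrences in the period
    previous_occurrences: int      # occurrences in the preceding period


# Constructed snapshot for a "last 12 hours" view.
USERS = [
    UserSnapshot("abrown", 95, 72, 4, 6),
    UserSnapshot("cdavis", 92, 92, 2, 1),
    UserSnapshot("ekhan", 88, 95, 3, 5),
    UserSnapshot("jlee", 75, 40, 1, 0),
    UserSnapshot("mgarcia", 60, 60, 2, 2),
    UserSnapshot("rpatel", 30, 80, 1, 3),   # previously medium, reevaluated
    UserSnapshot("swong", 12, 0, 1, 0),
    UserSnapshot("tnguyen", None, None, 0, 0),  # discovered, no risky events
]


def risk_level(score):
    """Tier for a risk score as the page defines it; None when there is no score."""
    if score is None:
        return None
    if not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score}")
    if score >= 91:
        return "high"
    if score >= 71:
        return "medium"
    return "low"


def change(current, previous):
    """Change as the dashboard displays it: current minus previous."""
    return current - (previous or 0)


def format_change(current, previous):
    """Signed rendering: 92 vs 72 -> '+20', 4 vs 6 -> '-2'."""
    return f"{change(current, previous):+d}"


def risky_users(users):
    """Discovered users that triggered at least one risk indicator."""
    return [u for u in users if u.score is not None and u.occurrences > 0]


def top_risky(users, by="score", n=5):
    """Top-n names for the Risky users pane; by is 'score' or 'change'."""
    keys = {
        "score": lambda u: (-u.score, u.name),
        "change": lambda u: (-change(u.score, u.previous_score), u.name),
    }
    return [u.name for u in sorted(risky_users(users), key=keys[by])[:n]]


def tier_summary(users, tier):
    """(users currently in the tier, how many entered it during the period)."""
    members = [u for u in risky_users(users) if risk_level(u.score) == tier]
    new = [u for u in members if risk_level(u.previous_score) != tier]
    return len(members), len(new)


if __name__ == "__main__":
    print("discovered:", len(USERS), "risky:", len(risky_users(USERS)))
    for tier in ("high", "medium", "low"):
        print(tier, tier_summary(USERS, tier))
    print("top by score:", top_risky(USERS))
    print("top by change:", top_risky(USERS, by="change"))
```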

Users in watchlist

List of users monitored closely for potential threats. For example, you can monitor users who are not full-time employees within your organization by adding those users to the watchlist, or you can monitor users who trigger a specific risk indicator frequently.

You can either add a user to the watchlist manually, or you can define policies that, when triggered, add a user to the watchlist. If no users have been added to the watchlist, you see the following screen on the Users dashboard.

[Image: Zero users in watchlists]

If you have added users to the watchlist, on the Users dashboard, you can view the top five users in the watchlist sorted based on the highest score. You can also view the score change data and the trend of score change.

Click the Users in Watchlist box or the See More link on the Users in Watchlist pane to view the list of all users who are added to the watchlist.

Learn More: Watchlist

[Image: Users dashboard users in watchlist]

Privileged users

Because privileged users have legitimate access to sensitive data and system settings, their malicious actions are often indistinguishable from their everyday activity. As a result, such actions can remain undetected for a long time and expose organizations to a wide variety of risks. To address this challenge, Citrix Analytics introduces the privileged user monitoring functionality, which enables you to closely monitor the behavior anomalies of privileged users.

On the Users dashboard, you can view the top five privileged users sorted based on the highest score.

[Image: Users dashboard privileged users]

Click the Privileged Users link on top or the See More link in the Privileged Users pane to view the Users page, which displays privileged users with Admins and Executives selected on the Filters pane, along with the latest risk indicator details. Privileged users are represented with an icon in the USER column. You can view data for the last 1 hour, 12 hours, 1 day, 1 week, or 1 month.

[Image: Users dashboard privileged users]

Citrix Analytics supports the following types of privileged users:

  • Admins. Users who have administrator rights to a product or service. When a user’s privilege is elevated to Admin in the Content Collaboration service, this information is made available on the Users page, and Citrix Analytics monitors the activities of those users as admins.

    Consider the user Maria Brown, who was assigned admin privileges in the Content Collaboration service. Maria starts excessively deleting files and folders, and the machine learning algorithm detects the unusual behavior. The Excessive file or folder deletion risk indicator is added to the user’s risk timeline. Citrix Analytics helps you compare this risk indicator with the information available on the Users page, so you can determine whether the risk indicator was triggered after the user was assigned admin privileges in Content Collaboration. If so, you can take appropriate actions on the privileged user’s profile.

  • Executives. Users, usually from the top management in your organization. When you mark an Active Directory (AD) user group as an executive group, Citrix Analytics treats all users in that group as privileged users and monitors their activities as executives. For more information, see Marking an AD group as executive group and Removing an AD group as executive group.

    Consider the AD user group Domain Admins, marked as an executive group. A user in the group starts deleting files and folders excessively, and the machine learning algorithm detects the unusual behavior. The Excessive file or folder deletion risk indicator is added to the user’s risk timeline. Citrix Analytics helps you compare the risk indicator with the information available on the Users or the User Groups page, so you can determine whether the risk indicator was triggered after the AD group was marked as an executive group. If so, you can take appropriate actions on the privileged user’s profile.

    [Image: Users dashboard users in watchlist]

The privileged user group page contains a list of privileged members, work location, and the organization.

[Image: Users dashboard users in watchlist]

Marking an AD group as executive group

  1. Navigate to Settings > User Groups.

  2. Select the name of the user group to mark as an executive group.

  3. Under Actions, select Mark as Executive group.

Removing an AD group as executive group

  1. Navigate to Settings > User Groups.

  2. Select the name of the user group to remove as an executive group.

  3. Under Actions, select Remove as Executive group.

Risk Indicators

Summarizes the top five default and custom risk indicators for a user. For default risk indicators, Citrix Analytics collects data from data sources that are enabled.

For custom risk indicators, Citrix Analytics collects data from the following data sources based on the risky events generated:

  • Citrix Access Control
  • Citrix Content Collaboration
  • Citrix Virtual Apps and Desktops

You can view the top five risk indicators and sort them by total occurrences, change in occurrences, or severity.

[Image: Risk indicators dashboard]

When you click See More on the Risk Indicators dashboard, you are redirected to the Risk Indicator Overview page.

The Risk Indicator Overview page provides insights into the default and the custom risk indicators for the corresponding data source. The top pane summarizes the risk indicator occurrences based on severity. The table provides a detailed view of all the default and the custom risk indicators for a selected time period. When you select a risk indicator, you are redirected to the Risk Indicator Details page. Alternatively, you can select a risk indicator on the Risk Indicators dashboard to view the Risk Indicator Details page.

[Image: Risk indicator overview]

The Risk Indicator Details page summarizes the total occurrences of a risk indicator. It also provides details about the time of event, user name, and event details.

To view the details of the risk indicator, click View on the EVENT DETAILS column. You are redirected to that risk indicator on the user’s risk timeline. The user risk timeline displays the risk indicators generated for a selected time period.

[Image: Risk indicator overview]

For information on the default user risk indicators, see Citrix user risk indicators. For information about custom risk indicators, see Custom risk indicators.

Access Summary

This dashboard summarizes all the Gateway access events. The graph indicates the number of access events for a selected time period.

When you select the pointers on the graph, you are redirected to the Self-service search for Gateway page. For successful sign-in scenarios, data is sorted by the status code on the Self-service search for Gateway page.

[Image: Access summary dashboard]

Policies and Actions

Displays the top five policies and actions applied on user profiles. Click the See More link on the Policies and Actions pane to get detailed information about the policies and actions.

[Image: Policies and actions dashboard]

Top Policies

The top five configured policies, determined by the number of occurrences. When you are in the Top Policies section of the dashboard and select See More, you are redirected to the All Policies page.

[Image: Policies and actions dashboard]

All policies

This page provides detailed information about all the configured policies. When you select any policy, you are redirected to the Self-service search for Policies page. On the left pane, you can filter based on the actions applied.

When you select a user name, you are redirected to the risk timeline. The policy-based action is added to the user’s risk timeline. When you select the action, its details are displayed on the right pane of the risk timeline.

Top Actions

The top five actions performed on user profiles, determined by the number of occurrences. When you are in the Top Actions section of the dashboard and select See More, you are redirected to the Actions page.

[Image: Policies and actions dashboard]

Actions

This page provides detailed information about every applied action, users impacted, occurrences, policies, and the time of action event. When you select any action, you are redirected to the All Policies page with data sorted based on the specified action on the left pane. For example, when you select Request user response on the Actions page, you are redirected to the All Policies page that displays all the configured policies associated with the Request user response action.

[Image: Policies and actions dashboard]

Risk Categories

This dashboard provides an aggregated view of an organization’s level of risk exposure. Risk indicators that represent similar risks are grouped into known categories. Risk categorization is supported for default and custom risk indicators.

[Image: Risk categories dashboard]

The purpose of the Risk Categories dashboard is to enable Citrix Virtual Apps and Desktops administrators to manage user risks and have simplified discussions with their security counterparts without needing expert-level security knowledge. It allows security enforcement to take effect at an organizational level rather than being limited to security administrators alone.

Use case

Consider that you are a Citrix Virtual Apps and Desktops administrator and you manage the application access rights of employees in your organization. If you go to the Risk Categories > Compromised users > Excessive authentication failures - Citrix Gateway risk indicator section, you can assess whether the employees to whom you had granted access have been compromised. If you navigate further, you can get more accurate insights into this risk indicator such as the failure reasons, sign-in locations, timeline details, and user summary. If you notice any discrepancies between the users that were granted access and users that were compromised, you can notify the security administrator about it. This timely notification to the security administrator contributes towards enforcement of security at an organizational level.

[Image: Risk categories use case]

How to analyze the Risk Categories dashboard?

When you select See More on the Risk Categories dashboard, you are redirected to the page that summarizes details about the risk categories. This page contains the following details:

  • Risk category report: Represents the total risk indicator occurrences of each category for a selected time period.

    [Image: Risk categories page]

  • Timeline details: Provides a graphical representation of the total risk indicator occurrences of every risk category for a selected time period. If you navigate to the bottom of this section, you can sort based on risk categories for more accurate insights about the risk indicators.

    [Image: Risk categories page]

  • Risk category summary: This section provides details such as the impact, occurrences, and severity of the risk indicators associated with each category. Select any risk category to view details about the risk indicators associated with that category. For example, when you select the Compromised users category, you are redirected to the Compromised users page.

    [Image: Risk categories page]

The Compromised users page displays the following details:

  • Risk Indicator Report: Displays the risk indicators that belong to the Compromised users category for a selected time period. It also displays the total occurrences of the risk indicators that were triggered during the selected time period.

    [Image: Compromised users page]

  • Timeline Details: Provides a graphical representation of the risk indicator occurrences for a selected time period.

    [Image: Compromised users page]

  • Risk Indicator Summary: Displays a summary of the risk indicators generated under the compromised users category. This section also displays the severity, data source, risk indicator type, occurrences, and the last occurrence.

    [Image: Compromised users page]

When you select a risk indicator, you are redirected to the page that summarizes details of that indicator. For example, if you select the First time access from new device risk indicator, you are redirected to the page that summarizes details about this indicator. The summary includes timeline details about the occurrences of this event and a user summary that lists the users that triggered this risk indicator, risk indicator occurrences, and the time of event. When you select a user, you are redirected to the user’s risk timeline.

[Image: Compromised users page]

Note

Citrix Analytics groups default risk indicators under the appropriate risk category. For custom risk indicators, you must select a risk category on the Create Indicator page. For more information, see Custom risk indicators.

Types of risk categories

Data exfiltration

This category groups risk indicators triggered by malware or by employees who perform unauthorized data transfers or data theft to or from a device in an organization. You can get insights into all the data exfiltration activities that have taken place during a specified time period, and mitigate risks associated with this category by proactively applying actions on user profiles.

The Data exfiltration risk category groups the following risk indicators together:

Data Sources                        User Risk Indicators
Citrix Virtual Apps and Desktops    Potential data exfiltration
Citrix Content Collaboration        Excessive access to sensitive files
Citrix Content Collaboration        Excessive file sharing
Citrix Access Control               Unusual upload volume

Insider threats

This category groups risk indicators triggered by employees within an organization. Because employees have higher levels of access to company-specific applications, organizations face a higher chance of security risks from them. Risky activities might be caused intentionally by a malicious insider or might result from human error. In either scenario, the security impact on the organization is damaging. This category provides insights into all the insider threat activities that have taken place during a specified time period. With the help of these insights, you can mitigate risks associated with this category by proactively applying actions on user profiles.

The Insider threats risk category groups the following risk indicators together:

Data Sources                        User Risk Indicators
Citrix Virtual Apps and Desktops    Unusual time of application access (Virtual)
Citrix Virtual Apps and Desktops    Unusual time of application access (SaaS)
Citrix Content Collaboration        Excessive file or folder deletion
Citrix Content Collaboration        Excessive file uploads
Citrix Access Control               Excessive data download
Citrix Access Control               Attempt to access blacklisted URL
Citrix Access Control               Risky website access

Compromised users

This category groups risk indicators in which users display unusual behavioral patterns such as suspicious sign-ins or sign-in failures. The unusual patterns might also be a result of the user accounts being compromised. You can get insights into all the compromised user events that have taken place during a specified time period, and mitigate risks associated with this category by proactively applying actions on user profiles.

The Compromised users risk category groups the following risk indicators together:

Data Sources                        User Risk Indicators
Citrix Virtual Apps and Desktops    First time access from new device
Citrix Content Collaboration        First time access from new location
Citrix Content Collaboration        Excessive authentication failures
Citrix Content Collaboration        Ransomware activity suspected
Citrix Content Collaboration        Excessive file downloads
Citrix Gateway                      Logon from suspicious IP
Citrix Gateway                      Excessive authentication failures
Citrix Gateway                      Excessive authorization failures
Citrix Gateway                      First time access from new location
Microsoft Graph Security            Azure AD Identity Protection risk indicators
Microsoft Graph Security            Windows Defender ATP risk indicators

Compromised endpoints

This category groups risk indicators that are triggered when devices exhibit insecure behavior that might indicate a compromise.

The Compromised endpoints risk category groups the following risk indicators together:

Data Sources                        User Risk Indicators
Citrix Virtual Apps and Desktops    Access from device with unsupported OS
Citrix Gateway                      End point analysis (EPA) scan failure
Citrix Endpoint Management          Unmanaged device detected
Citrix Endpoint Management          Jailbroken or rooted device detected
Citrix Endpoint Management          Device with blacklisted apps detected
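The Risk category report and Risk Indicator Summary described under "How to analyze the Risk Categories dashboard" above, built from risk indicator events in Python as an added example (not Citrix Analytics code). The events are constructed, CATEGORY_OF is a subset of the category tables on this page, and reporting an unmapped indicator as "Uncategorized" is an assumption.

```python
"""Risk category report and per-category indicator summary from events.

Added illustration, not Citrix Analytics code. EVENTS is constructed data.
CATEGORY_OF copies a subset of the (data source, risk indicator) -> category
tables on this page; the key includes the data source because the same
indicator name (for example "Excessive authentication failures") belongs to
more than one source. The "Uncategorized" fallback is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CATEGORY_OF = {
    ("Citrix Virtual Apps and Desktops", "Potential data exfiltration"): "Data exfiltration",
    ("Citrix Content Collaboration", "Excessive file sharing"): "Data exfiltration",
    ("Citrix Content Collaboration", "Excessive file or folder deletion"): "Insider threats",
    ("Citrix Access Control", "Risky website access"): "Insider threats",
    ("Citrix Content Collaboration", "Excessive authentication failures"): "Compromised users",
    ("Citrix Gateway", "Excessive authentication failures"): "Compromised users",
    ("Citrix Gateway", "First time access from new location"): "Compromised users",
    ("Citrix Virtual Apps and Desktops", "First time access from new device"): "Compromised users",
    ("Citrix Endpoint Management", "Jailbroken or rooted device detected"): "Compromised endpoints",
}

WINDOW = timedelta(hours=12)        # the "last 12 hours" selection
NOW = datetime(2020, 5, 1, 12, 0)   # constructed reference time
PREVIOUS_END = NOW - WINDOW         # end of the preceding period of equal length

# Constructed events: (timestamp, data source, risk indicator, user)
EVENTS = [
    (NOW - timedelta(hours=1), "Citrix Gateway", "Excessive authentication failures", "abrown"),
    (NOW - timedelta(hours=2), "Citrix Gateway", "Excessive authentication failures", "ekhan"),
    (NOW - timedelta(hours=3), "Citrix Gateway", "First time access from new location", "abrown"),
    (NOW - timedelta(hours=5), "Citrix Content Collaboration", "Excessive file or folder deletion", "mbrown"),
    (NOW - timedelta(hours=9), "Citrix Virtual Apps and Desktops", "Potential data exfiltration", "jlee"),
    (NOW - timedelta(hours=11), "Citrix Endpoint Management", "Jailbroken or rooted device detected", "rpatel"),
    # preceding 12-hour period
    (NOW - timedelta(hours=14), "Citrix Gateway", "Excessive authentication failures", "abrown"),
    (NOW - timedelta(hours=15), "Citrix Gateway", "Excessive authentication failures", "abrown"),
    (NOW - timedelta(hours=16), "Citrix Gateway", "Excessive authentication failures", "swong"),
    (NOW - timedelta(hours=20), "Citrix Content Collaboration", "Excessive file sharing", "jlee"),
    (NOW - timedelta(hours=23), "Citrix Content Collaboration", "Excessive file sharing", "jlee"),
]


def in_window(events, end, window=WINDOW):
    """Events whose timestamp lies in (end - window, end]."""
    start = end - window
    return [e for e in events if start < e[0] <= end]


def category_of(source, indicator):
    """Default indicators follow the page's tables; anything else is flagged."""
    return CATEGORY_OF.get((source, indicator), "Uncategorized")


def category_report(events, end=NOW, window=WINDOW):
    """Total risk indicator occurrences per category for the selected period."""
    counts = Counter(category_of(src, ind) for _, src, ind, _ in in_window(events, end, window))
    return dict(counts)


def indicator_summary(category, events, end=NOW, window=WINDOW):
    """Per-indicator rows for one category: occurrences in the selected period,
    change against the preceding period (current minus previous, as the
    dashboard displays it), last occurrence, and the users involved."""
    current = defaultdict(list)
    for ts, src, ind, user in in_window(events, end, window):
        if category_of(src, ind) == category:
            current[(src, ind)].append((ts, user))
    previous = Counter(
        (src, ind) for _, src, ind, _ in in_window(events, end - window, window)
        if category_of(src, ind) == category
    )
    rows = []
    for key in set(current) | set(previous):   # include indicators that fell to zero
        hits = current.get(key, [])
        rows.append({
            "data_source": key[0],
            "risk_indicator": key[1],
            "occurrences": len(hits),
            "occurrences_change": len(hits) - previous.get(key, 0),
            "last_occurrence": max(ts for ts, _ in hits).isoformat() if hits else None,
            "users": sorted({user for _, user in hits}),
        })
    rows.sort(key=lambda r: (-r["occurrences"], r["risk_indicator"]))
    return rows


if __name__ == "__main__":
    print(category_report(EVENTS))
    for row in indicator_summary("Compromised users", EVENTS):
        print(row)
```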