What’s new

A goal of Citrix is to deliver new features and product updates to Citrix Analytics customers when they are available. New releases provide more value, so there’s no reason to delay updates.

To you, the customer, this process is transparent. Initial updates are applied to Citrix internal sites only, and are then applied to customer environments gradually. Delivering updates incrementally in waves helps to ensure product quality and to maximize availability.

July 09, 2020

New features

Virtual Apps and Desktops site card displays users with supported and unsupported clients

On the site card, you can now view the number of users who are using supported and unsupported versions of Citrix Workspace app or Citrix Receiver clients on their endpoints.

  • Click the user count for the supported clients to view the User page that displays all the discovered users.

  • Click the user count for the unsupported clients to download a CSV file. The file lists the users and their unsupported client versions. Analytics does not receive user events from the unsupported clients and therefore does not add the users as discovered users. Using the CSV file, you can identify the users who need to upgrade their clients to a supported version so that Analytics can provide security insight into their behavior.

To view the list of supported clients, see Citrix Virtual Apps and Desktops data source.

Client status

Access from an unusual location risk indicator

  • The Citrix Gateway risk indicator First time access from new location is renamed as Access from an unusual location.

  • On the user risk timeline, a geographical map and a pie chart are introduced in the event details section.

    • Sign in locations: This section displays a geographical map view of the user’s usual and unusual locations. The usual and unusual locations are indicated by a color code on the top right section of the geo map. You can zoom the geo map to get a closer look at the location.

      Access from unusual location

    • Usual locations - last 30 days: This section displays a pie chart that gives a view of the top 6 usual locations that the user has signed in from. Each location is marked with a different color code. You can sort the section by the location to get a detailed view of the selected location.

      Access from unusual location

For more information, see Access from an unusual location.

Users dashboard data

The number of risky users, discovered users, privileged users, and users in the watchlist are displayed for the last 13 months irrespective of the time period selected on the Users dashboard and the Users page. When you select the time period, the risk indicator occurrences change.

For more information, see Users dashboard.

User dashboard data

Redesigned Users page

The Users page has been enhanced for a better user experience. It provides a consolidated summary of the user events based on the user risk scores, data source, and user type.

To support a more focused search, the Users page contains the Filters section on the left pane and the search bar on top. You can search for user events for a preset time or a customized time range.

Discovered users section

To view the Users page:

  • Go to Security > Users to view the Users dashboard and do the following:

    • Click one of the following links or the cards.

      Users page

    • On the Risky Users pane, click See More.

    • On the Users in Watchlist pane, click See More.

    • On the Privileged Users pane, click See More.

  • Go to Settings > Data Sources > Security. Click the number of users on any data source site card.

For more information, see Users dashboard.

Risky Users pane enhancements

The Change column is replaced with the Risk Indicators column. The Risk Indicators column displays the total risk indicator occurrences of a user for a specific time period.

For more information, see Risky Users.

Risky user pane

Users in Watchlist pane enhancements

The Change column is replaced with the Risk Indicators column. The Risk Indicators column displays the total risk indicator occurrences of a user for a specific time period.

For more information, see Users in watchlist.

Watchlist pane

Privileged Users pane enhancements

  • The Change column is replaced with the Risk Indicators column. The Risk Indicators column displays the total risk indicator occurrences of a user for a specific time period.

  • Click See More to view the Users page. The Users page displays the list of admin and executive privileged users. On this page, you can add or remove a user as a privileged user.

For more information, see Privileged users.

Privileged users pane

Deprecated features

Alerts

The Alerts feature is now deprecated and no longer available on the Analytics user interface.

Alerts

Risky Users and Watchlist page

The Risky Users and Watchlist pages are deprecated. They are replaced with the Users page that summarizes all the risky user events and the users in the watchlist.

Risky user page

Watchlist page

Risky Users pane

The Highest Score Change and Risk Indicator Change tabs are removed from the Risky Users pane.

Risky user pane

Risk Indicator pane

  • The Occurrence Change tab and the CHANGE column are removed.

    Risk indicator pane

  • The Risk Indicator Details page is deprecated. Previously, this page was displayed when a risk indicator was selected on the Risk Indicators pane or on the Risk Indicator Overview page.

    Risk indicator detail page

Trend view

On the Users dashboard, the trend view of user count is removed from the High Risk Users, Medium Risk Users, Low Risk Users, and Users in Watchlist cards.

Trend view

User Groups page

The User Groups page under the Settings option is deprecated. You can no longer add or remove a user group as a privileged group. However, you can add or remove individual users as privileged users. For more details, see Privileged users.

User group page

June 26, 2020

Deprecated features

Unusual time of application access (Virtual/SaaS) risk indicators removed

The Citrix Virtual Apps and Desktops risk indicators - Unusual time of application access (Virtual) and Unusual time of application access (SaaS) have been deprecated. You can only view historic data related to these indicators.

The following changes are applicable as part of this deprecation:

  • Analytics no longer generates these risk indicators.
  • Analytics no longer generates policies with these risk indicators as the conditions.
  • Default policies with these risk indicators as the conditions no longer take effect.

For more information on the Citrix Virtual Apps and Desktops risk indicators, see Citrix Virtual Apps and Desktops risk indicators.

June 02, 2020

Fixed issues

  • On the user risk timeline, the status of the Virtual Apps and Desktops actions (policy-based or manually applied) appears as “Failure” even though the actions are successfully applied on the user account. For example, the Start session recording action is successfully applied on the user account, but the result is shown as “Failure”. [CAS-32773]

    CVAD action failure status

May 11, 2020

Fixed issues

  • For some users, the policy-based actions are not triggered and the policy enforcement mode cannot be applied. This issue occurs when the customer IDs are not in lower case.

    [CAS-34209], [CAS-34141]

  • Unable to create custom risk indicators for some users. This issue occurs when the customer IDs are not in lower case.

    [CAS-34139]

April 29, 2020

Fixed issues

  • Actions applied on Citrix Virtual Apps and Desktops risk indicators fail to take effect although Analytics displays a message that the actions are successfully applied. This issue is observed in the Citrix Virtual Apps and Desktops 7 1912 version.

    [CAS-31544]

April 02, 2020

New features

Disable data processing when StoreFront is not added

On the Settings > Data Sources > Security > Virtual Apps and Desktops data source site card, the Turn on Data Processing button does not get enabled if you have not onboarded StoreFront. You see the StoreFront not connected warning message on the site card. If you have an active on-prem site from where you want Analytics to receive data, you must verify that you have onboarded StoreFront to Citrix Analytics. It ensures that your user accounts are protected.

On the Virtual Apps and Desktops site card, select the vertical ellipsis (⋮) and click Connect StoreFront deployment. On the screen that is displayed, follow the instructions and complete the StoreFront configuration.

For more information, see Onboard Virtual Apps and Desktops sites using StoreFront.

StoreFront warning

Fixed issues

  • For Citrix Content Collaboration users, policy-based actions fail to take effect under the following conditions:

    • When custom risk indicator conditions are defined

    • Until a risk indicator is generated for a user

    [CAS-29226]

March 04, 2020

Fixed issues

  • When Gateway users onboard to Analytics for the first time, they see the error Citrix ADC is unresponsive or credentials are incorrect. Upon retrying, they see the error Device with this IP address already exists.

    [CAS-31180]

February 20, 2020

New features

Citrix Analytics for Security offering

Citrix Analytics for Security is now available for individual subscription. You can subscribe to Citrix Analytics for Security and get insights that are specific to this offering. For more information, see Get started.

Risk Categories dashboard

Citrix Analytics introduces categorization of risk indicators based on risks that have a similar impact on the organization’s security aspect. This dashboard provides a comprehensive view of the risk exposures and critical risks that require immediate attention. For default risk indicators, Analytics automatically assigns a risk category based on the risk exposure. For custom risk indicators, you must select an appropriate risk category based on the risk exposure.

Analytics supports the following risk categories:

  • Data exfiltration
  • Insider threats
  • Compromised users
  • Compromised endpoints

For more information, see Risk Categories.

Risk categories dashboard

Risk Category column on the Custom Indicators page

The Risk Category column is introduced on the Custom Risk Indicator page. Based on type of risk exposure, you can select a risk category for your custom risk indicator. Previously created custom risk indicators are displayed on the Risk Categories dashboard if you modify them by selecting a risk category.

For more information, see Custom risk indicators.

Risk categories drop-down list

Change in risk indicator names

The following risk indicator names have been changed:

| Data Source | Old Name | New Name |
|---|---|---|
| Citrix Virtual Apps and Desktops | Unusual application usage (Virtual) | Unusual time of application access (Virtual) |
| Citrix Virtual Apps and Desktops | Unusual application usage (SaaS) | Unusual time of application access (SaaS) |
| Citrix Content Collaboration | Excessive logon failures | Excessive authentication failures |
| Citrix Content Collaboration | Unusual logon access | First time access from new location |
| Citrix Access Control | Unusual download volume | Excessive data download |
| Citrix Gateway | Logon failures | Excessive authentication failures |
| Citrix Gateway | Authorization failures | Excessive authorization failures |
| Citrix Gateway | Unusual logon access | First time access from new location |

For more information, see Risk indicators.

Fixed issues

  • For some users, Citrix Analytics is unable to receive any data from Virtual Apps and Desktops even though the data source is successfully onboarded and StoreFront is enabled. [CAS-24134]

  • Citrix Analytics is unable to receive download events from Citrix Content Collaboration. Therefore, the following risk indicators are not triggered:

    • Anonymous sensitive download

    • Excessive downloads

    • Excessive access to sensitive files

    • Excessive file downloads

    [CAS-29207]

  • For newly onboarded users, manual and policy-based actions applied on Citrix Gateway risk indicators do not take any effect. [CAS-29029]

  • Some users are unable to view the site cards on the Data Sources page. This issue is resolved by repopulating the cache. [CAS-28781]

January 09, 2020

New features

Continuous risk assessment

A challenge that Citrix Workspace users face is that remote access exposes sensitive data to security risks through cyber-criminal activities such as data exfiltration, theft, vandalism, and service disruptions. Employees within organizations are also likely to contribute to this damage.

Some ways of addressing these risks are to implement multifactor authentication, enforce short sign-in timeouts, and so on. Although these risk assessment methods ensure a higher level of security, they do not provide complete security after the initial validation.

To enhance the security aspect and to ensure a better user experience, Citrix Analytics introduces the solution of continuous risk assessment. This solution helps you to continuously monitor user profiles and take various actions when risky events are detected.

For more information, see Continuous risk assessment.

Continuous risk assessment

Policy configuration

Citrix Analytics helps you to manage policy configurations more efficiently. You can protect user accounts from malicious attacks with the help of the following capabilities:

  • Default policies: Citrix Analytics supports the following default policies:

    • Successful credential exploit
    • Potential data exfiltration
    • Unusual access from a suspicious IP
    • Unusual app access from an unusual location
    • Low risk user - first time access from new IP
    • First time access from device

    You can modify the default policies based on your requirements.

    Default policies

  • Multiple conditions: A policy can contain up to four conditions. The conditions can be set using risk scores, risk indicators, or a combination of both.

    Add and remove condition

  • Default and custom risk indicators: The conditions menu on the Create Policy page is now segregated based on default and custom risk indicators. When creating a policy, you can switch between the default and custom risk indicators tabs, and set the risk indicator conditions.

    Add and remove condition

  • Request user response: Citrix Analytics introduces the Request user response action. Using this action, you can send an email notification to the user regarding the risky activity detected. Once the user responds about the activity, you can determine the next course of action to be taken on their account. You can also set the user response time. If no response is received, Citrix Analytics considers No response as the status.

    Request user response

  • Apply disruptive actions: You can notify the users when a disruptive action, such as Log off user or Lock user, is applied. A notification is sent to the user with details of the activity and the action applied. This action temporarily disrupts services to the user’s account to prevent further misuse. To continue accessing the account, the user must contact the administrator for assistance.

    Apply disruptive action

  • Enforcement and monitor modes: You can set enforcement or monitor modes for your policies.

    Policy modes

For more information on policy enhancements, see Policies and actions.

Lock user and Unlock user actions

Citrix Analytics introduces the following Gateway actions:

  • Lock user
  • Unlock user

You can apply these actions either manually or when you configure policies.

For more information, see What are actions.

Access summary dashboard

Citrix Analytics introduces the Access Summary panel on the Users dashboard. It summarizes the total number of attempts that users have made to access the resources within an organization.

For more information, see Access summary.

Access summary dashboard

Policies and actions dashboard

Citrix Analytics introduces the Policies and Actions panel on the Users dashboard. It displays the top five policies and actions applied on user profiles. You can sort data based on the top policies and the top actions for a selected time period.

For more information, see Policies and actions.

Policies and actions dashboard

Self-service search for policies

Use the self-service search to view the user events that met your defined policies. You can also view the actions that Analytics has applied for these anomalous events. Use the facets and the search box to search for the required events.

To view the events, in the search box, select Policies from the list, select the time period, and then click Search.

For more information, see Self-service search for Policies.

Policies search page

Deprecated features

Risk score change policy-based condition removed

When you configure policies, you cannot use the Risk score change policy-based condition anymore. Citrix Analytics does not support this condition.

For more information, see Policies and actions.

Multiple policy-based actions removed

When you configure policies, you cannot apply multiple actions anymore. Citrix Analytics supports only one action for each policy.

For more information, see Policies and actions.

Fixed issues

  • Delegated read-only administrators encounter an error while accessing the User Access and App Access dashboards. [CAS-16297]

December 12, 2019

New features

Splunk version support

Citrix Analytics supports the following versions of Splunk:

  • Splunk 8.0 64-bit
  • Splunk 7.3 64-bit

To get the maximum security benefits of Splunk integration, upgrade to the latest version of the Splunk add-on app from the Download page.

For more information on supported Splunk versions, see Supported versions.

Citrix Analytics configuration

December 04, 2019

New features

Custom risk indicator for Citrix Gateway

Using custom risk indicators, you can now define the conditions and the frequency for triggering risk indicators for Citrix Gateway events. When a user event meets the conditions, Analytics triggers the risk indicators. For more information on how to create a custom risk indicator, see Custom risk indicators.

Gateway custom indicator

November 22, 2019

New features

First time access from new device – Citrix Virtual Apps and Desktops risk indicator

Citrix Analytics detects access threats based on access from a new device and triggers the corresponding risk indicator.

The First time access from new device risk indicator is triggered when a user signs in from a new or unfamiliar device, that is, a device from which Citrix Receiver has no sign-in records for the last 90 days. For more information, see Citrix Virtual Apps and Desktops risk indicators.

First time access from new device

First time access from new IP - Citrix Gateway risk indicator

Citrix Analytics detects access threats based on access from a new IP address and triggers the corresponding risk indicator.

The First time access from new IP risk indicator is triggered when a user signs in from a new or unfamiliar IP address, that is, an IP address from which Citrix Receiver has no sign-in records for the last 90 days.

For more information, see Citrix Gateway risk indicators.

First time access from new IP
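The 90-day rule described above for First time access from new device and First time access from new IP can be sketched as follows. This is an added example, not Citrix code or the product's actual algorithm; the field names, the constructed sample events, the `learn_until` baseline parameter, the case-insensitive user matching, and the strict "more than 90 days" boundary are all assumptions.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # the window stated in the release note

# Constructed sample sign-in records (hypothetical field names, documentation IPs).
SAMPLE_EVENTS = [
    {"time": "2019-08-01T09:00:00", "user": "jdoe", "device_id": "LAPTOP-A", "client_ip": "198.51.100.10"},
    {"time": "2019-08-15T09:05:00", "user": "jdoe", "device_id": "LAPTOP-A", "client_ip": "198.51.100.10"},
    {"time": "2019-09-02T22:40:00", "user": "JDoe", "device_id": "LAPTOP-A", "client_ip": "203.0.113.77"},
    {"time": "2019-09-03T08:55:00", "user": "asmith", "device_id": "TABLET-B", "client_ip": "198.51.100.10"},
    {"time": "2019-12-20T10:00:00", "user": "jdoe", "device_id": "LAPTOP-A", "client_ip": "198.51.100.10"},
    {"time": "2019-12-21T10:00:00", "user": "jdoe", "device_id": "PHONE-C", "client_ip": "198.51.100.10"},
]


def first_time_access(events, key, lookback=LOOKBACK, learn_until=None):
    """Return sign-ins whose (user, events[key]) pair has no record in the lookback window.

    key         -- attribute to track, e.g. "device_id" or "client_ip"
    learn_until -- optional datetime; earlier events only build history and are
                   never reported (assumed baseline period, avoids flagging
                   every user on day one)
    """
    # Parse timestamps first so ordering does not depend on string format.
    ordered = sorted(
        ((datetime.fromisoformat(e["time"]), e) for e in events),
        key=lambda pair: pair[0],
    )
    last_seen = {}  # (user, value) -> time of the most recent sign-in
    findings = []
    for when, ev in ordered:
        # Fold case so "JDoe" and "jdoe" share one history (assumption).
        user = ev["user"].strip().casefold()
        value = ev[key].strip()
        previous = last_seen.get((user, value))
        last_seen[(user, value)] = when  # every sign-in refreshes the record

        if learn_until is not None and when < learn_until:
            continue
        if previous is None:
            reason, gap_days = "never_seen", None
        elif when - previous > lookback:
            reason, gap_days = "not_seen_in_window", (when - previous).days
        else:
            continue  # familiar device or IP: seen within the window
        findings.append(
            {"time": when, "user": user, "value": value,
             "reason": reason, "gap_days": gap_days}
        )
    return findings


def summarize(findings):
    """Compact (user, value, reason, gap_days) tuples for display or testing."""
    return [(f["user"], f["value"], f["reason"], f["gap_days"]) for f in findings]


if __name__ == "__main__":
    baseline_end = datetime(2019, 9, 1)
    for attribute in ("device_id", "client_ip"):
        print(attribute)
        for row in summarize(first_time_access(SAMPLE_EVENTS, attribute,
                                               learn_until=baseline_end)):
            print("  ", row)
```

Because the history is kept per user, the same IP address can be familiar for one user and new for another, and a device that goes unused for more than 90 days is reported again on its next sign-in.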

Logon from suspicious IP - Citrix Gateway risk indicator

Citrix Analytics detects user access threats based on the suspicious IP sign-in activity and triggers the Logon from suspicious IP risk indicator.

This risk indicator is triggered when a user attempts to access the network from a suspicious IP address. Analytics considers an IP address as suspicious based on any of the following conditions:

  • Is listed on the external IP threat intelligence feed

  • Has multiple user sign-in records from an unusual location

  • Has excessive failed sign-in attempts that might indicate a brute-force attack

For more information, see Citrix Gateway risk indicators.

Logon from suspicious IP

Self-service search for Citrix Gateway events

Use the self-service search feature to get insight into user events received from the Citrix Gateway data source. Citrix Analytics receives events such as authentication stage, authorization type, VPN session code, VPN session state for Citrix Gateway users. Use the facets and the search box to search for the required events and explore the underlying data.

To view the events, in the search box, select Gateway from the list, select the time period, and then click Search.

For more information, see Self-service search for Gateway.

Gateway search page

Self-service search for Citrix Secure Browser events

Use the self-service search feature to get insight into the browsing events received from the Citrix Secure Browser Service. Citrix Analytics receives events such as session connect, session launch, published applications, deleted applications for each user connection. Use the search box to search for the required events and explore the underlying data.

To view the events, in the search box, select Secure Browser from the list, select the time period, and then click Search.

For more information, see Self-service search for Secure Browser.

Secure Browser search page

Remove from watch list action

You can remove a user from the watchlist either by applying the manual method or by applying a policy-based method. For more information, see Watchlist.

Improved onboarding messages when configuring a StoreFront deployment

Citrix Analytics now provides the following messages to help you configure your StoreFront deployments:

  • After downloading the configuration file, you can see a message indicating the date and time of the download and the user name. When you refresh this page, the Download file button changes to Download file again.

    StoreFront download file

  • If your StoreFront configuration is incomplete, you see a warning message instructing you to follow configuration steps and connect your StoreFront deployment with Analytics.

    StoreFront incomplete config warning

For more information on how to configure your StoreFront deployment, see Onboard your Virtual Apps and Desktops Sites using StoreFront.

Deprecated features

Risk indicator - Access from new device removed

Citrix Analytics no longer triggers the Access from new device risk indicator. However, on the user dashboard, user timeline, and the policy dashboard, you can view historic data related to this risk indicator.

For previously created policies based on Access from new device, you must either modify the policy or create a policy with the new risk indicator First time access from new device.

For more information, see First time access from new device risk indicator.

Fixed issues

  • The self-service search for authentication fails to display the events. [CAS-24959]

November 08, 2019

Fixed issues

  • For Citrix Content Collaboration risk indicators, users are unable to apply actions on the risk timeline. [CAS-24844]

  • Citrix Workspace app for Chrome prior to version 1911 fails to send event details to Citrix Analytics. [CAS-24938]

October 21, 2019

New features

Modified name for analytics agent

The agent name is now mentioned as Analytics policy agent on the user interfaces to indicate its role. When onboarding the on-premises Citrix Virtual Apps and Desktops data sources, Citrix Analytics clearly notifies that a policy agent is required only to configure policies and actions for your Site. This agent has no role in transmitting data from the data source. For more information, see Citrix Virtual Apps and Desktops data source.

Policy agent

Support for the time dimension for custom report

You can now group the events based on time by selecting the Time dimension for the x-axis. The report displays the total events received based on the time intervals for the selected period. For more information on how to create reports, see Custom reports.

Custom report time dimension

Audit logs enhancements

The user experience of the Audit Log page is enhanced.

  • You can view the date and time details when the Audit Log page was last updated and refresh the page to view the latest audit logs.

  • You can clear all the filters that were applied on the audit logs.

For more information on the audit data, see Audit logs.

Refresh audit logs

Fixed issues

  • Citrix Analytics is unable to generate the Anonymous IP address risk indicator even though Microsoft Graph Security is successfully onboarded. [CAS-21329]

  • Citrix Workspace app for HTML5 prior to version 1910 fails to send event details to Citrix Analytics. [CAS-24938]

September 23, 2019

Fixed issues

  • On the data sources site cards, the Latest event field displays incorrect date and time information. [CAS-24087]

August 30, 2019

New features

Change in default time period across dashboards

The default time period on the following dashboards is changed from Last 1 Hour to Last 1 Month:

  • Users

  • Risk Timeline

  • User Access

  • App Access

  • Share Links

  • Alerts History

Now the dashboards display the events for the last one month by default. You get a more engaging experience while using these dashboards. For example, when you open the App Access dashboard, the dashboard displays the app access events for the last one month by default.

Default time period selection

Fixed issues

  • For Content Collaboration risk indicators, the Disable user policy-based action cannot be applied successfully. [CAS-17304]

  • Citrix Analytics cannot process events from Citrix Gateway 13.0. This issue occurs because Citrix Gateway 13.0 fails to provide user names in the logon events sent to Citrix Analytics. [CAS-21339]

August 20, 2019

New features

Self-service search enhancements

  • The user experience of the self-service page is enhanced. You can now seamlessly switch back and forth between the user risk timeline and the self-service search page.

  • You can now sort your events by time. By default, the latest events appear first in the event table. Click the sort icon on the TIME column to sort the events based on either latest time or earliest time.

For more information on how to use self-service search, see Self-service search.

Custom report enhancements

  • New dimensions are added for the Access Control, Content Collaboration, and Virtual Apps and Desktops data sources. You can choose these dimensions to create reports. The following dimensions are added for the data sources:

    • Access Control: User Agent, User Name

    • Content Collaboration: User Email, User Name, Created by, Account Id, OAuth Client Id, Event Id, Folder Id, Folder Name, Resource Id, Form Id, Client IP

    • Virtual Apps and Desktops: User Name, IP Address, Device Id, Jail Broken, Session Launch Type, Session Server Name, Session User Name, Download File Name, Download File Path, Printing Printer Name, Printing Job Details File Name, SaaS App Launch URL, Clipboard Operation, Clipboard Details Result

  • The custom report user interface is enhanced with support for pagination and a Clear All option for the filters.

For more information on how to create a custom report using these dimensions, see Custom reports.

Risk Indicators dashboard

The Risk Indicators dashboard is introduced on the Users page. It summarizes the top five default and custom risk indicators for a user. A See More link redirects you to the Risk Indicator Overview page. This page provides detailed information about the risk indicators generated for a selected time period.

For more information, see Users dashboard.

Risk indicators dashboard

Risky Users dashboard enhancements

Citrix Analytics introduces the Risk Indicators and Risk Indicators Change tabs on the Risky Users dashboard. You can view the top five risky users based on these tabs. The dashboard also introduces the Risk Indicators column. It shows the number of risk indicators for a user.

The Risky Users page introduces the Occurrences and Occurrences Change columns. These columns summarize the total occurrences and the change in occurrences of the custom and the default risk indicators.

For more information, see Users dashboard.

Risky users

Citrix Analytics detects access threats based on excessive downloads on a share link and triggers the Excessive downloads risk indicator. By identifying share links with excessive downloads, based on previous behavior, you can monitor the share link for potential attacks. This risk indicator helps you identify excessive file download activity.

For more information, see Excessive downloads.

Self-service search for the Authentication data

Use self-service search to get insights into the authentication events. Citrix Analytics receives the authentication events such as user login, user logoff, and client update from the Identity and Access Management service of Citrix Cloud. The search provides a detailed report on the authentication events, helps you to identify any authentication issues, and troubleshoot them. You can also define a search query to retrieve events that match your defined criteria.

To view the events, select Authentication from the list, select the time period, and then click Search.

For more information, see Self-service search for Authentication.

Authentication page

July 11, 2019

New features

Custom risk indicators

The default risk indicators that Citrix Analytics generates are based on machine learning algorithms. Citrix Analytics now allows you to create custom risk indicators. Based on user events, you can define the conditions and create custom risk indicators.

When the defined conditions are met, Citrix Analytics generates the custom risk indicators similar to default risk indicators, and displays them on the user’s risk timeline. Custom risk indicators are denoted with a label on the user’s risk timeline.

For more information, see Custom risk indicators.

Privileged status on risk timeline

The user risk timeline displays the following events whenever there is a change in Admin or Executive privilege status of a user:

  • Added to Executive group

  • Removed from Executive group

  • Privilege elevated to Admin

  • Admin privilege removed

When a risk indicator is triggered for a user, you can correlate it with the specified privilege status change event. If necessary, you can apply appropriate actions on the user profile.

For more information, see User risk timeline.

Citrix Analytics enables you to apply actions on share link risk indicators. Currently, the supported action is Expire share link.

For more information, see Citrix share link risk indicators.

Self-service search enhancements

  • Support for the wildcard character * in search queries: Use the asterisk (*) character in your search query to match any character zero or more times. For example, the search query User-Name = “John*” displays events for all the user names that begin with John.

  • Added the Clear All option for facets: Click Clear All to remove all the selected facets at a time.

  • View hidden column data in the event list: After removing a column from the event table, you can view the corresponding data in the user event list. Expand the event row for a user and view the data.

For more information, see Self-service search.

Data error status on the site cards

The Site cards display the No data received label in red when Citrix Analytics does not receive events for the last one hour from the data source. It also displays the number of events received and is linked to the corresponding self-service search page. This feature helps you view the corresponding events on the self-service search page and check for any data transmission issues.

Note

Currently, self-service search is available only for the Access, Content Collaboration, and Virtual Apps and Desktops data sources.

For more information, see Enable Analytics on Citrix data sources.

Fixed issues

  • For the Access Control data source, the number of events on the site card does not match the self-service search results. [CAS-18286]

June 19, 2019

Fixed issues

  • The Audit Log page displays the data transmission on or off status every time the Active Directory data source is discovered. [CAS-17575]

  • The time period menu on the Users dashboard does not load accurately. It displays a timeout error message. [CAS-19467]

  • Users get an error message on Citrix Analytics while connecting to a tenant from Splunk. Occasionally, onboarding of new data sources fails. [CAS-19429]

June 17, 2019

New features

StoreFront configuration

If your organization uses on-premises StoreFront, you can now configure StoreFront to connect to Citrix Analytics. Configuration is performed using a configuration file imported from Citrix Analytics. After the configuration is successful, Citrix Workspace app sends user events to Citrix Analytics for generating actionable insights into user behaviors. The insights help you to detect any anomalous user behaviors and proactively handle security threats in your organization. For more information, see Onboard Virtual Apps and Desktops Sites using StoreFront.

May 30, 2019

New features

Excessive logon failures

Citrix Analytics detects access threats based on excessive logon activity and triggers the Excessive logon failures risk indicator. This risk indicator is triggered when a user experiences multiple failed logon attempts to access Content Collaboration. By identifying users with excessive logon failures, based on previous behavior, administrators can monitor the user’s account for brute force attacks.

For more information, see Excessive authentication failures.

Note

Excessive logon failures is now renamed as Excessive authentication failures.

Fixed issues

  • For some user events transmitted by Citrix Workspace apps, the data source is incorrectly identified as Endpoint Management instead of Citrix Virtual Apps and Desktops.

    [CAS-17323]

  • The Users dashboard takes a long time to load for the Last 1 Month time period. This issue occurs when the number of users is high. In some instances, you might even encounter 601 errors.

    [CAS-16300]

  • Citrix Content Collaboration is not discovered as a data source although some users subscribe to the service on Citrix Cloud.

    [CAS-16299]

May 09, 2019

New features

Creating custom reports

You can now create custom reports based on your operational requirements. Citrix Analytics provides a list of dimensions and metrics according to the selected data source. Choose the required parameters and a visualization type, such as bar chart, event chart, line chart, or table, to create your reports. Creating reports helps you to organize and analyze your data graphically.

To create a custom report, from the Security tab, click Reports > Create Report. To view your previously created reports, from the Security tab, click Reports. For more information, see Custom reports.

Privileged user monitoring

Citrix Analytics enables you to closely monitor the behavior anomalies of privileged users in an organization. Privileged users are highly vulnerable to security threats, and it is challenging to distinguish their daily activities from malicious ones. As a result, malicious activities of privileged users can remain undetected for a long time. This feature enables you to proactively monitor such activities and take appropriate actions on the affected user accounts. Privileged users are represented with an icon on the Users dashboard.

Citrix Analytics supports monitoring for the following types of privileged users:

  • Admins - Users who are assigned Admin privileges by the respective Citrix service. Currently, Citrix Analytics supports privileged user monitoring for users with Admin privileges in the Content Collaboration service.

  • Executives - On Citrix Analytics, you can mark an AD group as an Executive group. Marking an AD group as an Executive group makes all the users in the group privileged users. If you no longer need to monitor the behavior anomalies of users in an AD group, you can remove the group as an Executive group.

For more information, see Privileged users.

Weekly email summary

Citrix Analytics sends a weekly email to the administrators summarizing the security risk exposures in their organization’s IT environment. The email notification is sent every Tuesday and highlights the security events that occurred in the previous week. This email ensures that the administrators are informed about the security risk exposures without signing in to Citrix Analytics. For more information, see Weekly email summary.

April 26, 2019

New features

Delegated administrators

Citrix Analytics now supports delegated administrator roles. This functionality enables you to invite other administrators to your Citrix Cloud account to manage Citrix Analytics for your organization. If you are a Citrix Analytics administrator with full access permission, you can add other administrators to your Citrix Cloud account. These additional administrators are called delegated administrators. You can currently assign read-only access to the delegated administrators. For more information, see Delegated administrators.

Fixed issues

A few risk indicators for the data sources that use data streaming do not generate alerts. You do not get any alert notifications, and policy-based actions are not applied automatically, if any one of the following risk indicators is triggered:

  • Citrix Endpoint Management risk indicators - Unmanaged device, Jailbroken or rooted device, and Device with blacklisted apps.

  • Citrix Virtual Apps and Desktops risk indicator - Access from device with unsupported operating system (OS).

  • Citrix Content Collaboration risk indicator - Excessive access to sensitive files.

[CAS-14590]

February 19, 2019

New features

Splunk integration

Citrix Analytics integrates with Splunk to enhance your security incident monitoring and troubleshooting experiences. This integration augments your existing data sources with the intelligence of Citrix Analytics’ risk analysis capabilities such as risk indicators, risk scores, and user profiles. Citrix Analytics exports risk analysis information to a channel, and Splunk pulls this information from the channel.

Splunk integration involves configuration on Citrix Analytics, installation of the Citrix Analytics Add-on for Splunk app, and configuration of the app. Ensure that data processing is turned on for at least one data source so that Citrix Analytics can begin the Splunk integration process.

For more information, see Splunk integration.

Dynamic session recording

Citrix Analytics introduces the ability to trigger session recording dynamically on the users’ current Virtual Apps and Desktops sessions. It helps you capture the evidence required for risk analysis and take appropriate incident response actions, such as disconnecting sessions and blocking the user.

For more information, see Policies and actions.

Citrix Analytics introduces risk visibility for share links based on data collected from Citrix Content Collaboration. It helps you to understand the risk exposure of share links through the risk indicators that the share links trigger.

For more information, see Share Links dashboard.

Currently, the Anonymous sensitive share download risk indicator is triggered for a share link. When Content Collaboration detects this risky behavior, Citrix Analytics receives the events. You are notified in the Alerts panel and the Anonymous Sensitive Download risk indicator is added to the share link’s risk timeline.

For more information, see Share Link risk timeline and Citrix Share Link risk indicators.

Microsoft Active Directory integration

You can now integrate Microsoft Active Directory with Citrix Analytics. This integration enhances the context of risky users with additional information such as job title, organization, office location, email, and contact details. You get better visibility into a user on the user profile page in Citrix Analytics.

For more information, see Integrate Analytics with Microsoft Active Directory.

January 04, 2019

New features

Addition of SOURCE column for existing risk indicators

The SOURCE column has been introduced in the EVENT DETAILS section for the following risk indicators:

  • Excessive file uploads

  • Excessive file downloads

  • Excessive file sharing

  • Excessive file or folder deletion

For more information, see Citrix Content Collaboration risk indicators.

Advanced user profile

The User Info view on the user profile has been enhanced. The Trend View link has been introduced at the top right corner of the Application, Devices, and Data Usage sections. The Map View link has been introduced at the top right corner of the Locations section. These links provide a graphical representation of the user’s historical behavior during a specific time period. You can navigate to User Info from the user’s risk timeline or from the Data Sources page.

Note

The Authentication and Domains data are currently not available on the User Info profile.

For more information, see User risk timeline and profile.

Microsoft Graph Security risk indicators

After it is onboarded, Microsoft Graph Security can receive risk indicator details from one of the following security providers and forward them to Citrix Analytics:

  • Azure AD Identity Protection

  • Windows Defender Advanced Threat Protection

For more information, see Microsoft Graph Security risk indicators.

Ways to enter the self-service search page

You can now access the self-service search page using the following options:

  • Top bar: Click Search on the top bar to directly access the search page.

  • Risk timeline on user profile page: Click Event Search to access the search page and view the events corresponding to a specific user’s risk indicator and the data source. For more information, see Self-service search.

Self-service search for Content Collaboration

Use self-service search to get insight into the events associated with the Content Collaboration data source. To view the events, select Content Collaboration from the list, select the time period, and then click Search. For more information, see Self-service search for Content Collaboration.

Self-service search for Virtual Apps and Desktops

Use self-service search to get insight into the events associated with the Virtual Apps and Desktops data source. To view the events, select Apps and Desktops from the list, select the time period, and then click Search. For more information, see Self-service search for Virtual Apps and Desktops.

Export self-service search events to CSV file

You can now export the self-service search events to a CSV file and download the file for future use. For more information, see Self-service search.

Improved onboarding for Virtual Apps and Desktops

The onboarding process for the Virtual Apps and Desktops data source is now improved to provide a better user experience. The site cards and the onboarding steps have been modified. For more information, see Citrix Virtual Apps and Desktops data source.

November 29, 2018

New features

Microsoft Security Graph data source

Microsoft Graph Security is an external data source that aggregates data from multiple security providers. It also provides access to the user inventory data.

Citrix Analytics currently supports the Azure AD Identity Protection and Windows Defender ATP security providers associated with this data source.

To onboard this data source, you must obtain permissions from the Microsoft identity platform. For more information, see Microsoft Graph Security.

View event details and discovered users on the site cards for data sources

The site cards for the data sources now display event details and the number of users. For example, you can view the event details and the users for Access Control on the site card. For more information, see Enable Analytics on data sources.

November 16, 2018

New features

Self-service search for access data

You can use self-service search to get insight into the access details for the users in your enterprise. Citrix Analytics collects the users’ access details from the Citrix Access Control service. Use the facets and the search query to narrow down your search results.

To use the self-service search page, from the Security tab, click Event Search.

For more information, see Self-service search for Access.

Risk indicator feedback

Using the risk indicator feedback feature on Citrix Analytics, you can provide feedback regarding a risk indicator. Your feedback helps to confirm whether the reported security incident is accurate.

Currently, this feature is supported on the Unusual logon access risk indicator triggered by the Content Collaboration data source. If this risk indicator is triggered incorrectly, you can report it as a false positive and provide feedback. You can also edit feedback that you have previously submitted. Citrix Analytics captures your feedback and validates the predicted information to optimize the anomalous behavior detection.

For more information, see Risk indicator feedback.

Fixed issues

  • You cannot edit and save a policy if you are accessing Citrix Analytics using Internet Explorer 11.0.