Citrix Analytics for Security

Citrix Analytics data format for SIEM

Citrix Analytics for Security lets you integrate with Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics to send processed data to your SIEM service and helps you gain insight into your organization's security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

Processed SIEM data

The processed data that Citrix Analytics for Security sends to the SIEM service includes:

  • Risk score change - The difference between the user's current risk score and their previous risk score. The data is sent to the SIEM service if the user's risk score change is equal to or greater than 3 and the change is either an increase of any amount or a drop of more than 10%.

  • Risk indicator summary - Details of the risk indicators associated with the user.

  • Risk indicator event details - Details of the user events associated with a risk indicator. Citrix Analytics sends at most 1000 event details per occurrence of a risk indicator to the SIEM service. The events are sent in the order in which they occurred, so the first 1000 risk indicator event details are the ones sent.

  • User risk score - The user's current risk score. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.

  • User profile - User profile data is divided into:

    • User applications - The applications launched and used by the user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to the SIEM service every 12 hours.

    • User data usage - The data uploaded and downloaded by the user through Citrix Content Collaboration. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.

    • User devices - The devices associated with the user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to the SIEM service every 12 hours.

    • User location - The city where the user was last detected. Citrix Analytics for Security retrieves this data from Citrix Content Collaboration and Citrix Virtual Apps and Desktops, and sends it to your SIEM service every 12 hours.

Schema details of the processed data

The following sections describe the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema examples are for illustration only. Actual field values vary by user profile, user event, and risk indicator.

The following table describes the field names that are common to the schemas of all user profile data, the user risk score, and the risk score change.

Field name    Description
entity_id    The identity associated with the entity. In this case, the entity is a user.
entity_type    The entity at risk. In this case, the entity is a user.
event_type    The type of data sent to the SIEM service. For example: the user's location, the user's data usage, or the user's device access information.
tenant_id    The unique identity of the customer.
timestamp    The date and time of the most recent user activity.
version    The schema version of the processed data. The current schema version is 2.

User profile data schema

User location schema


{"tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2}

Field descriptions for user location

Field name    Description
event_type    The type of data sent to the SIEM service. In this case, the event type is the user's location.
country    The country from which the user logged on.
city    The city from which the user logged on.
cnt    The number of times the location was accessed in the last 12 hours.

User data usage schema


{"data_usage_bytes": 87555255, "deleted_file_cnt": 0, "downloaded_bytes": 87555255, "downloaded_file_cnt": 5, "entity_id": "demo@demo.com", "entity_type": "user", "event_type": "userProfileUsage", "shared_file_cnt": 0, "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "uploaded_bytes": 0, "uploaded_file_cnt": 0, "version": 2}

Field descriptions for user data usage

Field name    Description
data_usage_bytes    The amount of data used by the user, in bytes. It is the sum of the user's download and upload volumes.
deleted_file_cnt    The number of files deleted by the user.
downloaded_bytes    The amount of data downloaded by the user.
downloaded_file_cnt    The number of files downloaded by the user.
event_type    The type of data sent to the SIEM service. In this case, the event type is the user's usage profile.
shared_file_cnt    The number of files shared by the user.
uploaded_bytes    The amount of data uploaded by the user.
uploaded_file_cnt    The number of files uploaded by the user.

User device schema


{"cnt": 2, "device": "user1612978536 (Windows)", "entity_id": "demo", "entity_type": "user", "event_type": "userProfileDevice", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "version": 2}

Field descriptions for user device

Field name    Description
cnt    The number of times the device was accessed in the last 12 hours.
device    The name of the device.
event_type    The type of data sent to the SIEM service. In this case, the event type is the user's device access information.

User application schema


{"tenant_id": "demo_tenant", "entity_id": "demo", "entity_type": "user", "timestamp": "2021-02-10T21:00:00Z", "event_type": "userProfileApp", "version": 2, "session_domain": "99e38d488136f62f828d4823edd120b4f32d724396a7410e6dd1b0", "user_samaccountname": "testnameeikragz779", "app": "Chromeeikragz779", "cnt": 189}

Field descriptions for user application

Field name    Description
event_type    The type of data sent to the SIEM service. In this case, the event type is the user's application access information.
session_domain    The ID of the session the user is logged on to.
user_samaccountname    The logon name used by clients and servers running earlier versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This name is used to log on to Citrix StoreFront and to remote Windows computers.
app    The name of the application accessed by the user.
cnt    The number of times the application was accessed in the last 12 hours.

User risk score schema


{"cur_riskscore": 7, "entity_id": "demo", "entity_type": "user", "event_type": "userProfileRiskscore", "last_update_timestamp": "2021-01-21T16:14:29Z", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T20:45:00Z", "version": 2}

Field descriptions for user risk score

Field name    Description
cur_riskscore    The current risk score assigned to the user. The risk score ranges from 0 to 100, depending on the severity of the threats associated with the user's activity.
event_type    The type of data sent to the SIEM service. In this case, the event type is the user's risk score.
last_update_timestamp    The time the risk score was last updated for the user.
timestamp    The time the user risk score event was collected and sent to the SIEM service. This event is sent to your SIEM service every 12 hours.

Risk score change schema

Example 1


{"alert_message": "Large risk score drop percent since last check", "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T05:45:00Z", "version": 2}

Example 2


{"alert_message": "Risk score increase since last check", "alert_type": "riskscore_increase", "alert_value": 39.0, "cur_riskscore": 76, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T03:45:00Z", "version": 2}

Field descriptions for risk score change

Field name    Description
alert_message    The message displayed for the risk score change.
alert_type    Indicates whether the alert is for an increase in the risk score or for a significant percentage drop in the risk score. The data is sent to the SIEM service if the user's risk score change is equal to or greater than 3 and the change is either an increase of any amount or a drop of more than 10%.
alert_value    The numeric value assigned to the risk score change. The risk score change is the difference between the user's current risk score and the previous risk score. The alert value ranges from -100 to 100.
cur_riskscore    The current risk score assigned to the user. The risk score ranges from 0 to 100, depending on the severity of the threats associated with the user's activity.
event_type    The type of data sent to the SIEM service. In this case, the event type is a change in the user's risk score.
timestamp    The date and time the latest change in the risk score was detected for the user.
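The emission rule stated in the alert_type row above (and in the "Risk score change" bullet earlier on this page), worked through as an added Python example that is not Citrix code: it assumes alert_value is the point delta for increases and the percentage drop for decreases, which is what the two sample records show, and it takes the previous score from the caller because the emitted record does not carry it.

```python
"""Added example (not Citrix code): reproduce the riskScoreChange emission rule
described on this page.  A record is sent only when the score moved by at least 3
since the last check and the move is an increase (of any size) or a drop of more
than 10 % of the previous score.  alert_value is the point delta for increases and
the percentage for drops; that convention is inferred from the page's two samples
(39.0 with cur_riskscore 76, -21.73913 with cur_riskscore 18).  The previous score
is not part of the emitted record, so the caller supplies it here (assumption)."""
from typing import Dict, List, Optional, Tuple

MIN_ABS_CHANGE = 3          # page: change equal to or greater than 3
DROP_PCT_THRESHOLD = 10.0   # page: drop of more than 10 %


def risk_score_change_event(tenant_id: str, entity_id: str, prev: int, cur: int,
                            timestamp: str) -> Optional[Dict]:
    """Return the riskScoreChange record to send, or None when the rule is not met."""
    for score in (prev, cur):
        if not 0 <= score <= 100:
            raise ValueError(f"risk score outside 0..100: {score}")
    delta = cur - prev
    if abs(delta) < MIN_ABS_CHANGE:
        return None
    record = {
        "cur_riskscore": cur, "entity_id": entity_id, "entity_type": "user",
        "event_type": "riskScoreChange", "tenant_id": tenant_id,
        "timestamp": timestamp, "version": 2,
    }
    if delta > 0:
        record.update(alert_type="riskscore_increase",
                      alert_message="Risk score increase since last check",
                      alert_value=float(delta))
        return record
    # A drop is reported as a percentage of the previous score.  prev > 0 here,
    # because delta <= -3 implies prev >= 3, so the division is safe.
    drop_pct = delta * 100.0 / prev
    if -drop_pct <= DROP_PCT_THRESHOLD:
        return None  # a drop of exactly 10 % or less is not reported
    record.update(alert_type="riskscore_large_drop_pct",
                  alert_message="Large risk score drop percent since last check",
                  alert_value=round(drop_pct, 5))
    return record


def events_for_checks(tenant_id: str, entity_id: str,
                      checks: List[Tuple[str, int]]) -> List[Dict]:
    """Walk successive (timestamp, score) checks and collect the records that would be sent."""
    out: List[Dict] = []
    for (_, prev), (ts, cur) in zip(checks, checks[1:]):
        rec = risk_score_change_event(tenant_id, entity_id, prev, cur, ts)
        if rec is not None:
            out.append(rec)
    return out


# Constructed check history: +39 (sent), -2 (below the 3-point floor, not sent),
# 74 -> 23 (large drop, sent), 23 -> 18 (the page's -21.73913 % sample, sent).
SAMPLE_CHECKS = [("2021-02-10T21:45:00Z", 37), ("2021-02-11T03:45:00Z", 76),
                 ("2021-02-11T04:45:00Z", 74), ("2021-02-11T05:15:00Z", 23),
                 ("2021-02-11T05:45:00Z", 18)]

if __name__ == "__main__":
    for rec in events_for_checks("demo_tenant", "demo_user", SAMPLE_CHECKS):
        print(rec["timestamp"], rec["alert_type"], rec["alert_value"])
```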

Risk indicator schema

The risk indicator schema consists of two parts: the indicator summary schema and the indicator event details schema. The fields in the schema and their values vary according to the risk indicator.

The following table describes the field names that are common to all indicator summary schemas.

Field name    Description
data_source    The product that sends data to Citrix Analytics for Security. For example: Citrix Access Control, Citrix Gateway, and Citrix Virtual Apps and Desktops.
data_source_id    The ID associated with the data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Virtual Apps and Desktops, ID 4 = Citrix Access Control
entity_type    The entity at risk. It can be a user or a share link.
entity_id    The ID associated with the entity at risk.
event_type    The type of data sent to the SIEM service. In this case, the event type is the summary of a risk indicator.
indicator_category    Indicates the category of the risk indicator. A risk indicator falls into one of the risk categories: compromised endpoints, compromised users, data exfiltration, or insider threats.
indicator_id    The unique ID associated with the risk indicator.
indicator_category_id    The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
indicator_name    The name of the risk indicator. For custom risk indicators, this name is defined when the indicator is created.
indicator_type    Indicates whether the risk indicator is a default (built-in) indicator or a custom indicator.
indicator_uuid    The unique ID associated with the risk indicator instance.
indicator_vector_name    Indicates the risk vector associated with the risk indicator. The risk vectors are device-based, location-based, logon-failure-based, IP-based, data-based, file-based, and other risk indicators.
indicator_vector_id    The ID associated with the risk vector. ID 1 = Device-based risk indicators, ID 2 = Location-based risk indicators, ID 3 = Logon-failure-based risk indicators, ID 4 = IP-based risk indicators, ID 5 = Data-based risk indicators, ID 6 = File-based risk indicators, ID 7 = Other risk indicators, ID 999 = Not available
occurrence_details    Details about the conditions that triggered the risk indicator.
risk_probability    Indicates the probability of the risk associated with the user events. The value ranges from 0 to 1.0. For custom risk indicators, risk_probability is always 1.0 because they are policy-based indicators.
severity    Indicates the severity of the risk. It can be low, medium, or high.
tenant_id    The unique identity of the customer.
timestamp    The date and time the risk indicator was triggered.
ui_link    A link to the user's timeline view in the Citrix Analytics user interface.
observation_start_time    The time from which Citrix Analytics monitors the user's activity, up to the timestamp. If any anomalous behavior is detected in this period, the risk indicator is triggered.

The following table describes the field names that are common to all indicator event details schemas.

Field name    Description
data_source_id    The ID associated with the data source. ID 0 = Citrix Content Collaboration, ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Virtual Apps and Desktops, ID 4 = Citrix Access Control
indicator_category_id    The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
entity_id    The ID associated with the entity at risk.
entity_type    The entity at risk. It can be a user or a share link.
event_type    The type of data sent to the SIEM service. In this case, the event type is the details of a risk indicator event.
indicator_id    The unique ID associated with the risk indicator.
indicator_uuid    The unique ID associated with the risk indicator instance.
indicator_vector_name    Indicates the risk vector associated with the risk indicator. The risk vectors are device-based, location-based, logon-failure-based, IP-based, data-based, file-based, and other risk indicators.
indicator_vector_id    The ID associated with the risk vector. ID 1 = Device-based risk indicators, ID 2 = Location-based risk indicators, ID 3 = Logon-failure-based risk indicators, ID 4 = IP-based risk indicators, ID 5 = Data-based risk indicators, ID 6 = File-based risk indicators, ID 7 = Other risk indicators, ID 999 = Not available
tenant_id    The unique identity of the customer.
timestamp    The date and time the risk indicator was triggered.
version    The schema version of the processed data. The current schema version is 2.
client_ip    The IP address of the user's device.

Note

  • If an integer field value is not available, the assigned value is -999. For example, "latitude": -999, "longitude": -999

  • If a string field value is not available, the assigned value is NA. For example, "city": "NA", "region": "NA"
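An added example, not part of this page or of Citrix's own tooling, of an ingest step that applies the common-field tables, the ID mappings, and the -999/NA sentinel rules above before indicator records are indexed in a SIEM; the sample records and the function names are constructed for this example.

```python
"""Added example (not Citrix code): normalize Citrix Analytics indicator records
before indexing them in a SIEM, using the common-field and ID tables on this page.
-999 and "NA" sentinels become None, numeric IDs are resolved to names so that
event-detail records (which carry only IDs) share columns with summary records,
and the '|'-delimited and JSON-in-a-string values seen in the samples are expanded.
The sample records at the bottom are constructed, modelled on the page's examples."""
import json
from typing import Any, Dict, List

SCHEMA_VERSION = 2
REQUIRED = ("tenant_id", "entity_id", "entity_type", "event_type", "timestamp", "version")
EVENT_TYPES = ("indicatorSummary", "indicatorEventDetails")
INT_MISSING, STR_MISSING, VECTOR_MISSING = -999, "NA", 999
# ID-to-name tables as given on the page.
DATA_SOURCES = {0: "Citrix Content Collaboration", 1: "Citrix Gateway",
                2: "Citrix Endpoint Management", 3: "Citrix Virtual Apps and Desktops",
                4: "Citrix Access Control"}
INDICATOR_CATEGORIES = {1: "Data exfiltration", 2: "Insider threats",
                        3: "Compromised users", 4: "Compromised endpoints"}
PIPE_LISTS = ("suspicion_reasons", "webroot_threat_categories")


def _strip_sentinels(obj: Any) -> Any:
    """Recursively replace the page's 'not available' values (-999, "NA") with None."""
    if isinstance(obj, dict):
        return {k: _strip_sentinels(v) for k, v in obj.items()}
    return None if obj in (INT_MISSING, STR_MISSING) else obj


def normalize(line: str) -> Dict[str, Any]:
    """Parse one JSON record and return a flat dict with names resolved and sentinels removed."""
    ev = _strip_sentinels(json.loads(line))
    if not isinstance(ev, dict):
        raise ValueError("record is not a JSON object")
    missing = [k for k in REQUIRED if ev.get(k) is None]
    if missing:
        raise ValueError(f"missing common fields: {missing}")
    if ev["version"] != SCHEMA_VERSION:
        raise ValueError(f"unsupported schema version {ev['version']}")
    if ev["event_type"] not in EVENT_TYPES:
        raise ValueError(f"not an indicator record: {ev['event_type']}")
    # Summary records already carry the names; detail records carry only the IDs.
    ev.setdefault("data_source", DATA_SOURCES.get(ev.get("data_source_id")))
    ev.setdefault("indicator_category", INDICATOR_CATEGORIES.get(ev.get("indicator_category_id")))
    vector = ev.pop("indicator_vector", None) or {}
    vec_id = vector.get("id")
    ev["indicator_vector_id"] = None if vec_id == VECTOR_MISSING else vec_id
    ev["indicator_vector_name"] = vector.get("name") if ev["indicator_vector_id"] is not None else None
    # Hoist occurrence_details so summary and detail records share column names.
    for key, value in (ev.pop("occurrence_details", None) or {}).items():
        ev.setdefault(key, value)
    for key in PIPE_LISTS:  # "brute_force|external_threat" -> list
        if isinstance(ev.get(key), str):
            ev[key] = ev[key].split("|")
    if isinstance(ev.get("historical_logon_locations"), str):  # JSON carried inside a string
        ev["historical_logon_locations"] = json.loads(ev["historical_logon_locations"])
    if isinstance(ev.get("is_risky"), str):  # the page's sample shows "false" as a string
        ev["is_risky"] = ev["is_risky"].lower() == "true"
    return ev


def normalize_all(lines: List[str]) -> List[Dict[str, Any]]:
    """Normalize a batch of newline-delimited JSON records, skipping blank lines."""
    return [normalize(line) for line in lines if line.strip()]


# Constructed sample records: field names from the page, values made up.
SAMPLE_LINES = [
    json.dumps({"tenant_id": "demo_tenant", "indicator_id": 102,
                "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
                "indicator_category_id": 3,
                "indicator_vector": {"name": "IP-Based Risk Indicators", "id": 4},
                "data_source_id": 1, "timestamp": "2019-10-10T10:11:00Z",
                "event_type": "indicatorEventDetails", "entity_type": "user",
                "entity_id": "demo_user", "version": 2,
                "suspicion_reasons": "brute_force|external_threat",
                "client_ip": "192.0.2.10", "city": "Stockholm",
                "webroot_threat_categories": "Windows Exploits|Botnets|Proxy"}),
    json.dumps({"tenant_id": "demo_tenant", "indicator_id": 104,
                "indicator_uuid": "56e0bdd8-e7c3-5c96-9950-c9f544520174",
                "indicator_category_id": 3,
                "indicator_vector": {"name": "NA", "id": 999},
                "data_source_id": 1, "timestamp": "2018-01-25T12:14:59Z",
                "event_type": "indicatorSummary", "entity_type": "user",
                "entity_id": "demo_user", "version": 2, "risk_probability": 1,
                "indicator_category": "Compromised users", "data_source": "Citrix Gateway",
                "occurrence_details": {
                    "country": "India", "city": "NA", "region": "NA", "latitude": -999,
                    "historical_observation_period_in_days": 30,
                    "historical_logon_locations": json.dumps(
                        [{"country": "United States", "latitude": 40.7, "count": 7}])}}),
]

if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(json.dumps(rec, indent=2))
```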

Citrix Gateway risk indicator schemas

EPA scan failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "EPA scan failure",
  "severity": "low",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "event_description": "Post auth failed, no quarantine",
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "EPA Scan Failure at Logon"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:12:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Post auth failed, no quarantine",
  "gateway_domain_name": "10.102.xx.xx",
  "gateway_ip": "56.xx.xxx.xx",
  "policy_name": "postauth_act_1",
  "client_ip": "210.91.xx.xxx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "cs_vserver_name": "demo_vserver",
  "device_os": "Windows OS",
  "security_expression": "CLIENT.OS(Win12) EXISTS",
  "vpn_vserver_name": "demo_vpn_vserver",
  "vserver_fqdn": "10.xxx.xx.xx"
}

The following table describes the field names specific to the summary schema and the event details schema of the EPA scan failure risk indicator.

Field name    Description
event_description    Describes the reason for the EPA scan failure, such as post-authentication failure and no quarantine group.
relevant_event_type    Indicates the type of the EPA scan failure event.
gateway_domain_name    The domain name of the Citrix Gateway.
gateway_ip    The IP address of the Citrix Gateway.
policy_name    The name of the EPA scan policy configured on Citrix Gateway.
country    The country where the user activity was detected.
city    The city where the user activity was detected.
region    The region where the user activity was detected.
cs_vserver_name    The name of the content switching virtual server.
device_os    The operating system of the user's device.
security_expression    The security expression configured on Citrix Gateway.
vpn_vserver_name    The name of the Citrix Gateway virtual server.
vserver_fqdn    The FQDN of the Citrix Gateway virtual server.

Excessive authentication failures risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "4bc0f759-93e0-5eea-9967-ed69de9dd09a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Excessive authentication failures",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "Logon Failure"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "a391cd1a-d298-57c3-a17b-01f159b26b99",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:10:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo-user",
  "version": 2,
  "event_description": "Bad (format) password passed to nsaaad",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "auth_server_ip": "10.xxx.x.xx",
  "client_ip": "24.xxx.xxx.xx",
  "gateway_ip": "24.xxx.xxx.xx",
  "vserver_fqdn": "demo-fqdn.citrix.com",
  "vpn_vserver_name": "demo_vpn_vserver",
  "cs_vserver_name": "demo_cs_vserver",
  "gateway_domain_name": "xyz",
  "country": "United States",
  "region": "California",
  "city": "San Jose",
  "nth_failure": 5
}

The following table describes the field names specific to the summary schema and the event details schema of the excessive authentication failures risk indicator.

Field name    Description
relevant_event_type    Indicates the type of event, such as logon failure.
event_description    Describes the reason for the excessive authentication failure events, such as an incorrect password.
authentication_stage    Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type    Indicates the type of authentication, such as LDAP, local, or OAuth.
auth_server_ip    The IP address of the authentication server.
gateway_domain_name    The domain name of the Citrix Gateway.
gateway_ip    The IP address of the Citrix Gateway.
cs_vserver_name    The name of the content switching virtual server.
vpn_vserver_name    The name of the Citrix Gateway virtual server.
vserver_fqdn    The FQDN of the Citrix Gateway virtual server.
nth_failure    The number of times the user's authentication failed.
country    The country where the user activity was detected.
city    The city where the user activity was detected.
region    The region where the user activity was detected.

Logon from suspicious IP risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "0100e910-561a-5ff3-b2a8-fc556d199ba5",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.91,
  "indicator_category": "Compromised users",
  "indicator_name": "Logon from suspicious IP",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon",
    "client_ip": "1.0.xxx.xx",
    "observation_start_time": "2019-10-10T10:00:00Z",
    "suspicion_reasons": "brute_force|external_threat"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:11:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "suspicion_reasons": "external_threat",
  "gateway_ip": "gIP1",
  "client_ip": "128.0.xxx.xxx",
  "country": "Sweden",
  "city": "Stockholm",
  "region": "Stockholm",
  "webroot_reputation": 14,
  "webroot_threat_categories": "Windows Exploits|Botnets|Proxy",
  "device_os": "Windows OS",
  "device_browser": "Chrome"
}

The following table describes the field names specific to the summary schema and the event details schema of the logon from suspicious IP risk indicator.

Field name    Description
suspicion_reasons    The reasons the IP address was identified as suspicious.
webroot_reputation    The IP reputation index provided by the threat intelligence provider Webroot.
webroot_threat_categories    The threat categories determined by the threat intelligence provider Webroot for the suspicious IP.
device_os    The operating system of the user's device.
device_browser    The web browser used.
country    The country where the user activity was detected.
city    The city where the user activity was detected.
region    The region where the user activity was detected.

Access from an unusual location risk indicator schema

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 104,
  "indicator_uuid": "56e0bdd8-e7c3-5c96-9950-c9f544520174",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 1,
  "timestamp": "2018-01-25T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Access from an unusual location",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "country": "India",
    "observation_start_time": "2018-01-25T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"\",\"city\":\"\",\"latitude\":40.7,\"longitude\":-74.0,\"count\":7}]",
    "historical_observation_period_in_days": 30,
    "city": "NA",
    "region": "NA",
    "relevant_event_type": "Logon"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 104,
  "indicator_uuid": "56e0bdd8-e7c3-5c96-9950-c9f544520174",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 1,
  "timestamp": "2018-01-25T12:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "NA",
  "city": "NA",
  "region": "NA",
  "latitude": -999,
  "longitude": -999,
  "device_os": "Windows OS ",
  "device_browser": "Chrome",
  "client_ip": "157.45.xxx.xxx"
}

The following table describes the field names specific to the summary schema and the event details schema of the access from an unusual location risk indicator.

Field name    Description
historical_logon_locations    The locations the user accessed during the observation period and the number of accesses from each location.
historical_observation_period_in_days    Each location is monitored for 30 days.
relevant_event_type    Indicates the type of event, such as logon.
country    Indicates the country from which the user logged on.
city    Indicates the city from which the user logged on.
region    Indicates the region from which the user logged on.
latitude    Indicates the latitude of the location from which the user logged on.
longitude    Indicates the longitude of the location from which the user logged on.
device_os    The operating system of the user's device.
device_browser    The web browser used by the user.

Note

  • If an integer field value is not available, the assigned value is -999. For example, "latitude": -999, "longitude": -999

  • If a string field value is not available, the assigned value is NA. For example, "city": "NA", "region": "NA"

Unusual authentication failure risk indicator

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "dc0174c9-247a-5e48-a2ab-d5f92cd83d0f",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:44:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2020-04-01T05:45:00Z"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "ef4b9830-39d6-5b41-bdf3-84873a77ea9a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:42:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Success",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "client_ip": "99.xxx.xx.xx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "device_os": "Windows OS ",
  "device_browser": "Chrome",
  "is_risky": "false"
}

The following table describes the field names specific to the summary schema and the event details schema of the unusual authentication failure risk indicator.

Field name    Description
relevant_event_type    Indicates the type of event, such as logon failure.
event_description    Indicates whether the logon succeeded or failed.
authentication_stage    Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type    Indicates the type of authentication, such as LDAP, local, or OAuth.
is_risky    For a successful logon, the is_risky value is false. For a logon failure, the is_risky value is true.
device_os    The operating system of the user's device.
device_browser    The web browser used by the user.
country    The country where the user activity was detected.
city    The city where the user activity was detected.
region    The region where the user activity was detected.

Citrix Content Collaboration risk indicator schemas

Excessive access to sensitive files (DLP alert)

Indicator summary schema

{
  
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_category_id": 1,
  "data_source_id": 0,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_name": "Excessive access to sensitive files (DLP alert)",
  "indicator_category": "Data exfiltration",
  "risk_probability": 1.0,
  "version": 2,
  "severity": "low",
  "indicator_type": "builtin",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "event_count": 1,
    "observation_start_time": "2021-03-22T09:31:11Z"
    },
  "event_type": "indicatorSummary",
  "cas_consumer_debug_details": {"partition": 1, "offset":179528, "enqueued_timestamp": 1616406412459}
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "version": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": 3,
  "indicator_uuid": "3847a1bb-666b-4f25-9aec-2307daf8d56c",
  "timestamp": "2021-03-22T09:46:11Z",
  "indicator_category_id": 1,
  "data_source_id": 0,
  "client_ip": "210.91.xx.xxx",
  "file_name": "filename.xls",
  "file_size_in_bytes": 178690,
  "event_type": "indicatorEventDetails"
}

The following table describes the field names specific to the summary schema and the event details schema of the excessive access to sensitive files (DLP alert) risk indicator.

Field name    Description
relevant_event_type    The type of event, such as download.
event_count    The number of download events detected.
observation_start_time    The time from which Citrix Analytics monitors the user's activity, up to the timestamp. If any anomalous behavior is detected in this period, the risk indicator is triggered.
file_name    The name of the downloaded file.
file_size_in_bytes    The size of the downloaded file, in bytes.

Excessive file or folder deletion risk indicator

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "28c4bbab-f3ad-5886-81cd-26fef200d9d7",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T11:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file / folder deletion",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "cumulative_event_count_day": 11,
    "relevant_event_type": "File and/or Folder Delete",
    "observation_start_time": "2017-12-18T11:00:00Z"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 5,
  "indicator_uuid": "be9af43f-29d2-51cd-81d6-c1d48b392bbb",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2017-12-18T01:45:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "210.91.xx.xxx",
  "version": 2,
  "resource_type": "File",
  "resource_name": "Filename21",
  "component_name": "Platform",
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

The following table describes the field names specific to the summary schema and the event details schema of the excessive file or folder deletion risk indicator.

Field name    Description
cumulative_event_count_day    The number of unique file or folder deletion events for the day.
relevant_event_type    Indicates the type of event, such as file or folder deletion.
resource_type    Indicates whether the resource is a file or a folder.
resource_name    The name of the resource.
component_name    Indicates the ShareFile component: Platform or Connector. If the user deletes a file from ShareFile-managed cloud storage, the component is shown as "Platform". If the user deletes a file from a storage zone, the component is shown as "Connector".
connector_type    The type of storage zone connector used.
city    The city from which the user logged on.
country    The country from which the user logged on.
region    The region from which the user logged on.
latitude    Indicates the latitude of the location from which the user logged on.
longitude    Indicates the longitude of the location from which the user logged on.

Excessive file sharing risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "3d421659-ef4d-5434-94b8-90f792e81989",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T06:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.19621421,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file sharing",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-03T06:00:00Z",
    "relevant_event_type": "Share Create and/or Send",
    "cumulative_event_count_day": 15
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 6,
  "indicator_uuid": "c5ea0b26-ce4c-55ad-b8ba-d562f128a2fb",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-03T02:22:04Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_tenant",
  "version": 2,
  "share_id": "share110",
  "operation_name": "Create",
  "tool_name": "SFWebApp",
  "component_name": "Platform",
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

The following table describes the field names specific to the summary schema and the event details schema of the excessive file sharing risk indicator.

Field name    Description
cumulative_event_count_day    The number of unique files shared during the day.
relevant_event_type    Indicates the type of event, such as share link.
share_id    The ID associated with the share link.
operation_name    Indicates the user activity, such as creating a share link or deleting a share link.
tool_name    The tool or application used to share the file.
component_name    Indicates the ShareFile component: Platform or Connector. If the user shares a file from ShareFile-managed cloud storage, the component is shown as "Platform". If the user shares a file from a storage zone, the component is shown as "Connector".
city    The city from which the user logged on.
country    The country from which the user logged on.
region    The region from which the user logged on.
latitude    Indicates the latitude of the location from which the user logged on.
longitude    Indicates the longitude of the location from which the user logged on.

Excessive file uploads risk indicator schema

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.64705884,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive file uploads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "tool_name": "tool3",
    "relevant_event_type": "Upload",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 4,
  "indicator_uuid": "e15ddbb3-f885-514b-81a1-ab84f4e542f1",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:37:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "File5.txt",
  "component_name": "Connector",
  "client_ip": "99.xxx.xx.xx",
  "connector_type": "GFIS",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

The following table describes the field names specific to the summary schema and the event details schema of the excessive file uploads risk indicator.

Field name    Description
tool_name    The tool or application used to share the file.
relevant_event_type    Indicates the type of user event, such as upload.
file_name    The name of the uploaded file.
component_name    Indicates the ShareFile component: Platform or Connector. If the user uploads a file to ShareFile-managed cloud storage, the component is shown as "Platform". If the user uploads a file to a storage zone, the component is shown as "Connector".
connector_type    The type of storage zone connector used.
city    The city from which the user logged on.
country    The country from which the user logged on.
region    The region from which the user logged on.
latitude    Indicates the latitude of the location from which the user logged on.
longitude    Indicates the longitude of the location from which the user logged on.

Unusual authentication failure risk indicator

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "274cedc0-a404-5abe-b95b-317c0209c9e8",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:29:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2018-01-26T00:30:00Z"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 10,
  "indicator_uuid": "e1bf5b91-b0e1-5145-aa5b-7731f31b56ac",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 0,
  "timestamp": "2018-01-26T01:01:01Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "operation_name": "LoginFailure",
  "tool_name": "webapp",
  "client_ip": "128.x.x.x",
  "os": "Android"
}

The following table describes the field names specific to the summary schema and the event details schema of the unusual authentication failure risk indicator.

Field name    Description
relevant_event_type    Indicates the type of user event, such as logon failure.
observation_start_time    The time from which Citrix Analytics monitors the user's activity, up to the timestamp. If any anomalous behavior is detected in this period, the risk indicator is triggered.
tool_name    The tool or application used to share files.
os    The operating system of the user's device.

Ransomware activity suspected (files replaced) risk indicator

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "0afaa694-59ec-5a44-84df-3afcefad7b50",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files replaced)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-29T10:50:00Z",
    "relevant_event_type": "Delete & Upload"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 8,
  "indicator_uuid": "580f8f03-c02b-5d0f-b707-1a0577ca2fec",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:06Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "client_ip": "99.xxx.xx.xx",
  "operation_name": "Upload",
  "file_path": "/root/folder1/folder2/folder3"
}

The following table describes the field names specific to the summary schema and the event details schema of the ransomware activity suspected (files replaced) risk indicator.

Field name    Description
relevant_event_type    Indicates the type of user event, such as deleting a file and uploading another file.
observation_start_time    The time from which Citrix Analytics monitors the user's activity, up to the timestamp. If any anomalous behavior is detected in this period, the risk indicator is triggered.
file_name    The name of the replaced file.
operation_name    The user activity, such as upload or delete.
file_path    The path of the replaced file.

Anonymous sensitive share download risk indicator

Indicator summary schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "93a32d22-d14b-5413-94fc-47c44fe7c07f",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "62795698",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Anonymous sensitive share download",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-27T12:00:00Z",
    "relevant_event_type": "Download"
  }
}

Indicator event details schema


{
  "tenant_id": "demo_tenant",
  "indicator_id": 50,
  "indicator_uuid": "11562a63-9761-55b8-8966-3ac81bc1d043",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-27T12:02:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "46268753",
  "version": 2,
  "file_name": "file1.mp4",
  "file_size_in_bytes": 278,
  "city": "Miami",
  "country": "USA",
  "client_ip": "166.xxx.xxx.xxx",
  "device_type": "iPhone X"
}

The following table describes the field names specific to the summary schema and the event details schema of the anonymous sensitive share download risk indicator.

Field name    Description
observation_start_time    The time from which Citrix Analytics monitors the user's activity, up to the timestamp. If any anomalous behavior is detected in this period, the risk indicator is triggered.
relevant_event_type    Indicates the type of user event, such as download.
file_name    The name of the sensitive file that was downloaded.
file_size_in_bytes    The size of the downloaded file, in bytes.
city    The city where the user activity was detected.
country    The country where the user activity was detected.
device_type    The type of device used to download the file.

Excessive downloads risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/share-timeline/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download",
    "lifetime_users_downloaded": 6,
    "observation_start_time": "2018-01-27T19:00:00Z",
    "lifetime_download_volume_in_bytes": 2718,
    "lifetime_download_count": 6,
    "link_first_downloaded": "2018-01-27T11:12:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 51,
  "indicator_uuid": "ed292b9c-622e-5904-9017-92632827bd22",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "NA",
    "id": 999 },
  "data_source_id": 0,
  "timestamp": "2018-01-28T18:47:50Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "share",
  "entity_id": "29510000",
  "version": 2,
  "file_name": "anom20.jep",
  "file_size_in_bytes": 106,
  "client_ip": "99.xxx.xx.xx",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74,
  "user_email": "new-user61@citrix.com",
  "lifetime_unique_user_emails": "new-user62@citrix.com user6e@citrix.com user6f@citrix.com new-user63@citrix.com new-user64@citrix.com new-user61@citrix.com",
  "lifetime_unique_user_count": 6,
  "lifetime_num_times_downloaded": 6,
  "lifetime_total_download_size_in_bytes": 2718,
  "lifetime_first_event_time": "2018-01-27T11:12:00Z"
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the excessive downloads risk indicator.

| Field name | Description |
| --- | --- |
| relevant_event_type | Indicates the type of event, for example excessive downloads of a share link. |
| lifetime_users_downloaded | Total number of users who have downloaded the share link since it was created. |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| lifetime_download_volume_in_bytes | Total volume downloaded since the share link was created, in bytes. |
| lifetime_download_count | Total number of downloads since the share link was created. |
| link_first_downloaded | Date and time at which the share link was first downloaded. |
| file_name | Name of the file shared through the link. |
| file_size_in_bytes | Size of the shared file. |
| user_email | Email ID of the current user who excessively downloaded the file through the share link. |
| lifetime_unique_user_emails | Email IDs of all users, including the current user, who have downloaded the file since the link was created. |
| lifetime_unique_user_count | Total number of unique users who have downloaded the file since the link was created. |
| lifetime_num_times_downloaded | Total number of times the file has been downloaded since the link was created. |
| lifetime_total_download_size_in_bytes | Total size of the files downloaded since the link was created. |
| lifetime_first_event_time | Date and time of the first download event since the link was created. |
| city | City from which the user logged on. |
| country | Country or region from which the user logged on. |
| region | Region from which the user logged on. |
| latitude | Latitude of the location from which the user logged on. |
| longitude | Longitude of the location from which the user logged on. |

Excessive file downloads risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Excessive file downloads",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "exfiltrated_data_volume_in_bytes": 24000,
    "relevant_event_type": "Download",
    "observation_start_time": "2018-01-02T10:00:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 0,
  "indicator_uuid": "ebf19ac0-19a5-53cf-b8fa-e3c71858fef6",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": "0",
  "timestamp": "2018-01-02T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "client_ip": "99.xxx.xx.xx",
  "version": 2,
  "file_name": "File1.txt",
  "file_size_in_bytes": 24000,
  "component_name": "Platform",
  "connector_type": "NA",
  "city": "some_city",
  "country": "some_country",
  "region": "some_region",
  "latitude": 12.29,
  "longitude": -34.74
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the excessive file downloads risk indicator.

| Field name | Description |
| --- | --- |
| exfiltrated_data_volume_in_bytes | Volume of data downloaded, in bytes. |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| file_name | Name of the downloaded file. |
| file_size_in_bytes | Size of the downloaded file, in bytes. |
| component_name | Indicates the ShareFile component, either Platform or Connector. If the user downloads a file from ShareFile-managed cloud storage, the component is shown as "Platform". If the user downloads a file from a storage zone, the component is shown as "Connector". |
| city | City from which the user logged on. |
| country | Country or region from which the user logged on. |
| region | Region from which the user logged on. |
| latitude | Latitude of the location from which the user logged on. |
| longitude | Longitude of the location from which the user logged on. |

Access from an unusual location risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 7,
  "indicator_uuid": "88002ccf-63bb-5c6e-9288-24e9c826d4b3",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 0,
  "timestamp": "2018-01-25T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Access from an unusual location",
  "severity": "medium",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-01-25T12:00:00Z",
    "city": "abc",
    "region": "xyz",
    "historical_observation_period_in_days": 30,
    "historical_logon_locations": "[{"country":"United States","region":"Some_State_A","city":"Some_City_A","latitude":0.0,"longitude":0.0,"count":5},{"country":"United States","region":"Some_State_B","city":"Some_City_B","latitude":45.0,"longitude":45.0,"count":5}]",
    "country": "United States",
    "relevant_event_type": "Logon"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 7,
  "indicator_uuid": "d31db7d2-cf60-570e-8785-e994862ba377",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 0,
  "timestamp": "2018-01-25T12:04:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "city": "NA",
  "region": "NA",
  "latitude": -999,
  "longitude": -999,
  "tool_name": "SFWebApp",
  "os": "WindowsOS",
  "client_ip": "11.xx.xx.xx"
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the access from an unusual location risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| historical_logon_locations | Locations the user accessed during the observation period, and the number of accesses from each location. |
| historical_observation_period_in_days | Each location is monitored for 30 days. |
| relevant_event_type | Indicates the type of event, for example logon. |
| country | Country or region from which the user logged on. |
| city | City from which the user logged on. |
| region | Region from which the user logged on. |
| latitude | Latitude of the location from which the user logged on. |
| longitude | Longitude of the location from which the user logged on. |
| os | Operating system of the user's device. |
| tool_name | Tool or application used to share the file. |

Note

  • If the value of an integer field is not available, the value -999 is assigned. For example, "latitude": -999 and "longitude": -999.

  • If the value of a string field is not available, the value NA is assigned. For example, "city": "NA" and "region": "NA".
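
The two sentinel rules above and the access from an unusual location schemas both matter when a SIEM consumes these records: -999 must not be treated as a coordinate, and `historical_logon_locations` arrives as a JSON document encoded inside a JSON string. The following Python is an added example, not Citrix code: it decodes that nested string, maps the sentinels to null and re-checks each event detail against the baseline carried by its summary (a consumer-side check, not how Citrix computes the indicator). The records are constructed from the field names shown on this page; `normalise`, `parse_summary`, `baseline_logon_count` and `classify_logon` are this example's own names.

```python
"""Normalise Citrix Analytics for Security SIEM records and re-check an
'Access from an unusual location' event detail against its summary's baseline.
Added example, not Citrix code; sample records are constructed from the schemas."""
import json
from typing import Any

INT_MISSING = -999  # documented sentinel for unavailable integer fields
STR_MISSING = "NA"  # documented sentinel for unavailable string fields
UUID = "88002ccf-63bb-5c6e-9288-24e9c826d4b3"  # indicator_uuid from the page's sample

# Constructed summary record. historical_logon_locations is a JSON document
# carried as a string inside the JSON object, exactly as the schema shows.
SUMMARY = json.dumps({
    "tenant_id": "demo_tenant", "indicator_id": 7, "indicator_uuid": UUID,
    "event_type": "indicatorSummary", "entity_type": "user",
    "entity_id": "demo_user", "version": 2, "severity": "medium",
    "indicator_name": "Access from an unusual location",
    "occurrence_details": {
        "historical_observation_period_in_days": 30,
        "relevant_event_type": "Logon",
        "historical_logon_locations": json.dumps([
            {"country": "United States", "region": "Some_State_A",
             "city": "Some_City_A", "latitude": 0.0, "longitude": 0.0, "count": 5},
            {"country": "United States", "region": "Some_State_B",
             "city": "Some_City_B", "latitude": 45.0, "longitude": 45.0, "count": 5},
        ]),
    },
})

# Constructed event details: the first arrived with sentinels, the second resolved.
DETAILS = [
    json.dumps({"event_type": "indicatorEventDetails", "entity_id": "demo_user",
                "indicator_uuid": UUID, "timestamp": "2018-01-25T12:04:00Z",
                "version": 2, "country": "United States", "city": "NA",
                "region": "NA", "latitude": -999, "longitude": -999,
                "tool_name": "SFWebApp", "os": "WindowsOS", "client_ip": "11.xx.xx.xx"}),
    json.dumps({"event_type": "indicatorEventDetails", "entity_id": "demo_user",
                "indicator_uuid": UUID, "timestamp": "2018-01-25T12:09:00Z",
                "version": 2, "country": "United States", "city": "Some_City_A",
                "region": "Some_State_A", "latitude": 0.0, "longitude": 0.0,
                "tool_name": "SFWebApp", "os": "WindowsOS", "client_ip": "11.xx.xx.xx"}),
]


def normalise(record: dict[str, Any]) -> dict[str, Any]:
    """Map the documented sentinels (-999, "NA") to None, descending into nested
    objects, so they are never mistaken for real coordinates or place names."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if isinstance(value, dict):
            out[key] = normalise(value)
        elif isinstance(value, bool):  # bool is an int subclass; keep it as-is
            out[key] = value
        elif isinstance(value, (int, float)) and value == INT_MISSING:
            out[key] = None
        elif isinstance(value, str) and value == STR_MISSING:
            out[key] = None
        else:
            out[key] = value
    return out


def parse_summary(raw: str) -> dict[str, Any]:
    """Load an indicatorSummary record and decode the nested
    historical_logon_locations string into a list of location objects."""
    rec = normalise(json.loads(raw))
    if rec.get("version") != 2:
        raise ValueError(f"unsupported schema version {rec.get('version')!r}")
    details = rec.setdefault("occurrence_details", {})
    hist = details.get("historical_logon_locations")
    if isinstance(hist, str):
        details["historical_logon_locations"] = json.loads(hist)
    return rec


def baseline_logon_count(summary: dict[str, Any]) -> int:
    """Total logons behind the 30-day baseline; a small number means the
    baseline is thin and an 'unknown' verdict deserves less weight."""
    return sum(h["count"] for h in summary["occurrence_details"]["historical_logon_locations"])


def classify_logon(summary: dict[str, Any], detail_raw: str) -> str:
    """Returns 'known' when the detail's (country, region, city) matches a
    historical location, 'unknown' when it does not, and 'incomplete' when
    any part of the location was a sentinel, so no conclusion should be drawn."""
    detail = normalise(json.loads(detail_raw))
    if detail.get("indicator_uuid") != summary["indicator_uuid"]:
        raise ValueError("event detail does not belong to this summary")
    loc = (detail.get("country"), detail.get("region"), detail.get("city"))
    if any(part is None for part in loc):
        return "incomplete"
    baseline = {(h["country"], h["region"], h["city"])
                for h in summary["occurrence_details"]["historical_logon_locations"]}
    return "known" if loc in baseline else "unknown"
```

Run `classify_logon(parse_summary(SUMMARY), d)` over `DETAILS` to see the first record come back as `incomplete` and the second as `known`.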

Ransomware activity suspected (files updated) risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "f21ef9c8-c379-5a96-ae90-e750d31a728c",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:04:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Ransomware activity suspected (files updated)",
  "severity": "high",
  "data_source": "Citrix Content Collaboration",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Update/Upload",
    "observation_start_time": "2018-01-29T10:50:00Z"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 9,
  "indicator_uuid": "0509e432-527e-5c84-abb4-f397f2a5e02b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "File-Based Risk Indicators",
    "id": 6 },
  "data_source_id": 0,
  "timestamp": "2018-01-29T11:00:05Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "file_name": "file1",
  "operation_name": "Update",
  "stream_id": "someid37",
  "client_ip": "11.xx.xx.xx",
  "file_path": "/root/folder1/folder2/folder3"
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the ransomware activity suspected (files updated) risk indicator.

| Field name | Description |
| --- | --- |
| relevant_event_type | Indicates the type of user event, for example updating or uploading a file. |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| file_name | Name of the updated file. |
| operation_name | The user activity, for example upload, update, or delete. |
| file_path | Path of the file the user updated. |
| stream_id | ID of the item stream. An item represents a single version of a file system object; the stream identifies all versions of the same file system object. For example, when a user uploads or modifies an existing file, a new item is created with the same stream ID. |

Citrix Endpoint Management risk indicator schemas

Jailbroken or rooted device detected indicator schema

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_id": 200,
  "indicator_name": "Jailbroken / Rooted Device Detected",
  "indicator_type": "builtin",
  "indicator_uuid": "aa872f86-a991-4219-ad01-2a070b6e633d",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:05Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema

{
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_id": 200,
  "indicator_uuid": "9aaaa9e1-39ad-4daf-ae8b-2fa2caa60732",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:35Z",
  "version": 2
}

Device with blacklisted apps detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_id": 201,
  "indicator_name": "Device with Blacklisted Apps Detected",
  "indicator_type": "builtin",
  "indicator_uuid": "3ff7bd54-4319-46b6-8b98-58a9a50ae9a7",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:23Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema

{
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_id": 201,
  "indicator_uuid": "743cd13a-2596-4323-8da9-1ac279232894",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:39Z",
  "version": 2
}

Unmanaged device detected

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_id": 203,
  "indicator_name": "Unmanaged Device Detected",
  "indicator_type": "builtin",
  "indicator_uuid": "e28b8186-496b-44ff-9ddc-ae50e87bd757",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T12:56:30Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

Indicator event details schema

{
  "client_ip": "127.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_id": 203,
  "indicator_uuid": "dd280122-04f2-42b4-b9fc-92a715c907a0",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T18:41:30Z",
  "version": 2
}

Citrix Access Control risk indicator schemas

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "8f2a39bd-c7c2-5555-a86a-5cfe5b64dfef",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:58Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Attempt to access blacklisted URL",
  "severity": "low",
  "data_source": "Citrix Access Control",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:44:59Z",
    "risky_domain_category_list": [
      "YouTube"
    ],
    "relevant_event_type": "Blacklisted External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "c421f3f8-33d8-59b9-ad47-715b9d4f65f4",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:57:21Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "googleads.g.doubleclick.net",
  "domain_category": "Advertisements/Banners",
  "domain_category_group": "Computing and Internet",
  "executed_action": "blocked",
  "reason_for_action": "URL Category match",
  "domain_reputation": 3,
  "client_ip": "157.xx.xxx.xxx"
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the attempt to access blacklisted URL risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| risky_domain_category_list | Category information available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_category | Domain category available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_category_group | Domain category group available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| executed_action | Action applied to the blacklisted URL. The actions are allow and block. |
| reason_for_action | Reason the action was applied to the URL. |
| domain_reputation | Reputation index of the blacklisted URL. |

Risky website access risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 400,
  "indicator_uuid": "26cc7ddf-101a-5776-b5de-df501189e8cd",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.075,
  "indicator_category": "Insider threats",
  "indicator_name": "Risky website access",
  "severity": "low",
  "data_source": "Citrix Access Control",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:45:00Z",
    "risky_domain_category_list": [
      "Advertisements/Banners",
      "Streaming Media"
    ],
    "relevant_event_type": "Risky External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 400,
  "indicator_uuid": "26cc7ddf-101a-5776-b5de-df501189e8cd",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:50:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "abc.googlevideo.com",
  "domain_category": "Streaming Media",
  "domain_category_group": "News/Entertainment/Society",
  "domain_reputation": 3,
  "client_ip": "157.xx.xxx.xxx",
  "transaction_count": 2
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the risky website access risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| risky_domain_category_list | Category information available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_name | Name of the domain the user accessed. |
| domain_category | Category information available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_category_group | Domain category group available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_reputation | Reputation index of the risky domain. |
| transaction_count | Number of times the user accessed the domain during the day. |

Excessive data download risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive data download",
  "severity": "low",
  "data_source": "Citrix Access Control",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "domain_category": "Facebook",
  "domain_category_group": "Social Networking",
  "client_ip": "157.xx.xxx.xxx",
  "downloaded_bytes": 24000
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the excessive data download risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| data_volume_in_bytes | Volume of data downloaded, in bytes. |
| relevant_event_type | Indicates the type of user event. |
| domain_name | Name of the domain from which the data was downloaded. |
| domain_category | Category information available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_category_group | Domain category group available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| downloaded_bytes | Volume of data downloaded, in bytes. |

Unusual upload volume risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "4f2a249c-9d05-5409-9c5f-f4c764f50e67",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Unusual upload volume",
  "severity": "low",
  "data_source": "Citrix Access Control",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "c6abf40c-9b62-5db4-84bc-5b2cd2c0ca5f",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "domain_category": "Facebook",
  "domain_category_group": "Social Networking",
  "client_ip": "157.xx.xxx.xxx",
  "uploaded_bytes": 24000
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the unusual upload volume risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| data_volume_in_bytes | Volume of data uploaded, in bytes. |
| relevant_event_type | Indicates the type of user event. |
| domain_name | Name of the domain to which the data was uploaded. |
| domain_category | Category information available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| domain_category_group | Domain category group available in Citrix Secure Workspace Access. For details, see the list of categories available for Citrix Secure Workspace Access. |
| uploaded_bytes | Volume of data uploaded, in bytes. |

Citrix Virtual Apps and Desktops risk indicator schemas

Potential data exfiltration risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Potential data exfiltration",
  "severity": "low",
  "data_source": "Citrix Virtual Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download/Print/Copy",
    "observation_start_time": "2018-04-02T10:00:00Z",
    "exfil_data_volume_in_bytes": 1172000
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:57:36Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "App.SaaS.Clipboard",
  "file_size_in_bytes": 98000,
  "file_type": "text",
  "device_id": "dvc5",
  "receiver_type": "XA.Receiver.Windows",
  "app_url": "https://www.citrix.com",
  "client_ip": "10.xxx.xx.xxx",
  "entity_time_zone": "Pacific Standard Time"
}

The following table describes the fields specific to the indicator summary schema and the indicator event details schema for the potential data exfiltration risk indicator.

| Field name | Description |
| --- | --- |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| relevant_event_type | Indicates the user activity, for example downloading, printing, or copying data. |
| exfil_data_volume_in_bytes | Volume of data exfiltrated. |
| occurrence_event_type | Indicates how the data exfiltration occurred, for example a clipboard operation in a SaaS application. |
| file_size_in_bytes | Size of the file. |
| file_type | Type of the file. |
| device_id | ID of the user's device. |
| receiver_type | Citrix Workspace app or Citrix Receiver installed on the user's device. |
| app_url | URL of the application the user accessed. |
| entity_time_zone | Time zone of the user. |

Access from an unusual location risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 311,
  "indicator_uuid": "ac651192-31b2-5a98-8a16-8574ce52d1bd",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Access from an unusual location",
  "severity": "medium",
  "data_source": "Citrix Virtual Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "historical_observation_period_in_days": 30,
    "city": "new_city",
    "country": "some_country",
    "relevant_event_type": "Logon",
    "observation_start_time": "2020-06-06T12:00:00Z",
    "region": "some_region",
    "historical_logon_locations": "[{"country":"some_country","region":"some_region","city":"some_city","latitude":40.7,"longitude":-74.0,"count":150}]"
  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 311,
  "indicator_uuid": "104617f6-1459-530b-85e8-9a139ba630a8",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2 },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:01:02Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "city": "new_city",
  "country": "new_country",
  "region": "new_region",
  "latitude": 60.7,
  "longitude": -74,
  "browser": "Chrome",
  "os": "Windows",
  "device_id": "some_device",
  "receiver_type": "XA.Receiver.Windows",
  "client_ip": "11.xx.xx.xx"
}

The following table describes the field names specific to the indicator summary schema and the indicator event details schema for the access from an unusual location risk indicator.

| Field name | Description |
| --- | --- |
| historical_logon_locations | Locations the user accessed during the observation period, and the number of accesses from each location. |
| historical_observation_period_in_days | Each location is monitored for 30 days. |
| relevant_event_type | Indicates the type of event, for example logon. |
| observation_start_time | Time from which Citrix Analytics starts monitoring the user's activity, up to the timestamp. If any anomalous behaviour is detected in this period, the risk indicator is triggered. |
| occurrence_event_type | Indicates the type of user event, for example account logon. |
| country | Country or region from which the user logged on. |
| city | City from which the user logged on. |
| region | Region from which the user logged on. |
| latitude | Latitude of the location from which the user logged on. |
| longitude | Longitude of the location from which the user logged on. |
| browser | Web browser the user used. |
| os | Operating system of the user's device. |
| device_id | Name of the device the user used. |
| receiver_type | Type of Citrix Workspace app or Citrix Receiver installed on the user's device. |

MS Active Directory indicator

Indicator summary schema

{
  "data_source": "Microsoft Graph Security",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": 1000,
  "indicator_name": "MS Active Directory Indicator",
  "indicator_type": "builtin",
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "ui_link": "https://analytics-daily.cloud.com/user/",
  "version": 2
}

Indicator event details schema

{
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_id": 1000,
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "version": 2
}

Compromised user access risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 312,
  "indicator_uuid": "3df003ba-4323-58c1-8c4c-c2935120b093",
  "indicator_category_id": 3,
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Compromised user access",
  "severity": "medium",
  "data_source": "Citrix Virtual Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "city": "new_city",
    "country": "some_country",
    "region": "some_region",
    "client_ip": "99.155.88.66",
    "device_id": "device2",
    "observation_start_time": "2020-06-06T12:00:00Z",

  }
}

Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 312,
  "indicator_uuid": "3df003ba-4323-58c1-8c4c-c2935120b093",
  "indicator_category_id": "3",
  "data_source_id": "3",
  "timestamp": "2020-06-06T12:01:02Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "city": "new_city",
  "country": "new_country",
  "region": "new_region",
  "latitude": 60.7,
  "longitude": -74,
  "browser": "Chrome",
  "os": "Windows",
  "device_id": "some_device",
  "receiver_type": "XA.Receiver.Windows",
  "client_ip": "11.xx.xx.xx"
}

Custom risk indicator schemas

The following sections describe the schemas of the custom risk indicators.

Note

Currently, Citrix Analytics sends custom risk indicators for Citrix Virtual Apps and Desktops to the SIEM.

Custom risk indicators for Citrix Virtual Apps and Desktops

Indicator summary schema

{
  "data_source": "Citrix Virtual Apps and Desktops",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": "ca97a656ab0442b78f3514052d595936",
  "indicator_name": "Demo_user_usage",
  "indicator_type": "custom",
  "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
  "occurrence_details": {
    "condition": "User-Name ~ demo_user", "happen": 0, "new_entities": "", "repeat": 0, "time_quantity": 0, "time_unit": "", "type": "everyTime"},
  "pre_configured": "N",
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-02-10T14:47:25Z",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "version": 2
}

Indicator event details schema for the session logon event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "SYD04-MS1-S102",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

Indicator event details schema for the session launch event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
  "launch_type": "Desktop",
}

Indicator event details schema for the account logon event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Account.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
}

Indicator event details schema for the session end event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server"
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

Indicator event details schema for the app start event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.Start",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path":
}

Indicator event details schema for the app end event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1"
  "app_name": "notepad",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path":
}

Indicator event details schema for the file download event

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "File.Download",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1",
  "file_download_file_name": "File5.txt",
  "file_download_file_path": "/root/folder1/folder2/folder3",
  "file_size_in_bytes": 278,
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "device_type": "USB"
}


Indicator event details schema for print events (Printing)

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Printing",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1",
  "printer_name": "Test-printer",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "job_details_size_in_bytes": 454,
  "job_details_filename": "file1.pdf",
  "job_details_format": "PDF"
}


Indicator event details schema for SaaS app launch events (App.SaaS.Launch)

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1",
  "launch_type": "Desktop"
}


Indicator event details schema for SaaS app end events (App.SaaS.End)

{
  "event_type": "indicatorEventDetails",
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",  
  "device_id": "5-Synthetic_device",
  "os_major_version": "Windows NT 6.1",
  "os_minor_version": "7601",
  "os_extra_details": "Service Pack 1",
  "launch_type": "Desktop"
}

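The schemas above describe what a SIEM receives, but not how to consume it safely. The following is an added example (not code from the Citrix Analytics documentation or product) of a strict ingest step for `indicatorEventDetails` records: it validates the common fields and schema version, checks the per-`occurrence_event_type` fields documented on this page, normalises the UTC timestamp, and applies two illustrative triage rules (flagging `File.Download` events whose `device_type` is `USB`, and all `Printing` events). The triage rules, the `SAMPLE_FEED` records and the helper names are this example's own assumptions; the field names and placeholder values are taken from the schema samples on this page. One of the constructed lines carries a trailing comma, which a strict JSON parser rejects, so such records are quarantined rather than silently dropped.

```python
"""Strict ingest of Citrix Analytics for Security indicatorEventDetails records.

Added example, not Citrix code. Field names follow the schema samples on this
page; the triage rules and sample feed below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Fields the page shows on every indicatorEventDetails record.
COMMON_FIELDS = (
    "event_type", "tenant_id", "entity_id", "entity_type", "indicator_id",
    "indicator_uuid", "timestamp", "version", "event_id", "occurrence_event_type",
)

# Event-specific fields per occurrence_event_type, as shown in the schema samples.
EVENT_FIELDS = {
    "App.Start": ("app_name", "launch_type", "session_guid"),
    "App.End": ("app_name", "launch_type", "session_guid"),
    "File.Download": ("file_download_file_name", "file_download_file_path",
                      "file_size_in_bytes", "device_type"),
    "Printing": ("printer_name", "job_details_filename",
                 "job_details_format", "job_details_size_in_bytes"),
    "App.SaaS.Launch": ("launch_type",),
    "App.SaaS.End": ("launch_type",),
}

SUPPORTED_VERSION = 2  # the page documents schema version 2


class SchemaError(ValueError):
    """Raised when a record does not match the documented schema."""


def parse_event(raw: str) -> dict:
    """Parse one JSON line and validate it against the documented schema."""
    try:
        rec = json.loads(raw)  # strict: trailing commas and bare values are rejected
    except json.JSONDecodeError as exc:
        raise SchemaError(f"invalid JSON: {exc}") from None
    if rec.get("event_type") != "indicatorEventDetails":
        raise SchemaError(f"unexpected event_type {rec.get('event_type')!r}")
    missing = [f for f in COMMON_FIELDS if f not in rec]
    if missing:
        raise SchemaError(f"missing common fields: {missing}")
    if rec["version"] != SUPPORTED_VERSION:
        raise SchemaError(f"unsupported schema version {rec['version']}")
    kind = rec["occurrence_event_type"]
    if kind not in EVENT_FIELDS:
        raise SchemaError(f"unknown occurrence_event_type {kind!r}")
    missing = [f for f in EVENT_FIELDS[kind] if f not in rec]
    if missing:
        raise SchemaError(f"{kind} record missing fields: {missing}")
    # Timestamps are ISO 8601 in UTC ("Z"); normalise to an aware datetime.
    rec["timestamp"] = datetime.strptime(
        rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def triage(rec: dict) -> list:
    """Assumed triage rules: return reasons an analyst may want to review this event."""
    reasons = []
    kind = rec["occurrence_event_type"]
    if kind == "File.Download" and str(rec["device_type"]).upper() == "USB":
        reasons.append(f"download to removable media: {rec['file_download_file_name']} "
                       f"({rec['file_size_in_bytes']} bytes)")
    if kind == "Printing":
        reasons.append(f"print job {rec['job_details_filename']} on {rec['printer_name']}")
    return reasons


def process_feed(lines):
    """Parse every line; return (accepted (record, reasons) pairs, rejected (line, error) pairs)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            rec = parse_event(line)
        except SchemaError as exc:
            rejected.append((line, str(exc)))
            continue
        accepted.append((rec, triage(rec)))
    return accepted, rejected


def _rec(**extra) -> str:
    """Build a constructed sample line using the page's placeholder values."""
    base = {"event_type": "indicatorEventDetails", "tenant_id": "demo_tenant",
            "entity_id": "demo_user", "entity_type": "user",
            "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
            "timestamp": "2021-03-19T10:08:05Z",
            "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0", "version": 2,
            "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e"}
    return json.dumps({**base, **extra})


# Constructed sample feed: three valid records, one malformed line (trailing comma,
# as in a hand-edited sample), one record with an unsupported schema version.
SAMPLE_FEED = [
    _rec(occurrence_event_type="File.Download", file_download_file_name="File5.txt",
         file_download_file_path="/root/folder1/folder2/folder3",
         file_size_in_bytes=278, device_type="USB"),
    _rec(occurrence_event_type="Printing", printer_name="Test-printer",
         job_details_filename="file1.pdf", job_details_format="PDF",
         job_details_size_in_bytes=454),
    _rec(occurrence_event_type="App.Start", app_name="notepad", launch_type="Desktop",
         session_guid="f466e318-9065-440c-84a2-eec49d978a96"),
    '{"event_type": "indicatorEventDetails", "launch_type": "Desktop",}',
    _rec(version=3, occurrence_event_type="App.End", app_name="notepad",
         launch_type="Desktop", session_guid="f466e318-9065-440c-84a2-eec49d978a96"),
]

if __name__ == "__main__":
    ok, bad = process_feed(SAMPLE_FEED)
    for rec, reasons in ok:
        print(rec["occurrence_event_type"], rec["timestamp"].isoformat(), reasons)
    for line, err in bad:
        print("REJECTED:", err)
```

Rejected lines are kept with their error rather than discarded so a schema change on the sending side (a new `occurrence_event_type`, a bumped `version`) surfaces as a spike in rejections instead of a silent gap in coverage.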
