Citrix Analytics Getting Started Guide Release v1.0 July 2018

Contents

DISCLAIMER
ABOUT CITRIX ANALYTICS
    How Citrix Analytics works
    Supported data sources
  DATA GOVERNANCE
    Data sources
    Enable Citrix Analytics
    Data retention period
    Turn on or off data processing
    Data collection agreement
SYSTEM REQUIREMENTS
  SUPPORTED BROWSERS
  XENAPP AND XENDESKTOP REQUIREMENTS
  NETSCALER MA SERVICE AGENT INSTALLATION REQUIREMENTS
  NETSCALER MA SERVICE AGENT PORT REQUIREMENTS
GETTING STARTED
  ADDING SHAREFILE DATA SOURCES
  ADDING ACCESS CONTROL DATA SOURCE
  ADDING THE XENMOBILE DATA SOURCE
  ADDING THE XENAPP AND XENDESKTOP DATA SOURCE
    Discover XenApp and XenDesktop service
    Add on-premises XenApp and XenDesktop data source
  ADDING NETSCALER DATA SOURCE
    Discover data source from NetScaler MA service
    Add additional on-premises NetScaler data source
SECURITY ANALYTICS
  RISK INDICATORS
  RISK SCORE
  USER SECURITY DASHBOARD
    Risky users
    Discovered users
    Top users
    Users in watchlist
  USER ACCESS DASHBOARD
  APP ACCESS DASHBOARD
    Top risky domains by access
    Top risky domains by data download volume
    Top risky categories by access
    Top risky categories by data download volume
  RISK TIMELINE
  RULES AND ACTIONS
    Rules
    Actions
    Configuring rules and actions
    Apply an action manually
    Managing rules
  WATCHLISTS
  ALERTS
  INVESTIGATE ACCESS-BASED RISK INDICATOR
    EPA scan failures
    Logon failures
    Authorization failures
    Risky website access
    Attempt to access blacklisted URL
  INVESTIGATE FILES-BASED RISK INDICATOR
    Excessive access to sensitive files
    Excessive file sharing
    Excessive file downloads
    Excessive file or folder deletion
    Ransomware activity suspected
  INVESTIGATE APPLICATION-BASED RISK INDICATOR
    Unusual logon access (ShareFile)
    Unmanaged device detected
    Jailbroken or rooted device detected
    Device with blacklisted apps detected
    Access from new device
    Potential data exfiltration
    Access from device with unsupported operating system (OS)
    Unusual application usage
    Unusual logon access (NetScaler Gateway)
  INVESTIGATE DATA-BASED RISK INDICATOR
    Unusual upload volume
    Unusual download volume
OPERATIONS ANALYTICS
  USER OPERATIONS
    Top users by transactions
    Top users by data download volume
  APP OPERATIONS
    Top domains by access
    Top domains by data download volume
    Top categories by access
    Top categories by data download volume
MONITOR CITRIX ANALYTICS
  AUDIT LOGS
FAQS
  DATA SOURCE
  NETSCALER MA SERVICE AGENT
  ONBOARDING NETSCALER INSTANCES
  ONBOARDING XENAPP AND XENDESKTOP SITE
KNOWN ISSUES


Disclaimer

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CITRIX AND ITS SUPPLIERS MAKE AND YOU RECEIVE NO WARRANTIES OR CONDITIONS, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND CITRIX AND ITS SUPPLIERS SPECIFICALLY DISCLAIM WITH RESPECT TO THIS RELEASE ANY CONDITIONS OF QUALITY, AVAILABILITY, RELIABILITY, SECURITY, LACK OF VIRUSES, BUGS OR ERRORS, OR SUPPORT AND ANY IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER CITRIX, NOR ITS SUPPLIERS SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, MULTIPLE, PUNITIVE OR OTHER DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF DATA, LOSS OF INCOME, LOSS OF OPPORTUNITY, LOST PROFITS, COSTS OF RECOVERY OR ANY OTHER DAMAGES), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, AND WHETHER OR NOT FOR BREACH OF CONTRACT, NEGLIGENCE OR OTHERWISE, AND WHETHER OR NOT CITRIX, ITS SUPPLIERS, OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

This document is furnished "AS IS." CITRIX DISCLAIMS ALL WARRANTIES REGARDING THE CONTENTS OF THIS DOCUMENT, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE. This document may contain technical or other inaccuracies or typographical errors. Citrix reserves the right to revise the information in this document at any time without notice.

This document and the software described in this document constitute confidential information of Citrix and its licensors and are furnished under a license from Citrix. This document and the software may be used and copied only as agreed upon by the Technology Preview Agreement.


About Citrix Analytics

Recent studies indicate that online threats have evolved to attack company resources from within. Protecting internal users from an imminent attack is as important as protecting a company’s network resources. Corporations must be able to shield their network resources and apps from any unauthorized or suspicious access.

Users within the company share network resources such as the internet. As a security officer, your objective must be to monitor and identify ‘events’ that are potentially suspicious. The events can also be inconsistent with the requirements or procedures within the company. When a user connects their mobile devices and laptops, monitoring and flagging such events become important so that potential threats can be predicted and downtimes avoided.

Citrix Analytics is an analytics service that allows you to monitor and identify inconsistent or suspicious activities on your networks. It provides actionable insights such as:

• User behavior

• Usage based on indicators identified across users, endpoints, network traffic, and files.

How Citrix Analytics works

Citrix Analytics integrates with the following Citrix products and aggregates metrics on users, applications, endpoints, networks, and data to provide comprehensive insights into user behavior and context.

• NetScaler ADC

• NetScaler Gateway

• ShareFile

• XenMobile

• XenApp and XenDesktop

It uses built-in Artificial Intelligence (AI) and Machine Learning (ML) algorithms to detect anomalous user behavior and threats. Using the aggregated information, it creates User Risk Profiles of the users in your network. Based on the Risk Indicators derived from user activity, it assigns a Risk Score to each user. Using this comprehensive visibility into user behavior and context, you can fine-tune your Citrix product policies in your deployment to mitigate the threats to your network.

Supported data sources

Data sources are Citrix services and products that send data to Citrix Analytics. The following table lists various data sources supported by Citrix Analytics.

| Citrix Product / Data Source | Deployment Type | Citrix Cloud Subscription | Required Agents | Product Component and Version |
|---|---|---|---|---|
| ShareFile | Service | ShareFile | N/A | ShareFile |
| NetScaler Gateway | On-premises | NetScaler Management and Analytics Service | NetScaler MA Service Agent | NetScaler Gateway 12.0.56.16 |
| XenMobile | Service | XenMobile Service | N/A | XenMobile Server |
| XenApp and XenDesktop | Service | XenApp and XenDesktop Service | N/A | Citrix Receiver for Windows 4.11 and later |
| XenApp and XenDesktop | On-premises | Workspace Service and Smart Tools | XenApp and XenDesktop agent | XenApp and XenDesktop 7.16 and later; Citrix Receiver for Windows 4.11 and later; Director 7.16 and later |

Note: XenApp and XenDesktop Site must be added to Workspace using Site Aggregation.

Data governance

Citrix Analytics is designed to protect your organization’s information and enable you to choose what you want to monitor.


Data sources

The data sources supported by Citrix Analytics are Citrix ShareFile, on-premises Citrix NetScaler with a subscription to NetScaler MA Service, Citrix XenMobile service, and Citrix XenApp and XenDesktop (both the service and on-premises).

Enable Citrix Analytics

When you sign up for Citrix Analytics, the data sources associated with your Citrix Cloud account are automatically discovered by Citrix Analytics. For example, if you have a ShareFile subscription, then the ShareFile data source is automatically discovered by Citrix Analytics.

However, you have to explicitly enable Analytics on the discovered data sources to begin transmitting data from these data sources. Citrix Analytics, then, processes and stores this data and makes the analytics data available on dashboards for your viewing.

You can also add additional on-premises data sources such as Citrix NetScaler and Citrix XenApp and XenDesktop to Citrix Analytics and enable Analytics on them. The data is then uploaded to Citrix Analytics for processing and viewing.

Data retention period

The default data retention period in Citrix Analytics is 13 months or 396 days. All collected and processed data such as user risk profiles, user risk score details, user risk event details, user watchlist, user actions, user profile, and so on are retained for this duration.

For example, if you have enabled Analytics on a data source on January 1st, 2018, then by default, data collected on January 1st, 2018 will be retained in Citrix Analytics until January 31st, 2019, the data collected on January 15th, 2018 will be retained until February 15th, 2019, and so on.

This data is stored for the default data retention period even after you have turned off data processing for the data source or after you have removed the data source from Citrix Analytics.

Turn on or off data processing

At any time, if you do not want to process data for any of the discovered or added data sources, you can turn off data processing for that data source. To turn off data processing, flip the site card and click "Turn off data processing."


When you turn off data processing, all communication between Citrix Analytics and that data source stops. No new data from that data source is processed by Citrix Analytics. However, all previously processed and stored data is available for the duration of the data retention period.

Data collection agreement

By uploading your data to Citrix Analytics and by using the features of Citrix Analytics, you agree and consent that Citrix may collect, store, transmit, maintain, process and use technical, user, or related information about your Citrix products and services.

At all times, information received by Citrix will be treated in accordance with Citrix’s Privacy Policy, which can be found at: https://www.citrix.com/about/legal/privacy/.


System requirements

Before you begin using Citrix Analytics, you must review the software requirements, browser requirements, port information, license information, and limitations.

Supported browsers

To access Citrix Analytics, your workstation must have one of the following supported web browsers:

• Latest version of Google Chrome

• Latest version of Mozilla Firefox

• Latest version of Microsoft Edge

• Microsoft Internet Explorer 11

• Latest version of Apple Safari

XenApp and XenDesktop requirements

Install Citrix Receiver version 4.11 or later for Windows to enable communication between Citrix Analytics and the XenApp and XenDesktop Sites. The supported on-premises XenApp and XenDesktop version is 7.16 and later. Also, you need to have subscriptions to Workspace Service and Smart Tools.

NetScaler MA Service agent installation requirements

Install and configure an agent in your network environment to enable communication between Citrix Analytics and the managed NetScaler instances in your data center. In your data center, you can install an agent on Citrix XenServer, VMware ESXi, Microsoft Hyper-V, and Linux KVM Server.

The following table lists the virtual computing resources that the hypervisor must provide for the agent.

| Component | Requirement |
|---|---|
| RAM | 8 GB. Note: Citrix recommends that you use 32 GB for better performance. |
| Virtual CPU | 4. Note: Citrix recommends that you use 8 CPUs for better performance. |
| Storage Space | 120 GB |
| Virtual Network Interfaces | 1 |
| Throughput | 1 Gbps |

NetScaler MA Service agent port requirements

Ensure the following ports are open for the NetScaler MA Service agent to communicate with NetScaler instances.

| Type | Port | Description |
|---|---|---|
| TCP | 80/443 | For NITRO communication from agent to NetScaler instances. |
| TCP | 22 | For SSH communication from agent to NetScaler instance. |
| UDP | 4739 | For AppFlow communication from NetScaler to agent. |
| ICMP | No reserved port | To detect network reachability from agent to NetScaler instances. |
| SNMP | 161, 162 | To receive SNMP events from NetScaler instance to agent. |
| Syslog | 514 | To receive syslog messages in agent from NetScaler instance. |
| TCP | 5557 | For logstream communication from NetScaler instances to agent. |

For communication between the NetScaler MA Service agent and Citrix Analytics, make sure the following port is open:

| Type | Port | Details |
|---|---|---|
| TCP | 443 | For NITRO communication from the agent to NetScaler Management and Analytics Service. |
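The two port tables above describe a small set of directed flows, which makes them easy to check against a firewall policy. The following is an added example, not part of the Citrix guide: it audits an exported rule list for required flows that are missing and for allowed flows the tables do not call for. The zone labels, the one-line rule syntax and the sample rules are constructed for illustration; it assumes SNMP and syslog run over UDP and treats "80/443" as two separate flows.

```python
import re
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str              # zone label (constructed for this example)
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None = ICMP, or "any port" on a TCP/UDP rule


# Flows transcribed from the two port tables; directions follow the tables'
# descriptions. Assumptions: SNMP and syslog use UDP, "80/443" is two flows.
REQUIRED = {
    Flow("agent", "netscaler", "tcp", 80): "NITRO (HTTP)",
    Flow("agent", "netscaler", "tcp", 443): "NITRO (HTTPS)",
    Flow("agent", "netscaler", "tcp", 22): "SSH",
    Flow("agent", "netscaler", "icmp", None): "reachability check",
    Flow("netscaler", "agent", "udp", 4739): "AppFlow",
    Flow("netscaler", "agent", "udp", 161): "SNMP",
    Flow("netscaler", "agent", "udp", 162): "SNMP",
    Flow("netscaler", "agent", "udp", 514): "syslog",
    Flow("netscaler", "agent", "tcp", 5557): "logstream",
    Flow("agent", "ma_service", "tcp", 443): "NITRO to NetScaler MA Service",
}

# Hypothetical rule syntax: allow <proto> <src> -> <dst> [<ports>|any]
RULE_RE = re.compile(
    r"^allow\s+(tcp|udp|icmp)\s+(\w+)\s*->\s*(\w+)(?:\s+(any|\d+(?:,\d+)*))?$"
)

# Constructed sample export; not taken from any real device.
SAMPLE_RULES = """\
allow tcp  agent     -> netscaler  443,22   # NITRO over HTTPS, SSH
allow icmp agent     -> netscaler
allow udp  netscaler -> agent      4739,514,162
allow tcp  netscaler -> agent      5557
allow tcp  agent     -> ma_service 443
allow tcp  netscaler -> agent      8080     # leftover test rule
"""


def parse_rules(text):
    """Return a list of (src, dst, proto, ports); ports is None for 'any'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        proto, src, dst, ports = m.groups()
        if proto == "icmp" or ports in (None, "any"):
            port_set = None
        else:
            port_set = frozenset(int(p) for p in ports.split(","))
        rules.append((src, dst, proto, port_set))
    return rules


def audit(text):
    """Return (missing, excess): required flows not allowed, and allowed
    flows that the port tables do not ask for (any-port rules included)."""
    rules = parse_rules(text)

    def allowed(flow):
        return any(
            (src, dst, proto) == flow[:3] and (ports is None or flow.port in ports)
            for src, dst, proto, ports in rules
        )

    missing = sorted(
        (f for f in REQUIRED if not allowed(f)),
        key=lambda f: (f.src, f.dst, f.proto, f.port or 0),
    )
    excess = []
    for src, dst, proto, ports in rules:
        if proto == "icmp":
            if Flow(src, dst, "icmp", None) not in REQUIRED:
                excess.append(Flow(src, dst, "icmp", None))
        elif ports is None:
            # An any-port rule satisfies the table but is broader than needed.
            excess.append(Flow(src, dst, proto, None))
        else:
            excess.extend(
                Flow(src, dst, proto, p)
                for p in sorted(ports)
                if Flow(src, dst, proto, p) not in REQUIRED
            )
    return missing, excess


if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    for f in missing:
        print("MISSING", f, "-", REQUIRED[f])
    for f in excess:
        print("EXCESS ", f)
```

Run against the sample, the audit reports the closed HTTP NITRO port and SNMP port 161 as missing and the leftover 8080 rule as excess.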


Getting started

This section walks you through getting started with onboarding and setting up Citrix Analytics for the first time. This document is intended for network and application administrators who manage the following Citrix products:

• NetScaler instances

• ShareFile

• XenMobile Service

• XenApp and XenDesktop Service

• On-premises XenApp and XenDesktop

Step 1: Sign up for Citrix Cloud

To start using Citrix Analytics, you must first create a new Citrix Cloud company account or join an existing one that has been created by someone else in your organization. For detailed processes and instructions on how to proceed, see Signing Up for Citrix Cloud.

Step 2: Request a Citrix Analytics trial

After you sign in to Citrix Cloud, a screen similar to the following appears. In the Available Services section, on the Citrix Analytics tile, click Request Trial.

The Citrix Analytics tile moves to the My Services section, and the button then changes to Trial Requested. You will receive an email to notify you when your trial becomes available.


After you are authorized to access the trial, the button on the tile changes to Manage. Click Manage to log on to Citrix Analytics.


The following image shows the Welcome screen of the Citrix Analytics service. Click Get Started to begin setting up Citrix Analytics for the first time. Alternatively, you can also set up Citrix Analytics from Settings > Data Sources.

Step 3: Set up Citrix Analytics

To set up Citrix Analytics, you must either enable Analytics on discovered data sources or add on-premises data sources and then enable Analytics on them. Data sources are the Citrix services and products that send data to Citrix Analytics.

When you sign up for Citrix Analytics, the data sources associated with your Citrix Cloud account are automatically discovered by Citrix Analytics. This includes NetScaler instances added to NetScaler MA Service and on-premises XenApp and XenDesktop Sites added to Citrix Workspace.

However, you have to explicitly enable Analytics on the discovered data sources to begin transmitting data from these data sources. Citrix Analytics, then, processes and stores this data and makes the analytics data available on dashboards for your viewing.

You can also add additional on-premises data sources such as Citrix NetScaler and Citrix XenApp and XenDesktop to Citrix Analytics and enable Analytics on them. The data is then uploaded to Citrix Analytics for processing and viewing.


Adding ShareFile Data Sources

To monitor analytical data for ShareFile, you must be subscribed to the ShareFile service.

To add ShareFile service to your Citrix Cloud account, perform the following steps:

1. On Citrix Cloud, under Available Services, click Request Trial for ShareFile service.

2. When the ShareFile service tile changes its status from Trial Requested to Manage, you can do the following:

a. If you do not have a ShareFile account, you can try the ShareFile service by requesting a trial. On the Citrix Cloud page, click Manage under ShareFile. On the ShareFile service page, you can request a trial.

Under the Request Trial tab, you need to choose a geographical location and create a subdomain, which is a unique URL for your ShareFile account. Enter the details and click Request Trial.

To learn more about ShareFile subdomains, click here.

b. If you already have a ShareFile account, you can link your ShareFile account under the Link Account tab of the ShareFile service page.

Note: To link an account with your email address, you must be a ShareFile administrator.


You should now be subscribed to ShareFile.

To add the ShareFile data source to Citrix Analytics, perform the following steps:

1. Now, back on the Citrix Cloud page, click Manage on the Citrix Analytics tile.

2. To go to the Data Sources page manually, navigate to Settings in the top-right corner and select Data Sources. On the Data Sources page, to enable communication between ShareFile service and Citrix Analytics, click on the ShareFile tile to flip it. Click Turn On Data Transmission.

If your Citrix Cloud account is enrolled in the ShareFile service, Citrix Analytics automatically detects your account, and the ShareFile service appears as a tile on the Data Sources page.

Note:

• To disable communication between ShareFile service and Citrix Analytics, click on the ShareFile tile to flip it. Click Turn Off Data Transmission. On the confirmation dialog, click Yes, Turn Off to proceed.

Adding Access Control data source

To monitor analytical data for Access Control, you must be subscribed to the Access Control service.

To add Access Control service to your Citrix Cloud account, perform the following steps:

1. On Citrix Cloud, under Available Services, click Request Trial for Access Control service.

2. When the Access Control service tile changes its status from Trial Requested to Manage, click the Manage button and configure Access Control settings. For more information, see Access Control Documentation.

3. After you configure Access Control, back on the Citrix Cloud page, click Manage on the Citrix Analytics tile. If your Citrix Cloud account is enrolled in the Access Control service, Citrix Analytics automatically detects your account, and the Access Control service appears as a tile on the Data Sources page.

4. To go to the Data Sources page manually, navigate to Settings in the top-right corner and select Data Sources. On the Data Sources page, to enable communication between Access Control service and Citrix Analytics, click on the Access Control tile to flip it. Click Turn on data transmission.

Adding the XenMobile data source

To view user behavior analytics data for XenMobile, you must first subscribe to the XenMobile Service from Citrix Cloud.

To begin, perform the following steps:

1. On Citrix Cloud, under Available Services, click Request Trial for XenMobile Service. Once requested, the XenMobile Service tile appears under My Services with the button Trial Requested.

Note: Your XenMobile administrator gets a request to approve your trial. Once approved, you get an email notifying you of the successful approval.

2. Click Manage for XenMobile Services. You will be redirected to the XenMobile Service installation wizard.

3. Click Get Started.

4. In Cloud Site and Enterprise Directory Setup section, click Configure MDM.


5. On Device Management, do the following:

a. In the Site Name field, type a site name.

b. In the Cloud Region list box, select the cloud region.

Note: To limit access to the XenMobile admin console to a specific customer IP address range, type the range in the ‘Limit Access to XenMobile console to this IP Address’ field.

6. Click Ok.


7. Select the Active Directory location. By default, My Resource Location is selected. Click Next.

8. Click Download Cloud Connector. Click Save & Exit. For more information, see: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-resource-locations/citrix-cloud-connector.html.

Note: You need to download and install the Cloud Connector on a Virtual Machine that is part of an Active Directory


9. Click Finish.

Click the hamburger icon > Home to return to the Citrix Analytics home screen. Once approved, click Manage for XenMobile Services to manage and configure the XenMobile service. The console appears as below.


After your Citrix Cloud account has a XenMobile service subscription, Citrix Analytics automatically detects it and the XenMobile Service appears as a tile on the Data Sources page.

To enable communication between XenMobile Service and Citrix Analytics, perform the following steps:

1. On Data Sources, click the XenMobile site tile.

The following site options appear:

• View Environment Log – Click to view the event log.

• Turn on Data Transmission – Click to turn on the data transmission.

• Remove from Citrix Analytics Service – Click to delete the service from the Cloud.

2. Click Turn on data transmission.

Once transmission is turned on, you can view data about the devices on the Citrix Analytics service dashboard. To view the dashboard, click the Security tab.

Adding the XenApp and XenDesktop data source

You can add XenApp and XenDesktop data sources in two ways:

• Discover XenApp and XenDesktop service.

• Add on-premises XenApp and XenDesktop data source.

Discover XenApp and XenDesktop service

If your Citrix Cloud account is subscribed to XenApp and XenDesktop Service, it is automatically discovered by Citrix Analytics. The XenApp and XenDesktop Service card is then visible on the Data Sources page. You have to enable Analytics to allow Citrix Analytics to begin processing data for the XenApp and XenDesktop Service.

Add on-premises XenApp and XenDesktop data source

Before you begin onboarding the on-premises XenApp and XenDesktop Sites to Citrix Analytics, review the System Requirements and Prerequisites sections, and ensure that you have completed the required tasks.

Prerequisites

Make sure that you have:

1. Delivery Controller version 7.16 and later

2. Director version 7.16 and later

3. Receiver for Windows version 4.11 and later

4. Subscription to Citrix Workspace Service. You must have a Citrix Workspace Service subscription. Citrix Workspace Service is included with new subscriptions to XenApp and XenDesktop Service after December 2017, as either a trial or as a purchased service.

Note that XenApp and XenDesktop Essentials is not supported on Citrix Analytics.

To purchase a Citrix Workspace Service subscription, visit https://www.citrix.com/products/citrix-workspace/get-started.html and contact a Citrix Workspace expert who can help you.

5. Site(s) added to Workspace. Citrix Analytics automatically discovers the Sites added to Citrix Workspace. You must add your Sites to Citrix Workspace before proceeding with onboarding on Citrix Analytics. This process is known as Site aggregation.

Site aggregation requires you to install Cloud Connector, configure NetScaler Gateway STA servers for internal and external connectivity to Workspace resources, and then add the Sites to Workspace. For detailed instructions on Site aggregation, see https://docs.citrix.com/en-us/citrix-cloud/workspaces/add-on-premises-site.html

• Site credentials for Citrix Analytics. While configuring your Site for the Actions feature of Citrix Analytics, you have to provide the Citrix administrator credentials for your on-premises Site. These credentials should have the following permissions:

i. Citrix administrator role: Full Administrator

ii. Active Directory: Domain Users

6. Server URL for Citrix Director. Using this information, Citrix Analytics accesses the real-time data available to provide in-depth analysis of user behavior in your Site.

7. Delivery Controller. During the process of configuring your Site for advanced Citrix Analytics features such as Actions, you have to install the XenApp and XenDesktop agent on a Delivery Controller in your on-premises Site. This agent enables your Site to communicate with Citrix Analytics on port 443 (HTTPS).

Note: If your Site is connected to the Smart Tools service using the Citrix Smart Tools agent, you won't have to install this agent again.

Ensure that the Delivery Controller hosting the agent meets the following requirements:

• Supports PowerShell 3.0 or later.

• Outbound connections on TCP port 443 (HTTPS) are allowed.
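
A pre-flight check for the two Delivery Controller requirements listed above, as an added example that is not part of the Citrix guide or the agent installer. The endpoint host name is a placeholder assumption (the guide does not name one), and the function names are hypothetical.

```powershell
# Added example: run on the Delivery Controller that will host the agent.
# Assumption: $Endpoint is a placeholder. Replace it with the Citrix Cloud
# host name approved by your network team; the guide does not list one.
param(
    [string]$Endpoint  = 'citrix-cloud-endpoint.example.invalid',
    [int]$Port         = 443,
    [int]$TimeoutMs    = 5000
)

function Test-PowerShellVersion {
    # Requirement from the guide: PowerShell 3.0 or later.
    return ($PSVersionTable.PSVersion.Major -ge 3)
}

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    # TcpClient is used instead of Test-NetConnection so the check also
    # runs on PowerShell 3.0, where that cmdlet is not available.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # timed out: typically a silent firewall drop
        }
        $client.EndConnect($async)     # throws on refusal or DNS failure
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SystemProxyFor {
    param([string]$HostName, [int]$Port)
    # Reports the proxy the current user's system settings would use for this
    # URL. The agent's service account may be configured differently.
    $uri   = [System.Uri]"https://${HostName}:$Port/"
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    if ($proxy.IsBypassed($uri)) { return $null }
    return $proxy.GetProxy($uri).Authority
}

$psOk    = Test-PowerShellVersion
$tcpOk   = Test-OutboundTcp -HostName $Endpoint -Port $Port -TimeoutMs $TimeoutMs
$proxyAt = Get-SystemProxyFor -HostName $Endpoint -Port $Port

New-Object PSObject -Property @{
    PowerShellVersion = $PSVersionTable.PSVersion.ToString()
    PowerShellOk      = $psOk
    Endpoint          = "${Endpoint}:$Port"
    DirectTcp443      = $tcpOk
    SystemProxy       = $proxyAt
} | Format-List
```

A False for DirectTcp443 together with a non-empty SystemProxy usually means outbound HTTPS is expected to leave through that proxy rather than directly, so check the proxy path before opening the firewall.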

Add on-premises XenApp and XenDesktop Site to Citrix Analytics

Ensure that you have reviewed the System Requirements and Prerequisites sections before you begin adding XenApp and XenDesktop data sources.

To add an on-premises XenApp and XenDesktop data source

1. Sign in to Citrix Cloud from a browser and under My Services, click Manage on the Citrix Analytics tile.

Alternatively, you can also log on as an administrator to a Delivery Controller in your Site, and then sign in to Citrix Cloud.

2. On the Citrix Analytics overview page, click Get Started. The Data Sources page appears.

If you have already discovered other data sources, you are taken to the User Risk Profiles page. Navigate to Settings > Data Sources to view the Data Sources page.

3. Citrix Analytics discovers the XenApp and XenDesktop Sites from Citrix Workspace and displays them on the Data Sources page. Each Site is represented as an individual card.

Important: If you are not subscribed to Citrix Workspace and do not have your on-premises Sites added to Citrix Workspace, Citrix Analytics cannot discover and process data from your Sites. Review the Prerequisites section for details.

4. To allow Citrix Analytics to begin processing and storing data from the Sites, click Enable Analytics on a Site card and follow the prompts on the screen.

If you have multiple Sites added to the same workspace, clicking Enable Analytics on any one of the Site cards lets Citrix Analytics process and store data from all the Sites in that workspace.

You should see a success message when Analytics is successfully enabled on all your Sites.

Citrix Analytics now begins processing and storing data from all your Sites.

You can view the user risk scores and the risk indicators on the dashboards. However, to be able to take action on the risk indicators, you have to configure agents on the Delivery Controller as shown in the next steps.

5. To use the Actions feature of Citrix Analytics, you have to install and configure agents on the Delivery Controller. Flip the Site card and click Continue setup.

You have to do this individually for each Site. For high availability and reliability, Citrix recommends that you install multiple agents in each Site.

The Configure <SiteName> to Use the Actions Feature of Citrix Analytics wizard appears.

Note: If your Site is connected to the Smart Tools service using the Citrix Smart Tools agent, you won’t have to install this agent again. Clicking Continue setup will prompt you to enter the Site administrator credential details similar to step 8 below.

6. Click Download Agent. When prompted, save the agent package. Install the agent on one of the Delivery Controllers in your Site.

Note: Make sure your browser settings are configured to not block pop-up windows; otherwise, the agent might not download to your system.

7. After the installation finishes, click Connect to Installed Agent. The agent registers your Site with Citrix Analytics. This process might take a few minutes.

8. Enter the user name and password for your Site administrator account and then click Next. Citrix Analytics verifies your entries.

9. Enter your Site’s Director URL and click Next.

10. Review the configuration summary and verify that your Site is available for Citrix Analytics and that the Analytics agent is online. Click Done to close the wizard.

The XenApp and XenDesktop Site setup is completed successfully and the Data Sources page appears.

Manage your Site card

You can view the Site details and you can turn off or on data processing anytime you want to. You can also remove a Site from Citrix Analytics if you do not want the Site to send data to Citrix Analytics.

Flip a Site card and do one of the following:

• Turn off data processing for all Sites. This action stops all communication between Citrix Analytics and your XenApp and XenDesktop Sites added from the same workspace. No new data is processed or stored. For details about data retention policy, see the section “Data governance.”

To turn on data processing again, on the Data Sources page, flip a Site card and click “Turn on data processing.” This will turn on data processing on all Sites added from the same workspace.

• View Site details. You can view the details of the installed agent and the Delivery Controller where it is installed.

• Remove from Citrix Analytics. After you remove the Site, Citrix Analytics stops collecting data from the Sites, but all the previously processed data is available for the duration of the retention period.

You can rediscover this Site by clicking Discover More Data Sources on the Data Sources page. You do not have to reinstall the agent; however, you will have to configure the settings to reconnect to the Delivery Controller and Director.

Adding NetScaler data source

You can add NetScaler data sources in two ways:

• Discover data source from NetScaler MA service

• Add additional on-premises NetScaler data source

To add NetScaler data sources, you must have a subscription for NetScaler MA Service.

Discover data source from NetScaler MA service

If your Citrix Cloud account is subscribed to NetScaler MA Service, the agents and NetScaler instances associated with this service are automatically discovered and associated with Citrix Analytics. You have to enable Analytics to allow Citrix Analytics to begin processing data for the NetScaler instances.

1. Log on to Citrix Analytics.

2. Navigate to Settings > Data Sources. The agent associated with NetScaler MA Service appears as a tile on the Data Sources page.

3. Click the three dots (…) on the top right corner of the tile, and then click Turn on Data Transmission.

Add additional on-premises NetScaler data source

If you want to add more NetScaler instances as data sources, you can add these instances to Citrix Analytics.

This involves the following steps:

1. Install and set up an agent

2. Add NetScaler instances

3. Enable analytics

To begin, navigate to Settings > Data Sources, and then select NetScaler from the list of data sources. Then, click Get Started.

Step 1: Install and set up an agent

Install and configure the NetScaler MA Service agent in your network environment to enable communication between Citrix Analytics and the instances in your data center.

You can install an agent on the following hypervisors in your enterprise data center:

• Citrix XenServer

• VMware ESXi

• Microsoft Hyper-V

• Linux KVM Server

To install and set up an agent, do the following:

1. Download agent image.

On the Set up agent on a hypervisor page, select the hypervisor and click Download Image to download the agent image to your local system.

2. Copy service URL and activation code.

A service URL and an activation code are generated and displayed on the UI as shown in the image below. (This might take a few seconds.) The agent uses the service URL to locate the service and the activation code to register with the service. You have to enter the service URL and the activation code while installing the agent on your hypervisor.

3. Install the agent on a hypervisor.

Note: Before you begin agent installation, ensure that:

• You have the required virtual computing resources that the hypervisor must provide for each agent: RAM: 8 GB, vCPU: 4, storage space: 120 GB, virtual network interface: 1, and throughput: 1 Gbps.

• You configure your DNS to allow internet access to your agent.

• On Citrix XenServer hypervisor, perform the following:

i. Import the agent image file to your hypervisor, and from the Console tab configure the initial network configuration options as shown in the following example.

If you have entered incorrect values or want to change any value, log on to the shell prompt by using the default credentials nsrecover/nsroot, and then run the command “networkconfig.”

ii. Enter the Service URL and the Activation Code that you saved when you had downloaded the agent image.

If you entered the service URL or the activation code incorrectly, log on to the shell prompt of the agent and then run the script: deployment_type.py. This script lets you reenter the Service URL and activation code.

• On VMware ESXi hypervisor, perform the following:

i. Import the agent image file to your hypervisor, and from the Console tab configure the initial network configuration options as shown in the following example.

ii. After you configure the network, when prompted, log on to the shell prompt of the agent using the default credentials nsrecover/nsroot.

iii. Navigate to /mps directory, run the script deployment_type.py and enter the Service URL and the Activation Code that you saved when you had downloaded the agent image.

Note: You can use the same image file to install multiple agents. However, you cannot use the same activation code on more than one agent. To generate a new activation code, access Citrix Analytics, and on the Set up agent on a hypervisor page, click Download Image Again. A new activation code is generated.

4. Register Agent.

After agent registration is successful, the agent restarts to complete the installation process. After the agent has restarted, access Citrix Analytics and click Register Agent, and then verify the status of the agent.

When the agent status is in the UP state denoted by a green dot next to it, click Next to start adding instances to the service.

Step 2: Add NetScaler instances

Instances are NetScaler appliances or virtual appliances that are the data sources for Citrix Analytics.

1. On the Add NetScaler Instances page, select the instance type and specify hostnames or IP Addresses or range of IP addresses of NetScaler instances to discover.

2. Create an authentication profile that the agent can use to access the NetScaler instances. This profile is the administrator credentials of a NetScaler instance.

3. Click Add Instances.

After the instances are added, you can view the number of instances that have been successfully discovered. To add more instances, click Add More Instances.

Click Next to enable analytics.

Step 3: Enable analytics

Citrix Analytics automatically discovers the licensed virtual servers on the added NetScaler Instances. You must manually enable analytics on all the discovered virtual servers.

On the Enable Analytics page, by default, all the licensed virtual servers on the NetScaler instances appear. Review the list of licensed virtual servers and click Enable Analytics to enable analytics on the virtual servers.

A tile appears on the Data Sources page.

Security Analytics

Risk indicators

Risk indicators are user activities that look suspicious or can pose a security threat to your organization. Risk indicators span across all Citrix products used in your deployment. The indicators are based on user behavior and are triggered where the user’s behavior deviates from the normal. Risk indicators help in determining the user’s risk score.

Risk indicators can be of the following categories:

• Access based. These risk indicators are triggered when the user accesses the network or a specific resource that is unauthorized, or when they are unable to access it.

• Data based. These risk indicators are triggered when a user has downloaded or uploaded an unusually large volume of data. This data upload or download activity could be to an internal or external destination over a specific time period.

• Application based. These risk indicators are triggered when the user has attempted to access an unauthorized application over a specific time period.

The following table lists the risk indicators that are provided by various Citrix products:

Citrix Products: Risk Indicators

• ShareFile

o Excessive access to sensitive files

o Excessive file sharing

o Excessive file or folder deletion

o Excessive file downloads

o Ransomware activity suspected

o Unusual logon access

• NetScaler

o End point analysis (EPA) scan failure

o Logon failures

o Authorization failures

o Unusual logon location

• XenMobile

o Unmanaged device detected

o Jailbroken or rooted device detected

o Device with blacklisted apps detected

• XenApp and XenDesktop/ Citrix Workspace

o Access from device with unsupported OS

o Access from new device

o Unusual application usage

o Potential data exfiltration

• Access Control

o Unusual upload volume

o Unusual download volume

o Risky website access

o Attempt to access blacklisted URL

Risk score

A risk score is a value that indicates the aggregate level of risk a user poses to the network over a pre-determined monitoring period. This value is dynamic and is based on User Behavior Analytics (UBA) algorithms that study and determine patterns of user behavior. These algorithms are applied to analyze anomalies that indicate potential threats.

For a defined monitoring period, the risk score is an aggregate of the risk indicators that are triggered for a user. A user associated with a risk score can be one of the following types:

• High risk users. Users with risk score between 91 and 100. These users represent immediate threats to the organization.

• Medium risk users. Users with risk score between 71 and 90. These users could have multiple serious violations on their account and must be monitored closely.

• Low risk users. Users with risk score between 0 and 70. These users may have some violations detected on their account. They can also include users who were previously high or medium risk users who have been reevaluated over a pre-determined time period.

User security dashboard

The user security dashboard provides visibility into user-behavior patterns across an organization. Citrix Analytics uses machine learning and artificial intelligence to detect suspicious activity and potential threats. Using this data, organizations can proactively monitor, detect, and flag behavior that falls outside the norm, such as phishing or ransomware attacks. The User Risk Profile displays the following details:

• Risky users. Users that have acted in a risky manner or presented risky behavior.

• Discovered users. Total number of discovered users in your organization.

• Top users. List of risky users who have the highest risk score and the highest risk score change associated with their account.

• Users in watchlist. Users monitored closely by administrators.

Risky users

Risky users can be identified by the behavior or actions that they take using Citrix products. A risk score is a value that indicates the level of risk a user poses to the network for a specific time period. This value is dynamic and is based on user behavior analytics. A risky user associated with a risk score can be one of the following types:

• High risk users. Users with risk score between 91 and 100. These users represent immediate threats to the organization.

• Medium risk users. Users with risk score between 71 and 90. These users could have multiple serious violations on their account and must be monitored closely.

• Low risk users. Users with risk score between 0 and 70. These users may have some violations detected on their account. They can also include users who were previously high or medium risk users who have been reevaluated over a pre-determined time period.

Discovered users

Discovered users are all the users in your organization who are discovered by Citrix Analytics. They may or may not have a risk score associated with their account. So, it is possible that the number of discovered users on the Users dashboard is more than the number of risky users.

To view the list of all discovered users, click the Discovered Users link. The following information is displayed:

• The list of all users

• The number of devices the user uses to access data sources

• Locations from which the user could have logged in

• Amount of data consumed by the user

• Applications accessed by the user

Top users

The top users are a list of risky users who have the highest risk score and the highest risk score change associated with their account. The Top Users pane displays the current risk score of the users, the change in the risk score, and the trend in the risk score change. You can click on the user’s name to see the list of risk indicators detected by Citrix Analytics for the user.

When you click on the user’s name, you can learn more about the user by clicking User Info highlighted in the image below. The following information is displayed:

• The number of devices the user uses to access data sources

• Locations from which the user could have logged in

• Amount of data consumed by the user

• Applications accessed by the user

Users in watchlist

The Users in Watchlist pane lists all the users that you want to monitor closely. Based on your organization’s policy, you can add a user to the watchlist using the Add to watchlist action. For example, you can monitor users who aren’t full-time employees within your organization by adding those users to the watchlist and monitor them separately.

Add a user to watchlist manually

To add a user to the watchlist, navigate to the user’s profile and, from the Actions menu, select Add to watchlist. Click Apply to enforce the action.

User Access Dashboard

The domains accessed by the users in your network are categorized based on the URL categorization configuration in Access Control. The User Access dashboard summarizes the number of risky domains accessed and the volume of data uploaded and downloaded by the users in your network. To access the User Security dashboard, from the Security tab, click User Access.

For the selected timeframe, in the User Access Summary section, the dashboard provides an overview of the number of malicious domains, dangerous domains, unknown domains, clean domains, and blocked URLs accessed by the users in your network, along with the trend in users’ access to these domains.

In the Top Risky Users by Access section, the dashboard provides the details of top users who have accessed the URLs or domains that are categorized as malicious or dangerous by Access Control. It provides the user account name, the number of risky domains accessed by the user, and the total number of domains accessed by the user.

You can click More Details to view the complete list of users who have accessed the risky domains.

In the Top Risky Users by Data Download Volume section, the dashboard provides the details of the top users who have uploaded or downloaded a large volume of data from the domains that are categorized as malicious or dangerous by Access Control. It provides the user account name and the volume of data uploaded or downloaded by the user from the risky domains.

You can click More Details to view the complete list of users who have uploaded or downloaded data from the risky domains.

App Access Dashboard

The App Access dashboard summarizes the details of the domains, URLs, and apps accessed by users in your network. To access the App Access dashboard, from the Security tab, click App Access.

For the selected timeframe, in the App Access Summary section, the dashboard provides an overview of the number of malicious domains, dangerous domains, unknown domains, and clean domains accessed by users in your network. It also provides the volume of data uploaded or downloaded from the risky domains.

Top risky domains by access

The Top Risky Domains by Access section provides details about the malicious or dangerous domains that were most accessed by the users in your network. It provides details such as:

• The URL of the risky domain.

• The category to which the domain has been categorized by Access Control.

• The action taken by Access Control to mitigate the risk.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the risky domain for the selected timeframe.

You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.

Top risky domains by data download volume

The Top Risky Domains by Data Download Volume section provides details about the top malicious or dangerous domains from which data was downloaded by users. The details are sorted from highest to lowest data volume. It provides details such as:

• The URL of the risky domain.

• The category to which the domain has been categorized by Access Control.

• The volume of data downloaded by users from the risky domain, with the increase in trend of the amount of data downloaded from the risky domain for the selected timeframe.

You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.

Top risky categories by access

The Top Risky Categories by Access section provides details of the categories of domains that were accessed the highest number of times by the users in your network. It provides details such as:

• The category to which the domain has been categorized by Access Control.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the risky domain for the selected timeframe.

• The number of transactions by users on the risky domain, with the increase in trend of the number of transactions by users on the risky domain for the selected timeframe.

• The number of transactions blocked by Access Control.

You can click More Details to view the complete list of malicious or dangerous domains that were accessed by the users in your network.

Top risky categories by data download volume

The Top Risky Categories by Data Download Volume section provides details of the categories of domains from which the highest amount of data was uploaded or downloaded by the users in the network. It provides details such as:

• The category to which the domain has been categorized by Access Control.

• The total volume of data uploaded or downloaded from the domain by users in your network.

• The amount of data downloaded from the domain by users.

• The amount of data uploaded to the domain by users.

You can click More Details to view the complete details of the amount of data uploaded or downloaded by the user from the domains.

Risk timeline

The Risk timeline on a user’s profile enables you, as a Citrix Analytics administrator, to gain deeper insights into a user’s risky behavior. You can also see the corresponding actions taken on their account for a selected time period. From the Risk timeline, you can delve deeper into a user’s profile to understand the following:

• Data usage

• Device usage

• Application usage

• Location usage

Additionally, you can view the risk score and risk indicator trends for the user and determine if the user is a high-risk user or not.

When you go to a user’s risk timeline, you can select either a risk indicator or an action that has been applied to their account. If you choose one of the above, the right pane displays the risk indicator section or the action section.

The Risk Timeline displays the following information:

• Risk indicators. Risk indicators are user activities that are suspicious or can pose a security threat to your organization. The indicators are triggered when the user’s behavior deviates from their normal behavior. The risk indicators can come from the following products:

o ShareFile

o NetScaler Gateway

o XenMobile Service

o XenApp and XenDesktop/ Citrix Workspace

To learn more about risk indicators, see Risk indicators.

• Actions. Actions help you respond to suspicious events and prevent future anomalous events from occurring. Actions that have been applied on a user’s profile are displayed on the risk timeline. These actions are either automatically applied to a user’s account through configured rules or you can apply a specific action manually.

To learn more about actions and how to configure them manually, see Rules and actions.

When you select a risk indicator from the user’s timeline, the risk indicator information section is displayed in the right pane. You can view the reason for the risk indicator along with details of the event. They are broadly categorized into the following sections:

• What happened. You can view a summary of the risk indicator here. For example, if you have selected the Excessive file sharing risk indicator, the What happened section shows the number of share links sent to recipients and when the sharing event occurred.

• Event details. You can view individual event entries in graphical and tabular format along with details of the event.

• Additional contextual information. You can view data shared, if any, during an event’s occurrence in this section.

Rules and actions

You can create rules on Citrix Analytics to help you perform actions on user accounts when unusual or suspicious activities occur. Rules let you automate the process of applying actions such as disabling a user, adding users to a watchlist, and so on. When you apply these rules, the action is applied immediately after an anomalous event occurs and the rule condition is met. You can also manually take actions on user accounts with anomalous activities.

Rules

A rule can be defined as a set of conditions that must be met for an action to be executed. A rule can contain a single condition and one or more actions. You can create a rule with multiple actions that can be applied to a user’s account.

Conditions such as Risk score and Risk score change are global conditions. Global conditions can be applied to a specific user for a specific data source. You can keep a watch on user accounts that show unusual activity. Other conditions are specific to data sources and their risk indicators.

For example, if your organization works with sensitive data, you might want to restrict the amount of data shared or accessed by users internally. But if you have a large organization, it wouldn’t be feasible for a single administrator to manage and monitor many users. You can create a rule whereby anyone who shares sensitive data excessively is added to a watchlist or has their account disabled immediately.

Note: Rules with identical conditions return an error. In such a scenario, users see the following error: “<Name of the rules created> has the same condition. Modify condition and try again.”
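The rule semantics described in this section (one condition, one or more actions, identical conditions rejected) can be modeled in a few lines. This is an added example, not Citrix code: the Condition shape, the class names, the user names, and the assumption that a disabled rule neither fires nor counts a hit are all illustrative.

```python
from dataclasses import dataclass


class DuplicateConditionError(ValueError):
    """A new rule repeats the condition of an existing rule."""


@dataclass(frozen=True)
class Condition:
    # Assumed shape: the data source plus the risk indicator it reports.
    data_source: str
    risk_indicator: str


@dataclass
class Rule:
    name: str
    condition: Condition   # a rule holds a single condition
    actions: tuple         # one or more action names
    enabled: bool = True
    hits: int = 0          # number of times the rule has triggered


class RuleSet:
    def __init__(self):
        self.rules = []

    def create(self, rule):
        if not rule.actions:
            raise ValueError("a rule needs at least one action")
        clashes = [r.name for r in self.rules if r.condition == rule.condition]
        if clashes:
            names = ", ".join(clashes + [rule.name])
            raise DuplicateConditionError(
                f"{names} has the same condition. Modify condition and try again."
            )
        self.rules.append(rule)

    def evaluate(self, user, data_source, risk_indicator):
        """Return the (user, action) pairs to apply for one reported indicator."""
        reported = Condition(data_source, risk_indicator)
        applied = []
        for rule in self.rules:
            # Assumption: a disabled rule neither fires nor counts a hit.
            if rule.enabled and rule.condition == reported:
                rule.hits += 1
                applied.extend((user, action) for action in rule.actions)
        return applied


def demo():
    rules = RuleSet()
    sharing = Condition("ShareFile", "Excessive file sharing")
    # A ShareFile indicator can drive a ShareFile action and a global action.
    rules.create(Rule("excessive file sharing", sharing,
                      ("Expire All Shared Links", "Add to watchlist")))
    rules.create(Rule("gateway logon failures",
                      Condition("NetScaler", "Logon failures"),
                      ("Notify Admin",), enabled=False))
    try:
        # Same condition as the first rule, so creation is refused.
        rules.create(Rule("sharing lockout", sharing, ("Disable user",)))
        error = None
    except DuplicateConditionError as exc:
        error = str(exc)
    # Constructed user names and events.
    applied = rules.evaluate("sallie.linville", "ShareFile", "Excessive file sharing")
    applied += rules.evaluate("lemuel.kildow", "NetScaler", "Logon failures")
    hits = {r.name: r.hits for r in rules.rules}
    return applied, error, hits
```

When a second response to the same condition is needed, the model shows the practical consequence of the duplicate check: add the action to the existing rule instead of creating another rule.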

Actions

Actions help you respond to suspicious events and prevent future anomalous events from occurring. You can take action on user accounts that display unusual or suspicious behavior. You can either configure rules to take action on the user’s account automatically or apply a specific action manually from the user’s risk timeline.

You can view global actions or actions for each Citrix data source. You can also disable previously applied actions for a user at any time.

Note: Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

The following list describes the actions that you can take, along with the data sources that each action applies to.

Global actions

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist. The “Users in Watchlist” pane lists all the users that you want to monitor for potential threats based on the unusual activity on their account. Based on your organization’s policy, you can add a user to the watchlist using the Add to watchlist action. To add a user to the watchlist, navigate to the user’s profile and, from the Actions menu, select Add to watchlist. Click Apply to enforce the action.

o Data sources applicable on: All data sources

• Notify Admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

o Data sources applicable on: All data sources

NetScaler actions

• Log Off User. When a user is logged off from their account, they cannot access any resource through NetScaler until the NetScaler administrator clears the Log Off User action.

o Data sources applicable on: NetScaler on-premises, NetScaler MA Service

ShareFile actions

• Disable user. Citrix Analytics enables you to restrict or revoke a user’s access by disabling their ShareFile account. After their account is disabled, the user will see a notification. The notification on the logon page of their account asks them to reach their ShareFile administrator for further information.

o Data sources applicable on: ShareFile

• Expire All Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator. When a user shares files excessively, the Excessive File Sharing risk indicator is triggered and the shared links are expired. When the shared links are expired, the link becomes invalid and it is not accessible by the users with whom the link was shared.

o Data sources applicable on: ShareFile

XenApp XenDesktop actions

• Log Off User. When a user is logged off from their account, they cannot access the resource through XenDesktop until the XenDesktop administrator clears the Log Off User action.

o Data sources applicable on: On-premises XenApp and XenDesktop, XenApp and XenDesktop service

• Start Session Recording. If there is an unusual event on the user’s XenDesktop account, the XenApp and XenDesktop administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

o Data sources applicable on: On-premises XenApp and XenDesktop

XenMobile actions

• Lock Device. When there is unusual activity on a device, causing the user’s risk score to exceed a specified value, you can use the Lock Device action. When the action is applied, all the user’s devices are locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.

o Data sources applicable on: XenMobile service

• Notify XenMobile Admin. When there is any unusual or suspicious activity on the user’s XenMobile account, the XenMobile administrator is notified.

o Data sources applicable on: XenMobile service

• Notify User. When the Notify User action is applied, the user sees a message from the Citrix Analytics administrator regarding their account. The notification seen by the user is the message entered by the admin when they apply the action.

o Data sources applicable on: XenMobile service

Note:

• If you apply the Disable user action for a ShareFile user, the user’s account is not disabled until the ShareFile administrator sees the notification. During the interim period, the user can use their ShareFile account and the data continue to be processed by Citrix Analytics. After the ShareFile administrator disables the user’s account, the user must contact their ShareFile administrator to have their account reactivated. The Citrix Analytics administrator cannot enable disabled ShareFile accounts.

Configuring rules and actions

For example, following the steps below, you can create an “excessive file sharing” rule. Using this rule, when a user in your organization shares an unusually large amount of data, the share links are automatically expired. You are notified when a user shares data that exceeds that user’s normal behavior. By applying the “excessive file sharing” rule, and taking immediate action, you can prevent data exfiltration from any user’s account.

To create a rule, do the following:

1. After signing in to Citrix Analytics, on the toolbar, go to Settings > Rules.

2. On the Rules dashboard, click Create Rule.

3. From the IF THE FOLLOWING CONDITION IS MET list box, select the risk indicator condition upon which you want an action applied.

4. From the THEN DO THE FOLLOWING list box, select one or more actions and click Apply.

5. In the Rule Name text box, provide a name and enable the rule using the toggle button provided.

6. Click Create Rule.

Apply an action manually

Consider a user, Sallie Linville, who shares files excessively from her ShareFile account. To stop her from sharing any more information, or even accessing sensitive company data, you can disable her ShareFile account using the Disable User action.

To apply this action to the user manually, navigate to Sallie Linville’s profile and select the appropriate risk indicator. From the Actions menu, select the Disable user action and click Apply.

When Sallie Linville’s account is disabled, she cannot log on to ShareFile. The action applied is added to her risk timeline, and the action details are displayed on the right pane of the risk timeline page.

The next time Sallie Linville logs on to her ShareFile account, she will see a notification, asking her to contact her ShareFile administrator for further information.

Managing rules

You can view the Rules dashboard to manage all the rules created on Citrix Analytics to monitor and identify inconsistencies on your network. On the Rules dashboard, you can:

1. View the list of rules

2. View details of the rule

• Name of the rule

• Status – Enabled or disabled

• Duration of the rule – Number of days the rule has been active or inactive

• Hits – The number of times the rule is triggered

• Modified – Timestamp, only if the rule has been modified

3. Delete the rule

• To delete a rule, you can select the rule you want to delete and click Delete.

• Or you could click on the rule’s name to be directed to the Modify Rule page. Click Delete Rule. In the dialog, confirm your request to delete the rule.

4. Create a rule.

5. Click on a rule’s name to view more details. You can also modify the rule when you click on its name. Other modifications that can be done are as follows:

• Change the name of the rule

• Conditions of the rule

• The actions to be applied

• Enable or disable the rule

• Delete the rule

Note:

• If you don’t want to delete your rule, you can choose to disable the rule.

• To re-enable the rule on the rules dashboard, do the following:

o On the Rules dashboard, click the Status slider button to green.

o On the Modify Rule page, click the Enabled slider button on the bottom of the page.

Watchlists

The watchlist is a list of users that you want to monitor for potential threats. Based on your organization’s policy, you can add a user to the watchlist using the Add to watchlist action. For example, you can monitor users who aren’t full-time employees within your organization by adding those users to the watchlist and monitoring them separately.

Add a user to the watchlist

1. To add a user to the watchlist manually, navigate to the user’s profile, from the Actions menu, select Add to watchlist. Click Apply to enforce the action.

2. To add a user to the watchlist using policy rules, create a rule with a set of conditions that must be met for the Add to watchlist action to be executed.

View users in the watchlist

You can view the list of the watchlist users in your organization in the Users page. They are showcased in the following ways:

1. Users in Watchlist tile under User’s Risk Profiles.

2. Users in Watchlist pane in the Users page.

You can click on the user’s name to learn more about the user. You can view the risk indicators and the actions applied to the user’s account from the risk timeline. You can also view the user’s information by clicking the User Info menu option.

Note: You can identify users who are added to the watchlist by the “eye” icon next to their name in the top users column.

Alerts

Alerts are generated in Citrix Analytics to notify you of events that require attention, or when rules are triggered. By viewing the alert, you can be warned of potential threats, so that you can take immediate action on an account or user if necessary.

Alerts are typically generated when:

• A rule is triggered. A rule is triggered when a set of conditions is met for an action to be executed.

• A risk score change occurs. Risk score is a value that indicates the aggregate level of risk a user poses to the network over a pre-determined monitoring period.

Log on to Citrix Analytics and click on the Alerts tab to view the list of alerts generated recently. To view all the alerts, you can click on the See More link at the bottom of the alerts list.

To delete an alert

You can delete alerts in the following ways:

1. You can clear or delete alerts by clicking Clear All to delete all alerts. To delete a single alert, click Clear against the chosen alert.

2. You can also click on the See More link at the bottom of the alerts list to see the Alert History. Select the alert you want to delete and click the Delete icon.

Investigate access-based risk indicator

EPA scan failures

Citrix Analytics detects user access-based threats based on EPA scan failure activity and triggers the corresponding risk indicator.

When is the EPA scan failures risk indicator triggered?

The EPA scan failure risk indicator is reported when a user tries to access the network using a device that has failed NetScaler Gateway’s End Point Analysis (EPA) Scan policies for pre-authentication or post authentication.

NetScaler Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many EPA scan failures. When Citrix Analytics determines excessive EPA scan failures for a user, it updates the user’s risk score, and creates a notification in the Alerts panel. Also, it adds an EPA scan Failure risk indicator entry to the user’s risk timeline.

How to analyze the EPA scan failures risk indicator?

Consider the user Georgina Kalou, who recently tried multiple times to access the network using a device that has failed NetScaler Gateway's EPA scan. NetScaler Gateway reports this failure to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel, and the EPA scan failure risk indicator is added to Georgina Kalou’s risk timeline.

To view the EPA scan failure entry for a user, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest EPA scan failures risk indicator reported for the user. When you select an EPA scan failure risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the EPA scan failure risk indicator and includes the number of post logon EPA scan failures reported during the selected period.

• The EVENT DETAILS – SCAN FAILURES section includes a timeline visualization of the individual EPA scan failure events that occurred during the selected time period. It also includes a table that provides the following key information about each event:

o Time. The time the EPA scan failure occurred.

o Client IP. The IP address of the client that causes the EPA scan failure.

o Gateway IP. The IP address of NetScaler Gateway that reported the EPA scan failure.

o FQDN. The FQDN of NetScaler Gateway.

o Event description. Brief description of the reason for EPA scan failure.

o Policy name. The EPA scan policy name configured on the NetScaler Gateway.

o Security expression. The security expression configured on the NetScaler Gateway.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access any resource through NetScaler until the NetScaler administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Logon failures

Citrix Analytics detects user access-based threats based on logon failures and triggers the corresponding risk indicator.

When is the logon failures risk indicator triggered?

The Logon failure risk indicator is reported when the user encounters multiple NetScaler Gateway logon failures within a given period. The NetScaler Gateway logon failures can be primary, secondary, or tertiary authentication failures, depending on whether multi-factor authentication is configured for the user.

NetScaler Gateway detects all the user logon failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many logon failures. When Citrix Analytics determines excessive logon failures, it updates the user’s risk score. You are notified in the Alerts panel, and the Logon failure risk indicator is added to the user’s risk timeline.

How to analyze the logon failures risk indicator?

Consider the user Lemuel Kildow, who recently failed multiple attempts to authenticate to the network. NetScaler Gateway reports these failures to Citrix Analytics, and an updated risk score is assigned to Lemuel Kildow. You are notified in the Alerts panel, and the Logon failures risk indicator is added to Lemuel Kildow’s risk timeline.

To view the Logon failures risk indicator entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest Logon failures risk indicator reported for the user. When you select the Logon Failures risk indicator entry from the risk timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of logon failures that occurred during the selected period.

• The EVENT DETAILS – LOGON FAILURES section includes a timeline visualization of the individual logon failure events that occurred during the selected time period. Also, you can view the following key information about each event:

o Time. The time the logon failure occurred.

o Error count. The number of logon failures detected for the user at the time of the event and for the previous 48 hours.

o Event description. Brief description of the reason for logon failure.
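The Error count field above is a trailing count: for each failure, the number of failures by the same user in the 48 hours ending at that event. The following added example (not Citrix code) computes that count over constructed events and raises one indicator when the count first reaches a threshold. The threshold of 5, the user names, and the event descriptions are assumptions; the guide does not state the value the product uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # trailing period used by the Error count field
THRESHOLD = 5                 # assumed value; the guide does not state the real one

# Constructed sample events: (time, user, event description)
SAMPLE_EVENTS = [
    ("2018-07-02T08:00:00", "lkildow", "Invalid credentials"),
    ("2018-07-02T08:01:10", "lkildow", "Invalid credentials"),
    ("2018-07-02T08:02:30", "lkildow", "Invalid credentials"),
    ("2018-07-02T11:15:00", "gkalou", "Invalid credentials"),
    ("2018-07-03T09:00:00", "lkildow", "Second factor rejected"),
    ("2018-07-03T09:05:00", "lkildow", "Second factor rejected"),
    ("2018-07-03T09:06:00", "lkildow", "Invalid credentials"),
    ("2018-07-03T14:40:00", "gkalou", "Invalid credentials"),
    ("2018-07-06T10:00:00", "lkildow", "Invalid credentials"),
]


def trailing_error_counts(events, window=WINDOW):
    """Return (time, user, error_count, description) rows in time order.

    error_count is the number of failures for that user in the window
    ending at the event, the event itself included.
    """
    recent = defaultdict(deque)  # user -> failure times still inside the window
    rows = []
    parsed = sorted((datetime.fromisoformat(t), u, d) for t, u, d in events)
    for ts, user, description in parsed:
        window_events = recent[user]
        window_events.append(ts)
        # Drop failures that have aged out of the trailing window.
        while window_events[0] < ts - window:
            window_events.popleft()
        rows.append((ts.isoformat(), user, len(window_events), description))
    return rows


def logon_failure_indicators(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (user, time, error_count) entry each time a user's trailing
    count rises to the threshold, not one per failure after that."""
    above = set()
    indicators = []
    for ts, user, count, _ in trailing_error_counts(events, window):
        if count >= threshold and user not in above:
            above.add(user)
            indicators.append((user, ts, count))
        elif count < threshold:
            # The burst has aged out; a later burst raises a new indicator.
            above.discard(user)
    return indicators


if __name__ == "__main__":
    for row in trailing_error_counts(SAMPLE_EVENTS):
        print(row)
    print(logon_failure_indicators(SAMPLE_EVENTS))
```

A slow series of failures spread over two days reaches the same count as a short burst, which is why the timeline visualization matters when triaging the indicator.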

What actions can you apply to the user?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access any resource through NetScaler until the NetScaler administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Authorization failures

Citrix Analytics detects user access-based threats based on authorization failures and triggers the corresponding risk indicator.

When is the authorization failures risk indicator triggered?

The Authorization failures risk indicator is reported in Citrix Analytics when a user in your enterprise attempts to access a resource without sufficient permissions.

When the user is authenticated, NetScaler Gateway performs a group authorization check based on the authorization policy and expressions configured for the user. NetScaler Gateway collects the user’s group information from either an LDAP, RADIUS, or TACACS+ server.

NetScaler Gateway detects the authorization failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authorization failures. When Citrix Analytics detects excessive authorization failures for a user, it updates the user’s risk score. You are notified in the Alerts panel and the authorization risk indicator is added to the user’s risk timeline.

How to analyze the authorization failures risk indicator?

Consider the user Georgina Kalou, who recently tried multiple times to access an unauthorized resource in the network. NetScaler Gateway reports these events to Citrix Analytics, and an updated risk score is assigned to Georgina Kalou. You are notified in the Alerts panel, and the Authorization failures risk indicator is added to Georgina Kalou’s risk timeline.

To view the Authorization failures entry for a user, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest Authorization failures risk indicator reported for the user. When you select the Authorization failures risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authorization failures that occurred during the selected period.

• The EVENT DETAILS – AUTHORIZATION FAILURES section includes a timeline visualization of the individual authorization failure events that occurred during the selected time period. Also, you can view the following key information about each event:

o Time. The time the authorization failure occurred.

o Client IP. The IP address of the client that has caused the authorization failure.

o Gateway IP. The IP address of NetScaler Gateway that reported the authorization failure.

o FQDN. The FQDN of the NetScaler Gateway.

o App name. The application that the user used to access the resource.

o VPN session. The type of VPN session established.

o Event description. Brief description of the reason for authorization failure.

o Nth factor. The number of attempts made by the user to access the resource.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access any resource through NetScaler until the NetScaler administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the risk indicator. From the Actions menu, select an action and click Apply.

Risky website access

Citrix Analytics detects data access threats based on the risky websites accessed by the user and triggers the corresponding risk indicator.

The Risky website access risk indicator is reported when a user in your organization attempts to access malicious, suspicious, or risky websites with high reputation ratings.

When is the risky website access risk indicator triggered?

Access Control supports setting a reputation score to a website, based on whether it has been marked as the following by the URL categorization database:

• Malicious

• Potentially dangerous

• Unknown

• Normal

For more information, see URL reputation score.

When a user in your organization attempts to access risky websites, Access Control reports these events to Citrix Analytics. Citrix Analytics monitors all these events, and if it identifies that the user has visited at least one website with a reputation score of 3 or 4 (that is, a potentially dangerous site or a malicious site), it increases the risk score for the user. You are notified in the Alerts panel and the Risky website access risk indicator is added to the user’s risk timeline.

How to analyze the risky website access risk indicator?

Consider a user, Georgina Kalou, who attempted to access a risky website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts Panel, and the Risky website access risk indicator is added to Sallie Linville’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Risky website access risk indicator. The reason for the event is displayed along with the details about the upload events, such as the time of the event, the website, and so on.

To view the Risky website access risk indicator entry for a user, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest Risky website access risk indicator reported for the user.

When you select a Risky website access risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the number of risky websites accessed by the user during the selected period.

• The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. Also, you can view the following key information about each event:

o TIME. The time the event occurred.

o WEBSITE. The risky website accessed by the user.

o CATEGORY GROUP. The category group that Access Control assigned to the risky website.

o CATEGORY. The category specified by Access Control for the risky website.

o REPUTATION RATING. The reputation rating returned by Access Control for the risky website. For more information, see URL reputation score.

Attempt to access blacklisted URL

Citrix Analytics detects data access threats based on the blacklisted URLs accessed by the user and triggers the corresponding risk indicator.

The Attempt to access blacklisted URL risk indicator is reported in Citrix Analytics when a user attempts to access a blacklisted URL configured in Access Control.

When is the Attempt to access blacklisted URL risk indicator triggered?

Access Control includes a URL categorization feature that provides policy-based control to restrict access to blacklisted URLs. When a user attempts to access a blacklisted URL, Access Control reports this event to Citrix Analytics. Citrix Analytics updates the user’s risk score and creates a notification in the Alerts panel. Also, it adds an Attempt to access blacklisted URL risk indicator entry to the user’s risk timeline.

How to analyze the Attempt to access blacklisted URL risk indicator?

Consider a user, Georgina Kalou, who accessed a blacklisted URL configured in Access Control. Access Control reports this event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel and the Attempt to access blacklisted URL risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Attempt to access blacklisted URL risk indicator. The reason for the event is displayed along with the details about the events, such as the time of the event, website details, and so on.

To view the Attempt to access blacklisted URL entry for a user, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest Attempt to access blacklisted URL risk indicator reported for the user.

When you select the Attempt to access blacklisted URL risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the risk indicator. It includes the details of the blacklisted URL accessed by the user during the selected period.

• The EVENT DETAILS section includes a timeline visualization of the individual events that occurred during the selected time period. Also, you can view the following key information about each event:

o TIME. The time the event occurred.

o WEBSITE. The website accessed by the user.

o CATEGORY GROUP. The category group that Access Control assigned to the risky website.

o CATEGORY. The category specified by Access Control for the blacklisted URL.

o REPUTATION RATING. The reputation rating returned by Access Control for the blacklisted URL.

Investigate files-based risk indicator

Excessive access to sensitive files

Citrix Analytics detects data threats based on excessive file access activity and triggers the corresponding risk indicator.

The Excessive access to sensitive files risk indicator is triggered when a user’s access to sensitive files is excessive. This unusual activity might indicate a problem with the user’s account, such as an attack on their account.

When is the excessive access to sensitive files risk indicator triggered?

You are notified when a user has accessed an unusual amount of data that has been deemed sensitive during a given time period. This alert is triggered when a user accesses sensitive data identified by a Data Loss Prevention (DLP) or a Cloud Access Security Broker (CASB) solution. When ShareFile detects this excessive behavior, Citrix Analytics receives the events, and increases the risk score of the respective user. You are then notified in the Alerts panel and the Excessive access to sensitive files risk indicator is added to the user’s risk timeline.

How to analyze the excessive access to sensitive files risk indicator?

Consider the user Georgina Kalou, who had access to 10 sensitive files that she downloaded to her local system within a span of 15 minutes. The Excessive access to sensitive files risk indicator is triggered because it exceeds a threshold. The threshold is calculated based on the number of sensitive files downloaded in a given time window, factoring in contextual information such as the download mechanism.

From Georgina Kalou’s timeline, you can select the reported Excessive access to sensitive files risk indicator. The reason for the event is displayed on the screen along with details of the event such as file name, file size, and the download time.

To view the Excessive access to sensitive files risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the Excessive access to sensitive files risk indicator. You can view the number of sensitive files that were deemed excessive by Citrix Analytics and the time the events occurred.

• In the EVENT DETAILS – SENSITIVE DATA DOWNLOADED section, the events are displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time downloaded. Time when the file was downloaded

o File name. The name and extension of the downloaded file

o File size. The size of the file downloaded

• In the ADDITIONAL CONTEXTUAL INFORMATION section, during the event’s occurrence, you can view the following:

o Total number of sensitive files downloaded

o Total size of the files downloaded by the user

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Excessive file sharing

Citrix Analytics detects data threats based on excessive file sharing activity and triggers the corresponding risk indicator.

The Excessive file sharing indicator is triggered when there is a deviation from the user’s typical file sharing behavior. Any deviation from regular file sharing behavior is considered unusual and the user’s account is investigated for this suspicious activity.

When is the excessive file sharing risk indicator triggered?

You can be notified when a user within your organization has been sharing files more often than expected under normal behavior. By responding to the notification about a user who has excessively shared files, you can prevent data exfiltration.

Citrix Analytics receives share events from ShareFile, analyzes them, and raises the risk score of a user who exhibits excessive sharing behavior. You are then notified in the Alerts panel, and the Excessive file sharing risk indicator is added to the user’s risk timeline.

How to analyze the excessive file sharing risk indicator?

Consider the user Adam Maxwell, who shared files six times within a day. By this action, Adam Maxwell has shared files more times than he usually does based on machine learning algorithms.

From Adam Maxwell’s timeline, you can select the reported Excessive file sharing risk indicator. The reason for the event is displayed along with details such as the ShareFile link shared, the time the file was shared, and more.

To view the Excessive file sharing risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the excessive file sharing event. You can view the number of share links sent to recipients and when the sharing occurred.

• In the EVENT DETAILS – EXCESSIVE FILES SHARED section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time shared. The time the file was shared

o Share ID. The ShareFile link used to share the file

o Operations. The operation performed by the user using ShareFile

o Tool name. The tool or application used to share the files

• In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total number of files shared by the user during the event’s occurrence.

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note:

• When the user is disabled, they cannot log on to ShareFile. They see a notification, on the logon page, prompting them to reach their ShareFile account administrator for further information.

• When a share link is disabled, the share link is not accessible to any user or recipient. If the user tries to access the share link again, the page displays a message to the recipient stating that the link is no longer available.

Excessive file downloads

Citrix Analytics detects data threats based on excessive file downloads activity and triggers the corresponding risk indicator.

The Excessive file downloads risk indicator helps you identify unusual file download activity. Each user has a file download pattern that they follow which includes attributes such as:

• Time the files were downloaded

• Type of files that were downloaded

• File download volume, and so on

Any deviation from a user’s usual pattern triggers the Excessive file downloads risk indicator.

When is the excessive file downloads risk indicator triggered?

Excessive file downloads can be categorized as risky because it indicates a compromised user or an insider who may be trying to exfiltrate data. If downloading a large amount of data is not consistent with the user’s normal behavior, it could be considered suspicious in a more general sense. This alert is triggered when the volume of data downloaded exceeds the user’s normal download behavior based on machine learning algorithms.

When Citrix Analytics detects excessive download behavior, it raises the risk score of the respective user. You are then notified in the Alerts panel and the Excessive file downloads risk indicator is added to the user’s risk timeline.
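The per-user comparison described above can be sketched as follows. This is an added example, not Citrix Analytics code: the guide does not disclose its model, so a median/MAD baseline over hourly download volume stands in for it, and the constants, field layout and sample events are assumptions. The same shape applies to share counts or deletion counts.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

MB = 1024 ** 2
K = 6.0                 # assumed sensitivity: alert above median + K * spread
MIN_HISTORY = 5         # assumed: fewer hourly samples than this means no baseline
FLOOR_BYTES = 50 * MB   # assumed floor so a tiny baseline does not alert on small downloads


def hourly_volume(events):
    """Sum downloaded bytes per (user, hour). events: (ISO time, user, file name, bytes)."""
    buckets = defaultdict(int)
    for ts, user, _name, size in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(user, hour)] += size
    return buckets


def threshold_for(values, k=K):
    """Per-user alert threshold in bytes, or None when history is too short."""
    if len(values) < MIN_HISTORY:
        return None
    med = median(values)
    mad = median(abs(v - med) for v in values)   # robust measure of spread
    spread = max(mad, med / 10)                  # guard against a zero MAD for very regular users
    return max(med + k * spread, FLOOR_BYTES)


def excessive_downloads(history, current):
    """Return (alerts, unscored_users) for the hours present in `current`."""
    per_user = defaultdict(list)
    for (user, _hour), vol in hourly_volume(history).items():
        per_user[user].append(vol)
    alerts, unscored = [], set()
    for (user, hour), vol in sorted(hourly_volume(current).items()):
        limit = threshold_for(per_user.get(user, []))
        if limit is None:
            unscored.add(user)                   # cold start: nothing to compare against
        elif vol > limit:
            alerts.append({"user": user, "hour": hour, "bytes": vol, "threshold": limit})
    return alerts, sorted(unscored)


def _history(user, sizes_mb):
    # Constructed history: one download hour per day in June 2018.
    return [(f"2018-06-{day:02d}T10:05:00", user, f"file{day}.zip", mb * MB)
            for day, mb in enumerate(sizes_mb, start=1)]


# Constructed sample data (user names are placeholders derived from the guide's personas).
HISTORY = _history("lkildow", [20, 25, 30, 22, 28, 24]) + \
          _history("gkalou", [400, 420, 380, 410, 390])
CURRENT = [
    ("2018-07-02T14:02:00", "lkildow", "designs.zip", 200 * MB),
    ("2018-07-02T14:20:00", "lkildow", "customers.csv", 150 * MB),
    ("2018-07-02T14:41:00", "lkildow", "source.tar", 100 * MB),
    ("2018-07-02T14:10:00", "gkalou", "render.mov", 430 * MB),   # large, but normal for this user
    ("2018-07-02T14:15:00", "newhire", "handbook.pdf", 900 * MB),
]

if __name__ == "__main__":
    found, no_baseline = excessive_downloads(HISTORY, CURRENT)
    for a in found:
        print(f"{a['user']} {a['hour']:%Y-%m-%d %H:00} "
              f"{a['bytes'] // MB} MB > {a['threshold'] / MB:.1f} MB")
    print("no baseline:", no_baseline)
```

Note that 430 MB in an hour is unremarkable for one user while 450 MB alerts for another, and that a user with no history is reported as unscored rather than silently passed.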

How to analyze the excessive file downloads risk indicator?

Consider the user Lemuel Kildow, who downloaded a large amount of data to his local system within a span of one hour. By this action, Lemuel Kildow exceeded his normal download behavior based on machine learning algorithms.

From the user’s timeline, you can select the reported Excessive file downloads risk indicator. The reason for the excessive file download alert is displayed along with details of the event such as file name, file size, and download time.

To view the Excessive file downloads risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the excessive file downloads event. You can view the amount of data downloaded by the user and the time the event occurred.

• In the EVENT DETAILS – EXCESSIVE FILE DOWNLOADS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time downloaded. Time when the file was downloaded

o File name. The name and extension of the downloaded file

o File size. The size of the file downloaded

• In the ADDITIONAL CONTEXTUAL INFORMATION section, you can view the total download size of the files downloaded by the user during the event’s occurrence.

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Excessive file or folder deletion

Citrix Analytics detects data threats based on excessive file or folder deletion activity and triggers the corresponding risk indicator.

The Excessive file or folder deletion risk indicator is triggered when a user’s deletion of files or folders is excessive. This abnormality might indicate a problem with the user’s account, such as an attack on their account.

When is the excessive file or folder deletion risk indicator triggered?

You can be notified when a user in your organization has deleted an excessive number of files or folders within a certain time period. This alert is triggered when a user deletes an excessive number of files or folders outside of their normal deletion behavior based on machine learning algorithms.

When this behavior is detected, Citrix Analytics increases the risk score of the respective user. You are then notified in the Alerts panel, and the Excessive file or folder deletion risk indicator is added to the user’s risk timeline.

How to analyze the excessive file or folder deletion risk indicator?

Consider the user Lemuel Kildow, who deleted many files or folders over the course of a day. By this action, Lemuel Kildow exceeded his normal deletion behavior based on machine learning algorithms.

From Lemuel Kildow’s timeline, you can select the reported Excessive file or folder deletion risk indicator. The reason for the event is displayed on the screen along with the details of the event such as type of deletion (file or folder), time it was deleted, and so on.

To view the Excessive file or folder deletion risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the Excessive file or folder deletion event. You can view the number of files and folders that were deleted and the time the event occurred.

• In the EVENT DETAILS – EXCESSIVE DELETED ITEMS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time deleted. Time when the file or folder was deleted

o Type. Item type that was deleted – file or a folder

o Name. Name of the file or folder that was deleted

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Ransomware activity suspected

Citrix Analytics detects data threats based on ransomware activity and triggers the corresponding risk indicator.

Ransomware is a type of malicious software that encrypts a user’s files and replaces or updates them with the encrypted versions. By identifying ransomware attacks across files shared by users within an organization, you can ensure that productivity is not impacted.

When is the ransomware risk indicator triggered?

You can be notified when a user on your account begins to delete and upload an excessive number of files with similar names and different extensions. You can also be notified when the user updates an excessive number of files with similar names and different extensions. This activity indicates that the user’s account has been compromised and a possible ransomware attack has occurred. When Citrix Analytics detects this behavior, it increases the risk score of the respective user. You are then notified in the Alerts panel, and the Ransomware activity suspected risk indicator is added to the user’s risk timeline.

The Ransomware Activity Suspected indicator can be of two types. They are:

• Ransomware activity suspected (Files replaced) indicates files deleted and new files uploaded in their place in a manner that resembles a ransomware attack. The attack patterns can result in more uploads than deleted files. For example, a ransom note could be uploaded along with the other files.

• Ransomware activity suspected (Files updated) indicates files updated in a manner that resembles a ransomware attack.
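The Files replaced pattern described above, as an added example that is not Citrix Analytics code: it pairs each delete with an upload of the same base name but a different extension, then looks for a burst of such pairs. The event layout, the 15-minute window, the fixed threshold of three and the sample events are assumptions; the product compares against learned per-user behavior instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

WINDOW = timedelta(minutes=15)   # assumed burst window
MIN_REPLACED = 3                 # assumed fixed threshold, for illustration only

# Constructed sample events: (ISO timestamp, user, operation, path).
SAMPLE_EVENTS = [
    ("2018-07-02T09:00:05", "ajackson", "delete", "/finance/q1.xlsx"),
    ("2018-07-02T09:00:06", "ajackson", "upload", "/finance/q1.xlsx.locked"),
    ("2018-07-02T09:00:09", "ajackson", "delete", "/finance/q2.xlsx"),
    ("2018-07-02T09:00:10", "ajackson", "upload", "/finance/q2.xlsx.locked"),
    ("2018-07-02T09:00:14", "ajackson", "delete", "/finance/plan.docx"),
    ("2018-07-02T09:00:15", "ajackson", "upload", "/finance/plan.locked"),
    ("2018-07-02T09:00:16", "ajackson", "upload", "/finance/HOW_TO_RESTORE.txt"),
    # Benign: the same file name is re-uploaded (extension unchanged).
    ("2018-07-02T10:00:00", "gkalou", "delete", "/hr/policy.pdf"),
    ("2018-07-02T10:00:30", "gkalou", "upload", "/hr/policy.pdf"),
    # Benign: a single format conversion stays below the threshold.
    ("2018-07-02T11:00:00", "gkalou", "delete", "/hr/notes.doc"),
    ("2018-07-02T11:01:00", "gkalou", "upload", "/hr/notes.docx"),
]


def split_name(path):
    """Return ((folder, base name), extension), lower-cased; 'q1.xlsx.locked' -> base 'q1'."""
    p = PurePosixPath(path)
    base, _, ext = p.name.lower().lstrip(".").partition(".")
    return (str(p.parent).lower(), base), ext


def find_replacements(events, window=WINDOW):
    """Per user: (delete, upload) pairs with similar names and different extensions."""
    per_user = defaultdict(lambda: {"delete": [], "upload": []})
    for ts, user, op, path in events:
        if op in ("delete", "upload"):
            per_user[user][op].append((datetime.fromisoformat(ts), path))
    result = {}
    for user, ops in per_user.items():
        uploads, used, pairs = sorted(ops["upload"]), set(), []
        for d_time, d_path in sorted(ops["delete"]):
            d_key, d_ext = split_name(d_path)
            for i, (u_time, u_path) in enumerate(uploads):
                u_key, u_ext = split_name(u_path)
                if (i not in used and u_key == d_key and u_ext != d_ext
                        and abs(u_time - d_time) <= window):
                    used.add(i)
                    pairs.append((max(d_time, u_time), d_path, u_path))
                    break
        extras = [(t, p) for i, (t, p) in enumerate(uploads) if i not in used]
        result[user] = (sorted(pairs), extras)
    return result


def detect(events, window=WINDOW, min_replaced=MIN_REPLACED):
    """Flag users whose largest burst of replaced files reaches the threshold."""
    findings = {}
    for user, (pairs, extras) in find_replacements(events, window).items():
        best, start = [], 0
        for end in range(len(pairs)):            # sliding window over pair times
            while pairs[end][0] - pairs[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = pairs[start:end + 1]
        if len(best) >= min_replaced:
            first, last = best[0][0], best[-1][0]
            findings[user] = {
                "first": first,
                "last": last,
                "replaced": [(d, u) for _, d, u in best],
                # Uploads with no matching delete near the burst, e.g. a ransom note.
                "unpaired_uploads": [p for t, p in extras
                                     if first - window <= t <= last + window],
            }
    return findings


if __name__ == "__main__":
    for user, f in detect(SAMPLE_EVENTS).items():
        print(user, len(f["replaced"]), "files replaced;",
              "unpaired uploads:", f["unpaired_uploads"])
```

The unpaired upload is why the number of uploads can exceed the number of deleted files in this variant.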

How to analyze the ransomware risk indicator?

Consider the user Andrew Jackson, who deleted many files and replaced them with different versions, within a span of 15 minutes. By this action, Andrew Jackson has triggered unusual and suspicious behavior based on what the machine learning algorithms deem normal for that specific user.

From Andrew Jackson’s timeline, you can select the reported Ransomware Activity Suspected (Files Replaced) risk indicator. The reason for the event is displayed on the screen along with details such as the name and location of the file.

To view the Ransomware activity suspected risk indicator, navigate to Security > Users, and select the user. From the user’s risk timeline, select the Ransomware activity suspected (Files Replaced) risk indicator that has been reported for the user.

• In the WHAT HAPPENED section, you can view the summary of the Ransomware activity suspected event. You can view the number of files that were deleted and replaced in a suspicious manner, and the time the event occurred.

• In the EVENT DETAILS – FILE OPERATIONS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time. The time the file was replaced or deleted

o File name. The name of the file

o Path. The path where the file is located

Similarly, you can select the reported Ransomware activity suspected (Files updated) risk indicator. You can view the details of this event such as:

• The reason the risk indicator is triggered.

• The number of files that were updated with encrypted versions.

• The time the event (files being updated) occurred

• The name of the files

• The location of the files

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Investigate application-based risk indicator

Unusual logon access (ShareFile)

Citrix Analytics detects access threats based on unusual logon activity and triggers the corresponding risk indicator.

The Unusual logon access risk indicator is triggered when a user logs on from a location that is suspicious. By identifying users with unusual logon locations, based on previous behavior, administrators can monitor the user’s account for potential attacks.

When is the unusual logon access risk indicator triggered?

You can be notified when a user in your organization logs on from an unusual location that is contrary to their usual behavior.

The Unusual logon access risk indicator is triggered when a user accesses ShareFile from a city or country that the user doesn’t normally log on from. When this behavior is detected, Citrix Analytics increases the risk score of the respective user. You are then notified in the Alerts panel, and the Unusual logon access risk indicator is added to the user’s risk timeline.

How to analyze unusual logon access risk indicator?

Consider the user Georgina Kalou, who logged on from Manama when she had previously only ever logged on from Raleigh, North Carolina. By this action, Georgina Kalou triggered the machine learning algorithm that detected unusual behavior.

From Georgina Kalou’s timeline, you can select the reported Unusual logon access risk indicator. The reason for the event is displayed on the screen along with details such as the logon time and client IP address.

To view the Unusual logon access risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the Unusual logon access event. You can view the number of suspicious logons that occurred during a specific time period.

• In the EVENT DETAILS – LOGON LOCATIONS section, the event is displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Logon time. The time of each logon attempt

o Client IP. The client IP address used

o Location. The location where the logon attempt was made from

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Disable user. Citrix Analytics enables you to restrict or revoke their access by disabling their ShareFile account.

• Expire all Shared Links. When a user triggers the excessive file sharing indicator, Citrix Analytics enables you to expire all of the links associated with that indicator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Unmanaged device detected

Citrix Analytics detects access threats based on unmanaged device activity and triggers the corresponding risk indicator.

The Unmanaged device detected risk indicator is triggered when a device is:

• Remotely wiped due to an automated action

• Manually wiped by the administrator

• Unenrolled by the user.

When is the unmanaged device detected risk indicator triggered?

The Unmanaged device detected risk indicator is reported when a user’s device has become unmanaged. A device changes to an unmanaged state due to:

• An action performed by the user

• An action performed by the XenMobile administrator or the server

In your organization, using XenMobile service you can manage the devices and apps that access the network. For more information, see Management Modes.

When a user’s device changes to an unmanaged state, XenMobile service detects this event and reports it to Citrix Analytics. The user’s risk score is updated and you see a notification in the Alerts panel. Then, the Unmanaged device detected risk indicator is added to the user’s risk timeline.

How to analyze unmanaged device detected risk indicator?

Consider the user Georgina Kalou, whose device is remotely wiped by an automated action on the server. XenMobile reports this event to Citrix Analytics, which assigns an updated risk score to Georgina Kalou.

From Georgina Kalou’s risk timeline, you can select the reported Unmanaged device detected risk indicator. The reason for the event is displayed along with details such as the time the risk indicator was triggered, a description of the event, and so on.

To view the Unmanaged device detected risk indicator for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view a summary of the event. You can view the number of unmanaged devices detected and the time the events occurred.

• In the EVENT DETAILS – DEVICE DETECTED section, the events are displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time detected. The time the event was detected.

o Device. The mobile device used.

o Device ID. The device ID of the mobile device.

o OS. The operating system of the mobile device.

What actions can you apply to the user’s account?

You can perform device security actions such as revoking or wiping a device from Citrix Analytics. Choose the row containing the device and select one of the options below:

• Revoke device. Prohibits a device from connecting to XenMobile Server.

• Wipe device. All data on a device is erased. For Android devices, it also includes the option to wipe any memory cards.

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Lock Device. When there is unusual activity on the device, you can apply the Lock Device action to ensure that the user’s device is locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.

• Notify XenMobile admin. When there is any unusual or suspicious activity on the user’s XenMobile account, the XenMobile administrator is notified.

• Notify user. The user sees a message from the administrator regarding their account when the Notify User action is applied. The notification seen by the user is the message entered by the admin when they apply the action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Jailbroken or rooted device detected

Citrix Analytics detects access threats based on jailbroken or rooted device activity and triggers the corresponding risk indicator.

The Jailbroken or rooted device risk indicator is triggered when a user uses a jailbroken or rooted device to connect to the network. Secure Hub detects the device and reports the incident to XenMobile service. The alert ensures that only authorized users and devices are on your organization’s network.

When is the jailbroken or rooted device detected risk indicator triggered?

It is important for security officers to be able to ensure that users connect using network-compliant devices. The Jailbroken or rooted device detected risk indicator alerts you to users with iOS devices that are jailbroken or Android devices that are rooted.

The Jailbroken or rooted device risk indicator is triggered when an enrolled device becomes jailbroken or rooted. Secure Hub detects the event on the device and reports it to the XenMobile service.

How to analyze the jailbroken or rooted device detected risk indicator?

Consider the user Georgina Kalou, whose enrolled iOS device recently became jailbroken. This suspicious behavior is detected by Citrix Analytics and a risk score is assigned to Georgina Kalou.

From Georgina Kalou’s risk timeline, you can select the reported Jailbroken or rooted device detected risk indicator. The reason for the event is displayed along with the details such as time the risk indicator was triggered, description of the event, and so on.

To view the Jailbroken or rooted device detected risk indicator for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the event. You can view the number of jailbroken or rooted devices detected and the time the events occurred.

• In the EVENT DETAILS – DEVICE DETECTED section, the events are displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time detected. The time the jailbroken or rooted device is detected.

o Device. The mobile device used.

o Device ID. Information about the ID of the device that is used to log on to the session.

o OS. The operating system version used by the device.

Note: In addition to viewing the details in a tabular format, you can click the arrow against an alert’s instance to see more details.

What actions can you apply to the user’s account?

You can perform device security actions such as revoking or wiping a device from Citrix Analytics. Choose the row containing the device and select one of the options below:

• Revoke device. Prohibits a device from connecting to XenMobile Server.

• Wipe device. All data on a device is erased. For Android devices, it also includes the option to wipe any memory cards.

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Lock Device. When there is unusual activity on the device, you can apply the Lock Device action to ensure that the user’s device is locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.

• Notify XenMobile admin. When there is any unusual or suspicious activity on the user’s XenMobile account, the XenMobile administrator is notified.

• Notify user. The user sees a message from the administrator regarding their account when the Notify User action is applied. The notification seen by the user is the message entered by the admin when they apply the action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Device with blacklisted apps detected

Citrix Analytics detects access threats based on activity in a device with blacklisted apps and triggers the corresponding risk indicator.

The Device with blacklisted apps detected risk indicator is triggered when XenMobile service detects a blacklisted app during software inventory. The alert ensures that only authorized apps are run on devices that are on your organization’s network.

When is the device with blacklisted apps detected risk indicator triggered?

The Device with blacklisted apps detected risk indicator is reported when blacklisted apps are detected on a user’s device. When XenMobile service detects one or more blacklisted apps on a device during software inventory, an event is sent to Citrix Analytics.

Citrix Analytics monitors these events, updates the user’s risk score, and creates a notification in the Alerts panel. Also, it adds a Device with blacklisted apps detected risk indicator entry to the user’s risk timeline.

How to analyze the device with blacklisted apps detected risk indicator?

Consider the user Andrew Jackson, who used a device that had blacklisted apps recently installed. XenMobile reports this condition to Citrix Analytics, which assigns an updated risk score to Andrew Jackson.

From Andrew Jackson’s risk timeline, you can select the reported Device with blacklisted apps detected risk indicator. The reason for the event is displayed along with details such as the list of blacklisted apps, time XenMobile detected the blacklisted app, and so on.

To view the Device with blacklisted apps detected risk indicator for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the event. You can view the number of devices with blacklisted applications detected by the XenMobile service and the time the events occurred.

• In the EVENT DETAILS – BLACKLISTED APP DEVICE ACCESS section, the events are displayed in graphical and tabular format. The events are also displayed as individual entries in the graph, and the table provides the following key information:

o Time detected. The time when the presence of blacklisted apps was reported by XenMobile.

o Blacklisted apps. The blacklisted apps on the device.

o Device. The mobile device used.

o Device ID. Information about the ID of the device that is used to log on to the session.

o OS. The operating system version used by the device.

Note: In addition to viewing the details in a tabular format, you can click the arrow against an alert’s instance to see more details.

What actions can you apply to the user’s account?

You can perform device security actions such as revoking or wiping a device from Citrix Analytics. Choose the row containing the device and select one of the options below:

• Revoke device. Prohibits a device from connecting to XenMobile Server.

• Wipe device. All data on a device is erased. For Android devices, it also includes the option to wipe any memory cards.

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Lock Device. When there is unusual activity on the device, you can apply the Lock Device action to ensure that the user’s device is locked. However, users can swipe on their device’s screen, enter the passcode, and continue with their work.

• Notify XenMobile admin. When there is any unusual or suspicious activity on the user’s XenMobile account, the XenMobile administrator is notified.

• Notify user. The user sees a message from the administrator regarding their account when the Notify User action is applied. The notification seen by the user is the message entered by the admin when they apply the action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Access from new device

Citrix Analytics detects access threats based on access from a new device and triggers the corresponding risk indicator.

The Access from new device risk indicator is triggered when a Citrix Receiver user logs on from an unfamiliar device, typically a new device. This is because Citrix Receiver has no logon records for the user from this new and unfamiliar device.

When is the access from new device risk indicator triggered?

The Access from new device risk indicator is reported when a user logs in from a new device. This risk indicator is also flagged if you have cleared the cache or cookies on Citrix Receiver for HTML5 or Citrix Receiver for Chrome. Because the device ID is cleared along with the cache and cookies, the device is considered a new device the next time you connect to Citrix Receiver.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from new device risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.
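
The trigger condition above can be reproduced for alert triage outside the console. The following Python code is an added example, not Citrix code: it marks a logon as a new device when the user has no prior record of that device ID, and labels separately the case where Receiver for HTML5 or Receiver for Chrome presents a fresh device ID from an otherwise unchanged client. The event field names, the sample values, and the IP/OS/platform matching heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Platforms for which the guide says clearing cache or cookies also clears the device ID.
BROWSER_PLATFORMS = {"Receiver for HTML5", "Receiver for Chrome"}

# Constructed sample logon events (not real telemetry). The field names are
# assumptions modeled on the columns the guide lists for this indicator.
EVENTS = [
    {"time": "2018-07-02T08:01:00Z", "user": "lkildow", "device_id": "dev-a1",
     "ip": "10.20.4.17", "os": "Windows 10", "platform": "Receiver for Windows"},
    {"time": "2018-07-03T08:05:00Z", "user": "lkildow", "device_id": "dev-a1",
     "ip": "10.20.4.17", "os": "Windows 10", "platform": "Receiver for Windows"},
    {"time": "2018-07-04T09:00:00Z", "user": "lkildow", "device_id": "dev-h5-77",
     "ip": "10.20.4.17", "os": "Windows 10", "platform": "Receiver for HTML5"},
    {"time": "2018-07-05T09:02:00Z", "user": "lkildow", "device_id": "dev-h5-92",
     "ip": "10.20.4.17", "os": "Windows 10", "platform": "Receiver for HTML5"},
    {"time": "2018-07-05T23:40:00Z", "user": "lkildow", "device_id": "dev-zz9",
     "ip": "203.0.113.50", "os": "Android 8.0", "platform": "Receiver for Android"},
]


def classify_logons(events):
    """Return [(time, user, device_id, verdict)] in chronological order.

    Verdicts:
      known_device                 - the user has logged on from this device ID before
      new_device                   - no prior record of this device ID for the user
      new_device_probable_id_reset - new device ID on a browser-based Receiver whose
                                     IP, OS and platform match a device already seen
                                     for this user (consistent with a cache clear)
    """
    history = defaultdict(dict)  # user -> {device_id: (ip, os, platform)}
    results = []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        devices = history[ev["user"]]
        fingerprint = (ev["ip"], ev["os"], ev["platform"])
        if ev["device_id"] in devices:
            verdict = "known_device"
        elif ev["platform"] in BROWSER_PLATFORMS and fingerprint in devices.values():
            # Triage hint only: the event is still a new device ID and stays visible.
            verdict = "new_device_probable_id_reset"
        else:
            verdict = "new_device"
        devices[ev["device_id"]] = fingerprint
        results.append((ev["time"], ev["user"], ev["device_id"], verdict))
    return results


def needs_review(events):
    """Logons with a new device ID that the cache-clear heuristic does not explain."""
    return [row for row in classify_logons(events) if row[3] == "new_device"]


if __name__ == "__main__":
    for row in classify_logons(EVENTS):
        print(*row, sep="  ")
```

The first logon for any user is reported as a new device, which matches the guide's description that no logon records exist yet for that device.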

How to analyze the access from new device risk indicator?

Consider the user Lemuel Kildow, who is logged on to a session through Citrix Receiver from a new device the user has not previously used.

From the user’s timeline, you can select the reported Access from new device risk indicator. The reason for the Access from new device alert is displayed along with details such as the event type, the device ID, and so on.

To view the Access from new device risk indicator reported for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the access from new device event. You can view the number of logon instances that occurred from a new device and the time the event occurred.

• In the EVENT DETAILS section, the access events from the new device appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

o Time. The time the logon instance occurred.

o Events. The type of event.

o IP address. The IP address of the device that is used for logon.

o OS. The operating system version used for logon.

o Platform. The Receiver platform details.

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access the resource through XenDesktop.

• Start session recording. If there is an unusual event on the user’s XenDesktop account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Potential data exfiltration

Citrix Analytics detects data threats based on excessive attempts to exfiltrate data and triggers the corresponding risk indicator.

The Potential data exfiltration risk indicator is triggered when a Citrix Receiver user attempts to download or transfer files to a drive or printer. This data could be a file-download event such as downloading a file to a local drive, a mapped drive, an external storage device, and so on. It can also be data that is exfiltrated using the clipboard or by the copy-paste action.

When is potential data exfiltration risk indicator triggered?

You can be notified when a user has transferred an excessive number of files to a drive or printer in a certain time period. This risk indicator is also triggered when the user uses the copy-paste action on their local computer.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Potential data exfiltration risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

How to analyze the potential data exfiltration risk indicator?

Consider the user Adam Maxwell, who is logged on to a session and attempts to print files that exceed the predefined limit. By this action, Adam Maxwell has exceeded his normal file transfer behavior, as determined by machine learning algorithms.

From Adam Maxwell’s timeline, you can select the Potential data exfiltration risk indicator. The reason for the event is displayed along with the details such as the files transferred, the device used to transfer the file, and so on.

To view the Potential data exfiltration risk indicator reported for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the potential data exfiltration event. You can view the number of data exfiltration events during a specific time period.

• In the EVENT DETAILS section, the data exfiltration attempts appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information:

o Time. The time the data exfiltration event occurred.

o Files. The file that was either downloaded, printed, or copied.

o File type. The file type that was either downloaded, printed, or copied.

o Action. The kind of data exfiltration event that was performed – print, download, or copy.

o Devices. The device used.

o Size. The size of the file being exfiltrated.

• In the ADDITIONAL CONTEXTUAL INFORMATION section, during the event’s occurrence, you can view the following:

o Total size of the files exfiltrated

o The actions performed

o The applications used

o Device used by the user

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access the resource through XenDesktop.

• Start session recording. If there is an unusual event on the user’s XenDesktop account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Access from device with unsupported operating system (OS)

Citrix Analytics detects access threats based on a user’s access from a device running an unsupported operating system and triggers the corresponding risk indicator.

The Access from device with unsupported OS risk indicator is triggered when a Citrix Receiver user logs on from an unsupported operating system (OS) or browser. The alert is raised based on the set of OS and browser versions that are supported by Citrix Receiver.

When is the access from device with unsupported OS risk indicator triggered?

The Access from device with unsupported OS risk indicator is reported when a user logs on from a device running an unsupported OS or browser. When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Access from device with unsupported OS risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

Note: When a user switches to another operating system, but connects to the same session, the session logon event is retained.

How to analyze the access from device with unsupported OS risk indicator?

Consider the user Georgina Kalou, who is logged on to a session that is running on an OS or browser not supported by Citrix Receiver. Citrix Analytics detects this event and assigns a risk score to Georgina Kalou. You are then notified in the Alerts panel and the Access from device with unsupported OS risk indicator is added to the user’s risk timeline.

From Georgina Kalou’s timeline, you can select the reported Access from device with unsupported OS risk indicator. The reason for the event is displayed on the screen along with details of the event such as the OS version, browser version, and more.

To view the Access from device with unsupported OS risk indicator, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the Access from device with unsupported OS risk indicator. You can view the number of devices with an unsupported OS or browser version used to launch Citrix Receiver and the time the events occurred.

• In the EVENT DETAILS – DEVICE ACCESS section, the unsupported device access events appear in a graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

o Launch time. The time the event occurred.

o Receiver. The Receiver platform details.

o Browser. The browser version used for logon.

o OS. The operating system version used for logon.

o Device ID. Information about the ID of the device that is used to log on to the session.

o IP Address. The IP address of the device that is used for logon.

Note: If your device uses an unsupported browser for access, you cannot see any data under the IP address column.

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access the resource through XenDesktop.

• Start session recording. If there is an unusual event on the user’s XenDesktop account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Unusual application usage

Citrix Analytics detects data threats based on a user’s access from a new application and triggers the corresponding risk indicator.

The Unusual application usage risk indicator is triggered when a Citrix Receiver user exhibits unusual app usage behavior. Unusual behavior could be the first-ever launch of an HDX application during a particular time of the day.

When is the unusual application usage risk indicator triggered?

The Unusual application usage risk indicator is reported when the user attempts to access an application they have not previously used, factoring in time of day.

When Citrix Receiver detects this behavior, Citrix Analytics receives this event and assigns a risk score to the respective user. The Unusual Application Usage risk indicator is added to the user’s risk timeline and an alert is displayed in the Alerts panel.

How to analyze the unusual application usage risk indicator?

Consider the user Georgina Kalou, who is logged on to a session and attempts to access an application for the first time during non-working hours.

From Georgina Kalou’s timeline, you can select the reported Unusual application usage risk indicator. The reason for the event is displayed along with details such as the application’s name, the time zone it was accessed from, and so on.

To view the Unusual application usage risk indicator reported for a user, navigate to Security > Users, and select the user.

• In the WHAT HAPPENED section, you can view the summary of the event. You can view the number of new applications that were accessed and when they were accessed.

• In the EVENT DETAILS – APPLICATION USAGE section, the event is displayed in graphical and tabular format. The events appear as individual entries in the graph and the table provides the following key information about the events:

o Time. The time the application was accessed.

o Application name. Name of the application accessed.

o Time zone. Time zone from which the application is accessed.

What actions can you apply to the user’s account?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access the resource through XenDesktop.

• Start session recording. If there is an unusual event on the user’s XenDesktop account, the administrator can begin to record the user’s usage session. The recording can be stopped by the administrator.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Unusual logon access (NetScaler Gateway)

Citrix Analytics detects user access-based threats based on the user’s logon access to the network and triggers the corresponding risk indicator.

When is the unusual logon access risk indicator triggered?

You can be notified when a user in your organization logs on from an unusual location that is contrary to their usual behavior.

NetScaler Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. You are notified in the Alerts panel and the Unusual logon access risk indicator is added to the user’s risk timeline.

How to analyze the unusual logon access risk indicator?

Consider the user Georgina Kalou, who logged on from Moscow, Russia when she has only ever logged on from Raleigh, North Carolina. NetScaler Gateway reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel, and the Unusual logon access risk indicator is added to Linda Lee’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual logon access risk indicator. The reason for the event is displayed along with details such as the time of the event, the logon location, and so on.

• The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of suspicious logon attempts that occurred during a specific time period.

• The EVENT DETAILS section includes a timeline visualization of the individual logon events from unusual geographical locations that occurred during the selected time period. It also includes a table that provides the following key information about each event:

o Time. The time of each logon attempt.

o Location. The location where the logon attempt was made from.

o Client IP address. The client IP address used.

o OS. The operating system used by the client.

o Browser. The browser used by the user.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

• Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

• Notify admin. When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all Citrix Cloud administrators.

• Log off user. When a user is logged off from their account, they cannot access any resource through NetScaler until the NetScaler administrator clears the Log Off User action.

To learn more about actions and how to configure them manually, see Rules and Actions.

To apply the actions to the user manually, navigate to the user's profile and select the risk indicator. From the Actions menu, select an action and click Apply.

Investigate data-based risk indicator

Unusual upload volume

Citrix Analytics detects data access threats based on unusual upload volume activity and triggers the corresponding risk indicator.

The Unusual upload volume risk indicator is reported when a user uploads an excess volume of data to an application or website.

When is the Unusual upload volume risk indicator triggered?

You can configure Access Control to monitor user activities, such as malicious, dangerous, or unknown websites visited and the bandwidth consumed, and risky downloads and uploads. When a user in your organization uploads data to an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that this user activity is contrary to the user’s usual behavior, it updates the user’s risk score. You are notified in the Alerts panel and the Unusual upload volume risk indicator is added to the user’s risk timeline.

How to analyze the unusual upload volume risk indicator?

Consider a user, Georgina Kalou, who uploaded an excess volume of data to an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. You are notified in the Alerts panel and the Unusual upload volume risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual upload volume risk indicator. The reason for the event is displayed along with details about the events, such as the time of the event, the domain, and so on.

To view the Unusual upload volume risk indicator, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest Unusual upload volume risk indicator reported for the user.

When you select an Unusual upload volume risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the risk indicator, including the volume of data uploaded during the selected period.

• The EVENT DETAILS section includes a timeline visualization of the individual data upload events that occurred during the selected time period. Also, you can view the following key information about each event:

o TIME. The time the excessive data was uploaded to an application or a website.

o DOMAIN. The domain to which the user uploaded the data.

o CATEGORY. The domain category.

o UPLOAD SIZE. Volume of data uploaded to the domain.

Unusual download volume

Citrix Analytics detects data access threats based on excessive data downloaded by a user in your network and triggers the corresponding risk indicator.

The Unusual download volume risk indicator is reported when a user in your organization downloads an excess volume of data from an application or website.

When is the unusual download volume risk indicator triggered?

You can configure Access Control to monitor user activities, such as malicious, dangerous, or unknown websites visited and the bandwidth consumed, and risky downloads and uploads. When a user in your organization downloads data from an application or website, Access Control reports these events to Citrix Analytics.

Citrix Analytics monitors all these events and if it determines that the user activity is contrary to the user’s usual behavior, it updates the user’s risk score. You are notified in the Alerts panel and the Unusual download volume risk indicator is added to the user’s risk timeline.

How to analyze the unusual download volume risk indicator?

Consider a user, Georgina Kalou, who downloaded an excess volume of data from an application or website. Access Control reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. It notifies you in the Alerts panel and adds the Unusual download volume risk indicator entry to the user’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual download volume risk indicator. The reason for the event is displayed along with details about the events, such as the time, domain details, and so on.

To view the Unusual download volume risk indicator, navigate to Security > Users, and select the user.

From Georgina Kalou’s risk timeline, you can select the latest Unusual download volume risk indicator reported for the user.

When you select an Unusual download volume risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

• The WHAT HAPPENED section provides a brief summary of the Unusual download volume risk indicator, including the volume of data downloaded during the selected period.

• The EVENT DETAILS section includes a timeline visualization of the individual data download events that occurred during the selected time period. Also, you can view the following key information about each event:

o TIME. The time the excessive data was uploaded to an application or a website.

o DOMAIN. The domain to which the user uploaded the data.

o CATEGORY. The domain category.

o DOWNLOAD SIZE. Volume of data downloaded from the domain.

Operations Analytics

User operations

The User Operations dashboard provides an overview of the total number of domains accessed by users in your network. It also provides the amount of data uploaded to or downloaded from the domains. To access the User Operations dashboard, from the Operations tab, click User Operations.

Top users by transactions

The Top Users by Transactions section lists the transactions performed by a user while accessing different domain categories and also specifies the number of transactions blocked for each user. It provides details such as:

• The name of the user.

• The number of transactions performed by the user while accessing different domain categories.

• The total number of domains accessed by the user.

• The number of transactions blocked by Access Control.

You can click More Details to view the complete details about the user transactions.

Top users by data download volume

The Top Users by Data Download Volume section provides details of the top users who have uploaded data to or downloaded data from the domains. It provides details such as:

• The name of the user.

• The total volume of data uploaded to and downloaded from the domain by the user.

• The amount of data downloaded from the domain by the user.

• The amount of data uploaded to the domain by the user.

You can click More Details to view the complete details about the user transactions.

App operations

The App Operations dashboard provides an overview of the total number of domains accessed by users in your network. It also provides the amount of data uploaded to or downloaded from the domains. To access the App Operations dashboard, from the Operations tab, click App Operations.

For the selected timeframe, the dashboard provides an overview of the number of domains accessed by users in your network. It also provides the volume of data uploaded to or downloaded from the domains.

Top domains by access

The Top Domains by Access section provides details about the domains that were most accessed by the users in your network. It provides details such as:

• The URL of the domain.

• The category to which the domain has been categorized by Access Control.

• The action taken by Access Control to mitigate the risk.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the domain for the selected timeframe.

You can click More Details to view the complete list of domains that were accessed by the users in your network.

Top domains by data download volume

The Top Domains by Data Download Volume section provides details about the top domains from which data was downloaded by users. The details are sorted from highest to lowest data volume. It provides details such as:

• The URL of the domain.

• The category to which the domain has been categorized by Access Control.

• The volume of data downloaded by users from the domain, with the increase in trend of the amount of data downloaded from the domain for the selected timeframe.

You can click More Details to view the complete list of domains that were accessed by the users in your network.

Top categories by access

The Top Categories by Access section provides details of the categories of domains that were accessed the highest number of times by the users in your network. It provides details such as:

• The category to which the domain has been categorized by Access Control.

• The number of users who have accessed the URL, with the increase in trend of the number of users accessing the domain for the selected timeframe.

• The number of transactions by users on the risky domain, with the increase in trend of the number of transactions by users on the domain for the selected timeframe.

• The number of transactions blocked by Access Control.

You can click More Details to view the complete list of domains that were accessed by the users in your network.

Top categories by data download volume

The Top Risky Categories by Data Download Volume section provides details of the categories of domains from which the highest amount of data was uploaded or downloaded by the users in the network. It provides details such as:

• The category to which the domain has been categorized by Access Control.

• The total volume of data uploaded or downloaded from the domain by users in your network.

• The amount of data downloaded from the domain by users.

• The amount of data uploaded to the domain by users.

You can click More Details to view the complete details of the amount of data uploaded or downloaded by the user from the domains.

Monitor Citrix Analytics

Audit logs

Audit logs provide an audit trail of activities performed by the Citrix Analytics administrator. The events registered on Citrix Analytics are:

• Errors generated

• Turning on data transmission

• Turning off data transmission

• Adding data sources

• Removing data sources

• Creating rules

• Updating rules

• Deleting rules

Audit logs on Citrix Analytics display the following information:

• Events. Events may be system generated or configurations applied by the administrator on Citrix Analytics. Events can also represent errors such as the failure to apply actions or a data source.

• Date and Time. The date and time (along with its time zone) the event occurred.

• Product. The product for which the event was generated. The events are generated on the product and aggregated on Citrix Analytics where they are displayed.

• Data Source. The name of the product instance associated with the audit entry.

• By Admin. The Citrix Analytics administrator who performs admin activities.

In addition to viewing events on the Audit Log page, you can filter the events that occurred. If the registered event was the creation or modification of a rule, you can click the arrow icon to view details of the modifications made.

The audit logs are refreshed every time a new event is generated. But if you want to view the latest logs, you can click the Refresh icon.

To view audit logs, log on to Citrix Analytics. Click Settings in the menu bar and select Data Sources. On the Data Sources page, select Event Log from the top right corner.
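
Risk indicators for a data source cannot be raised while its data transmission is turned off, so the off/on audit events are worth reviewing as coverage gaps. The following Python code is an added example, not part of the Citrix product: it pairs "Turning off data transmission" and "Turning on data transmission" entries per data source and reports each gap, including gaps that are still open. The CSV layout, the exact event strings, the data source names, and the administrator addresses are assumptions constructed for illustration; the guide does not describe an export format.

```python
import csv
import io
from datetime import datetime, timezone

OFF = "Turning off data transmission"
ON = "Turning on data transmission"

# Constructed sample audit entries using the fields the guide lists
# (event, date and time, product, data source, by admin). Not real log data.
AUDIT_CSV = """event,date_time,product,data_source,by_admin
Adding data sources,2018-07-01T09:00:00+00:00,NetScaler Gateway,ns-gw-east,admin1@example.com
Turning on data transmission,2018-07-01T09:05:00+00:00,NetScaler Gateway,ns-gw-east,admin1@example.com
Creating rules,2018-07-02T10:00:00+00:00,,,admin1@example.com
Turning off data transmission,2018-07-03T22:10:00+00:00,NetScaler Gateway,ns-gw-east,admin2@example.com
Deleting rules,2018-07-03T22:12:00+00:00,,,admin2@example.com
Turning on data transmission,2018-07-04T06:40:00+00:00,NetScaler Gateway,ns-gw-east,admin1@example.com
Turning off data transmission,2018-07-05T18:00:00+00:00,ShareFile,sharefile-main,admin2@example.com
"""

# Fixed "current time" so the open-gap duration in the sample is reproducible.
SAMPLE_NOW = datetime(2018, 7, 6, 0, 0, tzinfo=timezone.utc)


def transmission_gaps(csv_text, now):
    """Return one dict per period in which a data source sent no data.

    A gap starts at the first "off" event for a data source and ends at the
    next "on" event for the same source. A gap with no closing "on" event is
    reported with on=None and its duration measured up to `now`.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: datetime.fromisoformat(r["date_time"]))

    open_gaps = {}  # data_source -> (off_time, admin who turned it off)
    gaps = []
    for row in rows:
        ts = datetime.fromisoformat(row["date_time"])
        source = row["data_source"]
        if row["event"] == OFF and source not in open_gaps:
            # Repeated "off" events while already off do not restart the gap.
            open_gaps[source] = (ts, row["by_admin"])
        elif row["event"] == ON and source in open_gaps:
            start, admin = open_gaps.pop(source)
            gaps.append({"data_source": source, "off": start, "on": ts,
                         "turned_off_by": admin,
                         "seconds": int((ts - start).total_seconds())})

    # Anything left is still switched off at the time of review.
    for source, (start, admin) in open_gaps.items():
        gaps.append({"data_source": source, "off": start, "on": None,
                     "turned_off_by": admin,
                     "seconds": int((now - start).total_seconds())})
    return sorted(gaps, key=lambda g: g["off"])


if __name__ == "__main__":
    for gap in transmission_gaps(AUDIT_CSV, SAMPLE_NOW):
        state = gap["on"].isoformat() if gap["on"] else "STILL OFF"
        print(f'{gap["data_source"]}: off {gap["off"].isoformat()} -> {state} '
              f'({gap["seconds"] / 3600:.1f} h, by {gap["turned_off_by"]})')
```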

FAQs

This document provides frequently asked questions on Citrix Analytics.

Data source

What is a data source?

A data source is the Citrix product for which you want to monitor analytics data in Citrix Analytics.

The following table lists the data sources supported by Citrix Analytics.

| Citrix Product / Data Source | Deployment Type | Citrix Cloud Subscription | Agent Requirement | Product Component |
| ShareFile | Service | ShareFile | None | ShareFile |
| NetScaler Gateway | On-premises | NetScaler Management and Analytics Service | NetScaler MA Service Agent | NetScaler Gateway |
| XenMobile | Service | XenMobile Service | None | XenMobile Server |
| XenApp and XenDesktop | Service | XenApp and XenDesktop Service | Analytics Agent | Citrix Receiver |

How do I add a data source?

After you log on to Citrix Analytics, on the Welcome screen of the service, select Get Started to add a data source to Citrix Analytics. Alternatively, you can also add a data source by navigating to Settings > Data Sources.

NetScaler MA Service Agent

What are the minimum resource requirements to install an agent on a hypervisor on-premises?

8 GB RAM, 4 Virtual CPUs, 120 GB Storage, 1 Virtual Network Interface, 1 Gbps Throughput

Should I assign an additional disk to NetScaler MA Service agent while provisioning?

No, you do not have to add an additional disk. The agent is used only as an intermediary between Citrix Analytics and the instances in your enterprise data center. It does not store inventory or analytics data that would require an additional disk.

What are the default credentials to log on to an agent?

The default credentials to log on to the agent are nsrecover/nsroot. This logs you on to the shell prompt of the agent.

How do I change the network settings of an agent if I have entered an incorrect value?

Log on to the agent console on your hypervisor and access the shell prompt by using the credentials nsrecover/nsroot, and then run the command "networkconfig".

Why do I need a service URL and an activation code?

The agent uses the service URL to locate the service and the activation code to register the agent with the service.

How can I reenter the service URL if I have typed it incorrectly in the agent console?

Log on to the shell prompt of the agent by using the credentials nsrecover/nsroot, and then type: deployment_type.py. This script lets you reenter the Service URL and activation code.

How do I get a new activation code?

You can get a new activation code from NetScaler MA Service. Log on to NetScaler MA Service and navigate to Networks > Agents. On the Agents page, from the Select Action list, select Generate Activation Code.

Can I reuse my activation code with multiple agents?

No, you cannot.

How many NetScaler MA Service agents do I need to install?

The number of agents depends on the number of managed instances in a data center and the total throughput. Citrix recommends that you install at least one agent for every data center.

How do I install multiple NetScaler MA Service agents?

On the Data Sources page, click the plus (+) sign next to NetScaler and follow the instructions to install another agent.

Alternatively, you can access the NetScaler MA Service GUI and navigate to Networks > Agents and click Set Up Agents to install multiple agents.

Can I install two agents in a high availability setup?

No, you cannot.

What do I do if my agent registration fails?

• Make sure your agent has access to the Internet (configure DNS).

• Make sure you have copied the activation code correctly.

• Make sure you have entered the service URL correctly.

• Make sure you have the required ports open.

Registration is successful, but how do I know if the agent is running fine?

You can do the following to check if the agent is running fine:

• After the agent is successfully registered, access NetScaler MA Service and navigate to Networks > Agents. You can view the discovered agents on this page. If the agent is running fine, the status is indicated by a green icon. If it is not running, the state is indicated by a red icon.

• Log on to the agent's shell prompt and run the following commands: "ps -ax | grep mas" and "ps -ax | grep ulfd". Ensure that the following processes are running.

• If any of the processes is not running, run the command "masd restart". This might take some time to start all the daemons (1 minute or so).

• Make sure agent.conf is created in /mpsconfig after successful registration of the agent.

Onboarding NetScaler instances

NetScaler instances are added to Citrix Analytics, but how do I know if Analytics is enabled on the Agent?

You can verify if analytics is enabled on the agent using the agent’s shell prompt. If analytics is successfully enabled on the agent, the “turnOnEvent” parameter would be set to “Y” in the /mpsconfig/telemetry_cloud.conf file.

Log on to the agent’s shell prompt and run the following command: cat /mpsconfig/telemetry_cloud.conf and verify the value of the “turnOnEvent” parameter.
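The manual checks from the two answers above (processes, agent.conf, turnOnEvent) combined into one script. This is an added example, not Citrix tooling; the function names, the sample `ps` listing and the accepted layouts of the turnOnEvent line are assumptions, because the guide does not show the file's format.

```shell
# Added example: the FAQ's manual agent checks as one function set.
# Constructed `ps -ax` output; the first command path is a placeholder name.
SAMPLE_PS='  101 ??  Ss  0:01.20 /example/bin/mas_placeholder
  202 ??  S   0:00.40 /example/bin/ulfd
  303 p0  S+  0:00.00 grep mas'

# proc_running PATTERN LISTING: succeed if a process line matches PATTERN.
# Lines for grep itself are dropped, because "ps -ax | grep mas" always
# matches its own grep process and would hide a stopped daemon.
proc_running() {
    printf '%s\n' "$2" | grep -v 'grep' | grep -q -- "$1"
}

# analytics_enabled FILE: succeed only if turnOnEvent is set to Y.
# Assumption: the line looks like turnOnEvent=Y, turnOnEvent: Y or "turnOnEvent": "Y".
analytics_enabled() {
    [ -r "$1" ] || return 1
    grep -Eq '"?turnOnEvent"?[[:space:]]*[=:][[:space:]]*"?Y"?([^[:alnum:]]|$)' "$1"
}

# agent_health CONFIG_DIR [LISTING]: print one line per check and return
# the number of failed checks. LISTING defaults to live `ps -ax` output.
agent_health() {
    dir=$1
    listing=${2-$(ps -ax)}
    fails=0
    for pat in mas ulfd; do   # the two patterns the FAQ greps for
        if proc_running "$pat" "$listing"; then
            echo "OK   process matching '$pat'"
        else
            echo "FAIL no process matching '$pat' (FAQ remedy: masd restart)"
            fails=$((fails + 1))
        fi
    done
    if [ -f "$dir/agent.conf" ]; then
        echo "OK   $dir/agent.conf present"
    else
        echo "FAIL $dir/agent.conf missing (created only after registration)"
        fails=$((fails + 1))
    fi
    if analytics_enabled "$dir/telemetry_cloud.conf"; then
        echo "OK   turnOnEvent is Y"
    else
        echo "FAIL turnOnEvent is not Y in $dir/telemetry_cloud.conf"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

On the agent's shell prompt, source the file and run `agent_health /mpsconfig`; the return value is the number of failed checks.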

I accidentally closed the NetScaler onboarding wizard. Do I have to start my configuration from the beginning?

No. Citrix Analytics saves the progress and displays the incomplete configuration as a tile in the Data Sources > Settings page. Click Continue NetScaler Setup to complete the configuration.

Onboarding XenApp and XenDesktop Site

Can I add more Delivery Controllers to Citrix Analytics?

Yes! Adding more Delivery Controllers ensures high availability for your Site, enabling Citrix Analytics to keep analyzing user behavior in the event one of your Delivery Controllers becomes unavailable.

To add more Delivery Controllers:

1. Click the Site card and then click View Site Details. Citrix Analytics displays a list of the available Delivery Controllers in your Site.

2. Click Install Agent for the Delivery Controllers you want to add. When the installation finishes, the Agent State changes to “online.”

How do I turn transmission off?

If you want to temporarily disable data transmission from your Site to Citrix Analytics, simply click the Site card and then click Turn Off Data Transmission.

When I add my Site to Workspace and click "Test STA," the test fails. What do I do?

There might be a connectivity issue between your NetScaler Gateway and Cloud Connectors. To troubleshoot, see CTX232517 in the Citrix Support Knowledge Center.

Where can I get help with Citrix Analytics?

You can ask questions and connect with Citrix Analytics experts in the Citrix Analytics Discussion Forum at https://discussions.citrix.com/forum/1710-citrix-analytics/.

To participate in the forum, you must sign in with your Citrix ID.

Known issues

The following are the issues that exist in the preview release:

Browser issues

• Unable to edit and save a rule in Internet Explorer version 11.0. You cannot edit and save a rule if you are accessing Citrix Analytics using Internet Explorer 11.0.

• On Internet Explorer version 11.0, the Citrix Cloud navigation bar does not load properly. If you are accessing Citrix Analytics using Internet Explorer version 11.0, the Citrix Cloud navigation bar fails to load and restricts you from accessing the hamburger menu.

Locations

Corporate Headquarters | 851 Cypress Creek Road Fort Lauderdale, FL 33309, United States

Silicon Valley | 4988 Great America Parkway Santa Clara, CA 95054, United States

© 2018 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, and other marks appearing herein are property of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their respective owner(s).