Citrix Analytics for Security

Data Governance

This section provides information regarding the collection, storage, and retention of logs by the Citrix Analytics service. Any capitalized terms not defined in the Definitions section carry the meaning specified in the Citrix End User Services Agreement.

Citrix Analytics is designed to provide customers with insight into activities in their Citrix computing environment. Citrix Analytics enables security administrators to choose the logs they want to monitor and take directed action based on the logged activity. These insights help security administrators manage access to their computing environments and protect Customer Content in the customer’s computing environment.

Data residency

Citrix Analytics logs are maintained separately from the data sources and are aggregated in multiple Microsoft Azure Cloud environments, which are located in the United States, the European Union, and the Asia Pacific South regions. The storage of the logs depends on the home region selected by the Citrix Cloud administrators when onboarding their organizations to Citrix Cloud. For example, if you choose the European region when onboarding your organization to Citrix Cloud, Citrix Analytics logs are stored in Microsoft Azure environments in the European Union.

For more information, see Citrix Cloud Services Customer Content and Log Handling and Geographical Considerations.

Data collection

Citrix Cloud services are instrumented to transmit logs to Citrix Analytics. Logs are collected from the following data sources:

  • Citrix ADC (on-premises) along with subscription for Citrix Application Delivery Management

  • Citrix Endpoint Management

  • Citrix Gateway (on-premises)

  • Citrix Identity provider

  • Citrix Secure Browser

  • Citrix Secure Private Access

  • Citrix Virtual Apps and Desktops

  • Citrix DaaS (formerly Citrix Virtual Apps and Desktops service)

  • Microsoft Active Directory

  • Microsoft Graph Security

Data transmission

Citrix Cloud logs are transmitted securely to Citrix Analytics. When the administrator of the customer environment explicitly enables Citrix Analytics, these logs are analyzed and stored on a customer database. The same is applicable to Citrix Virtual Apps and Desktops data sources with Citrix Workspace configured.

For Citrix ADC data sources, log transmission is initiated only when the administrator explicitly enables Citrix Analytics for the specific data source.

Data control

Logs sent to Citrix Analytics can be turned on or off at any time by the administrator.

When turned off for Citrix ADC on-premises data sources, communication between the particular ADC data source and Citrix Analytics stops.

When turned off all for other data sources, the logs for the particular data source are no longer analyzed and stored in Citrix Analytics.

Data retention

Citrix Analytics logs are retained in identifiable form for a maximum of 13 months or 396 days. All logs and associated analytics data such as user risk profiles, user risk score details, user risk event details, user watch list, user actions, and user profile are retained for this period.

For example, if you have enabled Analytics on a data source on January 1, 2021, then by default, data collected on January 1, 2021, will be retained in Citrix Analytics until January 31, 2022. Similarly, the data collected on January 15, 2021, will be retained until February 15, 2022, and so on.

This data is stored for the default data retention period even after you have turned off data processing for the data source or after you have removed the data source from Citrix Analytics.

Citrix Analytics deletes all Customer Content 90 days after the expiry of the subscription or the trial period.

Data export

This section explains the data exported from Citrix Analytics for Security and Citrix Analytics for Performance.

Citrix Analytics for Performance collects and analyzes performance metrics from the Data Sources.

You can download the data from the Self-service search page as a CSV file.

Citrix Analytics for Security collects user events from various products (data sources). These events are processed to provide visibility into the users’ risky and unusual behavior. You can export these processed data related to users’ risk insights and users’ events to your System Information and Event Management (SIEM) service.

Currently, the data can be exported in two ways from Citrix Analytics for Security:

  • Integrating Citrix Analytics for Security with your SIEM service

  • Downloading the data from the Self-service search page as a CSV file.

When you integrate Citrix Analytics for Security with your SIEM service, the data is sent to your SIEM service by using either the north-bound Kafka topic or a Logstash-based data connector.

Currently, you can integrate with the following SIEM services:

  • Splunk (by connecting through Citrix Analytics Add-on)

  • Any SIEM service that support Kafka topic or Logstash-based data connectors such as Elasticsearch and Microsoft Azure Sentinel

You can also export the data to your SIEM service by using a CSV file. In the Self-service search page, you can view the data (user events) for a data source and download these data as a CSV file. For more information about the CSV file, see Self-service search.

Important

After the data is exported to your SIEM service, Citrix is not responsible for the security, storage, management, and the use of the exported data in your SIEM environment.

You can turn on or off data transmission from Citrix Analytics for Security to your SIEM service.

For information on the processed data and the SIEM integration, see Security Information and Event Management (SIEM) integration and Citrix Analytics data format for SIEM.

Citrix Services Security Exhibit

Detailed information concerning the security controls applied to Citrix Analytics, including access and authentication, security program management, business continuity, and incident management, is included in the Citrix Services Security Exhibit.

Definitions

Customer Content means any data uploaded to a customer account for storage or data in a customer environment to which Citrix is provided access to perform Services.

Log means a record of events related to the Services, including records that measure performance, stability, usage, security, and support.

Services means the Citrix Cloud Services outlined above for the purposes of Citrix Analytics.

Data collection agreement

By uploading your data to Citrix Analytics and by using the features of Citrix Analytics, you agree and consent that Citrix may collect, store, transmit, maintain, process and use technical, user, or related information about your Citrix products and services.

Citrix always treats the received information according to the Citrix Privacy Policy.

Appendix: logs collected

Citrix Analytics for Security logs

General logs

In general, Citrix Analytics logs contain the following header identification data points:

  • Header Keys

  • Device Identification

  • Identification

  • IP Address

  • Organization

  • Product

  • Product Version

  • System Time

  • Tenant Identification

  • Type

  • User: Email, Id, SAM Account Name, Domain, UPN

  • Version

Citrix Endpoint Management service logs

The Citrix Endpoint Management service logs contain the following data points:

  • Compliance

  • Corporate Owned

  • Device Id

  • Device Model

  • Device Type

  • Geo Latitude

  • Geo Longitude

  • Host Name

  • IMEI

  • IP Address

  • Jail Broken

  • Last Activity

  • Management Mode

  • Operating System

  • Operating System Version

  • Platform Information

  • Reason

  • Serial Number

  • Supervised

Citrix Secure Private Access logs

  • AAA User Name

  • Auth Policy Action Name

  • Authentication Session ID

  • Request URL

  • URL Category Policy Name

  • VPN Session ID

  • Vserver IP

  • AAA User Email ID

  • Actual Template Code

  • App FQDN

  • App Name

  • App Name Vserver LS

  • Application Flags

  • Authentication Type

  • Authentication Stage

  • Authentication Status Code

  • Back-end Server Dst IPv4 Address

  • Back-end Server IPv4 Address

  • Back-end Server IPv6 Address

  • Category Domain Name

  • Category Domain Source

  • Client IP

  • Client MSS

  • Client Fast Retx Count

  • Client TCP Jitter

  • Client TCP Packets Retransmited

  • Client TCP RTO Count

  • Client TCP Zero Window Count

  • Clt Flow Flags Rx

  • Clt Flow Flags Tx

  • Clt TCP Flags Rx

  • Clt TCP Flags Tx

  • Connection Chain Hop Count

  • Connection Chain ID

  • Egress Interface

  • Exporting Process ID

  • Flow Flags Rx

  • Flow Flags Tx

  • HTTP Content Type

  • HTTP Domain Name

  • HTTP Req Authorization

  • HTTP Req Cookie

  • HTTP Req Forw FB

  • HTTP Req Forw LB

  • HTTP Req Host

  • HTTP Req Method

  • HTTP Req Rcv FB

  • HTTP Req Rcv LB

  • HTTP Req Referer

  • HTTP Req URL

  • HTTP Req XForwarded For

  • HTTP Res Forw FB

  • HTTP Res Forw LB

  • HTTP Res Location

  • HTTP Res Rcv FB

  • HTTP Res Rcv LB

  • HTTP Res Set Cookie

  • HTTP Rsp Len

  • HTTP Rsp Status

  • HTTP Transaction End Time

  • HTTP Transaction ID

  • IC Cont Grp Name

  • IC Flags

  • IC No Store Flags

  • IC Policy Name

  • Ingress Interface Client

  • NetScaler Gateway Service App ID

  • NetScaler Gateway Service App Name

  • NetScaler Gateway Service App Type

  • NetScaler Partition ID

  • Observation Domain ID

  • Observation Point ID

  • Origin Res Status

  • Origin Rsp Len

  • Protocol Identifier

  • Rate Limit Identifier Name

  • Record Type

  • Responder Action Type

  • Response Media Type

  • Srv Flow Flags Rx

  • Srv Flow Flags Tx

  • Srvr Fast Retx Count

  • Srvr TCP Jitter

  • Srvr TCP Packets Retransmitted

  • Srvr TCP Rto Count

  • Srvr TCP Zero Window Count

  • SSL Cipher Value BE

  • SSL Cipher Value FE

  • SSL Client Cert Size BE

  • SSL Client Cert Size FE

  • SSL Clnt Cert Sig Hash BE

  • SSL Clnt Cert Sig Hash FE

  • SSL Err App Name

  • SSL Err Flag

  • SSL FLags BE

  • SSL FLags FE

  • SSL Handshake Error Msg

  • SSL Server Cert Size BE

  • SSL Server Cert Size FE

  • SSL Session ID BE

  • SSL Session ID FE

  • SSL Sig Hash Alg BE

  • SSL Sig Hash Alg FE

  • SSL Srvr Cert Sig Hash BE

  • SSL Srvr Cert Sig Hash FE

  • SSL iDomain Category

  • SSL iDomain Category Group

  • SSL iDomain Name

  • SSL iDomain Reputation

  • SSL iExecuted Action

  • SSL iPolicy Action

  • SSL iReason For Action

  • SSL iURL Set Matched

  • SSL iURL Set Private

  • Subscriber Identifier

  • Svr Tcp Flags Rx

  • Svr Tcp Flags Tx

  • Tenant Name

  • Tracing Req Parent Span ID

  • Tracing Req Span ID

  • Tracing Trace ID

  • Trans Clt Dst IPv4 Address

  • Trans Clt Dst IPv6 Address

  • Trans Clt Dst Port

  • Trans Clt Flow End Usec Rx

  • Trans Clt Flow End Usec Tx

  • Trans Clt Flow Start Usec Rx

  • Trans Clt Flow Start Usec Tx

  • Trans Clt IPv4 Address

  • Trans Clt IPv6 Address

  • Trans Clt Packet Tot Cnt Rx

  • Trans Clt Packet Tot Cnt Tx

  • Trans Clt RTT

  • Trans Clt Src Port

  • Trans Clt Tot Rx Oct Cnt

  • Trans Clt Tot Tx Oct Cnt

  • Trans Info

  • Trans Srv Dst Port

  • Trans Srv Packet Tot Cnt Rx

  • Trans Srv Packet Tot Cnt Tx

  • Trans Srv Src Port

  • Trans Svr Flow End Usec Rx

  • Trans Svr Flow End Usec Tx

  • Trans Svr Flow Start Usec Rx

  • Trans Svr Flow Start Usec Tx

  • Trans Svr RTT

  • Trans Svr Tot Rx Oct Cnt

  • Trans Svr Tot Tx Oct Cnt

  • Transaction ID

  • URL Category

  • URL Category Group

  • URL Category Reputation

  • URL Category Action Reason

  • URL Set Matched

  • URL set Private

  • URL Object ID

  • VLAN Number

Citrix Virtual Apps and Desktops and Citrix DaaS logs

The Citrix Virtual Apps and Desktops and Citrix DaaS logs contains the following data points:

  • App Name

  • Browser

  • Customer ID

  • Details: Format Size, Format Type, Initiator, Result

  • Device ID

  • Device Type

  • Feedback

  • Feedbak ID

  • File Name

  • File Path

  • File Size

  • Is like

  • Jail Broken

  • Job Details: File Name, Format, Size

  • Location: Estimated, Latitude, Longitude

    Note

    The location information is provided at the city and the country level and does not represent a precise geolocation.

  • Long CMD Line

  • Module File Path

  • Operation

  • Operating System

  • Platform Extra Information

  • Printer Name

  • Question

  • Question ID

  • SaaS App Name

  • Session Domain

  • Session Server Name

  • Session User Name

  • Session GUID

  • Timestamp

  • Time Zone: Bias, DST, Name

  • Total Copies Printed

  • Total Pages Printed

  • Type

  • URL

  • User Agent

Citrix ADC logs

The Citrix ADC logs contain the following data points:

  • Container

  • Files

  • Format

  • Type

Citrix DaaS Standard for Azure logs

The Citrix DaaS Standard for Azure logs contain the following data points:

  • App Name

  • Browser

  • Details: Format Size, Format Type, Initiator, Result

  • Device Id

  • Device Type

  • File Name

  • File Path

  • File Size

  • Jail Broken

  • Job Details: File Name, Format, Size

  • Location: Estimated, Latitude, Longitude

    Note

    The location information is provided at the city and the country level and does not represent a precise geolocation.

  • Long CMD Line

  • Module File Path

  • Operation

  • Operating System

  • Platform Extra Information

  • Printer Name

  • SaaS App Name

  • Session Domain

  • Session Server Name

  • Session User Name

  • Session GUID

  • Timestamp

  • Time Zone: Bias, DST, Name

  • Type

  • URL

  • User Agent

Citrix Identity provider logs

  • User Login:

    • Authentication Domains: Name, Product, IdP Type, IdP Display Name

      • IdP Properties: App, Auth Type, Customer Id, Client Id, Directory, Issuer, Logo, Resources, TID

      • Extensions:

        • Workspace: Background Color, Header Logo, Logon Logo, Link Color, Text Color, StoreFront Domains

        • ShareFile: Customer Id, Customer Geo

        • Long Lived Token: Enabled, Expiry Type, Absolute Expiry Seconds, Sliding Expiry Seconds

    • Authentication Result: User Name, Error Message

    • Sign-in Message: Client Id, Client Name

    • User Claim: AMR, Access Token Hash, Aud, Auth Time, CIP Cred, Auth Alias, Auth Domains, Groups, Product, System Aliases, Email, Email Verified, Exp, Family Name, Given Name, IAT, IdP, ISS, Locale, Name, NBF, SID, Sub

      • Auth Alias Claims: Name, Value

      • Directory Context: Domain, Forrest, Identity Provider, Tenant Id

      • User: Customers, Email, OID, SID, UPN

      • IdP Extra Fields: Azure AD OID, Azure AD TID

  • User Logoff: Client Id, Client Name, Nonce, Sub

  • Client Update: Action, Client Id, Client Name

Citrix Gateway logs

  • Transaction events:

    • ICA App: Record Type, Actual Template Code, Observation Domain Id, Observation Point Id, Exporting Process Id, ICA Session Guid, MSI Client Cookie, Flow Id Rx, ICA Flags, Connection Id, Padding Octets Two, ICA Device Serial Number, IP Version 4, Protocol Identifier, Source IPv4 Address Rx, Destination IPv4 Address Rx, Source Transport Port Rx, Destination Transport Port Rx, ICA Application Start up Duration, ICA Launch Mechanism, ICA Application Start up Time, ICA Process ID Launch, ICA Application Name, ICA App Module Path, ICA Application Termination Type, ICA Application Termination Time, Application Name App Id, ICA App Process ID Terminate, ICA App

    • ICA Event: Record Type, Actual Template Code, Source IPv4 Address Rx, Destination IPv4 Address Rx, ICA Session Guid, MSI Client Cookie, Connection Chain ID, ICA Client Version, ICA Client Host Name, ICA User Name, ICA Domain Name, Logon Ticket Setup, Server Name, Server Version, Flow Id Rx, ICA Flags, Observation Point Id, Exporting Process Id, Observation Domain Id, Connection Id, ICA Device Serial Number, ICA Session Setup Time, ICA Client IP, NS ICA Session Status Setup, Source Transport Port Rx, Destination Transport Port Rx, ICA Client Launcher, ICA Client Type, ICA Connection Priority Setup, NS ICA Session Server Port, NS ICA Session Server IP Address, IPv4, Protocol Identifier,Connection Chain Hop Count, Access Type

    • ICA Update: Record Type, Actual Template Code, Observation Domain Id, Observation Point Id, Exporting Process Id, ICA Session Guid, MSI Client Cookie, Flow Id Rx,ICA Flags, Connection Id, ICA Device Serial Number, IPv4, Protocol Identifier, Padding Octets Two, ICA RTT, Client Side RX Bytes, Client Side Packets Retransmit, Server Side Packets Retransmit, Client Side RTT, Client Side Jitter, Server Side Jitter, ICA Network Update Start Time, ICA Network Update End Time, Client Side SRTT, Server Side SRTT,Client Side Delay, Server Side Delay, Host Delay, Client Side Zero Window Count, Server Side Zero Window Count, Client Side RTO Count, Server Side RTO Count, L7 Client Latency, L7 Server Latency, App Name App Id, Tenant Name, ICA Session Update Begin Sec, ICA Session Update End Sec, ICA Channel Id 1, ICA Channel Id 2, ICA Channel Id 2 Bytes, ICA Channel Id 3, ICA Channel Id 3 Bytes, ICA Channel Id 4, ICA Channel Id 4 Bytes, ICA Channel Id 5, ICA Channel Id 5 Bytes

    • AppFlow Config: Record Type, Actual Template Code, Observation Domain Id, Observation Point Id, Exporting Process Id, System Rule Flag 1, System Safety Index, AppFlow Profile Relaxed Flags, AppFlow Profile Block Flags, AppFlow Profile Log Flags, AppFlow Profile Learn Flags, AppFlow Profile Stats Flags, AppFlow Profile None Flags, AppFlow App Name Id, AppFlow Profile Sign Disabled, AppFlow Profile Sign Block Count, AppFlow Profile Sign Log Count, AppFlow Profile Sign Stat Count, AppFlow Incarnation Number,AppFlow Sequence Number, AppFlow Profile Sign Auto Update, AppFlow Safety Index, AppFlow App Safety Index, AppFlow Profile Sec Checks Safety Index, AppFlow Profile Type, Iprep App Safety Index, AppFlow Profile Name, AppFlow Sig Name, AppFlow App Name Ls, AppFlow Sig Rule ID1, AppFlow Sig Rule ID2, AppFlow Sig Rule ID3, AppFlow Sig Rule ID4, AppFlow Sig Rule ID5, AppFlow Sig Rule Enabled Flags, AppFlow Sig Rule Block Flags, AppFlow Sig Rule Log Flags, AppFlow Sig Rule File Name, AppFlow Sig Rule Category1, AppFlow Sig Rule Logstring1, AppFlow Sig Rule Category2, AppFlow Sig Rule Logstring2, AppFlow Sig Rule Category3, AppFlow Sig Rule Category4, AppFlow Sig Rule Logstring4, AppFlow Sig Rule Category5, AppFlow Sig Rule LogString5

    • AppFlow: Actual Template Code, Observation Domain Id, Observation Point Id, Exporting Process Id, Transaction Id, Appfw Violation Occurred Time, App Name App Id, Appfw Violation Severity, Appfw Violation Type, Appfw Violation Location, Appfw Violation Threat Index, Appfw NS Longitude, Appfw NS Latitude, Source IPv4 Address Rx, Appfw Http Method, Appfw App Threat Index, Appfw Block Flags, Appfw Transform Flags, Appfw Violation Profile Name, Appfw Session Id, Appfw Req Url, Appfw Geo Location, Appfw Violation Type Name 1, Appfw Violation Name Value 1, Appfw Sig Category 1, Appfw Violation Type Name 2, Appfw Violation Name Value 2, Appfw Sig Category 2, Appfw Violation Type Name 3, Appfw Violation Name Value 3, Appfw Sig Category3, Appfw Req X Forwarded For, Appfw App Name Ls,App Name Ls, Iprep Category, Iprep Attack Time, Iprep Reputation Score, Iprep NS Longitude, Iprep NS Latitude, Iprep Severity, Iprep HTTP Method, Iprep App Threat Index, Iprep Geo Location, Tcp Syn Attack Cntr, Tcp Slow Ris Cntr, Tcp Zero Window Cntr, Appfw Log Expr Name, Appfw Log Expr Value, Appfw Log Expr Comment

    • VPN: Actual Template Code, Observation Domain Id, Access Insight Flags, Observation Point Id, Exporting Process Id, Access Insight Status Code, Access Insight Timestamp, Authentication Duration, Device Type, Device ID, Device Location, App Name App Id, App Name App Id1, Source Transport Port Rx, Destination Transport Port Rx, Authentication Stage, Authentication Type, VPN Session ID, EPA Id, AAA User Name, Policy Name, Auth Agent Name, Group Name, Virtual Server FQDN, cSec Expression, Source IPv4 Address Rx, Destination IPv4 Address Rx, Cur Factor Policy Label, Next Factor Policy Label, App Name Ls, App Name 1 Ls,AAA User Email Id, Gateway IP, Gateway Port, Application Byte Count, VPN Session State, VPN Session Mode, SSO Auth Method, IIP Address, VPN Request URL, SSO Request URL, Backend Server Name, VPN Session Logout Mode, Logon Ticket File Info, STA Ticket, Session Sharing Key, Resource Name, SNIP Address, Temp VPN Session ID

    • HTTP: Actual Template Code, Http Req Method, Http Req Url, Http Req User Agent, Http Content Type, Http Req Host, Http Req Authorization, Http Req Cookie, Http Req Referer, Http Res Set Cookie, Ic Cont Grp Name, Ic Flags, Ic Nostore Flags, Ic Policy Name, Response Media Type, Ingress Interface Client, Origin Res Status, Origin Rsp Len, Srv Flow Flags Rx, Srv Flow Flags Tx, Flow Flags Rx, Flow Flags Tx, App Name, Observation Point Id, Exporting Process Id, Observation Domain Id, Http Trans End Time, Transaction Id, Http Rsp Status, Trans Clt Ipv4 Address, Trans Clt Dst Ipv4 Address, Backend Svr Dst Ipv4 Address, Backend Svr Ipv4 Address, Http Rsp Len, Trans Svr RTT, Trans Clt RTT, Http Req Rcv FB, Http Req Rcv LB, Http Res Rcv FB, Http Res Rcv LB, Http Req Forw FB, Http Req Forw LB, Http Res Forw FB, Http Res Forw LB, Http Req X Forwarded For, Http Domain Name, Http Res Location, Protocol Identifier, Egress Interface, Backend Svr Ipv6 Address, SSL Flags BE, SSL Flags FE, SSL Session IDFE, SSL Session IDBE, SSL Cipher Value FE, SSL Cipher Value BE, SSL Sig Hash Alg BE, SSL Sig Hash Alg FE, SSL Srvr Cert Sig Hash BE, SSL Srvr Cert Sig Hash FE, SSL Clnt Cert Sig Hash FE, SSL Clnt Cert Sig Hash BE, SSL Server Cert Size FE, SSL Server Cert Size BE, SSL Client Cert Size FE, SSL Client Cert Size BE, SSL Err App Name, SSL Err Flag, SSL Handshake Error Msg, Client IP, Virtual Server IP, Connection Chain Id, Connection Chain Hop Count, Trans Clt Tot Rx Oct Cnt, Trans Clt TotTx Oct Cnt, Trans Clt Src Port, Trans Clt Dst Port, Trans Srv Src Port, Trans Srv Dst Port, VLAN Number, Client Mss, Trans Info, Trans Clt Flow End Usec Rx, Trans Clt Flow End Usec Tx, Trans Clt Flow Start Usec Rx, Trans Clt Flow Start Usec Tx, Trans Svr Flow End Usec Rx, Trans Svr Flow End Usec Tx, Trans Svr Flow Start Usec Rx, Trans Svr Flow Start Usec Tx, Trans Svr Tot Rx Oct Cnt, Trans Svr Tot Tx Oct Cnt, Clt Flow Flags Tx, Clt Flow Flags Rx, Trans Clt Ipv6 Address, Trans Clt Dst Ipv6 Address, Subscriber Identifier, SSLi Domain Name, SSLi Domain Category, SSLi Domain Category Group, SSLi Domain Reputation, SSLi Policy Action, SSLi Executed Action, SSLi Reason For Action, SSLi URL Set Matched, SSLi URL Set Private, URL Category, URL Category Group, URL Category Reputation, Responder Action Type, URL Set Matched, URL Set Private, Category Domain Name, Category Domain Source, AAA User Name, VPN Session ID, Tenant Name

  • Metric events:

    • VServer LB: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Representation, Schema Type, Time, CPU, GSLB Server, GSLB VServer, Interface, Memory Pool, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, VServer LB: RATE Si Tot Request Bytes, RATE Si Tot Requests, RATE Si Tot Response Bytes, RATE Si Tot Responses, RATE Si Tot Clt Ttlb Transactions, RATE Si Tot Clt Ttlb Pkt Rcvd, RATE Si Tot Clt Ttlb Pkt Sent, RATE Vsvr Tot Hits, Si Cur Clients, Si Cur Conn Established, Si Cur Servers, Si Cur State, Si Tot Request Bytes, Si Tot Responses, Si Tot Clt Ttlb, Si Tot Clt Ttlb Transactions, Si Tot Pkt Rcvd, Si Tot Pkt Sent, Si Tot Ttlb Frustrating Transactions, Si Tot Ttlb Tolerating Transactions, Vsvr Active Svcs, Vsvr Tot Hits, Vsvr tot Req Resp Invalid, Vsvr Tot Req Resp Invalid Dropped

    • CPU: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Representation, Schema Type, Time, Cc CPU Use GSLB Server, GSLB Vserver, Interface, Memory Pool, NetScaler, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, VServer Lb, VServer SSL, VServer User

    • Server Service Group: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Representation, Schema Type, Time, Cc CPU Use, GSLB Server, GSLB Vserver, Interface, Memory Pool, NetScaler, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, VServer Lb, VServer SSL, VServer User, Server Service Group: RATE Si Tot Request Bytes, RATE Si Tot Requests, RATE Si Tot_Response Bytes, RATE Si Tot Responses, RATE Si Tot Clt Ttlb, RATE Si Tot Clt Ttlb Transactions, RATE Si Tot Svr Ttfb, RATE Si Tot Svr Ttfb Transactions, RATE Si Tot Svr Ttlb, RATE Si Tot Svr Ttlb Transactions, RATE Si Tot Ttlb Frustrating Transactions, RATE Si Tot Ttlb Tolerating Transactions, Si Cur State, Si Tot Request Bytes, Si Tot Requests, Si Tot Response Bytes, Si Tot Responses, Si Tot Clt Ttlb, Si Tot Clt Ttlb Transactions, Si Tot Svr Ttfb, Si Tot Svr Ttfb Transactions,Si Tot Svr Tlb, Si Tot Svr Ttlb Transactions, Si Tot Ttlb Frustrating Transactions, Si Tot Ttlb Tolerating Transactions

    • Server SVC CFG: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Representation, Schema Type, Time, CPU Use, GSLB Server, GSLB Vserver, Interface, Memory Pool, NetScaler, VServer Authn, VServer Cr, VServer Cs, VServer Lb, VServer SSL, VServer User, Server Svc Cfg: RATE Si Tot Request Bytes, RATE Si Tot Requests, RATE Si Tot Response Bytes, RATE Si Tot Responses, Si Tot Clt Ttlb, RATE Si Tot Clt Ttlb Transactions, RATE Si Tot Pkt Rcvd, RATE Si Tot Pkt Sent, RATE Si Tot Svr Busy Err, RATE Si Tot Svr Ttfb, RATE Si Tot Svr Ttfb Transactions, RATE Si Tot Svr Ttlb, RATE Si Tot Svr Ttlb Transactions, RATE Si Tot Ttlb Frustrating Transactions, RATE Si Tot Ttlb Tolerating Transactions, Si Cur State, Si Cur Transport, Si Tot Request Bytes, Si Tot Requests, Si Tot Response Bytes, Si Tot Responses, Si Tot Clt Ttlb, Si Tot Clt Ttlb Transactions, Si Tot Pkt Rcvd, Si Tot Pkt Sent, Si Tot Svr Busy Err, Si Tot Svr Ttfb, Si Tot Svr Ttfb Transactions, Si Tot Svr Ttlb, Si Tot Svr Ttlb Transactions, Si Tot Ttlb Frustrating Transactions, Si Tot Ttlb Tolerating Transactions

    • NetScaler: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Representation, Schema Type, Time, GSLB Server, GSLB VServer, Interface, Memory Pool, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, VServer Lb, VServer SSL, VServer User, NetScaler: RATE All Nic Tot Rx Mbits, RATE All Nic Tot Rx Mbits, RATE Dns Tot Queries, RATE Dns Tot Neg Nxdmn Entries,RATE Http Tot Gets, RATE Http Tot Others, RATE Http Tot Posts, RATE Http Tot Requests, RATE Http Tot Requests 1.0, RATE Http Tot Requests 1.1, RATE Http Tot Responses, RATE Http Tot Rx Request Bytes, RATE Http Tot Rx Response Bytes, RATE Ip Tot Rx Mbits, RATE Ip Tot Rx Bytes, RATE Ip Tot Rx Pkts, RATE Ip Tot Tx Mbits, RATE Ip Tot Tx Bytes, RATE Ip Tot Tx Pkts, RATE SSL Tot Dec Bytes, RATE SSL Tot Enc Bytes,RATE SSL Tot SSL Info Session Hits, RATE SSL Tot SSL Info Total Tx Count, RATE Tcp Err Rst, RATE Tcp Tot Client Open, RATE Tcp Tot Server Open, RATE Tcp Tot Rx Bytes, RATE Tcp Tot Rx Pkts, RATE Tcp Tot Syn, RATE Tcp Tot Tx Bytes, RATE Tcp Tot Tx Pkts, RATE Udp Tot Rx Bytes, RATE Udp Tot Rx Pkts, RATE Udp Tot Tx Bytes, RATE Udp Tot Tx Pkts, All Nic Tot Rx Mbits, All Nic Tot Tx Mbits, Cpu Use, Dns Tot Queries, Dns Tot Neg Nxdmn Entries, Http Tot Gets, Http Tot Others, Http Tot Posts, Http Tot Requests, Http Tot Requests1.0, Http Tot Requests1.1, Http Tot Responses, Http Tot Rx Request Bytes, Http Tot Rx Response Bytes, Ip Tot Rx Mbits, Ip Tot Rx Bytes, Ip Tot Rx Pkts, Ip Tot Tx Mbits, Ip Tot Tx Bytes, Ip Tot Tx Pkts, Mem Cur Free size, Mem Cur Free size Actual, Mem Cur Used size, Mem Tot Available, Mgmt Additional Cpu Use, Mgmt Cpu 0 Use, Mgmt Cpu Use, SSL Tot Dec Bytes, SSL Tot Enc Bytes, SSL Tot SSL Info Session Hits, SSL Tot SSL Info Total Tx Count, Sys Cpus, Tcp Cur Client Conn, Tcp Cur Client Conn Closing, Tcp Cur Client Conn Est, Tcp Cur Server Conn, Tcp Cur Server Conn Closing, Tcp Cur Server Conn Est, Tcp Err Rst, Tcp Tot Client Open, Tcp Tot Server Open, Tcp Tot Rx Bytes, Tcp Tot Rx Pkts, Tcp Tot Syn, Tcp Tot Tx Bytes, Tcp Tot Tx Pkts, Udp Tot Rx Bytes, Udp Tot Rx Pkts, Udp Tot Tx Bytes, Udp Tot Tx Pkts

    • Memory Pool: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Schema Type, Time, CPU, Gslb Server, Gslb VServer, Interface, NetScaler, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, VServer Lb, VServer SSL, VServer User, Memory Pool: Mem Cur Alloc Size, Mem Err Alloc Failed, Mem Tot Available

    • Monitoring Service Binding: Bind Entity Name, Entity Name, NetScalerId, SchemaType, Time, CPU, Gslb Server, Gslb VServer, Interface, Memory Pool, NetScaler, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, Vserver Lb, VServer SSL, VServer User, Mon Service Binding: RATE Mon Tot Probes, Mon Tot Probes

    • Interface: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Schema Type, Time, CPU, Gslb Server, Gslb VServer, Memory Pool, NetScaler, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, Vserver Lb, VServer SSL, VServer User, Interface: RATE NIC Tot Rx Bytes, RATE NIC Tot Rx Packets, RATE NIC Tot Tx Bytes, RATE NIC Tot Tx Packets, NIC Tot Rx Bytes, NIC Tot Rx Packets, NIC Tot Tx Bytes, NIC Tot Tx Packets

    • VServer CS: Bind Entity Name, Entity Name, Mon Service Binding, NetScaler Id, Schema Type, Time, CPU, Gslb Server, Gslb VServer, Memory Pool, NetScaler, Server Service Group, Server Svc Cfg, VServer Authn, VServer Cr, VServer Cs, Vserver Lb, VServer SSL, VServer User, VServer Cs: RATE Si Tot Request Bytes, RATE Si Tot Requests, RATE Si Tot Response Bytes, RATE Si Tot Responses, RATE Si Tot Clt Ttlb,RATE Si Tot Clt Ttlb Transactions, RATE Si Tot Pkt Rcvd, RATE Si Tot Pkt Sent, RATE Si Tot Ttlb Frustrating Transactions, RATE Si Tot Ttlb Tolerating Transactions, RATE Vsvr Tot Hits, Si Cur State, Si Tot Request Bytes, Si Tot Requests, Si Tot Response Bytes, Si Tot Responses, Si Tot Clt Ttlb, Si Tot Clt Ttlb Transactions, Si Tot Pkt Rvd, Si Tot Pkt Sent, Si Tot Ttlb Frustrating Transactions, Si Tot Tlb Tolerating Transactions, Vsvr Tot Hits, Vsvr Tot Req Resp Invalid, Vsvr Tot Req Resp Invalid Dropped

Secure Browser logs

  • Application Post:

    • Logs before the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination URL, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External, Whitelist Internal, Whitelist Redirect

    • Logs after the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External URL, Whitelist Internal URL, Whitelist Redirect URL

  • Application Delete:

    • Logs before the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination URL, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External, Whitelist Internal, Whitelist Redirect

    • Logs after the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External URL, Whitelist Internal URL, Whitelist Redirect URL

  • Application Update:

    • Logs before the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination URL, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External, Whitelist Internal, Whitelist Redirect

    • Logs after the published application: Authentication, Browser, Change Id, Created, Customer Name, Destination, E-Tag, Gateway Service Product Id, Session Id, Legacy Icon, Application Name, Policies, Published Application Id, Region, Resource Zone, Resource Zone Id, Subscription, Session Idle Timeout, Session Idle Timeout Warning, Watermark, Whitelist External URL, Whitelist Internal URL, Whitelist Redirect URL

  • Entitlement Create:

    • Logs before the entitlement creation: Approved, Customer Id, Data Retention Days, End Date, Session Id, Product SKU, Quantity, Serial Numbers, Start Date, State, Type

    • Logs after the entitlement creation: Approved, Customer Id, Data Retention Days, End Date, Session Id, Product SKU, Quantity, Serial Numbers, Start Date, State, Type

  • Entitlement Update:

    • Logs before the entitlement update: Approved, Customer Id, Data Retention Days, End Date, Session Id, Product SKU, Quantity, Serial Numbers, Start Date, State, Type

    • Logs after the entitlement update: Approved, Customer Id, Data Retention Days, End Date, Session Id, Product SKU, Quantity, Serial Numbers, Start Date, State, Type

  • Session Access Host: Accept Host, Client IP, Date Time, Host, Session, User Name

  • Session Connect:

    • Logs before the session connection: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

    • Logs after the session connection: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

  • Session Launch:

    • Logs before the session launch: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

    • Logs after the session launch: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

  • Session Tick:

    • Logs before the session tick: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

    • Logs after the session tick: Application Id, Application Name, Browser, Created, Customer Id, Duration, Session Id, IP Address, Last Updated, Launch Source, User Name

Microsoft Graph Security logs

  • Tenant Id

  • User Id

  • Indicator Id

  • Indicator UUID

  • Event Time

  • Create Time

  • Category of alert

  • Logon Location

  • Logon IP

  • Logon Type

  • User Account Type

  • Vendor Information

  • Vendor Provider Information

  • Vulnerability States

  • Vulnerability Severity

Microsoft Active Directory logs

  • Tenant Id

  • Collect Time

  • Type

  • Directory Context

  • Groups

  • Identity

  • User Type

  • Account Name

  • Bad Password Count

  • City

  • Common Name

  • Company

  • Country

  • Days Until Password Expiry

  • Department

  • Description

  • Display Name

  • Distinguished Name

  • Email

  • Fax Number

  • First Name

  • Group Category

  • Group Scope

  • Home Phone

  • Initials

  • IP Phone

  • Is Account Enabled

  • Is Account Locked

  • Is Security Group

  • Last Name

  • Manager

  • Member of

  • Mobile Phone

  • Pager

  • Password Never Expires

  • Physical Delivery Office Name

  • Post Office Box

  • Postal Code

  • Primary Group Id

  • State

  • Street Address

  • Title

  • User Account Control

  • User Group List

  • User Principal Name

  • Work Phone

Citrix Analytics for Performance logs

  • actionid

  • actionreason

  • actiontype

  • adminfolder

  • agentversion

  • allocationtype

  • applicationid

  • applicationname

  • applicationpath

  • applicationtype

  • applicationversion

  • associateduserfullnames

  • associatedusername

  • associatedusernames

  • associateduserupns

  • authenticationduration

  • autoreconnectcount

  • autoreconnecttype

  • AvgEndpointThroughputBytesReceived

  • AvgEndpointThroughputBytesSent

  • blobcontainer

  • blobendpoint

  • blobpath

  • brokerapplicationchanged

  • brokerapplicationcreated

  • brokerapplicationdeleted

  • brokeringdate

  • brokeringduration

  • brokerloadindex

  • brokerregistrationstarted

  • browsername

  • catalogchangeevent

  • catalogcreatedevent

  • catalogdeletedevent

  • catalogid

  • catalogname

  • catalogsync

  • clientaddress

  • clientname

  • clientplatform

  • clientsessionvalidatedate

  • clientversion

  • collecteddate

  • connectedviahostname

  • connectedviaipaddress

  • connectionid

  • connectioninfo

  • connectionstate

  • connectiontype

  • controllerdnsname

  • cpu

  • cpuindex

  • createddate

  • currentloadindexid

  • currentpowerstate

  • currentregistrationstate

  • currentsessioncount

  • datetime

  • deliverygroupadded

  • deliverygroupchanged

  • deliverygroupdeleted

  • deliverygroupid

  • deliverygroupmaintenancemodechanged

  • deliverygroupname

  • deliverygroupsync

  • deliverytype

  • deregistrationreason

  • desktopgroupdeletedevent

  • desktopgroupid

  • desktopgroupname

  • desktopkind

  • disconnectcode

  • disconnectreason

  • disk

  • diskindex

  • dnsname

  • domainname

  • effectiveloadindex

  • enddate

  • errormessage

  • establishmentdate

  • eventreporteddate

  • eventtime

  • exitcode

  • failurecategory

  • failurecode

  • failuredata

  • failuredate

  • failurereason

  • failuretype

  • faultstate

  • functionallevel

  • gpoenddate

  • gpostartdate

  • hdxenddate

  • hdxstartdate

  • host

  • hostedmachineid

  • hostedmachinename

  • hostingservername

  • hypervisorconnectionchangedevent

  • hypervisorconnectioncreatedevent

  • hypervisorid

  • hypervisorname

  • hypervisorsync

  • icartt

  • icarttms

  • id

  • idletime

  • inputbandwidthavailable

  • inputbandwidthused

  • instancecount

  • interactiveenddate

  • interactivestartdate

  • ipaddress

  • isassigned

  • isinmaintenancemode

  • ismachinephysical

  • ispendingupdate

  • ispreparing

  • isremotepc

  • issecureica

  • lastderegisteredcode

  • launchedviahostname

  • launchedviaipaddress

  • lifecyclestate

  • LinkSpeed

  • logonduration

  • logonenddate

  • logonscriptsenddate

  • logonscriptsstartdate

  • logonstartdate

  • long

  • machineaddedtodesktopgroupevent

  • machineassignedchanged

  • machinecatalogchangedevent

  • machinecreatedevent

  • machinedeletedevent

  • machinederegistrationevent

  • machinednsname

  • machinefaultstatechangeevent

  • machinehardregistrationevent

  • machineid

  • machinemaintenancemodechangeevent

  • machinename

  • machinepvdstatechanged

  • machineregistrationendedevent

  • machineremovedfromdesktopgroupevent

  • machinerole

  • machinesid

  • machineupdatedevent

  • machinewindowsconnectionsettingchanged

  • memory

  • memoryindex

  • modifieddate

  • NGSConnector.ICAConnection.Start

  • NGSConnector.NGSSyntheticMetrics

  • NGSConnector.NGSPassiveMetrics

  • NGSConnector.NGSSystemMetrics

  • network

  • networkindex

  • networklatency

  • networkinfoperiodic

  • NetworkInterfaceType

  • ostype

  • outputbandwidthavailable

  • outputbandwidthused

  • path

  • percentcpu

  • persistentuserchanges

  • powerstate

  • processname

  • profileloadenddate

  • profileloadstartdate

  • protocol

  • provisioningschemeid

  • provisioningtype

  • publishedname

  • registrationstate

  • serversessionvalidatedate

  • sessioncount

  • sessionend

  • sessionfailure

  • sessionid

  • sessionidlesince

  • sessionindex

  • sessionkey

  • sessionstart

  • sessionstate

  • sessionsupport

  • sessiontermination

  • sessiontype

  • sid

  • SignalStrength

  • siteid

  • sitename

  • startdate

  • totalmemory

  • triggerinterval

  • triggerlevel

  • triggerperiod

  • triggervalue

  • usedmemory

  • userid

  • userinputdelay

  • username

  • usersid

  • vdalogonduration

  • vdaprocessdata

  • vdaresourcedata

  • version

  • vmstartenddate

  • vmstartstartdate

  • windowsconnectionsetting

  • xd.SessionStart

Data Governance