Citrix user risk indicators
Note
Attention: Citrix Content Collaboration and ShareFile have reached their end of life and are no longer available to users.
User risk indicators are user activities that look suspicious or can pose a security threat to your organization. These risk indicators span all Citrix products used in your deployment. A risk indicator is triggered when the user's behavior deviates from their normal pattern. Each risk indicator can have one or more risk factors associated with it. These risk factors help you to determine the type of anomaly in the user events. The risk indicators and their associated risk factors determine the risk score of a user.
The following are the risk factors associated with the risk indicators:
- Device-based risk indicators: Triggered when a user signs in from a device that is considered unusual based on the user's device history.
- Location-based risk indicators: Triggered when a user signs in from an IP address associated with a location that is considered unusual based on the user's location history.
- IP-based risk indicators: Triggered when a user attempts to access resources from an IP address that has been identified as suspicious, regardless of whether the IP address is unusual for the user.
- Logon-failure-based risk indicators: Triggered when a user has a pattern of excessive or unusual logon failures.
- Data-based risk indicators: Triggered when a user tries to exfiltrate data out of a Workspace session. The user behaviors under observation include copy or paste events, download patterns, and so on.
- File-based risk indicators: Triggered when a user's file access behavior on Content Collaboration is considered unusual based on their historical access pattern. The user behaviors under observation include download patterns, access to sensitive content, activities indicative of ransomware, and so on.
- Custom risk indicators: Triggered when a pre-configured condition or a user-defined condition is met. For more information, see the following articles:
- Other risk indicators: Risk indicators that do not belong to any of the predefined risk factors such as Device-based, Location-based, and Logon-failure-based.
The risk indicators are also grouped into risk categories based on the risks that are similar. For more information, see Risk Categories.
The following table shows the correlation between the risk indicators, risk factors, and the risk categories.
| Products | User Risk Indicator | Risk Factor | Risk Category |
|---|---|---|---|
| Citrix Endpoint Management | Device with blacklisted apps detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Jailbroken or rooted device detected | Other risk indicators | Compromised endpoints |
| Citrix Endpoint Management | Unmanaged device detected | Other risk indicators | Compromised endpoints |
| Citrix Gateway | End point analysis (EPA) scan failure | Other risk indicators | Compromised users |
| Citrix Gateway | Excessive authentication failures | Logon-failure-based risk indicators | Compromised users |
| Citrix Gateway | Impossible travel | Location-based risk indicators | Compromised users |
| Citrix Gateway | Logon from suspicious IP | IP-based risk indicators | Compromised users |
| Citrix Gateway | Suspicious logon | Device-based risk indicators, IP-based risk indicators, Location-based risk indicators, and Other risk indicators | Compromised users |
| Citrix Gateway | Unusual authentication failure | Logon-failure-based risk indicators | Compromised users |
| Citrix Secure Private Access | Attempt to access blacklisted URL | Other risk indicators | Insider threats |
| Citrix Secure Private Access | Excessive data download | Other risk indicators | Insider threats |
| Citrix Secure Private Access | Risky website access | Other risk indicators | Insider threats |
| Citrix Secure Private Access | Unusual upload volume | Other risk indicators | Insider threats |
| Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) and on-premises Citrix Virtual Apps and Desktops | Impossible travel | Location-based risk indicators | Compromised users |
| Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) and on-premises Citrix Virtual Apps and Desktops | Potential data exfiltration | Data-based risk indicators | Data exfiltration |
| Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) and on-premises Citrix Virtual Apps and Desktops | Suspicious logon | Device-based risk indicators, IP-based risk indicators, Location-based risk indicators, and Other risk indicators | Compromised users |
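The following is an added example, not Citrix Analytics code, that shows how three of the risk factors listed above (device-based, location-based and logon-failure-based) can be evaluated over a stream of logon events, and how each alert maps to the risk factor and risk category from the table. Citrix does not publish its thresholds or scoring, so the per-user history model, the 5-failures-in-10-minutes rule, the 900 km/h impossible-travel limit, the event fields and the sample events are all assumptions constructed for illustration.

```python
"""Illustrative risk-indicator evaluation (added example, not Citrix code).

Per-user history is learned from the events themselves; thresholds are
assumptions. The indicator-to-category mapping is from the table on this
page (Citrix Gateway rows)."""
from collections import defaultdict
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set


@dataclass
class LogonEvent:              # assumed event shape (constructed, not a Citrix schema)
    user: str
    ts: int                    # seconds since epoch
    device_id: str
    ip: str
    lat: float                 # geolocation assumed already resolved from ip
    lon: float
    success: bool


@dataclass
class Alert:
    user: str
    indicator: str
    risk_factor: str
    category: str
    detail: str


RISK_CATEGORY = {              # taken from the table on this page
    "Suspicious logon": "Compromised users",
    "Impossible travel": "Compromised users",
    "Excessive authentication failures": "Compromised users",
}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
FAILURE_WINDOW_S = 600            # assumption
FAILURE_THRESHOLD = 5             # assumption


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class UserHistory:
    devices: Set[str] = field(default_factory=set)
    last_success: Optional[LogonEvent] = None
    failures: List[int] = field(default_factory=list)


def evaluate(events: List[LogonEvent]) -> List[Alert]:
    """Replay events in time order and raise an Alert whenever a user's
    behaviour deviates from the history built so far for that user."""
    history = defaultdict(UserHistory)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        h = history[ev.user]
        if not ev.success:
            # Logon-failure-based: failures inside a sliding window; fire once per burst.
            h.failures = [t for t in h.failures if ev.ts - t <= FAILURE_WINDOW_S]
            h.failures.append(ev.ts)
            if len(h.failures) == FAILURE_THRESHOLD:
                ind = "Excessive authentication failures"
                alerts.append(Alert(ev.user, ind, "Logon-failure-based risk indicators",
                                    RISK_CATEGORY[ind],
                                    f"{FAILURE_THRESHOLD} failures within {FAILURE_WINDOW_S}s"))
            continue
        # Device-based: successful sign-in from a device never seen for this user.
        if h.devices and ev.device_id not in h.devices:
            alerts.append(Alert(ev.user, "Suspicious logon", "Device-based risk indicators",
                                RISK_CATEGORY["Suspicious logon"], f"new device {ev.device_id}"))
        # Location-based: implied travel speed since the last successful sign-in.
        if h.last_success is not None:
            km = haversine_km(h.last_success.lat, h.last_success.lon, ev.lat, ev.lon)
            hours = (ev.ts - h.last_success.ts) / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(ev.user, "Impossible travel", "Location-based risk indicators",
                                    RISK_CATEGORY["Impossible travel"],
                                    f"{km:.0f} km in {hours:.2f} h ({h.last_success.ip} -> {ev.ip})"))
        h.devices.add(ev.device_id)
        h.last_success = ev
    return alerts


def sample_events() -> List[LogonEvent]:
    """Constructed sample: alice signs in from London, then 30 minutes later
    from New York on a new phone; bob fails authentication six times."""
    london, new_york = (51.5074, -0.1278), (40.7128, -74.0060)
    evs = [LogonEvent("alice", 0, "laptop-1", "203.0.113.10", *london, True),
           LogonEvent("alice", 3600, "laptop-1", "203.0.113.10", *london, True),
           LogonEvent("alice", 5400, "phone-9", "198.51.100.7", *new_york, True)]
    evs += [LogonEvent("bob", 100 * i, "pc-2", "192.0.2.5", *london, False) for i in range(1, 7)]
    return evs


if __name__ == "__main__":
    for a in evaluate(sample_events()):
        print(f"{a.user}: {a.indicator} [{a.risk_factor}] -> {a.category}: {a.detail}")
```

A user's first successful sign-in never raises the device-based alert, because there is no history yet to deviate from; in practice the learning period and the thresholds need tuning per organization so that routine VPN egress changes or mobile roaming do not flood the "Compromised users" category with noise.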
You can manually mark risk indicators as helpful or not helpful. For more information, see Provide feedback for User Risk indicators.