Citrix Analytics for Security

Citrix Gateway risk indicators

End Point Analysis (EPA) scan failures

Citrix Analytics detects user access-based threats based on EPA scan failure activity and triggers the corresponding risk indicator.

The risk factor associated with the End Point Analysis scan failure risk indicator is the Other risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the EPA scan failures risk indicator triggered?

The EPA scan failure risk indicator is reported when a user tries to access the network using a device that has failed Citrix Gateway’s End Point Analysis (EPA) scan policies for pre-authentication or post-authentication.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many EPA scan failures. When Citrix Analytics determines that a user has had excessive EPA scan failures, it updates the user’s risk score and adds an EPA scan failure risk indicator entry to the user’s risk timeline.

How to analyze the EPA scan failures risk indicator?

Consider the user Lemuel, who recently tried multiple times to access the network using a device that has failed Citrix Gateway’s EPA scan. Citrix Gateway reports this failure to Citrix Analytics, which assigns an updated risk score to Lemuel. The EPA scan failure risk indicator is added to Lemuel Kildow’s risk timeline.

To view the EPA scan failure entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest EPA scan failures risk indicator reported for the user. When you select an EPA scan failure risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.


  • The WHAT HAPPENED section provides a brief summary of the EPA scan failure risk indicator. It also includes the number of post-logon EPA scan failures reported during the selected period.


  • The EVENT DETAILS – SCAN FAILURES section includes a timeline visualization of the individual EPA scan failure events that occurred during the selected time period. It also includes a table that provides the following key information about each event:

    • Time. The time the EPA scan failure occurred.

    • Client IP. The IP address of the client that caused the EPA scan failure.

    • Gateway IP. The IP address of Citrix Gateway that reported the EPA scan failure.

    • FQDN. The FQDN of Citrix Gateway.

    • Event description. Brief description of the reason for EPA scan failure.

    • Policy name. The EPA scan policy name configured on the Citrix Gateway.

    • Security expression. The security expression configured on the Citrix Gateway.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Excessive authentication failures

Citrix Analytics detects user access-based threats based on Excessive authentication failures and triggers the corresponding risk indicator.

The risk factor associated with the Excessive authentication failures risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Excessive authentication failures risk indicator triggered?

The Excessive authentication failures risk indicator is reported when the user encounters multiple Citrix Gateway authentication failures within a given period. The Citrix Gateway authentication failures can be primary, secondary, or tertiary authentication failures, depending on whether multifactor authentication is configured for the user.

Citrix Gateway detects all the user authentication failures and reports these events to Citrix Analytics. Citrix Analytics monitors all these events to detect whether the user has had too many authentication failures. When Citrix Analytics determines excessive authentication failures, it updates the user’s risk score. The Excessive authentication failures risk indicator is added to the user’s risk timeline.

How to analyze the Excessive authentication failures risk indicator?

Consider the user Lemuel, who recently failed multiple attempts to authenticate to the network. Citrix Gateway reports these failures to Citrix Analytics, and an updated risk score is assigned to Lemuel. The Excessive authentication failures risk indicator is added to Lemuel Kildow’s risk timeline.

To view the Excessive authentication failures risk indicator entry for a user, navigate to Security > Users, and select the user.

From Lemuel Kildow’s risk timeline, you can select the latest Excessive authentication failures risk indicator reported for the user. When you select the Excessive authentication failures risk indicator entry from the risk timeline, a corresponding detailed information panel appears in the right pane.


  • The WHAT HAPPENED section provides a brief summary of the risk indicator, including the number of authentication failures that occurred during the selected period.


  • The EVENT DETAILS section includes a timeline visualization of the individual authentication failure events that occurred during the selected time period. You can also view the following key information about each event:

    • Time. The time the logon failure occurred.

    • Error count. The number of authentication failures detected for the user at the time of the event and for the previous 48 hours.

    • Event description. Brief description of the reason for the logon failure.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Impossible travel

Citrix Analytics detects a user’s logons as risky when the consecutive logons are from two different countries within a time period that is less than the expected travel time between the countries.

The impossible travel time scenario indicates the following risks:

  • Compromised credentials: A remote attacker steals a legitimate user’s credentials.
  • Shared credentials: Different users are using the same user credentials.

When is the Impossible travel risk indicator triggered?

The Impossible travel risk indicator evaluates the time and estimated distance between each pair of consecutive user logons, and triggers when the distance is greater than an individual person can possibly travel in that amount of time.

Note

This risk indicator also contains logic to reduce false positive alerts for the following scenarios that do not reflect the users’ actual locations:

  • When users log on through Citrix Gateway from proxy connections.
  • When users log on through Citrix Gateway from hosted clients.
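As an added illustration (not Citrix’s own code or algorithm), the following script applies the evaluation described above to a constructed set of logon events: it compares the elapsed time between consecutive logons from two different countries against the minimum plausible travel time for the great-circle distance, and skips logons that arrive through known proxies or hosted clients. The city coordinates, the maximum travel speed, and the via_proxy flag are assumptions made for the example.

```python
"""Impossible-travel check over consecutive logons (added example, not Citrix code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample coordinates (latitude, longitude in degrees).
CITY_COORDS = {
    "Bengaluru, IN": (12.9716, 77.5946),
    "Oslo, NO": (59.9139, 10.7522),
    "Mumbai, IN": (19.0760, 72.8777),
}

# Assumed upper bound for how fast a person can plausibly travel (km/h).
MAX_SPEED_KMH = 1000.0


@dataclass
class Logon:
    user: str
    when: datetime
    location: str            # key into CITY_COORDS
    country: str             # constructed country code
    via_proxy: bool = False  # proxy or hosted client: location is not the user's


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def min_travel_time(a, b):
    """Shortest time in which the distance a->b could be covered at MAX_SPEED_KMH."""
    return timedelta(hours=haversine_km(a, b) / MAX_SPEED_KMH)


def impossible_travel(events):
    """Return (previous, current, distance_km, elapsed) for every flagged pair.

    A pair is flagged when two consecutive logons of the same user come from
    different countries and the time between them is shorter than the minimum
    plausible travel time. Proxy and hosted-client logons are excluded first,
    the false-positive reduction the Note above describes.
    """
    by_user = {}
    for e in events:
        if not e.via_proxy:
            by_user.setdefault(e.user, []).append(e)

    findings = []
    for evs in by_user.values():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            if prev.country == cur.country:
                continue
            p, c = CITY_COORDS[prev.location], CITY_COORDS[cur.location]
            elapsed = cur.when - prev.when
            if elapsed < min_travel_time(p, c):
                findings.append((prev, cur, round(haversine_km(p, c)), elapsed))
    return findings


# Constructed sample: the Bengaluru/Oslo pair from the scenario above, one
# proxy logon that must be ignored, and a later return trip that is plausible.
SAMPLE = [
    Logon("adam.maxwell", datetime(2024, 5, 1, 9, 0), "Bengaluru, IN", "IN"),
    Logon("adam.maxwell", datetime(2024, 5, 1, 9, 1), "Oslo, NO", "NO"),
    Logon("adam.maxwell", datetime(2024, 5, 1, 9, 5), "Mumbai, IN", "IN", via_proxy=True),
    Logon("adam.maxwell", datetime(2024, 5, 1, 21, 30), "Bengaluru, IN", "IN"),
]

if __name__ == "__main__":
    for prev, cur, dist, elapsed in impossible_travel(SAMPLE):
        print(f"{prev.user}: {prev.location} -> {cur.location}, {dist} km in {elapsed}")
```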

How to analyze the Impossible travel risk indicator

Consider the user Adam Maxwell, who logs on from two locations, Bengaluru, India and Oslo, Norway, within one minute. Citrix Analytics detects this logon event as an impossible travel scenario and triggers the Impossible travel risk indicator. The risk indicator is added to Adam Maxwell’s risk timeline and a risk score is assigned to him.

To view Adam Maxwell’s risk timeline, select Security > Users. From the Risky Users pane, select the user Adam Maxwell.

From Adam Maxwell’s risk timeline, select the Impossible travel risk indicator. You can view the following information:

  • The WHAT HAPPENED section provides a brief summary of the impossible travel event.


  • The INDICATOR DETAILS section provides the locations from which the user has logged on, the time duration between the consecutive logons, and the distance between the two locations.


  • The LOGON LOCATION - LAST 30 DAYS section displays a geographical map view of the impossible travel locations and known locations of the user. The location data is shown for the last 30 days. You can hover over the pointers on the map to view the total logons from each location.


  • The IMPOSSIBLE TRAVEL - EVENT DETAILS section provides the following information about the impossible travel event:

    • Time: Indicates the date and the time of the logons.
    • Device OS: Indicates the operating system of the user device.
    • Client IP: Indicates the IP address of the user device.
    • Location: Indicates the location from where the user has logged on.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.
  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.
  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.
  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Logon from suspicious IP

Citrix Analytics detects user access threats based on the sign-in activity from a suspicious IP and triggers this risk indicator.

The risk factor associated with the Logon from suspicious IP risk indicator is the IP-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the Logon from suspicious IP risk indicator triggered?

The Logon from suspicious IP risk indicator is triggered when a user attempts to access the network from an IP address that Citrix Analytics identifies as suspicious. The IP address is considered suspicious based on one of the following conditions:

  • Is listed on the external IP threat intelligence feed

  • Has multiple user sign-in records from an unusual location

  • Has excessive failed sign-in attempts that might indicate a brute-force attack

Citrix Analytics monitors the sign-in events received from Citrix Gateway and detects whether a user has signed in from any suspicious IP. When Citrix Analytics detects a sign-in attempt from a suspicious IP, it updates the user’s risk score and adds a Logon from suspicious IP risk indicator entry to the user’s risk timeline.

How to analyze the Logon from suspicious IP risk indicator?

Consider the user Lemuel, who attempted to access the network from an IP address that Citrix Analytics identifies as suspicious. Citrix Gateway reports the sign-in event to Citrix Analytics, which assigns an updated risk score to Lemuel. The Logon from suspicious IP risk indicator is added to Lemuel Kildow’s risk timeline.


To view the Logon from suspicious IP risk indicator reported for a user, navigate to Security > Users, and select the user. From Lemuel Kildow’s risk timeline, you can select the latest Logon from suspicious IP risk indicator reported for the user. When you select the Logon from suspicious IP risk indicator entry from the timeline, a corresponding detailed information panel appears in the right pane.

  • The WHAT HAPPENED section provides a brief summary of the Logon from suspicious IP risk indicator. It also includes the number of sign-ins from a suspicious IP address reported during the selected period.


  • The Suspicious IP section provides the following information:


    • Suspicious IP. The IP address associated with a suspicious sign-in activity.

    • Location. The city, region, and country of the user. These locations are displayed based on the availability of data.

    • Potential organization level risk. Indicates any patterns of suspicious IP activity that Citrix Analytics has recently detected in your organization. The risky patterns include excessive login failures consistent with potential brute force attempts and unusual access by multiple users.

      If no risky pattern is detected for an IP address in your organization, you see the following message.

      No risky pattern

    • Community intelligence. Provides the threat score and the threat categories of an IP address that is identified as high risk in the external IP threat intelligence feed. Citrix Analytics assigns a risk score to the high-risk IP address. The risk score starts from 80.

      If an IP address does not have any threat intelligence available on the external IP threat intelligence feed, you see the following message.

      No intelligence feed

  • The EVENT DETAILS section provides the following information about the suspicious sign-in activity:


    • Time. The time of the suspicious sign-in activity.

    • Client IP. The IP address of the user’s device that was used for the suspicious sign-in activity.

    • Device OS. The operating system of the user’s device.

    • Device Browser. The web browser used for the suspicious sign-in activity.

What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Suspicious logon

Notes

  • This risk indicator replaces the Access from an unusual location risk indicator.

  • Any policies based on the Access from an unusual location risk indicator are automatically linked to the Suspicious logon risk indicator.

Citrix Analytics detects the user’s logons that appear unusual or risky based on multiple contextual factors, which are defined jointly by the device, location, and network used by the user.

When is the Suspicious logon risk indicator triggered?

The risk indicator is triggered by the combination of the following factors, where each factor is regarded as potentially suspicious based on one or more conditions.

Factor: Unusual device
  • The user logs on from a device with a signature that is different from the devices used in the last 30 days. The device signature is based on the operating system of the device and the browser used.

Factor: Unusual location
  • The user logs on from a city or a country from which they have not logged on in the last 30 days.
  • The city or country is geographically far from the recent (last 30 days) logon locations.
  • Zero or very few users have logged on from the city or the country in the last 30 days.

Factor: Unusual network
  • The user logs on from an IP address that they have not used in the last 30 days.
  • The user logs on from an IP subnet that they have not used in the last 30 days.
  • Zero or very few users have logged on from the IP subnet in the last 30 days.

Factor: IP threat
  • The IP address is identified as high risk by the community threat intelligence feed (Webroot).
  • Citrix Analytics recently detected highly suspicious logon activities from the IP address by other users.

How to analyze the Suspicious logon risk indicator

Consider the user Adam Maxwell, who signs in from Andhra Pradesh, India for the first time. He uses a device with a known signature to access the organization’s resources, but he connects from a network that he has not used in the last 30 days.

Citrix Analytics detects this logon event as suspicious because two factors, location and network, deviate from his usual behavior, and it triggers the Suspicious logon risk indicator. The risk indicator is added to Adam Maxwell’s risk timeline and a risk score is assigned to him.

To view Adam Maxwell’s risk timeline, select Security > Users. From the Risky Users pane, select the user Adam Maxwell.

From Adam Maxwell’s risk timeline, select the Suspicious logon risk indicator. You can view the following information:

  • The WHAT HAPPENED section provides a brief summary of the suspicious activities that include the risk factors and the time of the event.


  • The LOGON DETAILS section provides a detailed summary of the suspicious activities corresponding to each risk factor. Each risk factor is assigned a score that indicates the suspicion level. No single risk factor by itself indicates high risk from a user; the overall risk is based on the correlation of the multiple risk factors.

    Suspicion level and indication:

    • 0–69: The factor appears normal and is not considered suspicious.
    • 70–89: The factor appears slightly unusual and is considered moderately suspicious in combination with other factors.
    • 90–100: The factor is entirely new or unusual and is considered highly suspicious in combination with other factors.


  • The LOGON LOCATION - LAST 30 DAYS section displays a geographical map view of the last known locations and the current location of the user. The location data is shown for the last 30 days. You can hover over the pointers on the map to view the total logons from each location.


  • The SUSPICIOUS LOGON - EVENT DETAILS section provides the following information about the suspicious logon event:

    • Time: Indicates the date and time of the suspicious logon.

    • Device OS: Indicates the operating system of the user device.

    • Device browser: Indicates the web browser used to sign in to Citrix Gateway.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.

Unusual authentication failure

Citrix Analytics detects access-based threats when a user has logon failures from an unusual IP address and triggers the corresponding risk indicator.

The risk factor associated with the Unusual authentication failure risk indicator is the Logon-failure-based risk indicators. For more information about the risk factors, see Citrix user risk indicators.

When is the unusual authentication failure indicator triggered?

You can be notified when a user in your organization has logon failures from an unusual IP address that is contrary to their usual behavior.

Citrix Gateway detects these events and reports them to Citrix Analytics. Citrix Analytics receives the events and increases the user’s risk score. The Unusual Authentication Failure risk indicator is added to the user’s risk timeline.

How to analyze the unusual authentication failure indicator?

Consider the user Georgina Kalou, who routinely signs in to Citrix Gateway from her usual home and office networks. A remote attacker attempts to authenticate to Georgina’s account by guessing different passwords, resulting in authentication failures from an unfamiliar network.

In this scenario, Citrix Gateway reports these events to Citrix Analytics, which assigns an updated risk score to Georgina Kalou. The Unusual Authentication Failure risk indicator is added to Georgina Kalou’s risk timeline.

From Georgina Kalou’s risk timeline, you can select the reported Unusual Authentication Failure risk indicator. The reason for the event is displayed along with details such as the time and location of the event.


  • In the WHAT HAPPENED section, you can view the brief summary that includes the total number of authentication failures and the time of the event.

  • In the RECOMMENDED ACTION section, you find the suggested actions that can be applied on the risk indicator. Citrix Analytics for Security recommends the actions depending on the severity of the risk posed by the user. The recommendation can be one or a combination of the following actions:

    • Notify administrator(s)

    • Add to watchlist

    • Create a policy

    You can select an action based on the recommendation. Or you can select an action that you want to apply depending on your choice from the Actions menu. For more information, see Apply an action manually.


  • In the EVENT DETAILS – LOGON SUCCESS and FAILURES section, you can view a graph indicating the unusual authentication failures, along with any other logon activity detected during the same duration.

  • In the UNUSUAL AUTHENTICATION DETAILS section, the table provides the following information about the unusual authentication failures:

    • Logon time – The date and time of the event

    • Client IP – IP address of the user device

    • Location – The location from where the event has occurred

    • Failure reason – The reason for authentication failure


  • In the USER AUTHENTICATION ACTIVITY – PREVIOUS 30 DAYS section, the table provides the following information about the previous 30 days of authentication activity for the user:

    • Subnet – The IP subnet of the user’s network.

    • Success – The total number of successful authentication events and the time of the most recent success event for the user.

    • Failure – The total number of failed authentication events and the time of the most recent failed event for the user.

    • Location – The location from where the authentication event has occurred.


What actions can you apply to the user?

You can perform the following actions on the user’s account:

  • Add to watchlist. When you want to monitor a user for future potential threats, you can add them to a watchlist.

  • Notify administrator(s). When there is any unusual or suspicious activity on the user’s account, an email notification is sent to all or selected administrators.

  • Log off user. When a user is logged off from their account, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator clears the Log Off User action.

  • Lock user. When a user’s account is locked due to anomalous behavior, they cannot access any resource through Citrix Gateway until the Citrix Gateway administrator unlocks the account.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the user manually, navigate to the user’s profile and select the appropriate risk indicator. From the Actions menu, select an action and click Apply.

Note

Irrespective of the data source that triggers a risk indicator, actions pertaining to other data sources can be applied.
