Citrix Analytics for Security

Provide feedback for User Risk indicators

Risk indicators are designed to detect and report potentially suspicious or anomalous user activity, while automatically increasing the user’s risk score. In practice, although some occurrences of a risk indicator correspond to a legitimate underlying security threat, others turn out to be benign.

The indicator feedback feature allows you to explicitly flag risk indicator occurrences:

  • As helpful when you believe there is true underlying user risk

  • As not helpful if you have determined that there is no security threat. In this case, the indicator occurrence is hidden from the user timeline by default, and the user’s risk score is automatically adjusted to exclude this indicator occurrence in subsequent calculations.

In addition, your collective feedback is used to drive future improvements in the risk indicator algorithms.

Provide feedback

A feedback banner (with thumbs-up and thumbs-down icons) is displayed for each default risk indicator entry in the user timeline.

  • Thumbs-up icon - Indicator is helpful and has correctly identified risky activity. You can click the thumbs-up icon and provide additional comments on how the indicator is helpful and its benefit.

    You can save your feedback and mark the indicator as helpful. You can also edit your comment by clicking Edit Feedback. The feedback banner provides the timeline of the last submitted feedback.

    When a risk indicator is marked helpful, this feedback is displayed in the corresponding user timeline entry, and reported to Citrix Analytics. The user risk score is not impacted.

  • Thumbs-down icon - Indicator is not helpful or incorrectly triggered. You can mark the indicator as not helpful and categorize it as Noisy, False positive, or Inconclusive. This occurrence of the risk indicator will be excluded from all subsequent updates to the user’s risk score. You can also provide additional comments, if necessary.

    • Noisy – Triggered indicator is suspicious or is an anomaly, but not risky.

    • False positive – Triggered indicator is not risky, because of incorrect event data or logic.

    • Inconclusive – Can’t determine whether the events are risky; further investigation is needed.

      Note

      It takes up to 15 minutes to recalibrate the risk score.

You can view the following results if an indicator is marked as not helpful:

  • That particular indicator is hidden from the timeline.

  • The risk score is recalibrated as a result of excluding this indicator occurrence from the risk score calculation in subsequent updates.

  • Any additional information given as textual feedback is persisted for later reference.

View filters

Indicators that are marked as not helpful are hidden by default.

To view the hidden indicators, click Filter. In the Filter Events window that appears, turn on the Show risk indicators marked as not helpful option.

You can search the indicators based on categories. For example, to view the location-based hidden risk indicators, select the category and click Apply Filters. You can view all the location-based indicators that are not helpful with the feedback details.

As an administrator, you can also perform the following actions as needed:

  • Change the feedback

  • Review previous feedback and the associated metadata

  • Review the feedback provided by other administrators and the associated metadata

    Note

    • You can provide feedback at the user level, not at the tenant level. The feedback for one risk indicator doesn’t apply to all instances of that particular risk indicator.

    • The feedback for one user doesn’t apply to other users.
