Citrix Analytics for Security

Self-service search for Apps and Desktops

Use the self-service search to get insights into the user events received from the Citrix Virtual Apps and Desktops data source and the Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) data source. When users use virtual apps or virtual desktops, events corresponding to their activities and actions are generated. Examples of user events are file download, account logon, and app start. Citrix Analytics for Security receives these user events and displays them on the self-service page. You can track the users and their activities.

For more information on the search functionalities, see Self-service search.

Select the Apps and Desktops data source

To view the events from Citrix Virtual Apps and Desktops or Citrix DaaS, select Apps and Desktops from the list. By default, the self-service page displays the events for the last day. You can also select the time period for which you want to view the events.


By default, the self-service page displays the events for the last month. The page also provides several facets and a search box to filter and focus on the required events.

Select the facets to filter events

Use the following facets, which are associated with the Apps and Desktops events.


  • Event Type: Search events based on the event type, such as account logon, app end, and session end.

  • Domain: Search events based on the domain, such as citrate.net.

  • OS: Search events based on the operating system used on the user’s device, such as Chrome, iOS, and Windows. Select the operating system name and versions to filter the events. For more information on the operating system versions, see Supported values for your search query.

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Apps and Desktops events. Use the dimensions and the operators to specify your query and search for the required events.


For example, you want to search events for the user “John Doe” who is using the Windows operating system.

  1. Enter “U” in the search box to get the related suggestions.


  2. Click User-Name and enter the value “John” using the equal operator.


  3. Select the AND operator and the OS-Name dimension. Assign the value “Windows 7” using the equal operator.


  4. Select the time period and click Search to view the events based on the DATA table.

Event types and supported fields

The following fields are available for all the event types except VDA.Print:

  • City

  • Client IP

  • Country

  • Device ID

  • OS Name

  • OS Version

  • OS Extra Info

  • Time

  • User Name

  • Workspace App Version

  • Workspace App Status

The following table describes the event types available for the Apps and Desktops data source and fields specific to each event type.

| Value | Description | Fields |
| --- | --- | --- |
| Account.Logon | Triggers when you log on to Store through Citrix Workspace app. Note: Account.Logon is not available for the HTML5 client. | Check common fields as described above. |
| Session.Logon | Triggers when you log on to your virtual session. | App Protection Policies, Domain, Session Launch Type, Session Server Name, Session User Name |
| Session.End | Triggers when you terminate your virtual session. | Domain, Session Launch Type, Session Server Name, Session User Name |
| App.Start | Triggers when you start a virtual app session. Note: This event type is not applicable when the application is launched within the desktop session. | App Name, Domain, Session Launch Type, Session Server Name, Session User Name |
| App.End | Triggers when you terminate a virtual app session. Note: This event type is not applicable when the application is launched within the desktop session. | App Name, Domain, Session Launch Type, Session Server Name, Session User Name |
| File.Download | Triggers when a user copies a file from remote virtual session to client device. It doesn’t get triggered for file transfers happening within the virtual sessions. Note: This event type is sent only when the server allows file redirection (check File Redirection Settings for more details) and client workspace File Access preference is set to Read and Write. | Domain, Download Device Type, Download File Name, Download File Path, Download File Size, Session Server Name, Session User Name |
| Printing | Triggers when you print a file with the Citrix Workspace app launched session through a client printer. Note: There are two technical limitations with Citrix Workspace app that affect printing events. First, the Printed Document Name telemetry is not included in the printing event due to a known issue across all platform variants. Second, the Printed File Size telemetry is not included in the printing event for Windows because of another known technical limitation. To collect these data sets (file name/file size), use the VDA.Print event. For more information, see Enabling print telemetry for Citrix DaaS. | Browser Name, Browser Version, Domain, Printer Name, Print File Format, Print File Size, Session Server Name, Session User Name |
| AppProtection.ScreenCapture | Triggers when a user tries to capture a screenshot while in a protected session. Note: For more information, see App Protection. | Protected App Titles, Screen Capture Tool Name, Screen Capture Tool Path |
| App.SaaS.Launch | Triggers when Citrix Workspace app launches a SaaS app in Citrix Enterprise Browser. | Browser Name, Browser Version, SaaS App Name, SaaS App URL |
| App.SaaS.End | Triggers when Citrix Workspace app closes a SaaS app in Citrix Enterprise Browser. | Browser Name, Browser Version, SaaS App URL |
| App.SaaS.Clipboard | Triggers when a clipboard operation is performed in Citrix Enterprise Browser. | Browser Name, Browser Version, Clipboard Details Format Size, Clipboard Details Format Type, Clipboard Details Initiator, Clipboard Details Result, Clipboard Operation, SaaS App URL |
| App.SaaS.File.Download | Triggers when a file is downloaded in Citrix Enterprise Browser. | Browser Name, Browser Version, Download Device Type, Download File Path, Download File Size |
| App.SaaS.File.Print | Triggers when print is initiated in Citrix Enterprise Browser. | Browser Name, Browser Version, Print File Name, SaaS App Name, SaaS App URL |
| App.SaaS.Url.Navigate | Triggers when Citrix Enterprise Browser navigates a URL. | Browser Name, Browser Version, SaaS App Name, SaaS App URL |
| Citrix.EventMonitor.AppStart | Triggers when an application added into the Session recording server’s app monitoring list is started within a virtual desktop session. | App Name |
| Citrix.EventMonitor.AppEnd | Triggers when an application added into the Session recording server’s app monitoring list is stopped within a virtual desktop session. | App Name |
| Citrix.EventMonitor.Clipboard | Triggers when a clipboard action has been performed within a session recording. | Clipboard Data Format Type, Process Name, Window Title |
| Citrix.EventMonitor.FileTransfer | Triggers when a user transfers a file between a virtual desktop session and the user’s machine. | File Size, Operation Direction (Host to Client, Client to Host), Source Path, Destination Path |
| Citrix.EventMonitor.RegistryChange | Triggers when a registry operation is performed. The possible registry operations are create, delete, rename, set value, and delete value. | Registry Operation, Registry Name, Registry Path, Process ID, Process File Path |
| Citrix.EventMonitor.SessionEnd | Triggers when a session recording ends. | Description |
| Citrix.EventMonitor.SessionLaunch | Triggers when a session recording has started. | Session Recording Type |
| Citrix.EventMonitor.TopMost | Triggers when the topmost window changes. | App Name |
| Citrix.EventMonitor.IdleStart | Triggers when a session becomes idle. | Check common fields as described above. |
| Citrix.EventMonitor.IdleEnd | Triggers when an idle session ends. | Check common fields as described above. |
| Citrix.EventMonitor.WebBrowsing | Triggers when a user interacts with webpages on browsers within a virtual desktop session. | App Name, URL |
| Citrix.EventMonitor.FileCreate | Triggers when a file or a folder is created in a virtual desktop session inside the monitored file system path. | File Name, File Path, File Size |
| Citrix.EventMonitor.FileRename | Triggers when a file or a folder is renamed in a virtual desktop session inside the monitored file system path. | Check common fields as described above. |
| Citrix.EventMonitor.FileMove | Triggers when a file or a folder from the monitored file system path is moved in a virtual desktop session or between session hosts (VDAs) and client devices. | Check common fields as described above. |
| Citrix.EventMonitor.FileDelete | Triggers when a file or a folder inside the monitored file system path is deleted in a virtual desktop session. | File Name, File Path, File Size |
| Citrix.EventMonitor.CDMUSBDriveAttach | Triggers when a Client Drive Mapping (CDM) mapped USB mass storage device is inserted in a client from which the virtual Apps and Desktop Session is connected. | Check common fields as described above. |
| Citrix.EventMonitor.GenericUSBDriveAttach | Triggers when a Generic redirected USB mass storage device is inserted in a client from which the virtual Apps and Desktop Session is connected. | Check common fields as described above. |
| Citrix.EventMonitor.RDPConnection | Triggers when a user creates a remote desktop connection within a VDA machine. | Destination IP, Process ID |
| Citrix.EventMonitor.UserAccountModification | Triggers for all types of user account operations: account creation, enablement, disablement, deletion, name changes, and password modification. | Description, Target User Name |
| VDA.Print | Triggers when a print job is initiated in Apps and Desktops. Note: This event is only applicable for Citrix DaaS data source. For more information, see Enabling print telemetry for Citrix DaaS. | Document User Name, Machine Name, Print File Name, Print File Size, Printer Name, Time, Total Copies Printed, Total Pages Printed |
| VDA.Clipboard | Triggers when a clipboard operation is performed in Apps and Desktops. Note: This event is only applicable for Citrix DaaS data source. For more information, see Enabling clipboard telemetry for Citrix DaaS. | Clipboard Format Type, Clipboard Operation, Clipboard Operation Direction, Clipboard Operation Permitted, Clipboard Size, Machine Name |

Note

All the session recording events require the policy for logging their events to be enabled on the Session Recording server. For more information, see Create a custom event detection policy.

Supported values for your search query

Enter the following values for the dimensions to define your search query.

| Dimension | Value | Type | Description |
| --- | --- | --- | --- |
| App-Name | Application or desktop sessions. Example application sessions: a session without farm name: #Cloud - Excel 2016; a session with the farm name: XA65PROD#Concur. Example desktop sessions: a session without farm name: #SINXIAP0616 $S1-1; a session with the farm name: XA65PROD#SINXIAP0616 $S1-1 | String | Name of an application or desktop launched. |
| App-Protection-Policies | Example: AntiScreenCaptureEnabled | String | Active application protection policies for the session. |
| Browser-Name | Example: Google Chrome, Citrix Enterprise Browser, Microsoft Edge, FIREFOX, SAFARI | String | Browser name |
| Browser-Version | Example: 80.0.3987.122, 101.0.9999.0 | String | Browser version |
| City | Examples: Santa Clara, Houston, Chicago | String | The city name of a user. |
| Client-IP | An IP address. Example: 10.10.10.10 | String | IP address of the user endpoint. |
| Client-Type | Android, Windows, Macintosh, Chrome, HTML5, Unix/Linux, iOS, SessionRecording, Monitor | String | Indicates different types of Citrix Workspace app based on the operating systems or original data-source. |
| Clipboard-Format-Type | Examples: text, html, CF_UNICODETEXT | String | The data format copied to the clipboard. |
| Clipboard-Initiator | Examples: Keyboard, context menu, javascript | String | Indicates how the clipboard operation was initiated. Note: Supported only by the SaaS applications. |
| Clipboard-Operation | Copy, cut, paste, or place | String | Indicates which clipboard operation is performed. Note: The place operation indicates data being placed on the clipboard. This does not guarantee that the data in the clipboard was pasted or used by the client. This operation is supported only for the VDA.Clipboard event. |
| Clipboard-Operation-Direction | Client To Host, Host To Client | String | Indicates the direction of clipboard operation. Note: Supported only by Apps and Desktop (Citrix DaaS) Clipboard Operation. |
| Clipboard-Operation-Permitted | Allowed or Denied | String | Indicates whether the clipboard operation is permitted in Apps and Desktop Session. Note: Supported only by Apps and Desktop (Citrix DaaS) Clipboard Operation. |
| Clipboard-Result | Success or Blocked | String | Indicates the result of the clipboard operation. Note: Supported only by the SaaS applications. |
| Clipboard-Size | Examples: 10, 20 | Number | Size of the data (in bytes) that is currently stored in the clipboard. |
| Country | Examples: USA, India | String | The country name of a user. |
| Description | For Citrix.EventMonitor.UserAccountModification events: A user account was created, a user account was enabled, an attempt was made to reset an account’s password. | String | Describes the user account modification status, such as the account was created, deleted, renamed, or an attempt was made to reset the password. |
|  | For Citrix.EventMonitor.SessionEnd events: Unknown, Logoff, Rollover, Trigger, and Incomplete |  | Describes the reason for end of the session recording. |
| Destination-IP | Example: 10.60.110.xxx | String | IP address of the remote desktop. |
| Destination-Path | Example: \H$\Desktop\Folder\example.txt | String | The final path of the file after the transfer is completed. |
| Device-ID | Example: cb781185-18ad-4f45-b75f | String | Device ID used for licensing, client name, or operating system hardware ID. |
| Domain | Example: example.com | Structure | The domain name of a server that sent a request. |
| Download-Device-Type | Examples: USB, Hard Disk Drive, RemoteDrive, cdrom, or browser downloads. | String | The device type where the file is downloaded or transferred. |
| Download-File-Format | Example: txt, PDF, xlsx, docx | String | The format of the file downloaded. |
| Download-File-Name | Example: example-file.txt | String | Name of the downloaded file. |
| Download-File-Path | Example: C:\Users\admin\Desktop | String | The path of the downloaded file. |
| Download-File-Size | Example: 8.05 | Number | The size of the downloaded file in kilobytes. |
| Event-Type | Account.Logon, Session.Logon, Session.End, App.Start, App.End, File.Download, Printing, AppProtection.ScreenCapture, App.SaaS.Launch, App.SaaS.End, App.SaaS.Clipboard, App.SaaS.File.Download, App.SaaS.File.Print, App.SaaS.Url.Navigate, Citrix.EventMonitor.AppStart, Citrix.EventMonitor.AppEnd, Citrix.EventMonitor.TopMost, Citrix.EventMonitor.WebBrowsing, Citrix.EventMonitor.FileCreate, Citrix.EventMonitor.FileRename, Citrix.EventMonitor.FileMove, Citrix.EventMonitor.FileDelete, Citrix.EventMonitor.CDMUSBDriveAttach, Citrix.EventMonitor.GenericUSBDriveAttach, Citrix.EventMonitor.RDPConnection, Citrix.EventMonitor.UserAccountModification, VDA.Print, VDA.Clipboard, Citrix.EventMonitor.RegistryChange, Citrix.EventMonitor.SessionLaunch, Citrix.EventMonitor.SessionEnd, Citrix.EventMonitor.Clipboard, Citrix.EventMonitor.FileTransfer | String | For more details, see Event types and supported fields. |
| Jail-Broken | Yes or No | String | Indicates if the device is rooted or not. Note: If this dimension is absent, the device is not rooted. This key applies to Citrix Workspace app for iOS and Android devices. |
| Operation-Direction | Host to Client / Client to Host | String | Indicates the direction of the file transfer. |
| OS-Extra-Info | Example: 20G80, Service Pack 1, 19043 | String | Indicates the additional information of the operating system such as build numbers, service packs, and patches. |
| OS-Name | Example: macOS 11, Windows 7, Android 8.1, Windows 10 Enterprise | String | Indicates the name of the operating system. |
| OS-Version | Example: 11.5.1, 14.7.1, 2009 | String | Indicates the version of the operating system. |
| Print-File-Format | Examples: PDF, PS, DOCX | String | Format of the printed file. |
| Print-File-Name | Example: example-file.pdf | String | Name of the printed file. |
| Print-File-Size | Examples: 10, 20 | String | Size of the printed file in bytes. |
| Printer-Name | Example: testprinter-1 | String | Name of the printer used. |
| Process-ID | Example: 11248 | String | Refers to the process ID that is used to identify the specific process that performs two actions: Creating a new process and Making a remote desktop connection. Process-ID is currently associated only with Citrix.EventMonitor.RDPConnection event. |
| Protected-App-Titles | Example: Admin Desktop - Citrix Workspace | String | Name of the application running in the protected session. |
| Registry-Name | Name of the modified registry | String | The name of the registry that was modified. |
| Registry-Operation | Rename, Create, Delete, SetValue, DeleteValue | String | Indicates which registry operation was performed. |
| Registry-Path | Path of the modified registry | String | The path of the registry that was modified. |
| SaaS-App-Name | Example: Workday | String | Name of the SaaS application. |
| SaaS-App-URL | Example: https://xyz.com | String | URL of the SaaS application or gateway/proxy URL. Note: The gateway/proxy URL appears in the App.SaaS.Launch Event when the SaaS application is launched initially. |
| Screen-Capture-Tool-Name | Example: ScreenShotTool.exe | String | Name of the screen capture tool. |
| Screen-Capture-Tool-Path | Example: c:\Program files (x86)\ScreenContent Client | String | Path of the screen capture tool. |
| Session-Launch-Type | Application or Desktop | String | Indicates if the launched session is an application or desktop type. |
| Session-Recording-Type | Traditional recording / Event only recording | String | Indicates the type of the launched session recording. |
| Session-Server-Name | Examples: Hosted Desktop, Cloud-VDA-1 | String | Name of the application or desktop connected to as received from a server. |
| Session-User-Name | Examples: demo-user, test-user | String | User name received from the server. |
| Source-Path | Example: C:\Users\admin\Desktop\example.txt | String | The initial path of the file before it was transferred. |
| Target-User-Name | Examples: user01 | String | Currently, the Target-User-Name is only used for the Citrix.EventMonitor.UserAccountModification event, in which it’s the user account which was modified. |
| Total-Copies-Printed | Examples: 1, 2 | Number | Total number of copies printed by the user. |
| Total-Pages-Printed | Examples: 1, 2 | Number | Total number of the document pages printed by the user. |
| User-Name | user name or Domain\username | String | The user name or domain\username. Used for StoreFront login. If the StoreFront logon is not through Citrix Workspace app for HTML5 or Chrome, then this value is same as the one received from server. |
| VDA-Name | Example: TSVDA-19-01.xd.local | String | Indicates the name of the VDA machine. |
| Window-Title | Example: Administrator - 01 Command Prompt | String | Indicates the title of the window in which the clipboard operation was performed. |
| Workspace-App-Version | Example: 20.8.0.3 (2008) | String | Citrix Workspace app or Citrix Receiver version installed on the user’s device and used to launch remote virtual Apps and Desktop Sessions. |
| Workspace-App-Status | Supported or Unsupported | String | Indicates whether the installed version of Citrix Workspace app or Citrix Receiver on the user’s device is supported or not supported by Citrix Analytics for Security. Hover over Unsupported when the Workspace App is not supported. A pop-up window appears with a link to view the list of supported versions. When a Workspace App version is approaching its unsupported status, a banner is displayed on the self-service search page, listing the available supported versions to which you can initiate an upgrade. |
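
As an added example (not Citrix code), the following Python function totals, per user, the data leaving a virtual session, using the units and value semantics given in the table above. The one-dictionary-per-event record layout, the sample values, and the 1024-byte kilobyte are assumptions.

```python
from collections import defaultdict

KB = 1024  # assumption: the page says "kilobytes" without stating the base

# Constructed sample records. Keys are dimension names from the table above;
# the one-dict-per-event layout is an assumption, not a documented export format.
EVENTS = [
    {"Event-Type": "File.Download", "User-Name": "demo-user",
     "Download-Device-Type": "USB", "Download-File-Size": 8.5},
    {"Event-Type": "VDA.Clipboard", "User-Name": "demo-user",
     "Clipboard-Operation": "copy", "Clipboard-Operation-Direction": "Host To Client",
     "Clipboard-Operation-Permitted": "Allowed", "Clipboard-Size": 2048},
    {"Event-Type": "VDA.Clipboard", "User-Name": "demo-user",
     "Clipboard-Operation": "copy", "Clipboard-Operation-Direction": "Host To Client",
     "Clipboard-Operation-Permitted": "Denied", "Clipboard-Size": 500000},
    {"Event-Type": "VDA.Clipboard", "User-Name": "test-user",
     "Clipboard-Operation": "paste", "Clipboard-Operation-Direction": "Client To Host",
     "Clipboard-Operation-Permitted": "Allowed", "Clipboard-Size": 100},
    # Printing events from Windows clients carry no Print-File-Size (see the note above).
    {"Event-Type": "Printing", "User-Name": "test-user", "Printer-Name": "testprinter-1"},
    {"Event-Type": "Printing", "User-Name": "test-user",
     "Printer-Name": "testprinter-1", "Print-File-Size": "20"},
    {"Event-Type": "Session.Logon", "User-Name": "test-user", "Jail-Broken": "Yes"},
    {"Event-Type": "Session.Logon", "User-Name": "demo-user"},  # Jail-Broken absent
]


def summarize_egress(events):
    """Return per-user egress totals in bytes, normalised across event types."""
    out = defaultdict(lambda: {"bytes_out": 0, "removable_downloads": 0,
                               "denied_clipboard": 0, "unsized_prints": 0,
                               "rooted_device": False})
    for ev in events:
        user = out[ev["User-Name"]]
        etype = ev["Event-Type"]
        # An absent Jail-Broken key means the device is not rooted.
        if ev.get("Jail-Broken", "No") == "Yes":
            user["rooted_device"] = True
        if etype == "File.Download":
            # Download-File-Size is a Number in kilobytes; convert to bytes.
            user["bytes_out"] += round(float(ev["Download-File-Size"]) * KB)
            if ev.get("Download-Device-Type") == "USB":
                user["removable_downloads"] += 1
        elif etype == "VDA.Clipboard":
            # Direction strings differ in letter case between dimensions,
            # so compare case-insensitively. Only host-to-client leaves the session.
            if ev.get("Clipboard-Operation-Direction", "").lower() != "host to client":
                continue
            if ev.get("Clipboard-Operation-Permitted") == "Denied":
                user["denied_clipboard"] += 1   # blocked attempt, no data moved
            else:
                # Clipboard-Size is in bytes. A "place" operation does not prove
                # the data was pasted, so this total is an upper bound.
                user["bytes_out"] += int(ev.get("Clipboard-Size", 0))
        elif etype == "Printing":
            size = ev.get("Print-File-Size")    # String type, in bytes
            if size is None:
                user["unsized_prints"] += 1     # count it; size is unknown
            else:
                user["bytes_out"] += int(size)
    return {name: dict(stats) for name, stats in out.items()}
```

Counting unsized prints separately keeps Windows print activity visible even though its size cannot be added to the byte total.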

Operating system naming format

Citrix Analytics receives the operating system (OS) details of a user device and translates them into OS Name, OS Version, and OS Extra Info.

  • OS Name indicates the name of the operating system.

  • OS Version indicates the release ID or the release version of the operating system.

  • OS Extra Info indicates the additional information of the operating system such as build numbers, service packs, and patches.

The following table provides a few examples of the version numbering format of operating systems.

| OS Name | OS Version | OS Extra Info |
| --- | --- | --- |
| macOS 11 | 11.5.1 | 20G80 |
| iOS 14 | 14.7.1 | Not Available |
| Windows 10 Enterprise | 2009 | 19043 |
| Windows 7 | 6.1 | Service Pack 1 |
| Android 8.1 | 8.1.0 | Not Available |

Notes

  • To get the OS details for Mac version 11.x or later, the recommended client version is Citrix Workspace app for Mac 2108 or later.

  • The OS details for Windows 10 are currently not available.
