Citrix Analytics for Security

Citrix Analytics data exports format for SIEM

Citrix Analytics for Security allows you to integrate with your Security Information and Event Management (SIEM) services. This integration enables Citrix Analytics for Security to send data to your SIEM services and helps you gain insight into your organization’s security risk posture.

Currently, you can integrate Citrix Analytics for Security with the following SIEM services:

The Data Exports option is now globally available under Settings. To view the Data source events, navigate to Settings > Data Exports > Data source events.

Data export

The risk insights data sent by Citrix Analytics for Security to your SIEM service are of two types:

  • Risk insights events (Default exports)
  • Data Source events (Optional exports)

    Data exports

Risk insights data for SIEM

Once you have completed the account configuration and SIEM setup, default datasets (risk insights events) start flowing into your SIEM deployment. Risk insights datasets include user risk score events, user profile events, and risk indicator alerts. These are generated by Citrix Analytics machine learning algorithms and user behavior analysis, by leveraging user events.

The risk insights datasets of a user include the following:

  • Risk score change: Indicates a change in the user’s risk score. When a user’s risk score change is equal to or more than 3 and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
  • Risk indicator summary: The details of the risk indicator triggered for a user.
  • Risk indicator event details: The user events associated with a risk indicator. Citrix Analytics sends a maximum of 1000 event details for each risk indicator occurrence to your SIEM service. These events are sent in chronological order of occurrence.
  • User risk score event: The current risk score of a user. Citrix Analytics for Security sends this data to the SIEM service every 12 hours.
  • User profile: The user profile data can be categorized into:

    • User apps: The applications that a user has launched and used. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and sends it to the SIEM service every 12 hours.
    • User device: The devices associated with a user. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Citrix Endpoint Management and sends it to SIEM service every 12 hours.
    • User location: The city that a user was last detected in. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). Citrix Analytics for Security sends this information to your SIEM service every 12 hours.
    • User client IP: The client IP address of the user device. Citrix Analytics for Security retrieves this data from Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), and sends this information to your SIEM service every 12 hours.

If you are only able to view but unable to configure data source event preferences, then you do not have the necessary administrator permissions. To learn more, see Manage Administrator roles for Security Analytics.

In the following example, the Save Changes button is disabled. The risk insight events are enabled by default.

Risk insights data

Schema details of the risk insights events

The following section describes the schema of the processed data generated by Citrix Analytics for Security.

Note

The field values shown in the following schema samples are only for representational purposes. The actual field values vary based on the user profile, user events, and the risk indicator.

The following table describes the field names that are common across the schema for all user profile data, user risk score, and risk score change.

Field name Description
entity_id The identity associated with the entity. In this case, the entity is the user.
entity_type The entity at risk. In this case, the entity is the user.
event_type The type of data sent to your SIEM service. For example: user’s location, user’s data usage, or user’s device access information.
tenant_id The unique identity of the customer.
timestamp The date and time of the recent user activity.
version The schema version of the processed data. The current schema version is 2.

User profile data schema

User location schema


{
  "tenant_id": "demo_tenant", "entity_id": "demo_user", "entity_type": "user", "timestamp": "2021-02-10T15:00:00Z", "event_type": "userProfileLocation", "country": "India", "city": "Bengaluru", "cnt": 4, "version": 2
  }

<!--NeedCopy-->

Field description for user location

Field name Description
event_type The type of data sent to the SIEM service. In this case, the event type is the user’s location.
country The country from where the user has logged in.
city The city from where the user has logged in.
cnt The number of times the location was accessed in the last 12 hours.

User client IP schema


{
  "client_ip": "149.147.136.10",
  "cnt": 3,
  "entity_id": "r2_up_user_1",
  "entity_type": "user",
  "event_type": "userProfileClientIps",
  "tenant_id": "xaxddaily1",
  "timestamp": "2023-09-18T10:45:00Z",
  "version": 2
}


<!--NeedCopy-->

Field description for client IP

Field name Description
client_ip The IP address of the user device.
cnt The number of times the user has accessed the device in the last 12 hours.
entity_id The identity associated with the entity. In this case, the entity is the user.
entity_type The entity at risk. In this case, the event type is the user’s client IP.
event_type The type of data sent to your SIEM service. For example: the user’s location, the user’s data usage, or the user’s device access information.
tenant_id The unique identity of the customer.
timestamp The date and time of the recent user activity..
version The schema version of the processed data. The current schema version is 2.

User data usage schema


{
  "data_usage_bytes": 87555255, "deleted_file_cnt": 0, "downloaded_bytes": 87555255, "downloaded_file_cnt": 5, "entity_id": "demo@demo.com", "entity_type": "user", "event_type": "userProfileUsage", "shared_file_cnt": 0, "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "uploaded_bytes": 0, "uploaded_file_cnt": 0, "version": 2
  }

<!--NeedCopy-->

Field description for user data usage

Field name Description
data_usage_bytes The amount of data (in bytes) used by the user. It is the aggregate of the downloaded and uploaded volume for a user.
deleted_file_cnt The number of files deleted by the user.
downloaded_bytes The amount of data downloaded by the user.
downloaded_file_count The number of files downloaded by the user.
event_type The type of data sent to the SIEM service. In this case, the event type is the user’s usage profile.
shared_file_count The number of files shared by the user.
uploaded_bytes The amount of data uploaded by the user.
uploaded_file_cnt The number of files uploaded by the user.

User device schema


{
  "cnt": 2, "device": "user1612978536 (Windows)", "entity_id": "demo", "entity_type": "user", "event_type": "userProfileDevice", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T21:00:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for user device.

Field name Description
cnt The number of times the device is accessed in the last 12 hours.
device The name of the device.
event_type The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.

User app schema


{
  "tenant_id": "demo_tenant", "entity_id": "demo", "entity_type": "user", "timestamp": "2021-02-10T21:00:00Z", "event_type": "userProfileApp", "version": 2, "session_domain": "99e38d488136f62f828d4823edd120b4f32d724396a7410e6dd1b0", "user_samaccountname": "testnameeikragz779", "app": "Chromeeikragz779", "cnt": 189
  }

<!--NeedCopy-->

Field description for user app.

Field name Description
event_type The type of data sent to the SIEM service. In this case, the event type is the user’s device access information.
session_domain The ID of the session that the user has logged on.
user_samaccountname The logon name for clients and servers from a previous version of Windows such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. This name is used to log on to Citrix StoreFront and also logon to a remote Windows machine.
app The name of the application accessed by the user.
cnt The number of times the application is accessed in the last 12 hours.

User risk score schema


{
  "cur_riskscore": 7, "entity_id": "demo", "entity_type": "user", "event_type": "userProfileRiskscore", "last_update_timestamp": "2021-01-21T16:14:29Z", "tenant_id": "demo_tenant", "timestamp": "2021-02-10T20:45:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for user risk score.

Field name Description
cur_riskscore The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
event_type The type of data sent to the SIEM service. In this case, the event type is the user’s risk score.
last_update_timestamp The time when the risk score was last updated for a user.
timestamp The time when the user risk score event is collected and sent to your SIEM service. This event is sent to your SIEM service after every 12 hours.

Risk score change schema

Sample 1:


{
  "alert_message": "Large risk score drop percent since last check", "alert_type": "riskscore_large_drop_pct", "alert_value": -21.73913, "cur_riskscore": 18, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T05:45:00Z", "version": 2
  }

<!--NeedCopy-->

Sample 2:


{
  "alert_message": "Risk score increase since last check", "alert_type": "riskscore_increase", "alert_value": 39.0, "cur_riskscore": 76, "entity_id": "demo_user", "entity_type": "user", "event_type": "riskScoreChange", "tenant_id": "demo_tenant", "timestamp": "2021-02-11T03:45:00Z", "version": 2
  }

<!--NeedCopy-->

Field description for risk score change.

Field name Description
alert_message The message displayed for the risk score change.
alert_type Indicates whether the alert is for increase in risk score or significant drop in risk score percentage. When a user’s risk score change is equal to or more than three and this change increases at any rate or drops by more than 10%, the data is sent to the SIEM service.
alert_value A numerical value assigned for the risk score change. The risk score change is the difference between the current risk score and the previous risk score for a user. The alert value varies from -100 to 100.
cur_riskscore The current risk score assigned to the user. The risk score varies from 0 to 100 depending on the threat severity associated with the user’s activity.
event_type The type of data sent to the SIEM service. In this case, the event type is the change in the user’s risk score.
timestamp The date and time when the latest change in the risk score is detected for the user.

Risk indicator schema

The risk indicator schema consists of two parts: indictor summary schema and indicator event details schema. Based on the risk indicator, the fields and their values in the schema change accordingly.

The following table describes the field names common across all indicator summary schema.

Field name Description
data source The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
data_source_id The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
entity_type The entity at risk. It can be a user.
entity_id The ID associated with the entity at risk.
event_type The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
indicator_category Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
indicator_id The unique ID associated with the risk indicator.
indicator_category_id The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
indicator_name The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
indicator_type Indicates whether the risk indicator is default (built-in) or custom.
indicator_uuid The unique ID associated with the risk indicator instance.
indicator_vector_name Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
indicator_vector_id The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
occurrence_details The details about the risk indicator triggering condition.
risk_probability Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
severity Indicates the severity of the risk. It can be low, medium, or high.
tenant_id The unique identity of the customer.
timestamp The date and the time when the risk indicator is triggered.
ui_link The link to the user timeline view on the Citrix Analytics user interface.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.

The following table describes the field names common across all the indicator event details schema.

Field name Description
data_source_id The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
indicator_category_id The ID associated with a risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoint
entity_id The ID associated with the entity at risk.
entity_type The entity that is at risk. It can be user.
event_type The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
indicator_id The unique ID associated with the risk indicator.
indicator_uuid The unique ID associated with the risk indicator instance.
indicator_vector_name Indicates the risk vector associated with a risk indicator. The risk vectors are Device-based Risk Indicators, Location-based Risk Indicators, Logon-failure-based Risk Indicators, IP-based Risk Indicators, Data-based Risk Indicators, File-based Risk Indicators, and Other Risk Indicators.
indicator_vector_id The ID associated with a risk vector. ID 1 = Device-based Risk Indicators, ID 2 = Location-based Risk Indicators, ID 3 = Logon-failure-based Risk Indicators, ID 4 = IP-based Risk Indicators, ID 5 = Data-based Risk Indicators, ID 6 = File-based Risk Indicators, ID 7 = Other Risk Indicators, and ID 999 = Not available
tenant_id The unique identity of the customer.
timestamp The date and the time when the risk indicator is triggered.
version The schema version of the processed data. The current schema version is 2.
client_ip The IP address of the user’s device.

Note

  • If an integer data type field value is unavailable, the value assigned is -999. For example, "latitude": -999, "longitude": -999.

  • If a string data type field value is unavailable, the value assigned is NA. For example, "city": "NA", "region": "NA".

Citrix Secure Private Access risk indicators schema

Attempt to access blacklisted URL risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "8f2a39bd-c7c2-5555-a86a-5cfe5b64dfef",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:59:58Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Attempt to access blacklisted URL",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-15T10:44:59Z",
    "relevant_event_type": "Blacklisted External Resource Access"
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 401,
  "indicator_uuid": "c421f3f8-33d8-59b9-ad47-715b9d4f65f4",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-15T10:57:21Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "googleads.g.doubleclick.net",
  "executed_action": "blocked",
  "reason_for_action": "URL Category match",
  "client_ip": "157.xx.xxx.xxx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Attempt to access the blacklisted URL.

Field name Description
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
executed_action The action applied on the blacklisted URL. The action includes Allow and Block.
reason_for_action The reason for the applying the action for the URL.

Excessive data downloads risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Excessive data download",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 403,
  "indicator_uuid": "67d21b81-a89a-531e-af0b-c5688c2e9d40",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "downloaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive data downloads.

Field name Description
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
data_volume_in_bytes The amount of data in bytes that is downloaded.
relevant_event_type Indicates the type of the user event.
domain_name The name of the domain from which data is downloaded.
downloaded_bytes The amount of data in bytes that is downloaded.

Unusual upload volume risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "4f2a249c-9d05-5409-9c5f-f4c764f50e67",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Insider threats",
  "indicator_name": "Unusual upload volume",
  "severity": "low",
  "data_source": "Citrix Secure Private Access",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2018-03-16T10:00:00Z",
    "data_volume_in_bytes": 24000,
    "relevant_event_type": "External Resource Access"
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 402,
  "indicator_uuid": "c6abf40c-9b62-5db4-84bc-5b2cd2c0ca5f",
  "indicator_category_id": 2,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 4,
  "timestamp": "2018-03-16T10:30:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "domain_name": "www.facebook.com",
  "client_ip": "157.xx.xxx.xxx",
  "uploaded_bytes": 24000
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual upload volume.

Field names Description
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
data_volume_in_bytes The amount of data in bytes that is uploaded.
relevant_event_type Indicates the type of the user event.
domain_name The name of the domain in which the data is uploaded.
uploaded_bytes The amount of data in bytes that is uploaded.

Citrix Endpoint Management risk indicators schema

Jailbroken or rooted device detected indicators schema

Indicator summary schema

{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 200,
  "indicator_name": "Jailbroken / Rooted Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "aa872f86-a991-4219-ad01-2a070b6e633d",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:05Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->
Indicator event details schema
{
  "indicator_id": 200,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "9aaaa9e1-39ad-4daf-ae8b-2fa2caa60732",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:35Z",
  "version": 2
}

<!--NeedCopy-->

Device with blacklisted apps detected

Indicator summary schema
{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 201,
  "indicator_name": "Device with Blacklisted Apps Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "3ff7bd54-4319-46b6-8b98-58a9a50ae9a7",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T17:49:23Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->
Indicator event details schema
{
  "indicator_id": 201,
  "client_ip": "122.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "743cd13a-2596-4323-8da9-1ac279232894",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T17:50:39Z",
  "version": 2
}

<!--NeedCopy-->

Unmanaged Device Detected

Indicator summary schema
{
  "data_source": "Citrix Endpoint Management",
  "data_source_id": 2,
  "indicator_id": 203,
  "indicator_name": "Unmanaged Device Detected",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised endpoints",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_type": "builtin",
  "indicator_uuid": "e28b8186-496b-44ff-9ddc-ae50e87bd757",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-13T12:56:30Z",
  "ui_link": "https://analytics.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->
Indicator event details schema
{
  "indicator_id": 203,
  "client_ip": "127.xx.xx.xxx",
  "data_source_id": 2,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_category_id": 4,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "indicator_uuid": "dd280122-04f2-42b4-b9fc-92a715c907a0",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-04-09T18:41:30Z",
  "version": 2
}

<!--NeedCopy-->

Citrix Gateway risk indicators schema

EPA scan failure risk indicator schema

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "EPA scan failure",
  "severity": "low",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "event_description": "Post auth failed, no quarantine",
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "EPA Scan Failure at Logon"
  }
}

<!--NeedCopy-->
Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 100,
  "indicator_uuid": "3c17454c-86f5-588a-a4ac-0342693d8a70",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Other Risk Indicators",
    "id": 7 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:12:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Post auth failed, no quarantine",
  "gateway_domain_name": "10.102.xx.xx",
  "gateway_ip": "56.xx.xxx.xx",
  "policy_name": "postauth_act_1",
  "client_ip": "210.91.xx.xxx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "cs_vserver_name": "demo_vserver",
  "device_os": "Windows OS",
  "security_expression": "CLIENT.OS(Win12) EXISTS",
  "vpn_vserver_name": "demo_vpn_vserver",
  "vserver_fqdn": "10.xxx.xx.xx"
}
<!--NeedCopy-->

The table describes the field names specific to the summary schema and the event details schema for the EPA scan failure risk indicator.

Field names Description
event_description Describes the reasons for EPA scan failure such as post authentication failed and no quarantine group.
relevant_event_type Indicates the type of the EPA scan failure event.
gateway_domain_name The domain name of Citrix Gateway.
gateway_ip The IP address of Citrix Gateway.
policy_name The EPA scan policy name configured on the Citrix Gateway.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.
cs_vserver_name The name of the content switch virtual server.
device_os The operating system of the user’s device.
security_expression The security expression configured on the Citrix Gateway.
vpn_vserver_name The name of the Citrix Gateway virtual server.
vserver_fqdn The FQDN of the Citrix Gateway virtual server.

Excessive authentication failure risk indicator schema

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "4bc0f759-93e0-5eea-9967-ed69de9dd09a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Excessive authentication failures",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/”,
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2017-12-21T07:00:00Z",
    "relevant_event_type": "Logon Failure"
  }
}
<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 101,
  "indicator_uuid": "a391cd1a-d298-57c3-a17b-01f159b26b99",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2017-12-21T07:10:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo-user",
  "version": 2,
  "event_description": "Bad (format) password passed to nsaaad",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "auth_server_ip": "10.xxx.x.xx",
  "client_ip": "24.xxx.xxx.xx",
  "gateway_ip": "24.xxx.xxx.xx",
  "vserver_fqdn": "demo-fqdn.citrix.com",
  "vpn_vserver_name": "demo_vpn_vserver",
  "cs_vserver_name": "demo_cs_vserver",
  "gateway_domain_name": "xyz",
  "country": "United States",
  "region": "California",
  "city": "San Jose",
  "nth_failure": 5
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Excessive authentication failure.

Field names Description
relevant_event_type Indicates the type of event such as logon failure.
event_description Describes the reason for the excessive authentication failure event such as an incorrect password.
authentication_stage Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type Indicates the types of authentication such as LDAP, Local, or OAuth.
auth_server_ip The IP address of the authentication server.
gateway_domain_name The domain name of Citrix Gateway.
gateway_ip The IP address of Citrix Gateway.
cs_vserver_name The name of the content switch virtual server.
vpn_vserver_name The name of the Citrix Gateway virtual server.
vserver_fqdn The FQDN of the Citrix Gateway virtual server.
nth_failure The number of times the user authentication has failed.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Impossible travel risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "111",
  "indicator_uuid": "83d68a6d-6588-5b77-9118-8a9e6a5b462b",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 1,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_os": "Linux OS",
  "device_browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name Description
distance The distance (km) between the events associated with impossible travel.
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
device_browser The web browser used by the user.
device_os The operating system of the user’s device.
ip_organization Registering organization of the client IP address
ip_routing_type Client IP routing type

Logon from suspicious IP risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "0100e910-561a-5ff3-b2a8-fc556d199ba5",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.91,
  "indicator_category": "Compromised users",
  "indicator_name": "Logon from suspicious IP",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon",
    "client_ip": "1.0.xxx.xx",
    "observation_start_time": "2019-10-10T10:00:00Z",
    "suspicion_reasons": "brute_force|external_threat"
  }
}
<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 102,
  "indicator_uuid": "4ba77b6c-bac0-5ad0-9b4a-c459a3e2ec33",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "data_source_id": 1,
  "timestamp": "2019-10-10T10:11:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "suspicion_reasons": "external_threat",
  "gateway_ip": "gIP1",
  "client_ip": "128.0.xxx.xxx",
  "country": "Sweden",
  "city": "Stockholm",
  "region": "Stockholm",
  "webroot_reputation": 14,
  "webroot_threat_categories": "Windows Exploits|Botnets|Proxy",
  "device_os": "Windows OS",
  "device_browser": "Chrome"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Login from a suspicious IP.

Field name Description
suspicious_reasons The reason for the IP address to be identified as suspicious.
webroot_reputation The IP reputation index provided by the threat intelligence provider- Webroot.
webroot_threat_categories The threat category identified for the suspicious IP by the threat intelligence provider- Webroot.
device_os The operating system of the user device.
device_browser The web browser used.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Unusual authentication failure risk indicator schema

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "dc0174c9-247a-5e48-a2ab-d5f92cd83d0f",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:44:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Unusual authentication failure",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Logon Failure",
    "observation_start_time": "2020-04-01T05:45:00Z"
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 109,
  "indicator_uuid": "ef4b9830-39d6-5b41-bdf3-84873a77ea9a",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Logon-Failure-Based Risk Indicators",
    "id": 3 },
  "data_source_id": 1,
  "timestamp": "2020-04-01T06:42:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "event_description": "Success",
  "authentication_stage": "Secondary",
  "authentication_type": "LDAP",
  "client_ip": "99.xxx.xx.xx",
  "country": "United States",
  "city": "San Jose",
  "region": "California",
  "device_os": "Windows OS ",
  "device_browser": "Chrome",
  "is_risky": "false"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Unusual authentication failure.

Field names Description
relevant_event_type Indicates the type of event such as logon failure.
event_description Indicates whether the logon is successful or unsuccessful
authentication_stage Indicates whether the authentication stage is primary, secondary, or tertiary.
authentication_type Indicates the types of authentication such as LDAP, Local, or OAuth.
is_risky For a successful logon, the is_risky value is false. For an unsuccessful logon, the is_risky value is true.
device_os The operating system of the user device.
device_browser The web browser used by the user.
country The country from which the user activity has been detected.
city The city from which the user activity has been detected.
region The region from which the user activity has been detected.

Suspicious logon risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd935-a6a3-5397-b596-636aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 0.71,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Gateway",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "observation_start_time": "2020-06-06T12:00:00Z",
    "relevant_event_type": "Logon",
    "event_count": 1,
    "historical_observation_period_in_days": 30,
    "country": "United States",
    "region": "Florida",
    "city": "Miami",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"New York\",\"city\":\"New York City\",\"latitude\":40.7128,\"longitude\":-74.0060,\"count\":9}]",
    "user_location_risk": 75,
    "device_id": "",
    "device_os": "Windows OS",
    "device_browser": "Chrome",
    "user_device_risk": 0,
    "client_ip": "99.xxx.xx.xx",
    "user_network_risk": 75,
    "webroot_threat_categories": "Phishing",
    "suspicious_network_risk": 89
  }
}


<!--NeedCopy-->
Indicator event details schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "110",
  "indicator_uuid": "67fd6935-a6a3-5397-b596-63856aa1588c",
  "indicator_category_id": 3,
  "indicator_vector": [
    {
      "name": "Location-Based Risk Indicators",
      "id": 2
    },
    {
      "name": "IP-Based Risk Indicators",
      "id": 4
    },
    {
      "name": "Other Risk Indicators",
      "id": 7
    }
  ],
  "data_source_id": 1,
  "timestamp": "2020-06-06T12:08:40Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "country": "United States",
  "region": "Florida",
  "city": "Miami",
  "latitude": 25.7617,
  "longitude": -80.1918,
  "device_browser": "Chrome",
  "device_os": "Windows OS",
  "device_id": "NA",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name Description
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
occurrence_event_type Indicates the user event type such as account logon.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
device_browser The web browser used by the user.
device_os The operating system of the user’s device.
device_id The name of the device used by the user.
user_location_risk Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_device_risk Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_network_risk Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
suspicious_network_risk Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
webroot_threat_categories Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Citrix DaaS and Citrix Virtual Apps and Desktops risk indicators schema

Impossible travel risk indicator

Indicator summary schema
{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Compromised users",
  "indicator_name": "Impossible travel",
  "severity": "medium",
  "data_source": "Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Impossible travel",
    "distance": 7480.44718,
    "observation_start_time": "2020-06-06T12:00:00Z",
    "historical_logon_locations": "[{\"country\":\"United States\",\"region\":\"Florida\",\"city\":\"Miami\",\"latitude\":25.7617,\"longitude\":-80.191,\"count\":28},{\"country\":\"United States\",\"latitude\":37.0902,\"longitude\":-95.7129,\"count\":2}]",
    "historical_observation_period_in_days": 30
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": "313",
  "indicator_uuid": "c78d1dd4-5e70-5642-ba6f-1cdf31bc6ab2",
  "pair_id": 2,
  "indicator_category_id": 3,
  "indicator_vector": {
    "name": "Location-Based Risk Indicators",
    "id": 2
  },
  "data_source_id": 3,
  "timestamp": "2020-06-06T05:05:00Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "client_ip": "95.xxx.xx.xx",
  “ip_organization”: “global telecom ltd”,
  “ip_routing_type”: “mobile gateway”,
  "country": "Norway",
  "region": "Oslo",
  "city": "Oslo",
  "latitude": 59.9139,
  "longitude": 10.7522,
  "device_id": "device1",
  "receiver_type": "XA.Receiver.Linux",
  "os": "Linux OS",
  "browser": "Chrome 62.0.3202.94"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Impossible travel.

Field name Description
distance The distance (km) between the events associated with impossible travel.
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
browser The web browser used by the user.
os The operating system of the user’s device.
device_id The name of the device used by the user.
receiver_type The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
ip_organization Registering organization of the client IP address
ip_routing_type Client IP routing type

Potential data exfiltration risk indicator

Indicator summary schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:59:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "risk_probability": 1,
  "indicator_category": "Data exfiltration",
  "indicator_name": "Potential data exfiltration",
  "severity": "low",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details": {
    "relevant_event_type": "Download/Print/Copy",
    "observation_start_time": "2018-04-02T10:00:00Z",
    "exfil_data_volume_in_bytes": 1172000
  }
}

<!--NeedCopy-->
Indicator event details schema

{
  "tenant_id": "demo_tenant",
  "indicator_id": 303,
  "indicator_uuid": "fb649ff7-5b09-5f48-8a04-12836b9eed85",
  "indicator_category_id": 1,
  "indicator_vector": {
    "name": "Data-Based Risk Indicators",
    "id": 5 },
  "data_source_id": 3,
  "timestamp": "2018-04-02T10:57:36Z",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "demo_user",
  "version": 2,
  "occurrence_event_type": "App.SaaS.Clipboard",
  "file_size_in_bytes": 98000,
  "file_type": "text",
  "device_id": "dvc5",
  "receiver_type": "XA.Receiver.Windows",
  "app_url": "https://www.citrix.com",
  "client_ip": "10.xxx.xx.xxx",
  "entity_time_zone": "Pacific Standard Time"
}

<!--NeedCopy-->

The following table describes the fields specific to the summary schema and the event details schema for Potential data exfiltration.

Field name Description
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
relevant_event_type Indicates the user activity such as download, print, or copy the data.
exfil_data_volume_in_bytes The amount of data exfiltration.
occurrence_event_type Indicates how the data exfiltration has happened such as the clipboard operation in a SaaS app.
file_size_in_bytes The size of the file.
file_type The type of the file.
device_id The ID of the user device.
receiver_type The Citrix Workspace app or Citrix Receiver installed on the user device.
app_url The URL of the application that is accessed by the user.
entity_time_zone The time zone of the user.

Suspicious logon risk indicator schema

Indicator summary schema
{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06T12:14:59Z",
  "event_type": "indicatorSummary",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "risk_probability": 0.78,
  "indicator_category": "Compromised users",
  "indicator_name": "Suspicious logon",
  "severity": "medium",
  "data_source": "Citrix Apps and Desktops",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "indicator_type": "builtin",
  "occurrence_details":
  {
    "user_location_risk": 0,
    "city": "Some_city",
    "observation_start_time": "2020-06-06T12:00:00Z",
    "event_count": 1,
    "user_device_risk": 75,
    "country": "United States",
    "device_id": "device2",
    "region": "Some_Region",
    "client_ip": "99.xx.xx.xx",
    "webroot_threat_categories": "'Spam Sources', 'Windows Exploits', 'Web Attacks', 'Botnets', 'Scanners', 'Denial of Service'",
    "historical_logon_locations": "[{\"country\":\"United States\",\"latitude\":45.0,\"longitude\":45.0,\"count\":12},{\"country\":\"United States\",\"region\":\"Some_Region_A\",\"city\":\"Some_City_A\",\"latitude\":0.0,\"longitude\":0.0,\"count\":8}]",
    "relevant_event_type": "Logon",
    "user_network_risk": 100,
    "historical_observation_period_in_days": 30,
    "suspicious_network_risk": 0
  }
}

<!--NeedCopy-->
Indicator event details schema
{
  "tenant_id": "tenant_1",
  "indicator_id": "312",
  "indicator_uuid": "1b97c3be-abcd-efgh-ijkl-1234567890",
  "indicator_category_id": 3,
  "indicator_vector":
  [
    {
      "name": "Other Risk Indicators",
      "id": 7
    },
    {
      "name":"Location-Based Risk Indicators",
      "id":2
    },
    {
      "name":"IP-Based Risk Indicators",
      "id":4
    },
    {
      "name": "Device-Based Risk Indicators",
      "id": 1
    },
  ],
  "data_source_id": 3,
  "timestamp": "2020-06-06 12:02:30",
  "event_type": "indicatorEventDetails",
  "entity_type": "user",
  "entity_id": "user2",
  "version": 2,
  "occurrence_event_type": "Account.Logon",
  "city": "Some_city",
  "country": "United States",
  "region": "Some_Region",
  "latitude": 37.751,
  "longitude": -97.822,
  "browser": "Firefox 1.3",
  "os": "Windows OS",
  "device_id": "device2",
  "receiver_type": "XA.Receiver.Chrome",
  "client_ip": "99.xxx.xx.xx"
}

<!--NeedCopy-->

The following table describes the field names specific to the summary schema and the event details schema for Suspicious logon.

Field name Description
historical_logon_locations The locations accessed by the user and the number of times each location has been accessed during the observation period.
historical_observation_period_in_days Each location is monitored for 30 days.
relevant_event_type Indicates the type of event such as logon.
observation_start_time The time from which Citrix Analytics starts monitoring the user activity until the time stamp. If any anomalous behavior is detected in this time period, a risk indicator is triggered.
occurrence_event_type Indicates the user event type such as account logon.
country The country from which the user has logged on.
city The city from which the user has logged on.
region Indicates the region from which the user has logged on.
latitude Indicates the latitude of the location from which the user has logged on.
longitude Indicates the longitude of the location from which the user has logged on.
browser The web browser used by the user.
os The operating system of the user’s device.
device_id The name of the device used by the user.
receiver_type The type of the Citrix Workspace app or Citrix Receiver installed on the user’s device.
user_location_risk Indicates the suspicion level of the location from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_device_risk Indicates the suspicion level of the device from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
user_network_risk Indicates the suspicion level of the network or the subnet from which the user has logged on. Low suspicion level: 0–69, Medium suspicion level: 70–89, and High suspicion level: 90–100
suspicious_network_risk Indicates the IP threat level based on the Webroot IP threat intelligence feed. Low threat level: 0–69, Medium threat level: 70–89, and High threat level: 90–100
webroot_threat_categories Indicates the types of threat detected from the IP address based on the Webroot IP threat intelligence feed. The threat categories can be Spam Sources, Windows Exploits, Web Attacks, Botnets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Unspecified, Mobile Threats, and Tor Proxy

Microsoft Active Directory Indicator

Indicator summary schema

{
  "data_source": "Microsoft Graph Security",
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_id": 1000,
  "indicator_name": "MS Active Directory Indicator",
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_type": "builtin",
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "occurrence_details": {},
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "ui_link": "https://analytics-daily.cloud.com/user/",
  "version": 2
}

<!--NeedCopy-->

Indicator event details schema

{
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorEventDetails",
  "indicator_id": 1000,
  "indicator_vector": {
    "name": "IP-Based Risk Indicators",
    "id": 4 },
  "indicator_uuid": "9880f479-9fbe-4ab0-8348-a613f9de5eba",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-01-27T16:03:46Z",
  "version": 2
}

<!--NeedCopy-->

Custom risk indicator schema

The following section describes the schema for the custom risk indicator.

Note

Currently, Citrix Analytics sends the data related to the custom risk indicators of Citrix DaaS and Citrix Virtual Apps and Desktops to your SIEM service.

The following table describes the field names for the custom risk indicator summary schema.

Field name Description
data source The products that send data to Citrix Analytics for Security. For example: Citrix Secure Private Access, Citrix Gateway, and Citrix Apps and Desktops.
data_source_id The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
entity_id The ID associated with the entity at risk.
entity_type The entity at risk. In this case, the entity is a user.
event_type The type of data sent to the SIEM service. In this case, the event type is the summary of the risk indicator.
indicator_category Indicates the categories of risk indicators. The risk indicators are grouped into one of the risk categories- compromised endpoint, compromised users, data exfiltration, or insider threats.
indicator_id The unique ID associated with the risk indicator.
indicator_category_id The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
indicator_name The name of the risk indicator. For a custom risk indicator, this name is defined while creating the indicator.
indicator_type Indicates whether the risk indicator is default (built-in) or custom.
indicator_uuid The unique ID associated with the risk indicator instance.
occurrence_details The details about the risk indicator triggering condition.
pre_configured Indicates whether the custom risk indicator is preconfigured.
risk_probability Indicates the chances of risk associated with the user event. The value varies from 0 to 1.0. For a custom risk indicator, the risk_probability is always 1.0 because it is a policy-based indicator.
severity Indicates the severity of the risk. It can be low, medium, or high.
tenant_id The unique identity of the customer.
timestamp The date and the time when the risk indicator is triggered.
ui_link The link to the user timeline view on the Citrix Analytics user interface.
version The schema version of the processed data. The current schema version is 2.

The following table describes the field names common across the custom risk indicator event details schema.

Field name Description
data_source_id The ID associated with a data source. ID 1 = Citrix Gateway, ID 2 = Citrix Endpoint Management, ID 3 = Citrix Apps and Desktops, ID 4 = Citrix Secure Private Access
indicator_category_id The ID associated with the risk indicator category. ID 1 = Data exfiltration, ID 2 = Insider threats, ID 3 = Compromised users, ID 4 = Compromised endpoints
event_type The type of data sent to the SIEM service. In this case, the event type is the details of the risk indicator event.
tenant_id The unique identity of the customer.
entity_id The ID associated with the entity at risk.
entity_type The entity that is at risk. In this case, it is the user.
indicator_id The unique ID associated with the risk indicator.
indicator_uuid The unique ID associated with the risk indicator instance.
timestamp The date and the time when the risk indicator is triggered.
version The schema version of the processed data. The current schema version is 2.
event_id The ID associated with the user event.
occurrence_event_type Indicates the type of user event such as session logon, session launch, and account logon.
product Indicates the type of Citrix Workspace app such as Citrix Workspace app for Windows.
client_ip The IP address of the user’s device.
session_user_name The user name associated with the Citrix Apps and Desktops session.
city The name of the city from which the user activity is detected.
country The name of the country from which the user activity is detected.
device_id The name of the device used by the user.
os_name The operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
os_version The version of the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.
os_extra_info The extra details associated with the operating system that is installed on the user’s device. For more information, see Self-service search for Apps and Desktops.

Custom risk indicator for Citrix DaaS and Citrix Virtual Apps and Desktops

Indicator summary schema

{
  "data_source": " Citrix Apps and Desktops",
  "data_source_id": 3,
  "entity_id": "demo_user",
  "entity_type": "user",
  "event_type": "indicatorSummary",
  "indicator_category": "Compromised users",
  "indicator_category_id": 3,
  "indicator_id": "ca97a656ab0442b78f3514052d595936",
  "indicator_name": "Demo_user_usage",
  "indicator_type": "custom",
  "indicator_uuid": "8e680e29-d742-4e09-9a40-78d1d9730ea5",
  "occurrence_details": {
    "condition": "User-Name ~ demo_user", "happen": 0, "new_entities": "", "repeat": 0, "time_quantity": 0, "time_unit": "", "type": "everyTime"},
  "pre_configured": "N",
  "risk_probability": 1.0,
  "severity": "low",
  "tenant_id": "demo_tenant",
  "timestamp": "2021-02-10T14:47:25Z",
  "ui_link": "https://analytics.cloud.com/user/ ",
  "version": 2
}

<!--NeedCopy-->
Indicator event details schema for the session logon event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "SYD04-MS1-S102",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session logon event.

Field name Description
app_name Name of an application or desktop launched.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
Indicator event details schema for the session launch event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session launch event.

Field name Description
app_name Name of an application or desktop launched.
launch_type Indicates either application or desktop.
Indicator event details schema for the account logon event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Account.Logon",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the account logon event.

Field name Description
app_name Name of an application or desktop launched.
Indicator event details schema for the session end event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Session.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the session end event.

Field name Description
app_name Name of an application or desktop launched.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
Indicator event details schema for the app start event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.Start",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app start event.

Field name Description
app_name Name of an application or desktop launched.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
module_file_path The path of the application that is being used.
Indicator event details schema for the app end event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "app_name": "notepad",
  "launch_type": "Application",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "module_file_path": "/root/folder1/folder2/folder3"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app end event.

Field name Description
app_name Name of an application or desktop launched.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
module_file_path The path of the application that is being used.
Indicator event details schema for the file download event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "File.Download",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "file_download_file_name": "File5.txt",
  "file_download_file_path": "/root/folder1/folder2/folder3",
  "file_size_in_bytes": 278,
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "device_type": "USB"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the file download event.

Field name Description
file_download_file_name Name of the download file.
file_download_file_path The destination path where the file is downloaded.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
device_type Indicates the type of the device where the file is downloaded.
Indicator event details schema for the printing event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "Printing",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "printer_name": "Test-printer",
  "launch_type": "Desktop",
  "domain": "test_domain",
  "server_name": "test_server",
  "session_guid": "f466e318-9065-440c-84a2-eec49d978a96",
  "job_details_size_in_bytes": 454,
  "job_details_filename": "file1.pdf",
  "job_details_format": "PDF"
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the printing event.

Field name Description
printer_name Name of the printer used for the printing job.
launch_type Indicates either application or desktop.
domain The domain name of the server that sent the request.
server_name Name of the server.
session_guid The GUID of the active session.
job_details_size_in_bytes The size of the printed job such as file or folder.
job_details_filename Name of the printed file.
job_details_format The format of the printed job.
Indicator event details schema for the app SaaS launch event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.Launch",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS launch event.

Field name Description
launch_type Indicates either application or desktop.
Indicator event details schema for the app SaaS end event
{
  "event_type": "indicatorEventDetails",
  "data_source_id": 3,
  "indicator_category_id": 3,
  "tenant_id": "demo_tenant",
  "entity_id": "demo_user",
  "entity_type": "user",
  "indicator_id": "9033b2f6a8914a9282937b35ce497bcf",
  "timestamp": "2021-03-19T10:08:05Z",
  "indicator_uuid": "e0abfcb4-fd41-4612-ad59-ef7567508ac0",
  "version": 2,
  "event_id": "8fc3dd5e-d049-448a-ab70-0fc4d554e41e",
  "occurrence_event_type": "App.SaaS.End",
  "product": "XA.Receiver.Windows",
  "client_ip": "103.xx.xxx.xxx",
  "session_user_name": "user01",
  "city": "Mumbai",
  "country": "India",
  "device_id": "5-Synthetic_device",
  "os_name": "Windows NT 6.1",
  "os_version": "7601",
  "os_extra_info": "Service Pack 1",
  "launch_type": "Desktop",
}

<!--NeedCopy-->

The following table describes the field names specific to the event details schema for the app SaaS end event.

Field name Description
launch_type Indicates either application or desktop.

Data source events

Additionally, you can configure the Data exports feature to export user events from your Citrix Analytics for Security enabled product data sources. When you perform any activity in the Citrix environment, the data source events are generated. The exported events are unprocessed real-time user and product usage data as available in the self-service view. The metadata contained in these events can further be used for deeper threat analysis, creating new dashboards, and co-related with other non-Citrix data source events across your security and IT infra.

Currently, Citrix Analytics for Security sends user events to your SIEM for the Citrix Virtual Apps and Desktops data source.

Schema details of the data source events

Citrix Virtual Apps and Desktops events

The user events are received in real-time in Citrix Analytics for Security when users use virtual apps or virtual desktops. For more information, see Citrix Virtual Apps and Desktops and Citrix DaaS data source. You can view the following user events associated with Citrix Virtual Apps and Desktops in your SIEM:

  • All event types
  • Account logon
  • App (start, launch, end)
  • Clipboard
  • File (print, download)
  • HDX session source
  • Printing
  • Session (logon, launch, end, termination)
  • VDA data
  • VDA process creation

For more information about the events and their attributes, see Self-service search for Virtual Apps and Desktops.

You can review what event types are enabled and flowing to SIEM. You can configure or remove the event type that is applicable for a tenant and click the Save Changes button to save your settings.

Data source event

Secure Private Access events

The user events are received in real-time in Citrix Analytics for Security when users access applications through Citrix Secure Private Access, such as Citrix Workspace App, Citrix Secure Access clients, or Citrix Enterprise Browser. You can view the following user events associated with Secure Private Access in your SIEM:

  • All event types
  • Account logon
  • App (connect, launch, end, error)
  • File (print, download)
  • Policy Evaluation
  • Clipboard
  • Session (connect, launch)
  • Url
  • User Login
  • SPA Service Logs

Secure private access event

Device Posture service events

The user events are generated when the Citrix Endpoint Analysis (EPA) client performs a posture check on a device attempting to access Citrix Virtual Apps and Desktops or Citrix Secure Private Access resources. You can view the following user events associated with Device Posture service in your SIEM:

  • All event types
  • Device Posture Evaluation

Device posture service event

You can review the event types enabled for your tenant and ensure they are flowing to the SIEM. You can configure or remove applicable event types and click the Save Changes button to apply your settings.

Citrix Analytics data exports format for SIEM