    Citrix Analytics for Security Custom Risk Indicators

    What are risk indicators?

    There are two types of risk indicators that you see in Citrix Analytics for Security:

    • Default risk indicators, which Citrix Analytics provides out of the box
    • Custom risk indicators, which you define yourself

    When you create a custom risk indicator, you set the conditions and parameters that match your use case. Once it is configured, any user event that meets the defined criteria causes Citrix Analytics to raise the custom risk indicator and display it on the user's risk timeline.

    Create custom risk indicators for the following data sources:

    • Citrix Content Collaboration
    • Citrix Gateway
    • Citrix Secure Private Access
    • Citrix Virtual Apps and Desktops on-premises
    • Citrix DaaS

    At Citrix Professional Services, we have worked with our customers on various deployments and developed custom risk indicators for specific use cases. After realizing that some of these indicators could be useful in other environments, I decided to create a blog article to share this information.

    Configuring Custom Risk Indicators

    Let's outline the steps required to create Custom Risk Indicators before we discuss the list.

    When first opening Citrix Analytics for Security, select "Custom Risk Indicators" from the default Dashboard.

    Once you access the relevant page, you will be presented with a comprehensive overview of all Custom Risk Indicators created previously. This will include any pre-configured Risk Indicators, which can be activated if required.

    https://docs.citrix.com/en-us/security-analytics/preconf-custom-risk-indicators-policies#preconfigured-custom-risk-indicators-for-the-geofencing-scenario

    Click on “Create Indicator” to start creating a new one.

    We have included standard templates that can be customized to suit individual customer requirements.

    Let's say we want to be notified when someone uses Microsoft Print to PDF.

    Click on Next to continue.

    Next, fill in and select the remaining fields.

    First, start with the Risk Category. We can choose from four different categories:

    • Data exfiltration
    • Compromised users
    • Insider threats
    • Compromised endpoints

    Click the Create button to finalize the custom risk indicator.

    The new indicator is also shown in the Risk Category Report dashboard.

    For additional details about Risk Categories, you can refer to this resource:

    https://docs.citrix.com/en-us/security-analytics/users-dashboard.html#risk-categories

    You can refer to the online documentation for more detailed information about Custom Risk Indicators.

    https://docs.citrix.com/en-us/security-analytics/custom-risk-indicators#modifying-a-custom-risk-indicator

    List of Custom Risk Indicators

    The following indicators can be used as a starting point in your own environment.

    | Name | Data Source | Risk Category | Custom Query | Remarks |
    |---|---|---|---|---|
    | Accessing Illegal Sites | Secure Private Access | Insider Threats | Category-Group ~ Illegal | |
    | ACS-Geofence crossing | Secure Private Access | Compromised Users | where Country != "United States" AND Country != "" AND Country ~ "" | |
    | CCC-Geofence crossing | Content Collaboration | Compromised Users | where Is-Employee = "false" AND Operation-Name = "Login" AND Country != "United States" AND Country != "" AND Country ~ "" | |
    | Clipboard Usage Tracker | Apps and Desktops | Data exfiltration | Clipboard-Operation IN ( cut, copy, paste ) | |
    | CVAD - CWA Macintosh version check | Apps and Desktops | Data exfiltration | Event-Type = "Session.Logon" AND Client-Type = "Macintosh" AND Workspace-App-Version != "22.11*" | First Time for a new Client-Ip |
    | CVAD - CWA Unix/Linux version check | Apps and Desktops | Data exfiltration | Event-Type = "Session.Logon" AND Client-Type = "Unix/Linux" AND Workspace-App-Version != "22.09*" | First Time for a new Client-Ip |
    | CVAD - CWA Windows version check | Apps and Desktops | Data exfiltration | Event-Type = "Session.Logon" AND Client-Type = "Windows" AND Workspace-App-Version != "22.10.5*" | First Time for a new Client-Ip |
    | CVAD - First time access from new device | Apps and Desktops | Compromised Users | Event-Type = "Session.Logon" AND Client-Type IN ("Windows", "Macintosh", "Chrome", "Android", "Unix/Linux", "iOS") AND User-Name ~ democloud | |
    | CVAD-Session started inside risky geo-fence | Apps and Desktops | Compromised Users | Event-Type = "Session.logon" AND Country IS NOT EMPTY AND Country IN ( "Russian Federation","Belarus","Korea (north)") AND User-Name NOT IN ( "anon000", "anon001", "anon002", "anon003", "anon004") | |
    | CVAD-Session started outside of USA geo-fence | Apps and Desktops | Compromised Users | Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country NOT IN ("United States","Canada","Ireland") | |
    | Dangerous Web Browsing (10 times per hour) | Secure Private Access | Compromised Users | Reputation ~ dangerous | |
    | Downloading from SaaS Apps | Apps and Desktops | Data exfiltration | Event-Type = "App.SaaS.File.Download" | |
    | Excessive Downloading - 10MB-3 times in one hour | Content Collaboration | Data exfiltration | Bytes-Downloaded >10000000 | |
    | Excessive Login Failures | Gateway | Compromised Endpoints | Status-Code = "User not found" | |
    | Gateway - First time access from new IP | Gateway | Compromised Users | Event-Type = "Authentication" AND Status-Code = "Successful login" AND Client-IP-Type != "private" AND Access-Insight-Flags = 1 | |
    | GW-Geofence crossing | Gateway | Compromised Users | where Event-Type = "Authentication" AND Country != "United States" AND Country != "" AND Country ~ "" | |
    | Large Uploads | Content Collaboration | Data exfiltration | File-Size-Uploaded >= 4000 AND User-Email ~ york.admin | |
    | Logins from North Korea | Apps and Desktops | Data exfiltration | where Event-Type = "Session.logon" AND Country != "" AND Country ~ "" AND Country = "North Korea" | |

    Custom Risk Indicators together with Citrix Session Recording Server

    Session Recording is a feature in Citrix DaaS that allows you to record user sessions. This is important for maintaining security and compliance, enabling administrators to monitor user activity and detect potential security threats.

    However, due to its complexity, many organizations have faced challenges in deploying and managing Session Recording. This has prevented them from fully utilizing the feature and reaping its benefits.

    To address this issue, Citrix has introduced the Session Recording service, which offers an advanced administration experience and simplifies deployment. With this service, you can easily configure and manage Session Recording policies, set up recording profiles for specific users or groups, and schedule recordings, among other things.

    Moreover, the Session Recording service provides enhanced security features, such as secure storage of recordings, role-based access control, and encryption of recordings at rest and in transit. This ensures that your recorded sessions are protected from unauthorized access and tampering.

    For additional details about the Session Recording service, you can refer to this resource: https://docs.citrix.com/en-us/session-recording/service

    After the administrator sets up the event detection policies on the Session Recording server and assigns them to the relevant user groups, machines, delivery groups, etc., the data will be sent to Citrix Analytics for Security. Citrix/security admins can configure risk-based indicators/triggers based on the in-session data. This creates an automated in-session risk detection system that can be configured for security and compliance teams. Furthermore, it allows for automated admin/end-user alerting, remediation, or recording in response to detected risks.

    Here are examples of basic in-session risk detection use cases that can be achieved using Session Recording telemetry data in Citrix Analytics for Security.

    | Name | Data Source | Risk Category | Custom Query | Remarks |
    |---|---|---|---|---|
    | Detect user account modification activity | Apps and Desktops | Insider Threats | Event-Type = Citrix.EventMonitor.UserAccountModification AND Description IN ("An attempt was made to reset an account's password.","A user account was enabled.","A user account was created.","A user account was disabled.","The name of an account was changed:","A user account was deleted.") | Triggers on all user account operations: account creation, enablement, disablement, deletion, name changes, and password modification. |
    | Detect Windows Registry Changes/Modifications | Apps and Desktops | Insider Threats | Event-Type = "Citrix.EventMonitor.RegistryChange" AND Registry-Operation IN ( "Create", "Delete", "DeleteValue", "Rename", "SetValue") | Triggers when a registry operation is performed. Possible registry operations are create, delete, rename, set value, and delete value. |
    | Detect when content is copied to clipboard from business-critical application/website | Apps and Desktops | Data exfiltration | Event-Type = "Citrix.EventMonitor.Clipboard" AND Window-Title ~ Workday | Potential data exfiltration: triggers when clipboard operations are performed within the Workday browser window. |
    | Detect file movements from host client to monitor for data exfiltration | Apps and Desktops | Data exfiltration | Event-Type = "Citrix.EventMonitor.FileCreate" OR Event-Type = "Citrix.EventMonitor.FileMove" OR Event-Type = "Citrix.EventMonitor.FileRename" OR Event-Type = "Citrix.EventMonitor.FileTransfer" OR Event-Type = "Citrix.EventMonitor.FileDelete" OR Event-Type = File.Download | Potential data exfiltration: triggers when file operations are performed within virtual desktop sessions. This can be used to detect file movements from host to client or file movements in monitored directories within the virtual desktop. |
    | Detect file movements from host client to monitor for data exfiltration | Apps and Desktops | Data exfiltration | Event-Type = "Citrix.EventMonitor.CDMUSBDriveAttach" OR Event-Type = "Citrix.EventMonitor.GenericUSBDriveAttach" | Detects generic USB redirection or CDM-mapped USB redirection. |
    | | | | Download-Device-Type IN ( "RemoteDrive", "USB") AND Event-Type = "Citrix.EventMonitor.FileCreate" OR Event-Type = File.Download | |

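    The following Python evaluator is an added example, not Citrix code and not part of the original article: it parses the custom-query syntax used in both tables above and runs several of those queries over constructed events, so you can sanity-check a query before deploying it. It assumes that ~ is a case-insensitive contains match, that a trailing * inside a quoted value is a wildcard, and that AND binds tighter than OR, which means the last query above fires on any File.Download regardless of device type unless the OR branch is parenthesised.

```python
import re
from fnmatch import fnmatchcase

# Added example, not Citrix code: evaluates the custom-query subset used in the tables above. The
# semantics (~ as contains, trailing-* wildcards, AND before OR) are assumptions, not Citrix docs.
TOKENS = re.compile(r'"[^"]*"|!=|>=|<=|[()=~<>,]|[^\s()",=~<>!]+')

def parse(text):  # query text -> nested tuple AST; a leading "where" is optional
    toks, pos = TOKENS.findall(text), 0
    def peek(): return toks[pos] if pos < len(toks) else ""
    def take(): nonlocal pos; pos += 1; return toks[pos - 1].strip('"')
    def or_expr():
        node = and_expr()
        while peek().upper() == "OR":
            take(); node = ("or", node, and_expr())
        return node
    def and_expr():
        node = term()
        while peek().upper() == "AND":
            take(); node = ("and", node, term())
        return node
    def term():
        if peek() == "(":                     # parenthesised sub-expression
            take(); node = or_expr(); take(); return node
        field, op = take(), take().upper()
        if op == "IS":                        # IS NOT EMPTY
            take(); take(); return ("notempty", field)
        negate = op == "NOT"                  # NOT IN ( ... )
        if negate: op = take().upper()
        if op == "IN":
            take(); return ("in", field, negate, [t for t in iter(take, ")") if t != ","])
        return ("cmp", field, op, take())
    if peek().lower() == "where": take()
    return or_expr()

def evaluate(node, event):  # apply a parsed query to one event (dict of field name -> value)
    kind = node[0]
    if kind == "or": return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and": return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "notempty": return bool(event.get(node[1]))
    if kind == "in": return (str(event.get(node[1], "")) in node[3]) != node[2]
    _, field, op, val = node
    actual = str(event.get(field, ""))
    if op in ("=", "!="):                     # trailing-* wildcard as in "22.11*"
        return (fnmatchcase(actual, val) if "*" in val else actual == val) == (op == "=")
    if op == "~": return val.lower() in actual.lower()
    a, b = float(actual or 0), float(val)     # numeric >, >=, <, <=
    return {">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]

def matches(query, event): return evaluate(parse(query), event)
```

    Events here are plain dicts keyed by the field names used in the queries; in Citrix Analytics the same fields come from the data source's event stream.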

    I hope the information provided in this blog article is useful.
