Jump to content
Welcome to our new Citrix community!
  • 0

Cannot create custom risk indicator

Horia Georgescu


4 answers to this question

Recommended Posts

  • 0

hi There,

  Looking at the screenshot, it appears that you are trying to create the Custom Indicator with OR clause (Clipboard-Operation = "Copy" OR Clipboard-Operation = "Cut" OR Clipboard-Operation = "Paste"). Currently, we don't support OR clause in the query. Ideally it should show an error message but it is not. We have created a ticket to fix this.

  We are working on supporting the OR clause very soon. I will keep you posted once it is available. Thanks


- Jay

Link to comment
  • 0

Follow-up with this thread.

I was successful in setting up one clause. But that is not what I was trying to accomplish.

Jay and Team,

you didn't suggest any other way to resolve the evaluation I was interested in. is there any other way to accomplish that task?

Further question, once the risk indicator is created (using one operation), it is not showing up in the policies, to be able to select & use it. So far this exercise failed. 

For the default data exfiltration risk indicator, can you share what operations is it triggered by, and what are the thresholds?


More general question, it appears to me that the ability to customize the security analytics is minimal, and rather unusable for practical security monitoring. Do you see/have customers using this successfully, and can you share use cases where this fits out of the box, or accessible customizations? 

Link to comment
  • 0

hi There,

  Sorry you are having trouble with the Custom Indicators.


- regarding the use-case you were trying to accomplish (Clipboard-Operation = "Copy" OR Clipboard-Operation = "Cut" OR Clipboard-Operation = "Paste"), as I mentioned we will be supporting the OR clause very soon. Until then a temporary workaround could be to create 3 different Custom Indicators with one condition in each. So if a user tries to Copy, Cut or Paste then one of the Custom Indicators would trigger and use can use them in your Policy.

- regarding the Custom Indicator not showing up in the Policy UI, typically it happens when your Custom Indicator is not enabled. Can you please make sure it is enabled. 

- the Data Exfiltration Risk Indicators are raised due to excessive file sharing/upload/downloads/etc. You can find documentation on this here .. https://docs.citrix.com/en-us/security-analytics/risk-indicators/citrix-content-collaboration-risk-indicators.html


Please let me know if you have additional questions. Thanks


btw, you can reach out to me via email (jayaraj.muthukumarasamy@citrix.com) and I can connect you with our Product Manager who can walk you thru the use cases our customers are implementing using Citrix Analytics (Security)


- Jay

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...