Preconfigured custom risk indicators and policies 编辑

Citrix Analytics for Security provides a list of preconfigured custom risk indicators and a policy to help you monitor the security of your Citrix infrastructure. The conditions of these preconfigured custom risk indicators and the policy are already defined according to specific security risk scenarios such as compromised users, insider threats, and data exfiltration. You can also modify these preconfigured conditions or add your own conditions according to your security requirements and use the custom risk indicators to mitigate the risks.

Currently, the preconfigured custom risk indicators are available for the following scenarios:

  • Geofencing

  • First time access

Preconfigured custom risk indicators for the geofencing scenario

Use the following preconfigured custom risk indicators to detect the user events from outside the geofenced areas.

  • CVAD-Session started outside of geofence

  • GW-Geofence crossing

  • CCC-Geofence crossing

The preconfigured custom risk indicators are triggered whenever users access the Citrix products from outside their usual country of operation or the geofence. By default, the geofence is set to “United States”. You can set your required country as a geofence.

Note

The CVAD-Session started outside of geofence risk indicator is linked to the Geofence Settings of the Access Assurance Location feature. So, you cannot directly modify the geofenced countries in the condition of the risk indicator. To update the geofenced countries in the risk indicator, select the countries in the Geofence Settings of the Access Assurance Location dashboard. For more information, see the Access assurance location dashboard.

To view the preconfigured custom risk indicators, select Security > Custom Risk Indicators.

By default, the preconfigured custom risk indicators are in the disabled state. Use the STATUS button to enable them.

Preconfigured custom risk indicators

The following table describes the various preconfigured custom risk indicators for geofencing.

Custom risk indicator nameScenarioCustom indicator conditionsData sourceRisk category
CVAD-Session started outside of geofenceUser has started a virtual session outside their country of operationEvent-Type = Session.logon Country != “United States”Citrix Workspace appCompromised users
GW-Geofence crossingUser has successful authentication from outside their country of operationEvent-Type = “VPN_AI” AND Country != “United States”Citrix Gateway (on-premises)Compromised users
CCC-Geofence crossingLogin of a non-employee from outside of country of operationIs-Employee = “False” AND Operation-Name = “Login” AND Country != “United States”Citrix Content CollaborationCompromised users

Preconfigured policy for the geofencing scenario

Citrix provides a preconfigured policy that applies the Request End User Response action to a user account whenever the user start a virtual session from outside their country of operation. The user receives an email and based on the user’s response, an appropriate action is taken such as adding the user to the watchlist or notifying the administrator for further action. For more information, see Request end user response.

To view the preconfigured policy, select Security > Policies.

Preconfigured policy

The following table describes the preconfigured policy for geofencing.

Policy nameScenarioPolicy conditionApplied action
Session start outside of geofenceAbility for an administrator to validate the user’s legitimacy through the ‘Request End-user Response’ action when the user starts the virtual session outside their country of operationUse with preconfigured custom risk indicator- “CVAD-Session started outside of geofence”Request End-User Response
   Based on the following user’s response, the corresponding action is applied:
   If the user does not recognize the activity: Add to watchlist
   If the user recognizes the activity: No action required
   If the user does not respond within 60 minutes of receiving the email: Add the user to the watchlist

Note

The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region in Citrix Cloud, the preconfigured policy does not get applied to your account. To use the preconfigured policy, modify the policy and select another action of your choice.

Create your own policy with preconfigured custom risk indicators for geofencing

You can also create your own policies with these preconfigured custom risk indicators and apply actions such as lock users or log off users whenever the indicators are triggered. For information on how to create policies, see Configure policies and actions.

The following example shows a policy that locks users who try to access the Citrix services from outside the United States. The user access is locked if the user does not recognize their access activity.

Condition: GW-Geofence crossing

Action: Request end user response

Next action: Lock the user if the user does not recognize the activity

Geofencing example

Note

The Request End User Response action is supported only in the United States region. So, if your organization is onboarded to the European Union region, select another action of your choice instead of the Request End User Response action.

Preconfigured custom risk indicators for the first time access scenario

Use the following custom risk indicators to detect the user events for the first time access scenarios:

  • CVAD-First time access from new device

  • Gateway-First time access from new IP

By default, these preconfigured custom risk indicators are in the enabled state. Use the STATUS button if you want to disable them.

List of first time access ci

The following table describes the preconfigured custom risk indicators for first time access.

Custom indicator nameScenarioPreconfigured conditionsData sourceRisk category
CVAD-First time access from new deviceWhen a Citrix Workspace app user signs in from one of the following:The following conditions are enabled by default:Citrix Virtual Apps and Desktops on-premises and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service)Compromised users
 A new deviceThe First time for a new Device-ID.  
 An existing device that has not been used for the last 90 days.Event-Type = "Session.Logon" AND Client-Type IN ("XA.Receiver.Windows", "XA.Receiver.Mac", "XA.Receiver.Chrome", "XA.Receiver.Android", "XA.Receiver.Linux", "XA.Receiver.iOS")  
Gateway-First time access from new IPWhen a Citrix Gateway user successfully signs from one of the following:The following conditions are enabled by default:Citrix GatewayCompromised users
 A new public IP addressThe First time for a new Client-IP  
 An existing public IP address that has not been used for the last 90 days.Event-Type = "Authentication" AND Status-Code = "Successful login" AND Client-IP-Type != "private" AND Access-Insight-Flags = 1  

On the condition bar, you can also add your own conditions in addition to the preconfigured conditions to identify threats as per your requirements.

For example, if you want to identify the user events from a particular country, you can add the country dimension along with the preconfigured condition:

  • Event-Type = "Session.Logon" AND Client-Type IN ("XA.Receiver.Windows", "XA.Receiver.Mac", "XA.Receiver.Chrome", "XA.Receiver.Android", "XA.Receiver.Linux", "XA.Receiver.iOS") AND Country = “United States”

  • Event-Type = "Authentication" AND Status-Code = "Successful login" AND Client-IP-Type != "private" AND Access-Insight-Flags = 1 AND Country = “United States”

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:97 次

字数:12153

最后编辑:6 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文