Self-service search for Content Collaboration 编辑

Use the self-service search to get insights into the user events received from the Content Collaboration data source. When users use the Content Collaboration service, events such as login, delete, download, and, upload are generated. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can track the users and their activities.

For more information on the search functionalities, see Self-service search.

Select the Content Collaboration data source

To view the Content Collaboration events, select Content Collaboration from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.

Content collaboration selects

Select the facets to filter events

Use the following facets that are associated to the Content Collaboration events.

  • Download File Size- Indicates the size of the file downloaded from Content Collaboration.

  • Event Type- Indicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete.

    Content collaboration facets

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Content Collaboration events. Use the dimensions and the operators to specify your query and search for the required events.

Content collaboration dimensions

For example, you want to search for the events originating from India and the file size is greater than 900,000 bytes. Specify the following query as shown in the figure.

  1. Enter “Co” in the search box to get the related suggestions.

    Content collaboration search query 1

  2. Select Country and enter the value “India” using the equal operator.

    Content collaboration search query 2

    Content collaboration search query 3

  3. Select the AND operator and then select the File-Size dimension. Select the > operator and enter the file size value in bytes.

    Content collaboration search query 4

  4. Select the time period and click Search to view the events on the DATA table.

Audit logs

The audit logs provide insights into the permissions and actions applied on the user accounts by the Content Collaboration administrators. Using these data, you can verify if the Content Collaboration administrators have taken valid actions on the user accounts.

You can view the following audit logs in the self-service search.

Note

To receive these logs on Citrix Analytics, you must integrate the Citrix Content Collaboration service with Citrix Workspace.

EventAttributes
Distribution Group CreateGroup ID, Group Shared, Client OS, Client IP, Group Name, Owner ID, User Email
Distribution Group DeleteGroup ID, Group Name
Distribution Group UpdateGroup ID, Is Shared
DLP Update, DLP Policy UpdateDLP Enabled, Client OS, Client IP, Saved Format, Download Enabled for Anonymous User, Download Enabled for Client User, Download Enabled for Employee User, Sharing Enabled for Client User, Sharing Enabled for Employee User
Login and Security Policy UpdateTrusted Domains, User Name, Client OS, Client IP, Logout Users After Activity, Maximum Failed Logins, Locked Out Duration, Enabled Two Factor Auth for Users, Enabled Two Factor Auth for Employees, Enabled Two Factor Auth, User Email
Report Create, Report Update, Report DeleteCreated Date, End Date, Report Title, Recurring Frequency, Subfolders Included, Recurring, Schedule Report, Last Run Date, Report Type, Saved Format, Saved Folder, Start Date
SSO Settings UpdateActive Profile Cookies, Client OS, Client IP, IP Restrictions, Activated SSO, Login URL, Logout URL, IdP Type, SP-Initiated Auth Context, SP-Initiated Auth Method, User Email, SP-Initiated Redirect Method, Enabled Web Authentication

Malware logs

The malware event File.VirusInfected is triggered when a file uploaded by a Content Collaboration user is infected with a malware. The following logs are specific to the malware event.

EventAttributes
File.VirusInfectedFile Creator Name, File Owner Name, File Creator Email Address, File Owner Email Address, File Size, Shared Folder Name, File Path, File Creation Date, File Hash, File ID, Virus Name

Supported dimensions for your search query

The following table describes the dimensions that you can view in the self-service search events. You can use these dimensions for defining your search query.

DimensionDescriptionValue typeExample
Account-IDIndicates the account ID of the user.Stringadb8477a-6bf1-2108-fa4b-55dea0b8c44c
Active-AccountIndicates whether the user account is active.Boolean“True” or “False”
Active-Profile-CookiesIndicates if the advance settings are used by the Content Collaboration active clients such as mobile clients, sync engine, and Outlook plug-in. This parameter might be required to automate selection in certain IdP configurations.String 
Alias-IDIndicates the alias ID of the user.Stringtestuser1
Bytes-TotalIndicates the total size (KB) of the file that is downloaded. If multiple files are downloaded simultaneously (batch download), then the bytes total indicates the total size of all the downloaded files.Number105
CityIndicates the city from which the user has logged on to the Content Collaboration service.StringChicago
Client-IPIndicates the IP address of the user’s network.String172.xxx.xxx.xx
Client-OSIndicates the operating system of the user’s device.StringWindows 10
Company-NameIndicates the company name of the user account.StringCitrix
Copy IDIndicates the identity of the file copy operation in Content Collaboration.Stringeif8c79f-fa87-0440-87b2-a0994eb029
CountryIndicates the country from which the user has logged on to the Content Collaboration service.StringUnited States
Create-DateIndicates the date and time when the report is created.String2021-05-25T13:54:36.167
Created-ByIndicates the user who created the report.Stringuser1
Creation-DateIndicates the date when the event occurred.String2021-08-20T14:44:46.6161227+00:00
Creator-IDIndicates the ID of the user who created the report.String77f300f8-8d89-4891-bb58
Delete-Single-VersionIndicates whether a single file version is deleted.Boolean“True” or “False”
Destination-File-PathIndicates the destination path where the file is moved or copied.String/0106-copy/123.xlsx
Destination-Parent-Folder-IDIndicates the ID of the parent folder in the destination location where the file is copied or moved.Stringfo674450-087d-42a0-8d26-de8838a04dae
Destination-Path-IDIndicates the ID of the destination path where the file is copied or moved.String/accountID/folderID/folderID/itemID
Destination-Zone-IDIndicates the Zone ID of the destination path where the file is copied or moved.Stringzp16ffd530-c756-44ca-9f59-7ed3376e37
Device-IDIndicates the ID of the device associated with the two factor authentication event.String450-087d-42a0-8d26-de88
Disable-User-AccountIndicates whether the user account is disabled.Boolean“True” or “False”
Download-Enabled-for-Anonymous-UserIndicates whether an anonymous user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan.Boolean“True” or “False”
Download-Enabled-for-Client-UserIndicates whether a third party client user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan.Boolean“True” or “False”
Download-Enabled-for-Employee-UserIndicates whether an employee user can download a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan.Boolean“True” or “False”
Download-File-SizeIndicates the size (in KB) of the file downloaded by the userNumber10.8 KB
Enabled-Web-AuthenticationIndicates if SAML IdP is configured for web-based authentication and the user account is using ShareFile Sync. for Windows, ShareFile Sync for Mac, or ShareFile Outlook plug-in.String“True” or “False”
Enabled-Two-Factor-AuthIndicates if the two factor authentication feature is enabled either for employee users or client users.String“True” or “False”
Enabled-Two-Factor-Auth-for-EmployeesIndicates if two factor authentication is enabled for employee users.String“True” or “False”
Enabled-Two-Factor-Auth-for-UsersIndicates if two factor authentication is enabled for client users.String“True” or “False”
End-DateIndicates the date after which the report is not generated for your Content Collaboration account.“2021-05-23T04:00:00+00:00” 
Event-IDIndicates the unique identity associated with a user event.String77f300f8-8d89-4891-bb58-53b05c44766d
Event-TypeIndicates the types of user activities such as file upload, file download, share link create, session login, folder create, and share link delete.StringFile.Upload, Session.Login, Share.Create
Event-User-IDIndicates the ID of the user who triggered the event.String8d89-4891-bb58-53b05
Expiration-DateIndicates the expiry date of the event.String2022-01-10T13:35:22.313236Z
File-Creation-DateIndicates the date when the infected file is created.String2021-05-25T13:54:36.16
File-Creator-Email-AddressIndicates the email ID of the user who originally created the file that is infected with a malware.Stringuser1@citrix.com
File-Creator-NameIndicates the user name who originally created the file that is infected with a malware.StringUser1
File-Download-IDIndicates the ID of the file download event.Stringdta152b49ddc7542a0a9fe2e
File-FormatIndicates the format of the file that is shared or downloaded.String.csv, .png, .jpeg, .txt
File-HashIndicates the MD5 hash of a file that is uploaded.String88e300f8-8d89-4891-bb58
File-IDIndicates the unique ID of the infected file.Stringfib0257-1bd802-0707-44c12
File-NameIndicates the name of the file shared, uploaded, or downloaded by the user.StringUsage Report 2021
File-Owner-NameIndicates the current owner of the infected file.StringUser2
File-Owner-Email-AddressIndicates the email ID of the current owner of the infected file.Stringuser2@citrix.com
File-PathIndicates the path of the infected file in Content Collaboration.String/testfolder/test-file.pdf
File-SizeIndicates the size of the infected file in bytes.Number10 B
First-NameIndicates the first name of the user that is specified while creating the user account.StringJoe
Folder-IDIndicates the ID of the folder created on Content Collaboration.String8d89-4891-bb58-53b05c
Folder-NameIndicates the name of the folder that is being archived, created, deleted, or updated.Stringtest-folder
Folder-PathIndicates the path where the folder is created.String/analytics/security/sharefile/2022/new folder
FrequencyIndicates the recurring frequency of the report that is generated for your Content Collaboration account.String“Daily”, “Weekly”, or “Monthly”
Group-IDIndicates the ID of the Distribution Group.Stringg0183f52-f219-4816-9b8e-9584e504a083
Group-NameIndicates the name of the Distribution Group.StringTest group 1
IdP-TypeIndicates the type of identity provider configured for the user.String 
IPIndicates the IP address of the user.String172.xx.xxx.xxx
IP-RestrictionsIndicates the IP addresses from which the users are restricted from signing in to their Content Collaboration accounts.  
Inactive-Logout-DurationIndicates the duration of inactivity after which the inactive users are logged out of their account. The duration is measured in minutes. By default, this duration is set to 1 hour (60 minutes).Number60
Include-Sub FoldersIndicates whether the report is created for a selected folder and its sub folders.Boolean“True” or “False”
Infected-File-HashIndicates the hash value of the infected file.String88e300f8-8d89-4891-bb58
Is-ActiveIndicates if single sign-on is enabled for non-administrator employees using your IdP.Boolean“True” or “False”
Is-EmployeeIndicates if the user is an employee of your organization.String“True” or “False”
Is-EnabledIndicates whether Data Loss Prevention is enabled for your Content Collaboration account.Boolean“True” or “False”
Is-RecurringIndicates whether the report generates after a regular interval.Boolean“True” or “False”
Is-ScheduledIndicates whether the report is scheduled.Boolean“True” or “False”
Is-SharedIndicates if the Distribution Group sharing is enabled for all employees.String“True” or “False”
Last-NameIndicates the last name of the user that is specified while creating the user account.StringSmith
Last-Run-DateIndicates when the report was last generated.String“0001-01-01T00:00:00”
Lock-IDIndicates the ID of the file lock event.Stringcb36113c468a8c29c48
Lock-TypeIndicates the type of file lock.StringCoauth Lock: Multiple users can use the lock file in the specified way.
   Hard Lock: Exclusive lock
Locked-Out-DurationIndicates the duration for which the user is locked out of their account when they failed to log on and exceeded the maximum allowed logon attempts. The duration is measured in seconds.Number120
Login-URLIndicates the URL of the user’s IdP assertion consumer service.Stringhttps://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=fa7a185d-d748-459
Logout-URLIndicates the URL that Content Collaboration use when a user logs out of their single sign-on session.Stringhttps://secure.sharefiletest.com
Maximum-Failed-AttemptsIndicates the maximum number of attempts a user is allowed to enter an invalid password before being locked out of the account for a specific time period.Number5
Maximum-Download-per-UserIndicates the maximum number of downloads allowed per user from a share link.1, 2, 3 
Notify SenderIndicates whether the file share notification is sent to the sender.Boolean“True” or “False”
OAuth-Client-IDIndicates the unique ID of the user that uses the authorization server.StringDzi4UPUAg5l8beKjioecdchmHUTWWln9
Operation-NameIndicates the types of operations performed on Content Collaboration.StringCreate, Delete, Upload, Download, Share, Login, Copy, Update
Owner-IDIndicates the owner ID of the Distribution Group.String10812e09-ab02-4115-8405-8uas5e71258f
Parent-Folder-IDIndicates the ID of the parent folder in the source location from where the file is copied or movedStringfo674450-087d-42a0-8d26-de8838a04dae
Path IDIndicates the ID of the source path from where the file is copied or moved.String/accountID/folderID/folderID/itemID
Permanently-DeleteIndicates whether the file is deleted permanently.Boolean“True” or “False”
Primary-EmailIndicates the email of the user who triggered the eventStringtestuser@citrix.com
Recipient-IDIndicates the ID of the first recipient user in a share event.String10812e09-ab02-4115-8405
Report-TypeIndicates the type of report that is created. The following are the report type and its corresponding ID.Number0, 2, 10
 0- Access report  
 1- Activity report  
 2- Storage report  
 3- Messaging report  
 4- Bandwidth detail report  
 5- Bandwidth summary report  
 6- Encrypted email report  
 7- Storage summary report  
 8- User summary report  
 9- Access change report  
 10- Share send report  
 11- Share request report  
Require-LoginIndicates whether user login is required to access the share link.Boolean“True” or “False”
Require-User-InfoIndicates whether user information is required to access the share link.Boolean“True” or “False”
Resource-IDIndicates the ID of the resource.String6bf1-2108-fa4b-55dea0b
Resource-TypeIndicates the resources on which operations are performed.StringFile, Users, Session, Account
Shared-Folder-NameIndicates the shared folder in which the infected file is uploaded.Stringtest folder
SP-Initiated Auth ContextIndicates the comparison level for the authentication context. The IdP needs to match the selected authentication method when the “Exact” comparison is used. Or a higher relative strength method when the “Minimum” comparison is used.String“Minimum” or “Exact”
SP-Initiated-Auth-MethodIndicates the method for the authentication context. Based on the selection, it can be Unspecified, User Name and Password, Password Protected Transport, Transport Layer Security Client, X.509 Certificate, Integrated Windows Authentication, or Kerberos.Stringurn:oasis:names:tc:SAML:2.0:ac:classes:Password
SP-Initiated-Redirect-MethodIndicates the method of SP initiated redirection based on the size of the certificate provided by Content Collaboration.String“Default”, “HTTP” or “POST”
Save-FormatIndicates the format of the saved report.String“Excel” or “CSV”
Save-To-FolderIndicates whether the report should be saved in a particular folder.Boolean“True” or “False”
Server-NameIndicates the server from where the file is downloaded or shared.StringCitrix-SZC
Share-TypeIndicates the type of share link. The type can be either “Send” or “Request”. Send shares are used to send files and folders to the specified users. Request shares are used to allow users to upload files to a location specified by the share owner.0: Request, 1: Send0, 1
Shared-Folder-NameIndicates the name of the shared folder.Stringtest folder
Sharing-Enabled-for-Client UserIndicates whether a third party client user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan.Boolean“True” or “False”
Sharing-Enabled-for-Employee-UserIndicates whether an employee user can share a file from a storage zone based on the result of the Data Loss Prevention (DLP) scan.Boolean“True” or “False”
Start-DateIndicates the date from which the report is generated for your Content Collaboration account.String“2021-05-23T04:00:00+00:00”
Storage-Center-ServerIndicates the host name of the client server from where the file is downloaded.Stringsf-downloadstreamer-sharefile-us.test.com
Stream-IDIndicates the ID of the item stream. An item represents a single version of a file system object. The stream identifies all versions of the same file system object. For example, when users upload or modify an existing file, a new item is created with the same Stream ID. All item enumerations return only the latest version of a given stream.Stringst279e5d-cahg-4f8-824f-34a3704840c
Support-File-VersioningIndicates whether there are multiple versions of the file that has been uploaded.Boolean“True” or “False”
Template-Based-FolderIndicates whether the folder is created from a predefined folder template.Boolean“True” or “False”
TitleIndicates the title of the report generated for your Content Collaboration account.StringTest report
Trusted-DomainsIndicates the domains that are allowed for iframe embedding and Cross-Origin Resource Sharing.Stringcitrix.com
Upload-File-SizeIndicates the size (in Kilobytes) of the file uploaded by the user.Number10 KB
Upload-IDIndicates the ID of the file upload operation.Stringst279e5d-cahg-4f8-824f-34a3704840c
User-EmailIndicates the email address associated with the Citrix Analytics account.Stringtestuser@citrix.com
User-IDIndicates the ID of the user who shared the file.Stringtest user
User-NameIndicates the name of the user who triggered the event.Stringkevin.smith@citrix.com
View-onlyIndicates whether the download file is in the read-only mode.Boolean“True” or “False”
Virus-NameIndicates the name of the malware that has infected the file.String{HEX}EICAR.TEST.3.UNOFFICIAL
WatermarkIndicates whether the download file contains a watermark.Boolean“True” or “False”
Zone-IDIndicates the ID of the storage zone where the folder is locatedStringzpB65440AE-4FBC-4405-BE2F-2B9CDE962C82

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:27 次

字数:40416

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文