Citrix share link risk indicators 编辑

Citrix share link risk indicators are activities that look suspicious or can pose a security threat to your organization.

Citrix share link risk indicators span across the Citrix Content Collaboration data source used in your deployment. The indicators are based on share link behavior and are triggered where the share link’s behavior deviates from the normal.

For more information, see Share Links dashboard.

Anonymous sensitive share link download

Citrix Analytics detects access threats based on anonymous downloads for a share link and triggers the corresponding risk indicator.

This risk indicator is triggered when an anonymous user downloads from a share link, sensitive files identified by a Data Loss Prevention (DLP) solution, and did not require the recipient to log on. By identifying share links with sensitive file downloads, based on previous behavior, you can monitor the share link for potential attacks.

When is the Anonymous sensitive share link download risk indicator triggered?

You are notified when an anonymous user has downloaded a file deemed sensitive by a DLP solution during a given time period. Also, the file does not require the recipient to log on. When Content Collaboration detects this behavior, Citrix Analytics receives the events and the Anonymous sensitive share link download risk indicator is added to the share link’s risk timeline.

How to analyze the Anonymous sensitive share link download risk indicator?

Consider an anonymous user downloaded from a share link, a sensitive file identified by DLP and did not require any recipient logon. The Anonymous sensitive share link download risk indicator is triggered because the share link exceeds a threshold. The threshold is calculated based on the fact that the sensitive file is accessible by any recipient without a logon. From the share link’s timeline, select the reported Anonymous sensitive share link download risk indicator. The reason for the event and details such as download time, file name, and file size are displayed.

For more information about share link risk timeline, see Share Link risk timeline.

To view the Anonymous sensitive share link download risk indicator, select Security > Share Links, and select the share link URL.

• In the WHAT HAPPENED section, you can view a summary of the Anonymous sensitive share link download risk indicator and the time the event occurred.

  

• The EVENT DETAILS section, the events are displayed in tabular format. The table provides the following key information:

• Time. Time when the sensitive file was downloaded.
• File name. The name and extension of the downloaded file.

• File size. The size of the file downloaded.

  

What actions you can apply to the share link

You can do the following action to the share link:

• Expire link. When a share link triggers the Anonymous sensitive share link download risk indicator, you can expire the share link. Click Action > Expire link. When a share link is expired, it is not accessible by the users with whom the link was shared.

• Change link to view-only sharing. You can change a share link to the view-only sharing mode. Click Action > Change link to view-only sharing. The action prevents other users from downloading, copying, or printing the files associated with the share link.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the share link manually, navigate to the share link profile. On the Actions menu, select Expire share link.

Excessive share link downloads

Citrix Analytics detects access threats based on excessive downloads for a share link and triggers the corresponding risk indicator.

This risk indicator is triggered when users download data from a share link that is excessive and anomalous. By identifying share links with excessive downloads, based on previous behavior, you can monitor the share link for potential attacks. The Excessive share link downloads risk indicator helps you identify excessive file download activity.

When is the Excessive share link downloads risk indicator triggered?

You are notified when users have downloaded large amounts of data from a share link excessively for a given time period. When Content Collaboration detects this behavior, Citrix Analytics receives the events and the Excessive share link downloads risk indicator is added to the share link’s risk timeline.

How to analyze the Excessive share link downloads risk indicator?

Consider a user downloaded from a share link, data that were excessive, and anomalous. The Excessive share link downloads risk indicator is triggered because the share link exceeds a threshold. The threshold is calculated based on files contained within the share link and the share link is downloaded multiple times by multiple users. The download is deemed excessive compared to historical download behavior on share links. From the share link’s timeline, select the reported Excessive share link downloads risk indicator. Reasons for the event and event details are displayed on the right pane.

For more information about share link risk timeline, see Share Link risk timeline.

To view the Excessive share link downloads risk indicator, select Security > Share Links, and select the share link URL.

• In the WHAT HAPPENED section, you can view a summary of the Excessive share link downloads risk indicator and the time the event occurred.

  

• In the EVENT DETAILS section, the events are displayed in tabular format. The table provides the following key information:

  • Time: Date and time of the excessive download activity that took place.

  • File name: The name of the file that was downloaded from the share link.

  • User email: Email address of the user that downloaded the file from the share link.

  • File size: Size of the file that was downloaded.

    

What actions you can apply to the share link

You can do the following action on the share link:

• Expire link. When a share link triggers the Excessive share link downloads risk indicator, you can expire the share link. Click Action > Expire link. When a share link is expired, it is not accessible by the users with whom the link was shared.

• Change link to view-only sharing. You can change a share link to the view-only sharing mode. Click Action > Change link to view-only sharing. The action prevents other users from downloading, copying, or printing the files associated with the share link.

To learn more about actions and how to configure them manually, see Policies and Actions.

To apply the actions to the share link manually, navigate to the share link profile. On the Actions menu, select Expire share link.