Insider threat and Data exfiltration monitoring with VDI insession clipboard events

Insider threat and Data exfiltration monitoring with VDI insession clipboard events

Citrix Analytics for Security now allows aggregation and export of VDA.Clipboard events.
These events are triggered by VDI session clipboard place (movement of clipboard data from Session to endpoints) in Citrix Apps and Desktops. Clipboard logs provide vital information from proprietary Citrix protocols (HDX) such as the VDA name, clipboard size, clipboard format type, client IP, clipboard operation, clipboard operation direction, and whether the clipboard operation was permitted. This provides admins visibility into any Data exfiltration risks across VDI environments. The VDA Clipboard events are available for search, reporting and correlation across various Citrix Analytics for Security features as listed below.

• Self-service search: You can review the VDA.Clipboard results along with all its attribute details and save reporting queries for compliance
• Custom Risk Indicators:  Clipboard events and metadata attribtes are available within Custom Indicators framework. You can use these event key/value pairs to configure custom indicator triggers and create action policies with it.
• SIEM Data export: Clipboard events and metadata is also made available for SIEM event export with Splunk, Sentinel, Elastic and via our generic Kafka export mechanism. This will enable SOC threat hunting to build in-session profiles for end users for risk analysis and post incidence triage.

To enable the clipboard telemetry and transmission of clipboard logs to Citrix Analytics for Security, you need to create registry keys and configure your VDA accordingly.

For more information, see the following article/blog:

• Enabling clipboard telemetry for Citrix DaaS
• Uncover VDI and DaaS data risks with in-session clipboard monitoring