There are many use cases for Citrix Session Recording such as strengthening security posture, assistance to service/help desks, proactive/reactive monitoring and User Behavior Analysis but lets start with what is Session Recording Service?
It is the cloud management platform that provides comprehensive automation, faster troubleshooting, and informative insights. It provides a unified entry point to manage and observe the Session Recording server(s) across your organization. You may ask, do you still need Session Recording on-prem servers/infra? – Yes, once they are operational you can effectively plug them into the cloud service and manage all your SR sites in one portal.
I want to explain the architecture and then highlight some great features and use case examples that you can configure within service;
I do want to mention that whilst the on-premise environment components remain the same, for the service you need to ensure that you have a subscription to Citrix DaaS and a session recording server 1912 LTSE, 2203 or later deployment in place
In the above diagram, you can see an example of two resource locations with Session Recording Server(s) running both with the cloud client enabled thus connected to the Session Recording Service for centralized management.
Access Permissions
As the service is a Citrix Cloud Service, you may wish to define access levels. Therefore within Citrix Cloud’s Identify and Access Management, you can define Custom Access
Policies
Let’s now look at the Service console and review the powerful three policy pillars and provide use cases of them;
- Recording Policy
- Event Detection
- Event Response
Lets start with..
Recording Policy
I want to highlight a common misconception, you do not need to perform session screen recording, you can simply capture events defined in your event detection policy.
As you can see in my own instance I have selected to only capture events with now screen recording.
This is an alternative option if you are unable to screen capture for various reasons.
Check out the recording policy documentation to see all the recording options.
Event Detection Policy
Drilling into the event detection policy you will see the event capture options. As you can see there are many options available, security & compliance related to data exfiltration options. In my example, I have specified a number of .exe’s I wish to monitor.
Powerful options include the ability to monitor specific file locations and capture a potential data exfiltration event. Other great features many customers like include the ability to monitor registry or specific app start/stop events
Event Response Policy
It is this policy where you will be able to define the actions framework. You can define event triggers and perform the following actions
- Send email alerts
- Start screen recording immediately (with or without lossy screen recording enabled)
- Lock session
- Log off session
- Disconnect session
In my example, you can see I have selected three events that will trigger actions;
Drilling into the File Transfer event trigger, you can see I have decided to start screen recording for this specific event.
Specific to the Session Recording Service, you have access to trigger templates, some below. These templates include use case categorizations, such as security or troubleshooting as you can see below.
A specific use case that I suspect every troubleshooting admin will appreciate is the ability to capture an application that is not responding
Storage Considerations
Storage consumption will depend on a number of factors for individual environments based on customized recording policies and server storage settings, for example setting event only recording. A number of features within service you can customize which are highlighted in the below screenshot. You may also look enabling lossy screen recording on the session recording agent endpoint. Lossy screen recording lets you adjust compression options to reduce the size of recording files and to accelerate navigating recorded sessions during playback.
Automate archiving and deletion of recordings
Lossy screen recording lets you adjust compression options to reduce the size of recording files and to accelerate navigating recorded sessions during playback. You configure the settings on the Endpoint Session Recording Agent however you need to enable at Lossy screen recording in the response policy. The Lossy feature is available with Session Recording 2308 and later.
I could keep going… There are a lot of features available but if you would like to discuss and see more, reach out to your Account Technology Strategist for more info.
PoC reference: https://community.citrix.com/tech-zone/learn/poc-guides/session-recording
Also worth checking out https://citrixie.wordpress.com/2023/08/02/assume-breach-uncover-in-session-blind-spots-with-citrix-analytics-for-security-session-recording-you-can-only-secure-what-you-can-see/
citrixie.wordpress.com 