Abnormal admin activity
The Full Details section for Abnormal Admin Activity tickets is similar to that of Suspected Identity Compromise tickets. A list of log records shows where the admin activity was performed from. Suspected admin activities are highlighted in red, while presumably normative admin activities are highlighted in green. In the example below, a suspicious Admin Login has been identified because the activity took place from different IPs in close time proximity:
Coro detects identity compromise suspicions for both regular and admin user accounts by analyzing data from all customers, specific customers, and specific users behind a ticket. Coro then builds normative behavior models and detects anomalies relative to these models. The models range from simple statistical anomaly models to more complex models that cross-correlate data from various sensors throughout the system to uncover evidence of abnormal behavior.
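To make the "different IPs in close time proximity" signal concrete, the following added example (not Coro's detection model or code) labels admin log records the way the ticket view colors them. The record layout, the sample records, the function name `flag_close_ip_changes`, and the 10-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real Coro log output):
# (timestamp, admin account, source IP, activity)
SAMPLE_LOG = [
    ("2024-05-01T09:00:12", "admin@example.com", "198.51.100.7", "Admin Login"),
    ("2024-05-01T09:03:40", "admin@example.com", "203.0.113.25", "Admin Login"),
    ("2024-05-01T13:30:00", "admin@example.com", "198.51.100.7", "Admin Login"),
    ("2024-05-01T10:00:00", "ops@example.com", "192.0.2.44", "Admin Login"),
    ("2024-05-01T10:02:00", "ops@example.com", "192.0.2.44", "Admin Login"),
]


def flag_close_ip_changes(records, window=timedelta(minutes=10)):
    """Label each record, in input order, as 'suspected' or 'normative'.

    A record is 'suspected' when the same account has another record from a
    different IP within `window` (an assumed threshold, not a Coro setting).
    """
    by_user = {}
    for idx, (ts, user, ip, _activity) in enumerate(records):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip, idx))

    labels = ["normative"] * len(records)
    for events in by_user.values():
        events.sort()  # chronological order per account
        for i, (ts_i, ip_i, idx_i) in enumerate(events):
            for ts_j, ip_j, idx_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break  # later events are even further away in time
                if ip_j != ip_i:
                    labels[idx_i] = labels[idx_j] = "suspected"
    return labels


if __name__ == "__main__":
    # Print each record with the color the ticket view would use for it.
    for record, label in zip(SAMPLE_LOG, flag_close_ip_changes(SAMPLE_LOG)):
        color = "red" if label == "suspected" else "green"
        print(f"{color:5} {label:9} {record[0]} {record[1]} {record[2]}")
```

A fixed window like this is the simplest kind of rule; it has no notion of what is normal for a given admin, which is what the behavior models described above add.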
Note
Both Suspected Identity Compromise and Abnormal Admin Activity tickets are classified as suggested for review, and are automatically closed after the review period of two and four weeks, respectively.