Mass event tickets

Coro provides two ticket types for detected data exposure in large amounts:

• Mass Data Download
• Mass Data Deletion

Coro creates these ticket types when it detects abnormally large amounts of data deletion or data download from cloud application accounts of individual users.

To identify mass data events, Coro creates and uses normative and non-normative behavior models for individual users, customers as an organization, and a set of global models capturing the patterns of all Coro customers. Coro creates a ticket when the behavior of a user falls outside these parameters.

An admin user can review mass data event tickets in the Ticket Log, and inspect information such as the cloud Service used for the event, and full details of the files involved, to determine if action should be taken. If the admin user takes no action within two weeks, Coro closes the ticket.

The mass data event ticket shows:

• The type of ticket: Mass Data Deletion or Mass Data Download .
• If closed, when the ticket was closed.
• Users : The email address of who made the deletions or downloads.
• IP/Country : Each IP address and country from which the deletion or download was made.
• When ( From and To ): The start and end times when the deletions or downloads occurred.
• Service : The cloud application on which the deletions or downloads occurred.
• Full details : Country or IP Address and Host , if applicable.
• Files : The Path and number of Files affected.
  To list the files and the type of each file select the down arrow next to the path.
• Activity Log : Lists all activity since Coro raised the ticket, including who made the activity and when. If the activity can be undone (the ticket closed or re-opened), you can select UNDO to reverse the action. Actions that have been undone are preceded with UNDONE: .
• Comments : Shows any comments added to the ticket.

For more information about ticket types, see Ticket types for Cloud Security.