Suspected identity compromise

Suspected Identity Compromise tickets report instances of potential user account breaches and abnormal admin activity, focusing on actions that pose a significant threat to customer data.

These tickets present key details of the event, including the access point location and descriptions of the specific activities deemed suspicious:

Figure: Suspected identity compromise ticket

Suspected Identity Compromise tickets are triggered not only by password attempts but also by changes in the location or pattern of sign-in activity, which may indicate a potential compromise of the user's account.

Coro triggers a Suspected Identity Compromise ticket when there is a sign-in attempt from a location that significantly deviates from the user’s typical sign-in pattern. This is commonly referred to as an "impossible travel" scenario — for example, if a user signs in from Israel and then shortly afterward from France in a way that would be physically impossible, Coro flags the second sign-in as suspicious and triggers a Suspected Identity Compromise ticket.
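The impossible travel check described above, as an added illustration that is not Coro's own detection logic: each sign-in is compared with the same user's previous sign-in, and the later one is flagged when the implied travel speed exceeds a threshold. The 1000 km/h threshold and the sample sign-in events are constructed assumptions.

```python
# Added example (not Coro's code): minimal impossible-travel check; the speed threshold and sample events are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: no real traveller moves faster

@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to reach `cur` from `prev`."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:  # same instant from two places: treat as impossible
        return float("inf")
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours

def flag_impossible_travel(events, max_speed=MAX_PLAUSIBLE_SPEED_KMH):
    """Return the sign-ins that follow the same user's previous sign-in too fast.
    The earlier sign-in of each pair is the normal activity; the later is flagged."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None and implied_speed_kmh(prev, ev) > max_speed:
            flagged.append(ev)
        last_seen[ev.user] = ev
    return flagged

# Constructed sample: alice in Tel Aviv then Paris 30 min later (~3,300 km); bob London to Paris in 6 h (plausible).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    SignIn("alice", T0, "203.0.113.10", 32.08, 34.78),
    SignIn("alice", T0 + timedelta(minutes=30), "198.51.100.7", 48.86, 2.35),
    SignIn("bob", T0, "192.0.2.5", 51.51, -0.13),
    SignIn("bob", T0 + timedelta(hours=6), "192.0.2.9", 48.86, 2.35),
]
FLAGGED = flag_impossible_travel(SAMPLE_EVENTS)  # -> [alice's Paris sign-in]
```

A production check would also need to account for VPN and proxy exits, which is why the IP metadata shown in the ticket's Full Details matters when reviewing a flagged sign-in.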

Note: If an access permissions policy applies to the user, Coro checks for access permissions policy violations and does not check for suspected identity compromise.

For more information, see Access permissions violation.

Note: Suspected Identity Compromise tickets are classified as suggested for review and are automatically closed after a review period of 28 days.

The Full Details section lists the user's normal actions taken in close proximity to the suspected activities. Suspected activities are shown in red, while typical activities are shown in green. Coro uses IP lookup providers to derive metadata about connecting IP addresses, which helps admin users identify patterns in suspicious activity. Select the dropdown next to an activity to view any identified details, such as service provider, proxy, organization name, or threat type (where one is identified).

In the example below, Coro flagged suspicious Login activity because it occurred from different IP addresses within a short time frame. Selecting the dropdown next to each Login activity displays the metadata associated with that IP address; in this case, the service provider (ISP) and proxy:

Figure: Ticket Full Details

If the threat level associated with the IP address is high, the IP address is red. If the threat level is medium, the IP address is yellow:

Figure: Threat levels

For more information about ticket types, see Ticket types for Cloud Security.