Suspected identity compromise
Suspected Identity Compromise tickets report instances of potential user account breaches and abnormal admin activity, focusing on actions that pose a significant threat to customer data.
These tickets present the key details of the event, including the location the sign-in came from and a description of the specific activities deemed suspicious.
The main trigger for a Suspected Identity Compromise ticket is a sign-in attempt from a location that does not fit the user's usual sign-in pattern (the "impossible travel" case). For example, if you usually sign in from Israel and then, shortly afterwards, a sign-in is attempted from France, Coro triggers a Suspected Identity Compromise ticket for the France sign-in.
Suspected Identity Compromise tickets are therefore triggered not only by password attempts but also by changes in the location or pattern of sign-in activity, which may indicate that the user's account has been compromised.
note
Suspected Identity Compromise tickets are classified as suggested for review, and are automatically closed after a review period of two weeks.
The Full Details section lists the user's normal activities that occurred close in time to the suspected ones, so that the two can be compared. Suspected activities are shown in red, normal activities in green. Coro uses IP lookup providers to derive metadata about the connecting IP addresses to help admin users identify patterns in suspicious activity. Select the dropdown next to an activity to view any identified details, such as service provider (ISP), proxy status, organization name, or threat type (where one is identified). Keep in mind that IP geolocation and proxy data are approximate: a VPN, a corporate egress point, or a mobile carrier can make a legitimate user appear to have moved, so treat the metadata as context for the review rather than as proof of compromise.
In a typical ticket, Coro flags Login activity as suspicious because it occurred from different IP addresses within a short time frame; the dropdown next to each Login activity shows the metadata derived for that IP address, in this case the service provider (ISP) and whether it is a proxy.
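As an added illustration (not Coro's own code or detection logic), the following Python script shows the two mechanisms described above on constructed data: an impossible-travel check that flags a sign-in when the distance from the user's previous sign-in implies an implausible speed, and enrichment of each sign-in with IP metadata (ISP, proxy, organization, threat type) from a small lookup table standing in for an IP lookup provider. The 900 km/h threshold, the city coordinates, the documentation-range IP addresses and the metadata table are all assumptions made for the example.

```python
"""Illustrative impossible-travel detector with IP metadata enrichment.

Added example; not Coro's detection logic. The speed threshold, coordinates,
IP addresses and metadata table below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def analyse(events, ip_metadata, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk sign-ins chronologically, per user, and flag any sign-in whose
    implied travel speed from that user's previous sign-in exceeds max_kmh.
    Each row is enriched with whatever metadata the lookup table has for its IP.
    Returns one row per event, in chronological order."""
    last = {}
    rows = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        suspicious, reason = False, "baseline"
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Zero elapsed time is only a problem if the user also moved.
            if hours <= 0:
                speed = float("inf") if dist > 1.0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                suspicious = True
                reason = (f"{dist:.0f} km from {prev.country} ({prev.ip}) "
                          f"in {hours:.2f} h, ~{speed:.0f} km/h")
        last[ev.user] = ev
        rows.append({
            "user": ev.user, "ts": ev.ts, "ip": ev.ip, "country": ev.country,
            "suspicious": suspicious, "reason": reason,
            "ip_metadata": ip_metadata.get(ev.ip, {}),
        })
    return rows


def render(rows):
    """Text analogue of the red/green timeline in the Full Details section."""
    lines = []
    for r in rows:
        tag = "SUSPICIOUS" if r["suspicious"] else "normal"
        meta = ", ".join(f"{k}={v}" for k, v in r["ip_metadata"].items()
                         if v is not None)
        lines.append(f"[{tag:10}] {r['ts']:%Y-%m-%d %H:%M} {r['user']} "
                     f"{r['country']} {r['ip']} {r['reason']} {meta}")
    return "\n".join(lines)


# Constructed sample data: documentation-range IPs and approximate city coordinates.
SAMPLE_IP_METADATA = {
    "203.0.113.10": {"isp": "Example Telecom", "proxy": False, "org": None, "threat": None},
    "198.51.100.7": {"isp": "Example Hosting", "proxy": True,
                     "org": "Example Hosting Ltd", "threat": None},
    "192.0.2.25": {"isp": "Example Mobile", "proxy": False, "org": None, "threat": None},
}
TEL_AVIV = (32.0853, 34.7818)
PARIS = (48.8566, 2.3522)


def sample_events():
    def at(h, m):
        return datetime(2024, 5, 6, h, m)
    return [
        SignIn("alice", at(9, 0), "203.0.113.10", "IL", *TEL_AVIV),
        SignIn("alice", at(9, 30), "198.51.100.7", "FR", *PARIS),    # ~3,300 km in 30 min
        SignIn("bob", at(10, 0), "203.0.113.10", "IL", *TEL_AVIV),
        SignIn("bob", at(10, 5), "192.0.2.25", "IL", *TEL_AVIV),     # new IP, same place
        SignIn("alice", at(17, 0), "203.0.113.10", "IL", *TEL_AVIV), # 7.5 h later: plausible
    ]


if __name__ == "__main__":
    print(render(analyse(sample_events(), SAMPLE_IP_METADATA)))
```

Running the script prints a timeline in which only the 09:30 Paris sign-in is marked suspicious, and its metadata shows the proxy flag. Bob's change of IP is not flagged because the implied distance is zero, and Alice's 17:00 return to Israel is not flagged because 7.5 hours is enough to fly back, which is why the check must weigh the time gap and not just the change of country. Real IP metadata is noisier than this table: proxy and geolocation attributions from lookup providers are best-effort and should be read alongside the rest of the ticket.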
For more information about ticket types, see Ticket types for Cloud Security.