Ticket types for Cloud Security

Important

The tickets discussed in this article apply to devices running Windows or macOS Agents.

Coro generates tickets for cloud applications when it identifies the following security incidents:

Abnormal admin activity

Coro identified activity on an admin account of a connected cloud app that originated from an unexpected IP address. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days.

Important

To enhance protection for admin users, Coro flags abnormal admin behavior even when originating from a country allowed by cloud application access permissions. A compromised admin user account presents a significantly higher risk than a regular user account.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Access permissions violation

Coro detected a successful login that violated the cloud app access permissions configured for a user’s assigned group, based on the user's origin country or IP address. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Access permissions violation.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Impossible traveler

Coro detected subsequent successful cloud application sign-ins by a protected user from multiple geographic locations within a 24-hour period that would be physically impossible to achieve based on the distance and required travel time between them. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Impossible traveler.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all affected cloud apps | Coro suspends the user's access to their accounts on all cloud applications connected to the sign-in events. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all affected cloud apps | Coro requests the user to sign in to all cloud applications connected to the sign-in events. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Malware in cloud drive

Coro identified potential malware on a monitored cloud drive in one of your connected applications. Files detected as malicious are automatically moved to a quarantine folder and no further action is required. However, admin users have the option to review the ticket and choose to approve or permanently delete the file. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Approve file | Approve and return the quarantined file to its original location. Future identical files are not quarantined. The admin user has the option of immediately closing the current ticket and all related tickets.
Delete file | Delete the file as unapproved.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Mass data deletion

Coro detected an abnormally large data deletion event in a protected user’s cloud application account. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Mass event tickets.

Action | Outcomes
Export files list | Export and download a list of affected files in CSV format.
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Mass data download

Coro detected an abnormally large data download event in a protected user’s cloud application account. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Mass event tickets.

Action | Outcomes
Export files list | Export and download a list of affected files in CSV format.
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Suspected bot attacks

Coro detected a protected user account as the target of a suspected bot login attempt from an external source. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Suspected bot attacks.

Action | Outcomes
Re-open | Reopens this ticket for admin user intervention and manual remediation.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.

Suspected identity compromise

Coro builds a normative behavior model for user accounts and raises a ticket if it detects anomalous activity or login behavior. Tickets remain open for review by an admin user until Coro closes them automatically after 10 days. To learn more, see Suspected identity compromise.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Request user to sign-in to all cloud apps | Coro requests the user to sign in to all of their connected cloud applications. Coro adds a record to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> | Coro requests the user to sign in to the specified cloud application. Coro adds a record to the Activity Log: "<user> was requested to re-login to <cloud service>"
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.