Ticket types for Cloud Security¶
Coro generates tickets for cloud applications when it identifies the following security incidents:
- Abnormal admin activity
- Access permissions violation
- Malware in cloud drive
- Mass data deletion
- Mass data download
- Suspected bot attacks
- Suspected identity compromise
Abnormal admin activity¶
Coro identified activity for an admin account of a connected cloud app where it originated from an unexpected IP address. Tickets are classified as suggested for review and are automatically closed after the review period of four weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Access permissions violation¶
Coro observed a successful login in violation of the cloud app access permissions configured for a user group to which a user belongs, based on the user's origin country or IP address. Tickets remain open for review by an Admin user and closed automatically after a period of time. To learn more, see Access permissions violation.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Malware in cloud drive¶
Coro identified potential malware on a monitored cloud drive in one of your connected apps. Files detected as malicious are automatically moved to a quarantine folder and no further action is required. However, admin users have the option to review the ticket and choose to approve or permanently delete the file. Tickets are suggested for review with a review time of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Approve file | Approve and return the quarantined file to its original location. Future identical files are not quarantined. The Admin user has the option of immediately closing the current ticket and all related tickets. |
| Delete file | Delete the file as unapproved. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Mass data deletion¶
Coro observed an abnormally large data deletion event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Mass data download¶
Coro observed an abnormally large data download event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Suspected bot attacks¶
Coro identified a protected user account as being the target of a suspected bot login attempt from an external source. These tickets are automatically closed. To learn more, see Suspected bot attacks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
Suspected identity compromise¶
Coro builds a normative behavior model for user accounts and raises a ticket if it detects anomalous activity or login behavior. Tickets are classified as suggested for review and are automatically closed after the review period of two weeks. To learn more, see Suspected identity compromise.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity log. |