Ticket types for Endpoint Detection and Response (EDR)

Important

The tickets discussed in this article apply to devices running the Windows or macOS Agent.

Coro detects malicious processes using detection rules and creates a ticket for each detection.

EDR ticket components

EDR tickets contain the following components:

  • Description : The EDR ticket detection rule. Select See more to view a description of the detection rule that triggered the creation of the EDR ticket:

    EDR ticket description

    Coro displays the detection rule description:

    EDR ticket description

  • Process : The name of the process executable file which triggered the creation of the EDR ticket.
  • Hash : The hash of the process executable file, which uniquely identifies that file.
  • Affected devices : Select the displayed device count to view the filtered Devices page showing the affected devices related to the EDR ticket.
  • MITRE : This section lists the MITRE ATT&CK tactics and techniques associated with the security incident. Each entry shows the tactic category and a technique description. Select a technique ID to open its entry in the MITRE ATT&CK database and learn more about the behavior behind the incident.

    EDR ticket event details

  • Findings : This section displays additional details related to the process that triggered the creation of the EDR ticket:

    EDR ticket findings section

    Coro lists execution times for the process and any related parent or child processes.

    Where available, use the View link to open a Process graph visualizer showing parent-child relationships for the associated process. For more information, see Process graph.

    Note

    The process graph link exists only where Coro can access data to support the visualization. If the data is unavailable, the View link is hidden.

    Select the dropdown adjacent to each finding to view more details:

    EDR ticket findings section

    • Command line : The full command used to start the process.

      Note

      If the command line is Base64 encoded, Coro automatically decodes it and displays the decoded text.

    • Path : The directory path of the malicious process's image file.
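The decoding step described in the note above, as an added example that is not Coro's code: PowerShell's -EncodedCommand argument carries the script as Base64 over UTF-16LE text, so a ticket view has to locate the flag, decode the value, and fall back to the raw command line whenever the payload is not valid Base64 or not valid UTF-16. The accepted flag spellings and the sample command lines are constructed for this example.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand. These are the
# spellings commonly seen in telemetry (assumption, not taken from the Coro page).
_ENC_FLAG = re.compile(r"^[-/](e|ec|enc|encodedcommand)$", re.IGNORECASE)


def encode_for_powershell(script: str) -> str:
    """Base64 of the UTF-16LE script, which is the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script when the command line carries an EncodedCommand
    argument that decodes cleanly; otherwise None."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        if not _ENC_FLAG.match(flag):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
            return raw.decode("utf-16-le")
        except ValueError:
            # binascii.Error and UnicodeDecodeError are both ValueError subclasses:
            # malformed Base64, or an odd-length / non-UTF-16 payload.
            return None
    return None


def display_command_line(command_line: str) -> str:
    """What a ticket view shows: the decoded script when one is present,
    otherwise the original command line unchanged."""
    decoded = decode_encoded_command(command_line)
    return decoded if decoded is not None else command_line


# Constructed samples, not taken from a real ticket: a benign script encoded the
# way -EncodedCommand requires, and a plain command line with no encoding.
SAMPLE_SCRIPT = "Get-Date; Get-Process | Select-Object -First 3"
SAMPLE_ENCODED_CMD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoProfile -WindowStyle Hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)
)
SAMPLE_PLAIN_CMD = r'"C:\Windows\notepad.exe" C:\Users\alice\notes.txt'

if __name__ == "__main__":
    for cmd in (SAMPLE_ENCODED_CMD, SAMPLE_PLAIN_CMD):
        print("raw:     ", cmd)
        print("display: ", display_command_line(cmd))
```

The fallback matters in practice: a truncated or hand-edited argument must never make the ticket view blank, so anything that fails to decode is shown exactly as the agent recorded it.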

Process graph

The process graph visually represents the process tree for the selected EDR ticket, highlighting both malicious and legitimate processes detected by Coro. Users can navigate through connected process nodes to explore parent and child processes, understand their relationships, and gather detailed information. This enables a quicker assessment of the investigated process to determine if it is malicious.

Note

Coro supports process graphs for Windows and macOS devices.

The process graph is available only if Coro can access data for the selected process.

To view the process graph for an associated EDR ticket:

  1. Select the EDR ticket.
  2. Go to the Findings section, locate the process record, and select View under the Process graph header:

    EDR process graph view

    Coro displays the process graph with the Anchor Process node selected:

    EDR process graph actions

    Important

    The anchor process node is the process you selected from the Findings section of the EDR ticket.

    The anchor process is the central node in the process graph. It links parent processes (showing all processes that led to the creation of the anchor process, starting from the root) to child processes (those initiated by the anchor process and its descendants). This provides a starting point for your investigation, enabling you to trace the lineage and impact of related processes.

    Related process counters show the number of additional processes linked to the selected process node:

    EDR process graph related process counters
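The anchor-centred traversal that the procedure above describes, written as an added example (not Coro's implementation) over constructed process telemetry: ancestors are walked from the anchor's parent up to the root and the walk stops where a parent has no record, descendants are collected breadth-first, and the two counts are the related process counters shown beside a node. The record fields mirror the node properties listed on this page; the PIDs, paths, timestamps and hashes are placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int            # parent PID as reported by the OS
    image: str
    command_line: str
    user: str
    executed_at: str     # ISO-8601 timestamp
    sha256: str


# Constructed telemetry for one device (not from a real ticket; hashes are
# placeholders). PID 1100 has no record: it exited before the agent saw it.
RECORDS = [
    ProcessRecord(1204, 1100, r"C:\Windows\explorer.exe", "explorer.exe",
                  "CORP\\alice", "2024-05-02T08:01:10Z", "<sha256-placeholder-1>"),
    ProcessRecord(5120, 1204, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  '"WINWORD.EXE" /n "C:\\Users\\alice\\invoice.docm"',
                  "CORP\\alice", "2024-05-02T09:14:02Z", "<sha256-placeholder-2>"),
    ProcessRecord(6012, 5120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start /min powershell.exe",
                  "CORP\\alice", "2024-05-02T09:14:05Z", "<sha256-placeholder-3>"),
    ProcessRecord(6100, 6012, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -NoProfile -WindowStyle Hidden -enc <base64-placeholder>",
                  "CORP\\alice", "2024-05-02T09:14:06Z", "<sha256-placeholder-4>"),
    ProcessRecord(6104, 6100, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4",
                  "CORP\\alice", "2024-05-02T09:14:06Z", "<sha256-placeholder-5>"),
    ProcessRecord(6150, 6100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all",
                  "CORP\\alice", "2024-05-02T09:14:08Z", "<sha256-placeholder-3>"),
    ProcessRecord(6160, 6150, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all",
                  "CORP\\alice", "2024-05-02T09:14:08Z", "<sha256-placeholder-6>"),
]


class ProcessGraph:
    """Parent/child index over the telemetry, queried from an anchor PID."""

    def __init__(self, records):
        self.by_pid = {r.pid: r for r in records}
        self.children = defaultdict(list)
        for r in records:
            self.children[r.ppid].append(r.pid)

    def ancestors(self, anchor_pid):
        """PIDs from the root down to the anchor's parent. The chain stops at the
        first parent without a record, so no ancestor is ever invented; the seen
        set guards against PID reuse producing a cycle."""
        chain, seen = [], {anchor_pid}
        cur = self.by_pid[anchor_pid].ppid
        while cur in self.by_pid and cur not in seen:
            chain.append(cur)
            seen.add(cur)
            cur = self.by_pid[cur].ppid
        chain.reverse()
        return chain

    def descendants(self, anchor_pid):
        """Every PID started by the anchor or by its descendants, breadth-first."""
        out, queue = [], deque(self.children.get(anchor_pid, []))
        while queue:
            pid = queue.popleft()
            out.append(pid)
            queue.extend(self.children.get(pid, []))
        return out

    def related_counts(self, pid):
        """The counters shown beside a node: processes linked upward and downward."""
        return {"parents": len(self.ancestors(pid)), "children": len(self.descendants(pid))}

    def node_properties(self, pid):
        """The property panel for a selected node, keyed as the page names them."""
        r = self.by_pid[pid]
        return {"PID": r.pid, "Related user": r.user, "Execution Time": r.executed_at,
                "Command Line Arguments": r.command_line, "Image file location": r.image,
                "SHA256 Hash": r.sha256}


if __name__ == "__main__":
    graph = ProcessGraph(RECORDS)
    anchor = 6100  # the process selected from the ticket's Findings section
    print("ancestors (root first):", graph.ancestors(anchor))
    print("descendants:", graph.descendants(anchor))
    print("counters:", graph.related_counts(anchor))
    for key, value in graph.node_properties(anchor).items():
        print(f"  {key}: {value}")
```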

Process graph node properties

Each process graph node displays a set of properties.

Select a process node to see the following process properties:

  • Related ticket : Select the link to go back to the related ticket.
  • PID : The unique process identifier assigned by the operating system (OS).
  • Related user : The user account that executed or interacted with the process.
  • Execution Time : The timestamp when the process executed.
  • Command Line Arguments : The full command used to start the process, including the path to the executable file and any passed arguments or parameters.
  • Image file location : The directory path of the executable image file that started the process.
  • SHA256 Hash : The SHA-256 hash value of the selected process.

Process graph actions

Each process node has actions you can perform. To access these actions, select Actions for the selected process node:

EDR process graph actions

The following describes the outcome of each process node action:

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security blocked list.

    For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Allow process
    Prevents EDR tickets from triggering by marking the non-system process as safe. Related process information is not collected in the EDR Telemetry and Process tabs.

EDR detection rules

Coro identifies malicious processes based on detection rules and creates tickets for detected events.

Command and Control

Attackers use command and control techniques to control compromised devices, steal data, spread malware, or build botnets. They send commands and receive stolen data through command and control servers. Coro detects these activities and creates tickets for the following command and control rules:

Remote Access Tool Attack

Coro detects remote access tools on devices. Attackers often install and activate these tools covertly to gain unauthorized network access or expose private services. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Suspicious Usage of a LOLBin

Coro detects Living Off The Land Binaries (LOLBins) on devices. Attackers abuse these legitimate system tools to download or execute malicious content while blending in with normal system activity. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Credential Access

Attackers use credential access techniques to steal or misuse login credentials and gain unauthorized access to data or devices. Coro detects these attempts and creates tickets for the following credential access rules:

Brute force attempt using a non-existent username

Coro detects suspicious account activity on one or more devices. This activity suggests attempts to manipulate accounts or brute force user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Repeated brute force attempts using wrong passwords

Coro detects suspicious account activity on one or more devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials and potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Defense Evasion

Attackers use defense evasion techniques to avoid detection and bypass security mechanisms. Coro detects these attempts and creates tickets for the following defense evasion rules:

Malicious UAC Bypass

Coro detects User Account Control (UAC) bypasses on devices. Attackers use UAC bypass techniques to gain elevated system privileges. Coro keeps the tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Execution of a renamed tool

Coro detects renamed tools on devices. Attackers use this masquerading technique to avoid detection. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Discovery

Attackers use discovery techniques to gather information about the devices, networks, or infrastructure they’ve infiltrated. Coro detects these actions and creates tickets for the following discovery rules:

Unauthorized System Discovery Activity

Coro detects use of the whoami command on devices. Attackers often run this command during system discovery to identify user accounts and privileges. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Execution

Attackers use execution techniques to run malicious code on target devices or networks. Coro detects these attempts and creates tickets for the following execution rules:

Malicious File Download and/or Execution

Coro detects use of curl commands on devices. Attackers often use curl to download and remotely execute payloads, enabling discreet transfer and execution of malicious files. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Malicious PowerShell Download from External Source

Coro detects PowerShell execution with signs of file download attempts on devices. Attackers often exploit PowerShell’s scripting capabilities to covertly download and execute malicious payloads. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Malicious Base64-Encoded PowerShell Command Usage

Coro detects Base64-encoded PowerShell commands on devices. Attackers often use Base64 encoding to hide malicious scripts from detection tools. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.
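How process-based rules of the kind listed under Defense Evasion, Discovery and Execution above turn a single process event into a ticket carrying the components described at the top of this page (description, process, hash, MITRE tactic and technique, command line, path), as an added example that is not Coro's detection logic. The predicates, the comparison of the image name against the PE OriginalFilename used for the renamed-tool rule, and the ATT&CK technique IDs are this example's own assumptions; the page does not state how Coro implements any rule. The events are constructed, and hashes and Base64 payloads are placeholders.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    image: str                # full path of the executable image
    command_line: str
    sha256: str
    original_file_name: str   # OriginalFilename from the PE version resource (assumed available)


@dataclass(frozen=True)
class Ticket:
    description: str          # the detection rule, as the ticket's Description shows it
    process: str
    sha256: str
    mitre: tuple              # (tactic, technique ID) pairs
    command_line: str
    path: str


def image_name(ev: ProcessEvent) -> str:
    return PureWindowsPath(ev.image).name.lower()


def image_dir(ev: ProcessEvent) -> str:
    return str(PureWindowsPath(ev.image).parent)


# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)(?:\s|$)", re.I)
# Download primitives that appear on the command line of a download cradle.
DOWNLOAD_HINT = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (rule description, predicate, ATT&CK tactic/technique pairs). The technique
# mapping is this example's own, not one stated on the Coro page.
RULES = [
    ("Unauthorized System Discovery Activity",
     lambda ev: image_name(ev) == "whoami.exe",
     (("Discovery", "T1033"),)),
    ("Malicious File Download and/or Execution",
     lambda ev: image_name(ev) == "curl.exe",
     (("Command and Control", "T1105"),)),
    ("Malicious PowerShell Download from External Source",
     lambda ev: image_name(ev) in POWERSHELL and bool(DOWNLOAD_HINT.search(ev.command_line)),
     (("Execution", "T1059.001"), ("Command and Control", "T1105"))),
    ("Malicious Base64-Encoded PowerShell Command Usage",
     lambda ev: image_name(ev) in POWERSHELL and bool(ENCODED_FLAG.search(ev.command_line)),
     (("Execution", "T1059.001"), ("Defense Evasion", "T1027"))),
    ("Execution of a renamed tool",
     lambda ev: bool(ev.original_file_name) and image_name(ev) != ev.original_file_name.lower(),
     (("Defense Evasion", "T1036.003"),)),
    ("Malicious Scheduled Task Creation/Execution",
     lambda ev: image_name(ev) == "schtasks.exe"
     and bool(re.search(r"/(create|run)\b", ev.command_line, re.I)),
     (("Persistence", "T1053.005"),)),
]


def evaluate(events):
    """Run every rule over every event; one ticket per (event, rule) match."""
    tickets = []
    for ev in events:
        for description, matches, mitre in RULES:
            if matches(ev):
                tickets.append(Ticket(description, image_name(ev), ev.sha256, mitre,
                                      ev.command_line, image_dir(ev)))
    return tickets


# Constructed events. Note the third one: renaming powershell.exe defeats the
# name-based PowerShell rules, which is exactly why the renamed-tool rule exists.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\whoami.exe", "whoami /all",
                 "<sha256-placeholder-1>", "whoami.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -enc <base64-placeholder>",
                 "<sha256-placeholder-2>", "PowerShell.EXE"),
    ProcessEvent(r"C:\Users\Public\update.exe",
                 "update.exe -NoProfile -WindowStyle Hidden -enc <base64-placeholder>",
                 "<sha256-placeholder-2>", "PowerShell.EXE"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\update.exe" /sc onlogon',
                 "<sha256-placeholder-3>", "schtasks.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl.exe -sL https://example.invalid/setup.dat -o C:\Users\Public\setup.dat",
                 "<sha256-placeholder-4>", "curl.exe"),
    ProcessEvent(r"C:\Windows\notepad.exe", "notepad.exe", "<sha256-placeholder-5>", "NOTEPAD.EXE"),
]

if __name__ == "__main__":
    for t in evaluate(SAMPLE_EVENTS):
        print(f"{t.description}: {t.process} [{', '.join(tid for _, tid in t.mitre)}] in {t.path}")
```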

Initial Access

Attackers use initial access techniques to gain entry into a network or device. Coro detects these attempts and creates tickets for Remote Access Tool Attacks.

Persistence

Attackers use persistence techniques to maintain long-term control of a device or network, often stealthily. Coro detects these actions and creates tickets for the following persistence rules:

Malicious Scheduled Task Creation/Execution

Coro detects scheduled task creation or execution on devices, which might indicate that attackers are attempting to gain persistence or execute malicious code at predetermined times. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Modification of User Accounts in Elevated Groups

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Password spray attack involving 200 login attempts

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Password spray attack involving 100 login attempts

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.
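The threshold logic behind the account-activity rules on this page (the Credential Access rules for a non-existent username and for repeated wrong passwords, and the 100- and 200-attempt password spray rules just above), as an added example that is not Coro's implementation. It slides a ten-minute window per source over constructed logon failures and raises each rule once per source; the 100 and 200 attempt counts come from the rule names on the page, while the window length, the other thresholds and the field names are this example's assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonFailure:
    at: datetime
    source: str      # device or address the attempts came from
    username: str
    reason: str      # "no_such_user" or "bad_password"


# Thresholds. 100 and 200 are the counts in the page's spray rule names; the
# window and the remaining values are this example's own assumptions.
WINDOW = timedelta(minutes=10)
NONEXISTENT_USER_THRESHOLD = 10
WRONG_PASSWORD_THRESHOLD = 10
SPRAY_MIN_ACCOUNTS = 10
SPRAY_THRESHOLDS = (200, 100)   # checked largest first


def detect(failures):
    """Return (rule name, source, detail) findings, at most one per rule per source.
    Events are grouped by source and scanned with a sliding WINDOW of failures."""
    findings, raised = [], set()
    by_source = defaultdict(list)
    for f in sorted(failures, key=lambda f: f.at):
        by_source[f.source].append(f)

    def emit(rule, source, detail):
        if (rule, source) not in raised:
            raised.add((rule, source))
            findings.append((rule, source, detail))

    for source, events in by_source.items():
        window = deque()
        for f in events:
            window.append(f)
            while f.at - window[0].at > WINDOW:   # drop failures older than the window
                window.popleft()

            # Rule 1: many failures naming accounts that do not exist.
            no_user = sum(1 for w in window if w.reason == "no_such_user")
            if no_user >= NONEXISTENT_USER_THRESHOLD:
                emit("Brute force attempt using a non-existent username", source,
                     f"{no_user} unknown-user failures")

            # Rule 2: one real account hit with many wrong passwords.
            per_account = defaultdict(int)
            for w in window:
                if w.reason == "bad_password":
                    per_account[w.username] += 1
            for user, n in per_account.items():
                if n >= WRONG_PASSWORD_THRESHOLD:
                    emit("Repeated brute force attempts using wrong passwords", source,
                         f"{n} failures for {user}")

            # Rule 3: a spray, i.e. many attempts spread over many distinct accounts.
            accounts = {w.username for w in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                for threshold in SPRAY_THRESHOLDS:
                    if len(window) >= threshold:
                        emit(f"Password spray attack involving {threshold} login attempts", source,
                             f"{len(window)} attempts across {len(accounts)} accounts")
                        break
    return findings


def constructed_failures():
    """Synthetic logon failures for four sources; not real telemetry."""
    t0 = datetime(2024, 5, 2, 9, 0, 0)
    out = []
    # ws-03: a single account hammered with wrong passwords.
    out += [LogonFailure(t0 + timedelta(seconds=5 * i), "ws-03", "alice", "bad_password")
            for i in range(12)]
    # ws-09: guesses at account names that do not exist.
    out += [LogonFailure(t0 + timedelta(seconds=7 * i), "ws-09", f"svc_{i:02d}", "no_such_user")
            for i in range(11)]
    # ws-17: a spray, three attempts each against 40 accounts (120 attempts total).
    out += [LogonFailure(t0 + timedelta(seconds=3 * i), "ws-17", f"user{i % 40:02d}", "bad_password")
            for i in range(120)]
    # ws-05: two typos and nothing more; must not alert.
    out += [LogonFailure(t0 + timedelta(seconds=20 * i), "ws-05", "bob", "bad_password")
            for i in range(2)]
    return out


if __name__ == "__main__":
    for rule, source, detail in detect(constructed_failures()):
        print(f"{source}: {rule} ({detail})")
```

The spray from ws-17 reaches the 100-attempt rule but not the 200-attempt one, and because each account sees only three attempts it never triggers the wrong-password rule; the two rules measure different shapes of the same failure stream.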

Privilege Escalation

Attackers use privilege escalation techniques to gain higher-level permissions on a device or network after initial access. Coro detects these attempts and creates tickets for the following privilege escalation events:

Elevated group adding and removal

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only)
    Closes the ticket and does not take any remediation action.

    Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.

Re-open (Closed tickets only)
    Reopens the ticket for admin user intervention and manual remediation.

Reboot devices
    Reboots the affected device(s). For further information, see EDR Processes.

Shut down devices
    Shuts down the affected device(s). For further information, see EDR Processes.

Un-log and remove from audit reports (Closed tickets only)
    Removes the ticket from your workspace status update emails.

    Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.

Block process
    Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.

Isolate affected devices from network
    Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.