Ticket types for users
Coro generates tickets for protectable users when it identifies the following security incidents:
- Access permission violation
- Mass data deletion
- Mass data download
- Suspected bot attacks
- Suspicious exposure of certificate
- Suspicious exposure of critical data
- Suspicious exposure of file type
- Suspicious exposure of password
- Suspicious exposure of source code
Access permission violation
Coro observed a login violation of the cloud app access permissions configured for a user group to which a user belongs, based on the origin country or IP address used in the login attempt. Tickets remain open for review by an Admin user and are closed automatically after a period of time. To learn more, see Access permissions violation.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Mass data deletion
Coro observed an abnormally large data deletion event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Mass data download
Coro observed an abnormally large data download event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Suspected bot attacks
Coro identified a protected user account as being the target of a suspected bot login attempt from an external source. These tickets are automatically closed. To learn more, see Suspected bot attacks.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Suspicious exposure of certificate
Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of critical data
Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of file type
Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachments and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of password
Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks. The duration depends on the potential impact of the detection.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of source code
Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.
Action | Outcomes |
---|---|
Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |