Telemetry¶

The Telemetry page collects and aggregates various types of monitored forensic information from devices, which users can use to conduct malware-related investigations more efficiently.

Note

If a device loses network connectivity or the Coro agent is inactive, Coro EDR preserves your telemetry data. This saved data becomes accessible once the device re-establishes connection or the Coro agent resumes operation.

Telemetry is built from:

macOS logs: macOS uses the application console to collect logs generated by your macOS device. Account activity logs collected in the application console are crucial for diagnosing device issues and potentially malicious user account activity.
Windows event logs: The Windows event log is a comprehensive and chronological record of system, security, and application notifications stored by the Windows operating system, which network administrators use to diagnose system problems and predict future issues.

For Windows devices, when Tamper Protection is enabled, Coro EDR safeguards against malicious attempts to disable the Windows Event Viewer, which is critical for gathering Windows event log telemetry data.

When a malicious process disables the Windows Event Viewer, The Coro agent immediately restarts the service, and the following notification appears:

Note

When a process interacts with a telemetry source monitored by Coro EDR, the associated telemetry information of that process is available on the Telemetry page.

This article discusses the following topics:

Accessing the Telemetry page
Types of telemetry data monitored by Coro
Telemetry actions
Filtering telemetry records
Searching telemetry records

Accessing the Telemetry page¶

To access the Telemetry page:

Log into the Coro console and select Control Panel from the toolbar:
Select EDR:
Select the Telemetry tab:

The Telemetry page appears:

The forensic information is displayed as a list of monitored telemetry data. The list contains the following columns:

Forensic: The telemetry category (Registry key, Scheduled task, or Account event), name of the telemetry event, classification symbol, and timestamp.
Device: The device name related to the telemetry event.
Process: The process name related to the telemetry event.

Types of telemetry data monitored by Coro¶

The Telemetry page collects and monitors the following types of event log information:

Account events (Windows and macOS)
Scheduled tasks (Windows)
Registry keys (Windows)

Expand each type to display additional information. Filter for data types using the Type filter.

Account events¶

Account events are specific actions or activities related to user accounts and their interactions within a device’s OS environment. These events are logged by the event log system of the OS, and are crucial for security monitoring, troubleshooting, and auditing purposes. Account events provide insights into user behavior, account management, and potential security threats.

Note

Coro monitors Account events for both Windows and macOS devices.

The Telemetry page collects and monitors information related to the following account events:

A user account was created
A user account was enabled
An attempt was made to change an account's password
An attempt was made to reset an account's password
A user account was disabled
A user account was deleted
A user account was changed
The name of an account was changed
An account was successfully logged on
An account failed to log on
An account was logged off
A logon was attempted using explicit credentials
A user account was locked out

The following columns are displayed:

Forensic: The name of the Account event, for example, Authentication Attempt.
Device: The device name used to create the account event.
Process: The process name.

Expand an Account event record using the dropdown. The following additional information is displayed under the Detailed process info section:

User name: The account name that initiated a particular event.
Success: Specifies whether the event executed successfully.
Process Name: The name of the process executable.
Hash: The unique process identifier.
Command Line: The full command used to start the process, including the path to the executable file and any passed arguments or parameters.
Parent Process Name: The name of the parent process executable that initiated another process.
Hash (parent): The unique parent process identifier that initiated another process.

Note

Additional information is displayed under the Detailed process info section depending on the Account event type and the OS of the device.

Scheduled tasks¶

Scheduled Tasks are automated processes that run on a predetermined schedule in operating systems or applications. They perform specific actions at regular intervals, such as hourly, daily, or weekly, without manual intervention. These tasks are crucial for automating routine operations, data backups, updates, and maintenance, enhancing efficiency and ensuring timely execution of critical functions.

Note

Coro monitors Scheduled task events for Windows devices.

The Telemetry page collects and monitors information related to the addition of Scheduled tasks.

The following columns are displayed:

Forensic: The new scheduled task name, classification symbol, and timestamp.
Device: The name of the device on which the scheduled task was created.
Process: The process name.

Expand a Scheduled task record using the dropdown. The following additional information is displayed under the Detailed process info section:

User name: The account name that initiated a particular event.
Action: The executable action of the task.
Trigger: Specifies the action which initiates the event, for example, Calendar specifies a calendar based action.
Operation Type: The type of operation performed with the task. The value for a Scheduled task is: Scheduled task was created.
Process Name: The name of the process executable.
Hash: The unique process identifier.
Command Line: The full command used to start the process, including the path to the executable file and any passed arguments or parameters.

Note

Coro EDR automatically decodes base64-encoded command lines, rendering them understandable for the user.
Parent Process Name: The name of the parent process executable that initiated another process.
Hash: (parent): The unique parent process identifier that initiated another process.
Command Line: (parent): The full parent command used to initiate the event that triggered another process.

Note

Coro EDR automatically decodes base64-encoded command lines, rendering them understandable for the user.

Registry keys¶

Registry keys are hierarchical data structures in the Windows operating system registry. They serve as containers that store configuration settings and information about software, hardware, and system preferences. Each key can contain subkeys and values, facilitating the organization and retrieval of crucial system data.

Note

Coro monitors Registry keys events for Windows devices.

The Telemetry page collects and monitors information related to the addition, modification, and deletion of the following Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Services
HKLM\System\CurrentControlSet\Services
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

The following information is displayed in the Forensic column:

Current Value: The new registry key value, classification symbol, and timestamp.
Old Value: The old registry key value.
Operation Type: The type of operation performed with the registry key value. These operations are:
- New registry value created
- Registry value deleted
- Existing registry value modified
Process Name: The name of the process executable.
Hash: The unique process identifier.
Parent Process Name: The name of the parent process executable that initiated another process.
Hash (parent): The unique parent process identifier that initiated another process.

Telemetry actions¶

Each process listed on the Telemetry tab has a set of actions that can be applied to a monitored telemetry data record:

The following telemetry actions are available:

Isolate affected device from network (applicable to Registry keys and Scheduled tasks): Used in the case of severe attacks. The action isolates selected devices from the network. An isolated device cannot communicate with any resource on the network or the internet. The Coro process remains functional in order to communicate with the Coro server.

Note

Reconnect isolated devices to the network from the Devices page.

Note

You can isolate a process if at least one of the associated devices has either:

MacOS agent v2.1 or higher installed.

Windows agent v2.2 or higher installed.
Shutdown Devices: Shuts down selected devices.
Reboot Devices: Reboots selected devices.
Block Process: Blocks a process and adds an item to the list on the Allow/Block page of the Endpoint Security module:

For further information on blocking processes, see EDR Allow/Block lists and Endpoint Security Allow/Block lists
View full log: Displays the raw XML (for Windows) and JSON (for macOS) log related to the telemetry entry, as received from the agent in the tab:

Filtering telemetry records¶

Filter the Telemetry page records by using the following two filters:

Telemetry type
Telemetry time period

Telemetry type¶

The Telemetry type filter allows you to filter telemetry records by:

Registry key
Scheduled task
Account events

Telemetry time period¶

The Telemetry time period filter allows you to filter telemetry records by specified time periods using a calendar date picker:

Searching telemetry records¶

The Search field allows you to search and filter telemetry records using two methods:

Prefixed search
Free search

Prefixed search¶

A prefixed search allows you to search by the following prefixed terms:

EnrollmentCode: The Coro device ID.
DeviceName: The name of the device(s) linked to the forensic record.
ProcessHash: The unique process identifier.
ProcessName: The name of the process.

Note

Prefixed searches use exact matches for the selected prefixed term value entered.

Free search¶

A free search allows you to search without the use of prefixed terms.

Note

The free search functionality finds items that begin with a specific sequence of characters. By entering the initial characters, the system displays relevant results, saving time and improving efficiency in locating desired information.