Home
/
Coro public API
/
Coro API reference
/
tickets
/
Get tickets actions

Coro Cybersecurity Public API (v1)


This is the Coro Cybersecurity platform API specification reference.

This section provides a complete reference listing for the Coro Cybersecurity REST API resource model.

About the resource reference

This reference lists all the resources available through the Coro REST API.

Each section relates to a specific resource and provides its name, description, unique URI path, and the list of operations you can perform on it.

For each operation, you can find:

  • A complete description of the action
  • Request parameters
  • A list of potential responses
  • Security (authentication) requirements

The portal also provides code samples and examples for making requests in a number of programming languages, together with samples of the possible response bodies.

In addition to this, Coro provides a Try It feature where you can interact with the API directly through the portal. To use Try It, you'll need to first obtain Client ID and Secret credentials; for more information, see Authentication.

Download OpenAPI description
View and download the Coro API JSON specification
Overview
URL

https://support.coro.net

E-mail

support@coro.net

Terms of Service

Languages
Servers
Coro mock API server

https://docs.coro.net/_mock/api/api-docs/

Coro US API server target URL

https://api.secure.coro.net/

audit-logs

This is the audit log resource.

Operations

authentication

This is the resource for API authentication requests.

Use this resource to validate your identify and to obtain a bearer token to use when accessing other API resources.

Operations

devices

This is the Devices resource.

Use this resource to get details of all protected devices for a particular workspace.

Operations

portal-users

This is the portal user resource.

Use this resource to get details of all portal users added to the specified workspace.

Operations

subscriptions

This is the subscriptions resource.

Use this resource to view and manage workspace subscriptions.

Operations

tickets

This is the Tickets resource.

Use this resource to get details of all tickets stored in the Coro platform for a particular workspace.

Operations

Get tickets actions

Request

Get tickets actions by ticket id.

Security
JWT
Path
idstringrequired
Headers
Workspacestringrequired

The workspace identifier, which isolates API requests inside the provided workspace scope.

Example: corodevonmicrosoftcom_TX7T_u
curl -i -X GET \
  'https://docs.coro.net/_mock/api/api-docs/v1/tickets/{id}/actions' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Workspace: corodevonmicrosoftcom_TX7T_u'

Responses

Success

Bodyapplication/json
string
Response
application/json
"string"

Trigger a ticket action

Request

Trigger a ticket action by ticket id.

Security
JWT
Path
idstringrequired
Headers
Workspacestringrequired

The workspace identifier, which isolates API requests inside the provided workspace scope.

Example: corodevonmicrosoftcom_TX7T_u
Bodyapplication/jsonrequired
eventActionstring(EventAction)required

A ticket action, corresponding to an appropriate EventAction to trigger.

Example: "markAsProcessed"
Any of:
string
Enum"treatFileAsSafe""treatFileAsMalicious""excludeFolderFromScan""excludeCertificateFromScan""excludeFilePathAndCertificateFromScan""excludeFilePathAndFileHashFromScan""approveProcessGroup""enableFirewall""remoteScan""stopRemoteScan"
metadataobject

Additional data required for executing certain ticket actions. This is a key-value object, where the value format depends on the specific action type.

Ticket actions that require metadata:

  • addToDataGovernancePermissions
    • key: selectedSubEventTriggers
    • value: a list of data types aggregated by the event. These values correspond to one or more entries from the /tickets API response, under the ticketDetails.violatedDataTypes path.
Example: {"selectedSubEventTriggers":["dlpPersonalData"]}
curl -i -X POST \
  'https://docs.coro.net/_mock/api/api-docs/v1/tickets/{id}/actions' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Content-Type: application/json' \
  -H 'Workspace: corodevonmicrosoftcom_TX7T_u' \
  -d '{
    "eventAction": "markAsProcessed",
    "metadata": {
      "selectedSubEventTriggers": [
        "dlpPersonalData"
      ]
    }
  }'

Responses

Success

Bodyapplication/json
ticketActionsStatusobject

The status of the ticket action response

Response
application/json
{
  "ticketActionsStatus": {}
}

Get a list of all tickets

Request

Get a list of all tickets in the specified workspace. This call supports pagination; default page size includes 20 tickets.

Security
JWT
Query
ticketIdsArray of stringsunique
ticketTriggersArray of strings(EventTriggerDto)unique
processedboolean

Search by processed flag

fromTimenumber

Search for tickets that were occurred after this timestamp in milliseconds

toTimenumber

Search for tickets that were occurred before this timestamp in milliseconds

pagestring>= 0

API responses use pagination to reduce loading time. Return a specific page of results, using a zero-based page index (0..N).

Default "0"
Example: page=0
pageSizestring[ 10 .. 500 ]

API responses use pagination to reduce loading time. Return a maximum of this many items per page.

Default "20"
Example: pageSize=50
Headers
Workspacestringrequired

The workspace identifier, which isolates API requests inside the provided workspace scope.

Example: corodevonmicrosoftcom_TX7T_u
curl -i -X GET \
  'https://docs.coro.net/_mock/api/api-docs/v1/tickets?fromTime=0&page=0&pageSize=50&processed=true&ticketIds=string&ticketTriggers=malwareInCloudDrive&toTime=0' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Workspace: corodevonmicrosoftcom_TX7T_u'

Responses

Success

Bodyapplication/json
itemsArray of objects(TicketResponse)
totalElementsinteger(int64)

The total number of records that exist for the request.

_linksobject(TicketLinkDoc)
Response
application/json
{
  "items": [
    {}
  ],
  "totalElements": 0,
  "_links": {
    "autoRemediatedAuditLogs": {}
  }
}

Get a ticket

Request

Get a ticket by ticket id.

Security
JWT
Path
idstringrequired
Headers
Workspacestringrequired

The workspace identifier, which isolates API requests inside the provided workspace scope.

Example: corodevonmicrosoftcom_TX7T_u
curl -i -X GET \
  'https://docs.coro.net/_mock/api/api-docs/v1/tickets/{id}' \
  -H 'Authorization: Bearer <YOUR_JWT_HERE>' \
  -H 'Workspace: corodevonmicrosoftcom_TX7T_u'

Responses

Success

Bodyapplication/json
idstring

The unique identifier for the ticket

Example: "GYDU-1212"
ticketTriggerstring(EventTriggerDto)

The type of open ticket.

One of:
string
Enum"malwareInCloudDrive""abnormalAdminActivity""accessRestrictionsViolation""suspectedIdentityCompromise""malwareOnEndpoint""infectedProcess""vssBackupProtection""isUnencrypted""missingPinAndPasswordProtection""isDeveloperModeEnabled"
processedboolean

Indicates whether the ticket was processed/manually actioned/closed by an operator or by Coro

creationTimeinteger(int64)

UNIX timestamp in milliseconds for the time when the ticket was created in Coro

Example: 1662052343274
threatTimeinteger(int64)

UNIX timestamp in milliseconds for when the threat was detected

Example: 1662052343274
processedTimeinteger(int64)

UNIX timestamp in milliseconds for when the ticket was processed

Example: 1662052343274
lastEventTimeinteger(int64)

UNIX timestamp in milliseconds for the last event time

Example: 16620523284720
parentWorkspaceIdstring

The unique identifier of the parent workspace.

Example: "coroparent_123"
ticketDetailsTicketDetails (object)(TicketDetails)

Extra details about the ticket

One of:

Extra details about the ticket

object TicketDetails Recursive
workspaceIdstring

The unique identifier of the workspace.

Example: "corotest_123"
_linksobject(TicketLinkDoc)
Response
application/json
{
  "id": "GYDU-1212",
  "ticketTrigger": "malwareInCloudDrive",
  "processed": true,
  "creationTime": 1662052343274,
  "threatTime": 1662052343274,
  "processedTime": 1662052343274,
  "lastEventTime": 16620523284720,
  "parentWorkspaceId": "coroparent_123",
  "ticketDetails": {
    "deviceMetadata": {},
    "emailMetadata": {},
    "filesMetadata": [],
    "location": [],
    "malwareMetadata": {},
    "affectedUser": "test@example.com",
    "service": "Microsoft 365",
    "violationDirection": "access",
    "violatedDataTypes": []
  },
  "workspaceId": "corotest_123",
  "_links": {
    "autoRemediatedAuditLogs": {}
  }
}

tickets-summary

This is the Tickets Summary resource.

Use this resource to get details of tickets for a particular workspace, grouped by protection component.

Operations

usage

This is the resource for Coro usage.

Use this resource to obtain information about usage

Operations

users

This is the protected user resource.

Use this resource to get details of all protected users added to the specified workspace.

Operations

webhook-configuration

Use this resource to manage or view details of existing webhooks configurations, or to create new webhook configurations.

Operations

workspaces

Use this resource to view details of provisioned workspaces, or to create new workspaces.

Operations