Using the Ticket Log

The Ticket Log in Coro provides a record of all tickets generated in the current workspace. These tickets are detailed records of all detected suspicious events or a series of suspicious events.

To learn more about how Coro creates and uses tickets, see Tickets in Coro.

View the Ticket Log by signing into the Coro console and selecting the Tickets icon in the toolbar:

Accessing the ticket log

note

The Tickets link in the toolbar shows all tickets in the system and provides an overview of the current ticket queue. To view tickets for a specific module, or of a specific type, use the ticket links provided in each detailed dashboard panel in the Actionboard. To learn more, see The Actionboard.

Coro raises tickets for all protected users, and also for protectable users. Protectable users are those user accounts that Coro is able to identify from your connected cloud applications, but that have not been explicitly added for protection. Tickets raised for protectable users are done so as information-only without any remediation options, in order to highlight events to Admin users to inform how protection might be extended or reconfigured. Such tickets are automatically closed upon being raised.

The Ticket Log contains the following features:

The Ticket Log

The left pane shows a summary of the ticket queue, based on the selected filters. Select a ticket to see details in the right pane.

Coro provides the following for each ticket:

Information describing the ticket. For example, the user affected, the date the ticket was opened, the file name and size, and more.
Further ticket details, findings, and a summary of recent activity that has been performed for this ticket. To view a complete list of all activity relating to the ticket, select the All Activity link.
A Comments section, enabling an Admin user to record specific comments and notes regarding the event against a ticket. To learn more, see Create a ticket comment .
An Actions button that provides relevant actions for the ticket. For more information, see Actions .

Above the ticket summary list, you can choose to display all tickets, only open tickets, or only closed tickets. You can also filter the Ticket Log using the drop-down selectors to the right.

Choose filters for:

Security module : The main component of protection as provided in the Actionboard. For example, Cloud Security. (select Everywhere for all security modules)
Type : A dynamic list of ticket types relevant to the selected module.
During : A selected time period for the Ticket Log. Choose from a number of preset periods, or specify a date range by using the calendar.

You can also search the Ticket Log using free text.

Adding comments to tickets

You can add comments to tickets. This is advantageous for both Coro customers and Coro SOC team members when communicating ticket analysis and recommended actions. Comments can also provide general information.

Comments in tickets can increase the efficiency of ticket resolution by eliminating the need to manually communicate ticket-related information via email or other messaging platforms.

In addition, customers will be able to respond to SOC's analysis and add their own general notes to tickets. Comments can also be sent to customers directly from the Coro console.

Creating a ticket comment

To create a ticket comment:

Log into the Coro console and navigate to the Ticket Log .
Select the ticket.
In the Comments area on the right-hand side of the screen, select the Comment field.
Enter your comment into the Comment field.
note
There is no limit to the total number of characters in a comment.
Select Notify and then select the recipients of the notification.
- Notify affected users - select this to notify the ticket recipient.
- Notify all workspace admins - select this to notify all the admin users for the workspace.
- Notify custom recipients - select this to notify named recipients. In the Recipient field enter a valid email address. If you enter more than one recipient, use a manual line break to separate them.
Select Comment .
The comment appears in the Comments section:

note

You cannot edit or delete a saved comment. Only the comments for highlighted or selected tickets appear on the screen.

Actions

A ticket in the Ticket Log has actions that you can perform on it. These actions are available on the Actions menu that appears when you select the Actions button for the selected tickets.

For example, a ticket of type "Reported by User" shows the following actions:

The actions available are the ones that you can apply to the selected tickets. The following table describes the outcome for the "Reported by User" ticket type.

Action	Outcomes
Contact user	Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity Log.
Download Eml File	Download the suspicious email (.eml format). This allows you to thoroughly examine potentially malicious emails before taking any further action. For further information, see Downloading suspicious emails for further inspection.
Allow	Coro presents a dialog offering you the choice of either allowing this email (return it from the quarantine folder back to the original recipients), or allowing this email and optionally adding the sender's email address or domain to the workspace allowlist.
Block	Coro presents a dialog offering you the choice of either permanently deleting this email, or deleting the email and optionally adding the sender's email address or domain to the workspace blocklist.
Re-open tickets	Reopens closed tickets for Admin user intervention and manual remediation.
Close tickets	Closes the tickets as considered remediated and take no further action.

If you select the checkbox for a ticket, an Actions button appears on the left-hand side of the screen.

Actions for the Ticket Log

The actions available are those that apply to the selected tickets. If you select more than one ticket, the action applies to the selected tickets.

Actions for the Ticket Log

Notes

Actions might vary depending on type and status of the ticket. For example, an open ticket of a particular type might contain more available actions than a ticket that has been closed.
When a device is removed from protection, all open tickets associated with the device are automatically closed.
Tickets raised for protectable users are automatically closed and have no remediation Actions available.

To learn more about the actions for each ticket type, see:

Closing or reopening multiple tickets together

To close multiple open tickets at once without remediation, use the checkboxes adjacent to each ticket in the summary pane.

Important

Make sure you have first reviewed all tickets that you intend to close.

Use the checkboxes to select or deselect each ticket you want to close. Or, to select all tickets in the current view, use the checkbox at the top of the list.

When one or more tickets are selected, Coro displays a dedicated Actions menu button at the top of the pane. To close all currently selected tickets without any further remediation, select Actions > Close tickets.

Apply the same process if you want to reopen multiple closed tickets. Go to the Closed tickets list and select or deselect each closed ticket you want to reopen. Then, select Actions > Reopen tickets. Coro places each selected ticket back into an open state.

Export CSV

You can export the Ticket Log to a comma-separated value (CSV) file. To save the Ticket Log to a CSV file, from the left-hand side Actions menu, select Export CSV.

Coro presents a message confirming that the export to CSV file is in progress and that it will be available at the Activity Log page later.

The CSV file has the following fields:

Date - the date when the Ticket Log record was created
Admin - the user who performed the activity
Event - the Ticket Log record message

note

Ticket log CSV exports are limited to a maximum time period of 90 days.