Skip to content

Using the ticket log

The ticket log in Coro provides a record of all tickets generated in the current workspace. These tickets are detailed records of all detected suspicious events or a series of suspicious events.

To learn more about how Coro creates and uses tickets, see Tickets in Coro.

View the ticket log by selecting the ticket log icon in the toolbar:

Accessing the ticket log


The ticket log link in the toolbar shows all tickets in the system and provides an overview of the current ticket queue. To view tickets of a specific type, use the ticket links provided in each detailed ticket panel in the Actionboard. To learn more, see The Actionboard.

The ticket log contains the following features:

The Ticket Log

The left pane shows a summary of the ticket queue, based on the selected filters. Select a ticket to see details in the right pane. This displays:

  • Information describing the ticket. For example, the user affected, the date the ticket was opened, the file name and size, and more.

  • An Actions icon that provides relevant actions for the ticket. For example, a ticket of type Malware in Cloud Drive shows the following actions:

    • Close ticket: Close the ticket without further action.
    • Approve file: Approve and move the quarantined file from the Suspected folder to its original location.
    • Delete File: Delete the file as unapproved.
    • Suspend user from all cloud apps: Suspend the user's account on all connected cloud applications.
    • Suspend user from <cloud app>: Suspend the user's account on the designated cloud application.
    • Request user to sign-in to all cloud apps: Make a request to the user to sign in to all connected cloud applications.
    • Request user to sign-in to <cloud app>: Make a request to the user to sign in to the designated cloud application.
    • Contact user: Send an email to the user containing all details of the ticket.

    Actions menu


    Actions might vary depending on type and status of the ticket. For example, an open ticket of a particular type might contain more available actions than a ticket that has been closed.


    When a device is removed from protection, all open tickets associated with the device are automatically closed.

To learn more about the actions for each ticket type, see:

Further ticket details and a summary of recent activity that has been performed for this ticket. To view a complete list of all activity relating to this ticket, select the All Activity link.

Above the ticket summary list, you can choose to display all tickets, only open tickets, or only closed tickets. You can also filter the Ticket Log using the drop-down selectors to the right.

Choose filters for:

  • Security component: The main component of protection as provided in the console. For example, Cloud Apps, email, and so on. (select Everywhere for all components)
  • Ticket type: A dynamic list of ticket types relevant to the selected component.
  • Time period: A selected time period for the ticket log. Choose from a number of preset periods, or specify a date range by using the calendar.

You can also search the ticket log using free text.

Adding comments to tickets

Comments can be added to tickets. This is advantageous for both Coro customers and Coro SOC team members when communicating ticket analysis and recommended actions. Comments can also provide general information.

Comments in tickets can increase the efficiency of ticket resolution by eliminating the need to manually communicate ticket-related information via email or other messaging platforms.

In addition, customers will be able to respond to SOC's analysis and add their own general notes to tickets. Comments can also be sent to customers directly from the Coro console.

Creating a ticket comment

To create a ticket comment:

  1. Navigate to the Ticket Log.
  2. Select the ticket to which you would like to add a comment.
  3. Select the Comments icon, located next to the Actions button:

    Ticket Comments icon The Comments section is displayed:

    Ticket Comments section 4. Click +.

    The New comment dialog is displayed: Ticket New comment dialog

  4. Enter your comment into the Comment field.


    There is no limit to the total number of characters in comments.


    Comments must contain at least one string in order to be saved.

  5. Click ADD.

    Add the ticket comment The comment is saved and displayed under the Comments section:

    Ticket comment added


    Note: Saved comments cannot be edited or deleted.

Emailing a ticket comment

Ticket comments can be emailed in order to notify the following recipients:

  • Affected users: Emails the ticket comment to the ticket recipient.
  • All workspace admins: Emails the ticket comment to all workspace admins
  • Custom recipients: Emails the ticket comment to one or more specified email addresses.

To email a ticket comment:

  1. Create a new ticket comment.

  2. Expand the Email Comment dropdown:

    Email Comment dropdown

    The email notification options are displayed:

    Email notification options

  3. Select one or multiple notification options:

    Selected email notification options

  4. Click ADD.

    The ticket comment is saved and the selected recipients are notified via email.

    Confirmation is displayed under the Comments section:

    Ticket comment recipient notification

    The email notification recipient(s) can view the ticket comment from their inbox:

    View the ticket comment from inbox

    The email notification recipient(s) can click the link within the email to navigate to the corresponding ticket in the Ticket Log:

    Click the link within the email

Closing or reopening multiple tickets together

To close multiple open tickets at once without remediation, use the checkboxes adjacent to each ticket in the summary pane.


Make sure you have first reviewed all tickets that you intend to close.

Use the checkboxes to select or deselect each ticket you want to close. Or, to select all tickets in the current view, use the checkbox at the top of the list.

When one or more tickets are selected, Coro displays a dedicated Actions menu button at the top of the pane. To close all currently selected tickets without any further remediation, select Actions > Close tickets.

Apply the same process if you want to reopen multiple closed tickets. Go to the Closed tickets list and select or deselect each closed ticket you want to reopen. Then, select Actions > Reopen tickets. Coro places each selected ticket back into an open state.