Ticket types for cloud apps

Coro generates tickets for cloud applications when it identifies the following security incidents:

Abnormal admin activity

Coro identified activity on an admin account of a connected cloud app that originated from an unexpected IP address. Tickets are classified as suggested for review and are automatically closed after the review period of four weeks.

| Action | Outcomes |
| --- | --- |
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |

Malware in cloud drive

Coro identified potential malware on a monitored cloud drive in one of your connected apps. Files detected as malicious are automatically moved to a quarantined folder and no further action is required. However, admin users have the option to review the ticket and choose to approve or permanently delete the file. Tickets are suggested for review with a review time of two weeks.

| Action | Outcomes |
| --- | --- |
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Approve file | Approve and return the quarantined file to its original location. Future identical files are not quarantined. The Admin user has the option of immediately closing the current ticket and all related tickets. |
| Delete file | Delete the file as unapproved. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |

Suspected identity compromise

Coro builds a normative behavior model for user accounts and raises a ticket if it detects anomalous activity or login behavior. Tickets are classified as suggested for review and are automatically closed after the review period of two weeks. To learn more, see Suspected identity compromise.

| Action | Outcomes |
| --- | --- |
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Request user to sign-in to all cloud apps | A record is added to the Activity Log: "<user> was requested to re-login to all protected cloud applications that they are using." |
| Request user to sign-in to <cloud service> | A record is added to the Activity Log: "<user> was requested to re-login to <cloud service>" |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. An action: "Contact User" is recorded in the Ticket Log and Activity Log. |
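
The sketch below illustrates the kind of check described under "Abnormal admin activity" and "Suspected identity compromise": learn which networks each account normally uses, then flag admin activity from anywhere else. It is an added example, not Coro's implementation; the event fields, app names, 14-day learning window and /24 and /48 grouping are all assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events using documentation address ranges (not real logs).
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "admin@example.com", "app": "app-a", "admin": True, "ip": "198.51.100.10"},
    {"ts": "2024-03-02T09:00:00", "user": "admin@example.com", "app": "app-b", "admin": True, "ip": "2001:db8:1::5"},
    {"ts": "2024-03-05T08:30:00", "user": "admin@example.com", "app": "app-a", "admin": True, "ip": "198.51.100.77"},
    {"ts": "2024-03-20T08:10:00", "user": "admin@example.com", "app": "app-a", "admin": True, "ip": "198.51.100.200"},
    {"ts": "2024-03-21T02:14:00", "user": "admin@example.com", "app": "app-a", "admin": True, "ip": "203.0.113.5"},
    {"ts": "2024-03-22T10:00:00", "user": "newadmin@example.com", "app": "app-a", "admin": True, "ip": "192.0.2.9"},
    {"ts": "2024-03-22T11:00:00", "user": "user@example.com", "app": "app-a", "admin": False, "ip": "203.0.113.9"},
    {"ts": "2024-03-23T09:00:00", "user": "admin@example.com", "app": "app-b", "admin": True, "ip": "2001:db8:1:ffff::9"},
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network so address churn within one site is not 'new'."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def find_unexpected_admin_activity(events, learning_days=14):
    """Return admin events seen after the learning window from a network outside the baseline."""
    events = sorted(events, key=lambda e: e["ts"])
    if not events:
        return []
    cutoff = datetime.fromisoformat(events[0]["ts"]) + timedelta(days=learning_days)
    baseline = defaultdict(set)  # (user, app) -> networks seen during learning
    findings = []
    for e in events:
        key, net = (e["user"], e["app"]), network_of(e["ip"])
        if datetime.fromisoformat(e["ts"]) < cutoff:
            baseline[key].add(net)  # learning phase: record, never alert
            continue
        if e["admin"] and net not in baseline[key]:
            # An admin with no learned history is reported separately from a known admin on a new network.
            reason = "unexpected_ip" if baseline[key] else "no_baseline"
            findings.append({**e, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_unexpected_admin_activity(EVENTS):
        print(f["ts"], f["user"], f["app"], f["ip"], f["reason"])
```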