Skip to content

Ticket types for users

Coro generates tickets for protectable users when it identifies the following security incidents:

Access permission violation

Coro observed a login violation of the cloud app access permissions configured for a user group to which a user belongs, based on the origin country or IP address used in the login attempt. Tickets remain open for review by an Admin user and closed automatically after a period of time. To learn more, see Access permissions violation.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Request user to sign-in to all cloud apps A record is added to the Activity Log:

"<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> A record is added to the Activity Log:

"<user> was requested to re-login to <cloud service>"
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.

Mass data deletion

Coro observed an abnormally large data deletion event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Request user to sign-in to all cloud apps A record is added to the Activity Log:

"<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> A record is added to the Activity Log:

"<user> was requested to re-login to <cloud service>"
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.

Mass data download

Coro observed an abnormally large data download event from the cloud app account of a protected user. These tickets are automatically closed. To learn more, see Mass event tickets.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Request user to sign-in to all cloud apps A record is added to the Activity Log:

"<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> A record is added to the Activity Log:

"<user> was requested to re-login to <cloud service>"
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.

Suspected bot attacks

Coro identified a protected user account as being the target of a suspected bot login attempt from an external source. These tickets are automatically closed. To learn more, see Suspected bot attacks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Request user to sign-in to all cloud apps A record is added to the Activity Log:

"<user> was requested to re-login to all protected cloud applications that they are using."
Request user to sign-in to <cloud service> A record is added to the Activity Log:

"<user> was requested to re-login to <cloud service>"
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.

Suspicious exposure of certificate

Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of critical data

Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of file type

Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachements and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of password

Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks. The duration depends on the potential impact of the detection.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of source code

Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). These tickets are classified as suggested for review, with the period ranging from 1-2 weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.