Tickets in Coro
Tickets play a central role in Coro. They serve as records for detected events or a series of events where Coro identifies suspicious behavior.
For example, if you set up Coro to protect users against email phishing attacks, a ticket is generated each time a phishing attempt is detected.
The detection process is based on three principles:
Workspace settings detection
- Admin users define the expected behavior of users and devices in the organization. For example, enabling firewall features on endpoint devices or restricting access to Microsoft 365 accounts from outside a specific country.
- These detections are predefined based on the configurations set by admin users in the Console.
Best practice detection
- Coro follows industry best practices for deletion, modification, and remediation. For example, it verifies the authenticity of email servers used for specific domains.
- It also detects malware fingerprints based on best practices, even if not explicitly specified by an admin user.
Data-driven detection
- Coro employs adaptive data-driven or artificial intelligence (AI) driven decisions for detection, alerting, and remediation. For example, text classification for email phishing detection or anomaly analysis for identifying suspicious access to cloud app accounts.
Each of the principles above is used by Coro to detect suspicious behavior. The event could be a single suspicious detection or a series of detections that triggers the creation of a ticket. In most cases, Coro takes the appropriate action and closes the ticket without intervention.
In detection-only mode, remediation is not applicable and Coro automatically moves opened tickets to a closed state after a period of time. For more information, see Detection modes in Coro.
When manual review is required, the ticket remains open on the Coro Console for admin review. Admin users can access a categorized list of open tickets that require manual review and remediation. If a ticket remains unresolved after a period of time, Coro automatically closes the ticket and logs the event in the Activity Log.
Coro records all actions taken to generate and remediate tickets, as well as actions performed by admin users, in the Activity Log. Data recorded in the log can be used for audit and tracking purposes.
To view tickets in the Coro Console, use the following:
| Console view | What it shows |
|---|---|
| The Actionboard | Shows summary and statistical information for tickets generated for protected users. |
| The Ticket Log | Shows detailed information for tickets generated for all protectable users. |
| The Activity Log | Provides a record of ticket activity and the actions taken. |
A ticket provides details to understand the cause, duration, and context of an event. Admin users may need to take action on the ticket via the Ticket Log, depending on the ticket type and status. Once tickets are selected for remediation, there is an option to close them, or they can be automatically closed depending on the ticket type.
An admin user can re-open a closed ticket for further review as required.
Coro prioritizes protected users but also monitors the activity of protectable users who have not yet been added for protection. This allows organizations to observe patterns of behavior across their entire user base.
Tickets for protectable users are not represented in the Actionboard and appear in the Ticket Log for informational purposes only. Admin users are unable to perform actions to remediate tickets raised for protectable users, and Coro's automatic remediation mechanism ignores them. In addition, these tickets are not retained in the Activity Log for future reference, and there is no specified timeframe for their availability in the Coro Console.
However, admin users can decide to add or adjust the users and user groups to be protected. For more information, see Protected users and user groups.