Skip to content

Tickets in Coro

Tickets play a central role in Coro. They serve as records for detected events or a series of events where Coro identifies suspicious behavior.

For example, if you set up Coro to protect users against email phishing attacks, a ticket is generated each time a phishing attempt is detected.

The detection process is based on three principles:

Workspace settings detection

  • Admin users define the expected behavior of users and devices in the organization. For example, enabling firewall features on endpoint devices or restricting access to Microsoft 365 accounts from outside a specific country.
  • These detections are predefined based on the configuration set by Admin users in the Coro console.

Best practice detection

  • Coro follows industry best practices for deletion, modification, and remediation. For example, it verifies the authenticity of email servers used for specific domains.
  • It also detects malware fingerprints based on best practices, even if not explicitly specified by an admin user.

Data driven detection

  • Coro employs adaptive data-driven or artificial intelligence (AI) driven decisions for detection, alerting, and remediation. For example, text classification for email phishing detection or anomaly analysis for identifying suspicious access to cloud app accounts.

The ticket workflow

Each of the principles above is used by Coro to detect suspicious behavior. The event could be a single suspicious detection or a series of detections that triggers the creation of a ticket. In most cases, Coro takes the appropriate action and closes the ticket without intervention.


With tickets raised for users that are not currently protected, but classified as protectable, remediation is not applicable and Coro automatically moves opened tickets to a closed state immediately.

When manual review and remediation is required, the ticket remains open on the Coro Console for admin review. Admin users can access a categorized list of open tickets that require manual review and remediation. If a ticket remains unresolved after a period of time, Coro automatically closes the ticket and logs the event in the Activity Log.


Coro records all actions taken to generate and remediate tickets, as well as actions performed by admin users, in the Activity Log. Data recorded in the log can be used for audit and tracking purposes.

Viewing tickets

To view tickets in the Coro console, use the following:

Location Information shown
The Actionboard Shows summary and statistical information for tickets generated for protected users, sorted by individual protection module.
The Ticket Log Shows detailed information for tickets generated for all protected and protectable users.
The Activity Log Provides a record of ticket activity and the actions taken.

A ticket provides details to understand the cause, findings, duration, and context of an event. Admin users may need to take action on the ticket via the Ticket Log, depending on the ticket type and status. After tickets are selected for Admin remediation, Coro provides an option to close the ticket and consider it remediated. Unremediated tickets are closed automatically after a set period of time.


An admin user can re-open a closed ticket for further review as required.

Coro prioritizes protected users but also monitors the activity of protectable users who have not yet been added for protection. This allows organizations to observe patterns of behavior across their entire user base.

Tickets for protectable users are not represented in the Actionboard and appear in the Ticket Log for information use only. Admin users are unable to perform actions to remediate tickets raised for protectable users, and Coro's automatic remediation mechanism ignores them. In addition, these tickets are not retained in the Activity Log for future reference, and there is no specified timeframe for their availability in the Coro console.

However, admin users can make decisions to add or adjust users and user groups to be protected. For more information, see Protected users and user groups.