Ticket types for User Data Governance

Coro generates tickets relating to data governance when it identifies security incidents involving the following sensitive data types:

Note

For an admin user to view sensitive data in the email content and findings sections of tickets related to User Data Governance, content inspection must be enabled. When content inspection is disabled, these sections display the message "Access to sensitive data is restricted" if they contain sensitive data. For more information, see Managing admin users.

Privacy-sensitive data tickets

Coro detects when a user shares or emails information that includes sensitive data. Depending on your configured User Data Governance monitoring settings, Coro creates one of the following user data governance tickets to alert admin users of the event.

If you have configured Coro's Outbound Gateway proxy for your organization's outgoing email, Coro can optionally block emails that contain sensitive data, preventing data loss and unauthorized access. Admin users can release emails blocked by the Outbound Gateway from the corresponding tickets if the data exposure is deemed harmless, or delete them permanently if the data exposure is confirmed as unwanted.

Coro categorizes detected sensitive data into the following types:

  • Credit Card Data
  • Health Data
  • Non-Public Data
  • Personal Data

Note

Use the Type filter in the Ticket Log to find sensitive data ticket types.

Important

Coro renamed the following ticket types in version 3.4.2:

Previous ticket type (deprecated) | Current ticket type
PCI | Credit Card Data
PHI | Health Data
NPI | Non-Public Data
PII | Personal Data

Coro does not use deprecated ticket types for new tickets.

Coro shows both deprecated and current ticket types in the left pane of the Ticket Log when you use the Type filter.

To learn more about what information constitutes these sensitive data types, see Regulatory sensitive information types.

Note

Admin users can configure permissions policies to control access and prevent exposure of sensitive data.

Coro determines the ticket state (open for review or automatically closed) based on the severity of the violation of policy or regulation. Events that have a high potential of direct violation of regulatory requirements or involve very sensitive information result in a ticket marked open for admin review. These tickets remain open for two weeks.

Events that involve detection of certain sensitive information in an email, file, or file sharing, but are considered less severe, result in automatically closed tickets. Coro includes these tickets for audit and analysis; however, they require no immediate action. Data compliance officers might need to review privacy-sensitive tickets to meet regulatory standards, such as GDPR and HIPAA.

For further information on data governance ticket state, see Ticket management.

Privacy-sensitive data tickets include the following actions:

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.

Suspicious exposure of certificate

Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). Coro classifies tickets as suggested for review and automatically closes the tickets after the review period of two weeks, or one week for Coro SOC clients.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.

Suspicious exposure of critical data

Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.

Suspicious exposure of file type

Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachments and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.

Suspicious exposure of password

Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.

Suspicious exposure of source code

Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action | Outcomes
Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device.
Suspend user from all cloud apps | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Suspend user from <cloud service> | (Not applicable for events involving emails sent through Coro's Outbound Gateway) Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry.
Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log.
Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions.
Allow email | (Applies only to emails blocked by Coro's Outbound Gateway) Release the blocked email to all named recipients, or to a selected sub-set of the original recipients.
Delete email | (Applies only to emails blocked by Coro's Outbound Gateway) Permanently delete the email.