Ticket types for User Data Governance

To learn more about how Coro protects an organization's user data, see Introducing User Data Governance. To learn more about what information constitutes these sensitive data types, see Regulatory sensitive information types.

Coro generates tickets relating to data governance when it identifies security incidents involving the following sensitive data types:

note

For an admin user to view sensitive data in the email content and findings sections of tickets related to User Data Governance, content inspection must be enabled. When disabled, these sections display a message stating Access to sensitive data is restricted if they contain sensitive data. For more information, see Managing admin users.

NPI, PII, PHI, and PCI

Coro detected that a user shared or emailed information that includes NPI, PII, PHI, or PCI, and the Admin user has monitoring enabled for that category. The Admin user might also have configured permissions policies governing user rights to access, or access and expose, these data types.

These tickets might require the attention of data compliance officers, in line with regulations such as GDPR, HIPAA, SOC2, and others, therefore are classified as suggested for review and automatically closed after the review period of two weeks.

Privacy sensitive data tickets include the following available actions:

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of certificate

Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of critical data

Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of file type

Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachements and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of password

Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.

Suspicious exposure of source code

Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.

Action Outcomes
Close ticket Close all tickets related to the selected protection component. Does not take any remediation actions.

Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Suspend user from all cloud apps The user's access to their accounts on all protected cloud applications is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application.
Suspend user from <cloud service> The user's access to their account on the designated cloud application is temporarily suspended.

Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed.
Remove exposed sharing For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive.
Contact user Coro sends an email to the recipient containing a message and the ticket info.

An action: "Contact User" is recorded in the Ticket Log and Activity log.
Add to data governance permissions Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type.

To learn more, see data permissions.