Ticket types for User Data Governance
Important
The tickets discussed in this article apply to devices running Windows or macOS Agents.
Coro generates tickets relating to data governance when it identifies security incidents involving the following sensitive data types:
- Privacy-sensitive data tickets
- Suspicious exposure of certificate
- Suspicious exposure of critical data
- Suspicious exposure of file type
- Suspicious exposure of password
- Suspicious exposure of source code
note
For an admin user to view sensitive data in the email content and findings sections of tickets related to User Data Governance, content inspection must be enabled. When disabled, these sections display a message stating Access to sensitive data is restricted if they contain sensitive data. For more information, see Managing admin users.
Privacy-sensitive data tickets
Coro detects when a user shares or emails information that includes sensitive data. When an admin user configures monitoring settings, Coro flags the data and creates one of the following user data governance tickets to alert them, based on the sensitive data types detected:
- Credit Card Data
- Health Data
- Non-Public Data
- Personal Data
note
Use the Type filter in the Ticket Log to find sensitive data ticket types.
Important
Coro renamed the following ticket types in version 3.4.2:
| Previous ticket type (deprecated) | Current ticket type |
|---|---|
| PCI | Credit Card Data |
| PHI | Health Data |
| NPI | Non-Public Data |
| PII | Personal Data |
Coro does not use deprecated ticket types for new tickets.
Coro shows both deprecated and current ticket types in the left pane of the Ticket Log when you use the Type filter.
To learn more about what information constitutes these sensitive data types, see Regulatory sensitive information types.
note
Admin users can configure permissions policies to control access and prevent exposure of sensitive data.
Data compliance officers might need to review privacy-sensitive tickets to meet regulatory standards, such as GDPR and HIPAA. Coro classifies these tickets as suggested for review and automatically closes them after two weeks.
Privacy-sensitive data tickets include the following actions:
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
For further information on how Coro protects an organization's user data, see Introducing User Data Governance.
For further information on data governance ticket management, see Ticket management.
Suspicious exposure of certificate
Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). Coro classifies tickets as suggested for review and automatically closes the tickets after the review period of two weeks, or one week for Coro SOC clients.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of critical data
Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of file type
Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachements and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of password
Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of source code
Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close this ticket as considered remediated and take no further action. Note: When a device is removed from protection, Coro automatically closes all open tickets associated with the device. |
| Suspend user from all cloud apps | Coro suspends the user's access to their accounts on all protected cloud applications. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Suspend user from <cloud service> | Coro suspends the user's access to their account on the designated cloud application. Coro updates the ticket activity log with a corresponding entry for the event. To remove the suspension and restore access, select UNDO adjacent to the activity log entry. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message about the ticket. Coro adds a record of the action to the ticket and the activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |