Ticket types for User Data Governance¶
To learn more about how Coro protects an organization's user data, see Introducing User Data Governance. To learn more about what information constitutes these sensitive data types, see Regulatory sensitive information types.
Coro generates tickets relating to data governance when it identifies security incidents involving the following sensitive data types:
- NPI (Non-public information)
- PII (Personally identifiable information)
- PHI (Protected health information)
- PCI (Payment card information)
- Suspicious exposure of certificate
- Suspicious exposure of critical data
- Suspicious exposure of file type
- Suspicious exposure of password
- Suspicious exposure of source code
Note
For an admin user to view sensitive data in the email content and findings sections of tickets related to User Data Governance, content inspection must be enabled. When disabled, these sections display a message stating Access to sensitive data is restricted if they contain sensitive data. For more information, see Managing admin users.
NPI, PII, PHI, and PCI¶
Coro detected that a user shared or emailed information that includes NPI, PII, PHI, or PCI, and the Admin user has monitoring enabled for that category. The Admin user might also have configured permissions policies governing user rights to access, or access and expose, these data types.
These tickets might require the attention of data compliance officers, in line with regulations such as GDPR, HIPAA, SOC2, and others, therefore are classified as suggested for review and automatically closed after the review period of two weeks.
Privacy sensitive data tickets include the following available actions:
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of certificate¶
Coro identified a user account that was involved in a potential data exposure event with monitored security certificates (files with a .crt or .pem extension used to establish a secure connection between a client and a server). This occurs where monitoring for Certificates was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of critical data¶
Coro identified a user account that was involved in a potential data exposure event with monitored critical data (specific defined keywords in email and shared file content). This occurs where monitoring for Specific keywords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of file type¶
Coro identified a user account that was involved in a potential data exposure event with monitored file types (specific defined file types added as email attachements and in shared drive content). This occurs where monitoring for Specific file types was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of password¶
Coro identified a user account that was involved in a potential data exposure event that included passwords. This occurs where monitoring for Passwords was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |
Suspicious exposure of source code¶
Coro identified a user account that was involved in a potential data exposure event that included monitored source code files (files with a known code or script extension such as .md, .yaml, .sh). This occurs where monitoring for Source code was enabled (see Monitoring). Tickets are classified as suggested for review and are automatically closed after the review period of two weeks.
| Action | Outcomes |
|---|---|
| Close ticket | Close all tickets related to the selected protection component. Does not take any remediation actions. Note: When a device is removed from protection, all open tickets associated with the device are automatically closed. |
| Suspend user from all cloud apps | The user's access to their accounts on all protected cloud applications is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. The user's access to their accounts is suspended until a cloud application administrator (not a Coro Admin user) reactivates the user's account via the admin console of the cloud application. |
| Suspend user from <cloud service> | The user's access to their account on the designated cloud application is temporarily suspended. Notifications "User's access to cloud app has been suspended" and "Users updated" are displayed. |
| Remove exposed sharing | For tickets involving data shared on cloud drives, remove the exposed data share and render any link to it as inactive. |
| Contact user | Coro sends an email to the recipient containing a message and the ticket info. An action: "Contact User" is recorded in the Ticket Log and Activity log. |
| Add to data governance permissions | Extend the identified user's data governance permissions to allow access and exposure for this sensitive data type. To learn more, see data permissions. |