Ticket types by component
The Coro console displays data monitoring tickets where sensitive data is identified as being used or shared in a manner that violates your permissions and monitoring policies.
Note
A single data transaction can generate multiple tickets, depending on which actively monitored types of sensitive data are found within individual data objects. For example, a remote scan can identify multiple types of sensitive data within a single data object, detecting both PHI and PII in a document.
Widgets on the Coro Actionboard can be selected to view tickets generated for a specific type. Each widget displays the number of tickets awaiting review as well as the number of tickets resolved in the previous 90 days.
There are three Widgets related to data governance:
- Data
- Devices
- Users
Select an individual Widget to view a summary panel of the tickets for that Widget. The tickets displayed are categorized by Type and the total number of tickets is displayed.
Select a ticket type to display Individual ticket information:
Additionally, for Open tickets, the Resolve button can be selected:
Each summary panel is unique to its Widget and contains additional information:
- Data widget
- Devices widget
- Users widget
Data widget
The Data widget can display the following sensitive data ticket Types in data object transactions:
- Personally identifiable information (PII)
- Payment card industry (PCI)
- Protected health information (PHI)
- Non-public personal information (NPI)
Note
You can customize what sensitive data is monitored by Coro.
When the Data widget is selected, the information summary pane displays the following sensitive data transaction related information:
- Total number of Data objects processed in the last 90 days.
- Permission Violation count for the last 90 days, grouped per individual User email address.
- Resolved ticket count for the last 90 days, grouped by ticket Type.
- Open (Unresolved) ticket count for the last 90 days, grouped by ticket Type.
Each ticket Type can be selected to view individual ticket details. Once a ticket is selected, the Ticket Log is displayed, filtered by the selected Type:
Filtered tickets show Key Details about the triggered transaction, including the File name, File size, originating Service, creation timestamp, and more.
The Full Details section contains Policy Violations, Findings, and Activity Log:
Policy violations
When a transaction violates a sensitive data policy, it results in a policy violation and generates a ticket.
Findings
Displays more detailed information related to the Policy Violation:
Archive path
The filename, extension, and directory path of the file containing the sensitive data, for example: archive.zip → archive/dir/PCI_keywords.docx.
Type
The type of sensitive data, for example, Credit card number.
Quote
The text string in quotes containing the sensitive data, for example, "of PCI that can lead to identifying an individual . 6945 CVV 123 Test".
Activity log
Logs all ticket related activity for audit reports:
Devices widget
The Devices widget can display the following sensitive data ticket Types found during scans (initiated by administrators) on endpoint devices:
- Endpoint drive with PII
- Endpoint drive with PCI
- Endpoint drive with PHI
- Endpoint drive with NPI
Note
You can customize what sensitive data is monitored by Coro.
Note
The Devices widget displays additional ticket Types not related to sensitive data.
When the Devices widget is selected, the information summary pane displays the following sensitive data related information:
Devices
A donut graph which displays the total number of endpoint devices with Open vs Closed (resolved) tickets. Select View to display the individual endpoint device details.
Resolved
Ticket count for the last 90 days, grouped by ticket Type.
Open
(Unresolved) ticket count for the last 90 days, grouped by ticket Type.
Each ticket Type can be selected to view individual ticket details. Once a ticket is selected, the Ticket Log is displayed, filtered by the selected Type:
Each filtered ticket displays Device information and Key Details related to the endpoint device that triggered the ticket creation during an initiated scan. This includes Model, ID, & OS, the target Drive name which was scanned, the IP/Country of the device, etc.
The Full Details section contains Findings which lists files grouped by filename, the # of findings per filename, and Activity Log:
Each filename under Findings can be expanded using the dropdown to the left of the filename:
The following information related to the filename is displayed:
- FilePath: The directory path of the scanned file containing the sensitive data, for example: C:\PCI\PCI_red.bmp.
- File size: The size of the file scanned, in KB.
- Type: The type of sensitive data found in the scanned file, for example, Credit card number.
- Quote: The text string in quotes containing the sensitive data, for example, "of PCI that can lead to identifying an individual. 6945 CVV 123 Test".
- Activity Log: Logs all ticket related activity for audit reports:
Note
Archive files are included in device scans. The supported archive file types are: zip, rar, 7z, tar, and gz.
Users widget
The Users widget can display the following custom sensitive data ticket Types in data object transactions:
- Suspicious Exposure of Certificate
- Suspicious Exposure of Password
- Suspicious Exposure of Source Code
- Suspicious Exposure of Critical Data
Note
You can customize what sensitive data is monitored by Coro.
Note
The Users widget displays additional ticket Types not related to custom sensitive data.
When the Users widget is selected, the information summary pane displays the following custom sensitive data transaction related information:
- Protected Users: a donut graph which displays the total number of protected users with Open vs Closed (resolved) tickets. Select View to display an individual protected user's details.
- Resolved ticket count for the last 90 days, grouped by ticket Type.
- Open (Unresolved) ticket count for the last 90 days, grouped by ticket Type.
Each ticket Type can be selected to view individual ticket details. Once a ticket is selected, the Ticket Log is displayed, filtered by the selected Type:
Each filtered ticket displays Users information and Key Details related to the transaction that triggered the ticket creation. This includes details related to the detected custom sensitive data (Passwords, Certificates, Source codes, Specific keywords). For example, a Suspicious Exposure of Password ticket includes the File name, File size, email address of the Owner, and email address of the individual the data was Shared with.
The Full Details section contains Findings which lists files grouped by filename, the # of findings per filename, and Activity Log:
- Findings: The custom sensitive data policy which has been violated during a transaction, resulting in the ticket being created.
- Type: The type of custom sensitive data, for example, Password.
- Quote: The text string in quotes containing the sensitive data, for example, "Qwerty78+red: sasWAW505 pass Ws%Rd% cred: Qwerty+ pass: uQT(tt pass hOH)HH Password ;hjO*--gg Password ydfe._"
- Activity Log: Logs all ticket related activity for audit reports.
Data monitoring ticket types
The Coro console generates the following types of data monitoring tickets:
Manually reviewed tickets
Tickets that trigger a high level of suspicion or have a high potential of direct violation of regulatory requirements (GDPR, HIPAA, SOC2, etc.) are marked as requiring review by an administrator or security personnel. These tickets often contain very sensitive information and it is important that action is taken.
Tickets are classified as suggested for review, with a review time window of two weeks, after which a ticket is automatically closed and logged. This review period is designed to ensure that all potential security incidents or violations are captured and addressed in a timely manner.
Examples include:
- PCI: Detection of a credit card number.
- PII: US Passport and person name.
- NPI: SSN and bank statement.
- PHI: Medical image or scan.
The Action options for manually reviewed tickets are:
- Close ticket: Close this ticket immediately as reviewed.
- Suspend user from all cloud apps: Temporarily suspend the user from all Coro-protected cloud applications.
- Suspend user from Microsoft 365 / Google Workspace: Temporarily suspend the user from the Microsoft 365 or Google Workspace account indicated in the ticket.
- Remove exposing sharing: Remove all shares with people from outside of your organization.
- Contact User: Send a direct message to the user who violated the policy.
Automatically closed tickets
These are tickets that contain sensitive data but do not require manual review by administrators.
Such tickets are included in the Ticket Log for audit, monitoring, analysis, and to satisfy regulatory compliance requirements. They are typically triggered automatically by events such as the detection of sensitive information in an email, file, or file sharing.
Examples include:
- PII: IP and MAC address.
- NPI: Monthly payment (Financial Content) and email address.
- PHI: Medical Records Number (MRN).
The Action options for automatically closed tickets are:
- Re-open: Reopen this closed ticket for manual review.
- Suspend user from all cloud apps: Temporarily suspend the user from all Coro-protected cloud applications.
- Suspend user from Microsoft 365 / Google Workspace: Temporarily suspend the user from the Microsoft 365 or Google Workspace account indicated in the ticket.
- Contact user: Send a direct message to the user who violated the policy.
- Un-log and remove from audit reports: Exclude this ticket from the log if the ticket details constitute a false positive.
The following diagram illustrates the ticket actions process: