IM L07 Configuring Enterprise Vault Data Classification Services
Description This lab will enable you to configure Data Classification Services (DCS) to work with Enterprise Vault. See how DCS can help meet retention and governance requirements, how email can be instantly classified and how classified emails are easier to find in Discovery Accelerator (DA), Browser Search and Clearwell eDiscovery Platform.
At the end of this lab, you should be able to
Configure a Data Classification Policy and test the policy using test mode
Understand how to use Data Classification Services to tag emails pertaining to Mergers and Acquisition activity and search for the tags in Discovery Accelerator
Understand how to use Data Classification services to define emails containing contract related information as they are written to the archive to assist in retention management
Notes You should follow the lab exercises in order because each exercise is reliant on the previous ones being completed.
Always fully start the Domain Controller (VM_SERV1_x64) before starting the other virtual machines.
Do not use the Power Off option in VMware during the labs because this will revert the virtual machines to the starting snapshot, and you will lose all your work.
A brief presentation will introduce this lab session and discuss key concepts.
Be sure to ask your instructor any questions you may have.
Thank you for coming to our lab session.
Lab Exercise 1:
Topic 1: Introduction to and testing the Data Classification Server
In this lab exercise you are going to get an introduction to the Data Classification Server Enforce Console and test the operation of the Data Classification Server using test mode.
15 Minutes
Lab Exercise 2:
Topic 2: Testing the operation of the Data Classification Server against a Classification for eDiscovery use case
In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for eDiscovery use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify and tag emails containing discussions of sensitive Merger and Acquisition activity. You will then demonstrate to the legal department that a Discovery Accelerator search can be run to find only the tagged content.
20 Minutes
Lab Exercise 3:
Topic 3: Testing the operation of the Data Classification Server against a Classification for Retention Management use case
In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for Retention Management use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify emails containing contractual information and specify that Enterprise Vault use the 'Contracts' retention category to archive the corresponding emails. You will demonstrate to the legal department that Enterprise Vault has correctly archived the identified content using the Enterprise Vault Web Browser Search.
20 Minutes
Lab Layout:
The lab exercises use three different VMware virtual machines, which are described below.
Virtual machine VM_SERV1_x64
Active Directory domain: evexample.local
Computer name: EVSERV1
IP address: 169.254.64.30/24
Domain controller
SQL server 2008
Exchange Server 2010 SP1
SharePoint 2010 (services are started and stopped by a desktop shortcut)
Discovery Accelerator client 10.0.1
Office 2010
Desktop shortcuts for users: Mike Smith, Diana Palmer and Vivian Vance
Virtual machine VM_SERV2_x64
Computer name: EVSERV2
IP address: 169.254.64.31/24
Enterprise Vault 10.0.1
Discovery Accelerator 10.0.1
Virtual machine Enforce
Computer name: ENFORCE
IP address: 169.54.64.40/24
Oracle 11g
Symantec DLP 11.1 with Enterprise Vault Data Classification Pack
Lab Exercise 1: Introduction and testing the operation of the Data Classification Server
In this lab exercise you are going to get an introduction to the Data Classification Server Enforce Console and test the operation of the Data Classification Server using test mode.
15 Minutes
1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.
2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).
3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.
4. When you first log in to the Enforce console, you will land on the Home screen, where you have the option of using 4 menu items to access other areas of the console. The options are Home, Incidents, Manage, and System. We'll take a quick run through each area but will be mostly focused on the Manage area. Notice that Help is located at the far right. The Home screen shows recent items that have been flagged as a positive result against a DCS policy running in test mode.
5. Click on Incidents.
6. In the Incidents area, custom reports can be created or a canned report for all classification entries can be viewed.
7. Since there is only one saved report, click on Events – all. We haven't classified any messages with DCS yet so the report is empty.
8. In the Menu, click on Manage. This will take you to the Manage Policies area. In this area you'll be able to examine, edit, create, and delete policies.
9. In the Menu, mouse over Manage, then select Response Rules. In this section you can create, modify, delete, and order the response rules (action of DCS upon a match) of DCS.
10. Next mouse over Manage, and then select Data Identifiers. In this section, you'll be able to view, modify, and add data identifiers, for example the format of a social security number or bank account.
11. Finally, mouse over Manage and then select User Groups. In this section, you'll be able to set up groups of users that can be used in Policy rules that allow DCS to compare the To or From fields to classify emails based on groups of users.
12. Mouse over System in the menu. We won't go through all of the options but some of the things you can do are add users for roles based administration, configure alerts, enable logging, and update the license key.
13. Now let's take a closer look at a DCS policy.
14. Choose Manage > Policies and this will list all the built-in EV data classification policies. Examine the policies that are available, then click Solicitations - Private Investment.
15. Notice in the Policy Actions section that the policy is currently in Test Mode; do not change this for now. In the Rules section click the rule to see the details of the rule. Notice that this rule is examining e-mail messages for the proximity of keywords. Make a note of some of the keywords in both lists so that you will be able to create an e-mail message which causes a policy match. Click Cancel, then click OK at the warning dialog box.
16. Select the Groups tab and note that no group rules exist. Therefore, this policy is not concerned with specific groups of users as either recipients or senders.
17. Select the Response tab, note that there is one response rule called Classify Enterprise Vault Content and click this link to examine the details of the rule. Click OK to discard changes to the main policy.
18. Note that the messages that match this policy will be archived and assigned the Default Retention Category. Change the Rule Name to Classify Exchange Mailbox Extended. Change the Assign retention category field to Exchange Mailbox Extended. Note that all the retention categories from Enterprise Vault are listed because they have been imported into DCS from Enterprise Vault using an export utility on the Enterprise Vault server. Click Save to save the response rule.
19. Click Policies, this will display the default policies again. Click the red icon next to Solicitations - Private Investment to enable the policy, then click OK to confirm that you want the policy enabled. The circle should change from red to green.
20. Leave the Symantec Data Loss Prevention browser window open.
21. Switch to the virtual machine VM_SERV1_x64 and login as Admin with a password of symc4now.
22. Click the desktop icon Logon as Mike Smith.rdp and when prompted type symc4now in the Password field and click OK.
23. Start Outlook 2010 using the desktop shortcut.
24. Send an e-mail to Diana Palmer including some of the keywords that you noted down earlier. Hint: If you didn't write down words from the lists in the policy rule then use the following in the message body "I am looking for your support to establish a start-up. Please contact me at 111-111-1111 to discuss venture funding and to get in on the ground floor of the next great investment opportunity."
25. Log off the Mike Smith.rdp session
26. Launch Microsoft Outlook on VM_SERV1_X64 and choose the Journal profile.
27. Logon to the Journal mailbox as username: Journal and password: symc4now
28. Monitor the Journal mailbox until the message has been archived by EV.
29. Switch to the virtual machine Enforce and return to the open Symantec Data Loss Prevention browser window. Click Incidents > Classification to view the results from test mode.
30. Keep refreshing the view until you see an incident. Click the link to the incident and examine all the details including the policy matches.
31. Click the link to the incident and examine all the details including the policy matches.
Lab Exercise 2: Testing the operation of the Data Classification Server against a Classification for eDiscovery use case
In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for eDiscovery use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify and tag emails containing discussions of sensitive Merger and Acquisition activity. You will then demonstrate to the legal department that a Discovery Accelerator search can be run to find only the tagged content.
20 Minutes
1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.
2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).
3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.
4. Choose Manage > Response Rules
5. Click Add Response Rule
6. Choose Automated Response and click the Next> button
7. Type 'Classify M&A Activity' in the Rule Name field
8. In the Action drop down box select Classification: Classify Enterprise Vault Content and click the Add Action button
9. In the Assign retention category drop down select Mergers and Acquisitions
10. Click the Save button at the top of the screen
11. Choose Manage > Policies
12. Click on the Add Policy button
13. Choose Add a blank policy and click the Next> button
14. Fill in the policy Name: Mergers and Acquisition Activity
15. Fill in the Description: Mergers and Acquisition Activity
16. Change the Policy Group to Data_Classification_EV_v11.0
17. Uncheck the Enable Classification Test Mode box
18. In the Detection section, click the Add Rule button
19. Under Rule Type>Content, select Content Matches Keyword and then click the Next> button
20. Fill out the Rule Name box: M&A Activity Match
21. In the Conditions section, select the Keyword Separator: Comma
22. Uncheck the Match any Keyword box
23. Check the Keyword Proximity matching box
24. Click on the Add Pair of Keywords button
25. Fill in Expression List A box: acquisition,private,confidential communication,takeover target,historical earnings valuation,pure stock
26. Fill in Expression List B box: hostile,friendly,public,endorsement of the transaction,spin-off,empty shell,relative valuation
27. Fill in the Word Distance box: 10
28. Click on the OK button (hint - it's located towards the top of the page)
29. Back in the Policy configuration screen, select the Response tab
30. Click the drop down arrow in the box <choose response rule>
31. Select Classify M&A Activity
32. Click on the Add Response Rule button
33. Click the Save button
34. You will now need to generate some emails which the Data Classification server will classify from the Journal Archiving task
35. Switch to VM_SERV1_X64 and login as Admin with the password symc4now
36. Open the folder DCS Email Example on the desktop and execute the file MandA.cmd
37. Wait at least 5 minutes before EV has archived the messages from the Journal mailbox (The Journal mailbox can be opened on the virtual machine VM_SERV2_X64 if you want to monitor the progress)
38. Once the messages have been Journal archived, open the shortcut Logon as Mike Smith.rdp on the desktop of VM_SERV1_X64
39. Enter the password symc4now and press enter
40. Click on the OK button to complete the login
41. Launch Discovery Accelerator by clicking on Start>All Programs>Symantec Enterprise Vault Discovery Accelerator Client>Discovery Accelerator Client
42. Once the Instance Discovery is populated, click on the Connect button
43. Click on the Cases tab
44. Double click M&A Activity on the left side to open the case
45. Click Searches along the navigation bar
46. Click New Search
47. Fill out the search Name: M&A Tag Search
48. Scroll down to the Policies section and expand it by clicking on the arrow to the left
49. Select Custom for Policy Type, fill in the free form text box with Mergers and Acquisition Activity, and select Category from the type drop down as shown below
50. Click the Save button at the bottom to initiate the search only based on Tag information
51. Review the results. The script generated three emails; two contained the proper information and were classified by DCS. In the screenshot below, you see the tag that was applied by DCS and was found by Discovery Accelerator.
Lab Exercise 3: Testing the operation of the Data Classification Server against a Classification for Retention Management use case
In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for Retention Management use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify emails containing contractual information and specify that Enterprise Vault use the 'Contracts' retention category to archive the corresponding emails. You will demonstrate to the legal department that Enterprise Vault has correctly archived the identified content using the Enterprise Vault Web Browser Search.
20 Minutes
1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.
2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).
3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.
4. Choose Manage > Response Rules
5. Click Add Response Rule
6. Choose Automated Response and click the Next> button
7. Type 'Classify Contracts' in the Rule Name field
8. In the Action drop down box select Classification: Classify Enterprise Vault Content and click the Add Action button
9. In the Assign retention category drop down select Contracts
10. Click the Save button at the top of the screen
11. Choose Manage > Policies
12. Click on the Add Policy button
13. Choose Add a blank policy and click the Next> button
14. Fill in the policy Name: Contracts Retention
15. Fill in the Description: Contracts Retention
16. Change the Policy Group to Data_Classification_EV_v11.0
17. Uncheck the Enable Classification Test Mode box
18. In the Detection section, click the Add Rule button
19. Under Rule Type>Content, select Content Matches Keyword and then click the Next> button
20. Fill out the Rule Name box: Contracts Match
21. In the Conditions section, select the Keyword Separator: Comma
22. Uncheck the Match any Keyword box
23. Check the Keyword Proximity matching box
24. Click on the Add Pair of Keywords button
25. Fill in Expression List A box: legally enforceable agreement,mutual obligations,breach,offer,acceptance
26. Fill in Expression List B box: damages,monetary compensation,misrepresentation,restitution,promissory
27. Fill in the Word Distance box: 5
28. Click on the OK button
29. Back in the Policy configuration screen, select the Response tab
30. Click the drop down arrow in the box <choose response rule>
31. Select Classify Contracts
32. Click on the Add Response Rule button
33. Click the Save button
34. You will now need to generate some emails which the Data Classification server will classify from the Journal Archiving task
35. Switch to VM_SERV1_X64 and login as Admin with the password symc4now
36. Open the folder DCS Email Example on the desktop and execute the file Contracts.cmd
37. Wait at least 5 minutes before EV has archived the messages from the Journal mailbox (The Journal mailbox can be opened on the virtual machine VM_SERV2_X64 if you want to monitor the progress)
38. Switch to VM_SERV2_X64 and login as evsvc with the password symc4now
39. Open Internet Explorer
40. In the IE toolbar, click the button for EV Browser Search
41. Click on the search button on the left
42. The Vault should already be set to Journal Archive, if not click the dropdown arrow and change it to Journal Archive
43. Use a blank search and click on the red Search button at the bottom of the screen (Hint: You may need to click on the drop down arrow for the Archived date to change the date range of the results.)
44. The three emails that were generated in step 34 will be the top three hits
45. The script generated three emails. One of the emails did not contain keywords with the configured proximity and thus wasn't classified by DCS (for example, the message entitled Review Contract was archived with the standard Exchange Journaling retention category)
46. The two emails entitled Stipulation guidelines and Contract stipulations both contained keywords within the configured proximity specified in the DCS policy. Therefore, they were classified by DCS and archived with the Exchange Mailbox Forever retention category.
47. You have now confirmed that the Contracts Match policy can classify emails properly and set the Enterprise Vault retention to the one specified in the policy configuration. This provides the mechanism to keep these classified emails for a longer time period than non-classified Journal archived emails.
48. Additionally, you can search using the Advanced function of the EV Browser search to search for the tag Contracts Retention
49. Click on the Search button on the left hand side to start with a blank page
50. In the address bar of IE append ?Advanced to the end of the URL and hit enter
51. Scroll down to the Other Attribute section and fill in Name: evtag.category and Value: Contracts Retention
52. Only the two results that showed up with the retention category Exchange Mailbox Forever will be found in this search
53. Extra exercise: You can also search for the 'Mergers and Acquisition Activity' tag to display the items tagged by DCS in the previous lab exercise.
54. You are now able to demonstrate the ability to search the Journal archive and verify that DCS has set the retention category by viewing the retention category in the search results or searching directly on the tag itself.
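Added example (not part of the original lab guide and not Symantec's matching code): a Python model of the keyword-pair proximity rule configured in steps 21-27 of Lab Exercises 2 and 3, using the Expression List A/B values and Word Distance settings entered there. The counting rule (adjacent words are distance 1, either order) and the sample messages are assumptions made for illustration; the DCS engine may count differently.

```python
import re

# Keyword pairs and word distances as entered in Lab Exercises 2 and 3.
POLICIES = {
    "Mergers and Acquisition Activity": {
        "list_a": "acquisition,private,confidential communication,takeover target,"
                  "historical earnings valuation,pure stock",
        "list_b": "hostile,friendly,public,endorsement of the transaction,spin-off,"
                  "empty shell,relative valuation",
        "distance": 10,
    },
    "Contracts Retention": {
        "list_a": "legally enforceable agreement,mutual obligations,breach,offer,acceptance",
        "list_b": "damages,monetary compensation,misrepresentation,restitution,promissory",
        "distance": 5,
    },
}

def tokenize(text):
    """Lower-case words; hyphenated terms such as 'spin-off' stay one token."""
    return re.findall(r"[a-z0-9]+(?:[-'][a-z0-9]+)*", text.lower())

def spans(tokens, phrase):
    """(first, last) token indexes of every occurrence of a one- or multi-word phrase."""
    words = tokenize(phrase)
    n = len(words)
    return [(i, i + n - 1) for i in range(len(tokens) - n + 1) if tokens[i:i + n] == words]

def proximity_hits(text, list_a, list_b, distance):
    """Pairs (a, b, gap) where an A expression and a B expression lie within
    `distance` words of each other, in either order.
    Assumed counting rule: adjacent words have gap 1."""
    tokens = tokenize(text)
    hits = []
    for a in list_a.split(","):
        for b in list_b.split(","):
            for a_first, a_last in spans(tokens, a):
                for b_first, b_last in spans(tokens, b):
                    gap = max(b_first - a_last, a_first - b_last)
                    if 1 <= gap <= distance:  # gap <= 0 means the phrases overlap
                        hits.append((a.strip(), b.strip(), gap))
    return sorted(set(hits))

def classify(text):
    """Names of the policies whose keyword-pair rule matches the text."""
    return [name for name, p in POLICIES.items()
            if proximity_hits(text, p["list_a"], p["list_b"], p["distance"])]

# Constructed sample messages (not the ones produced by MandA.cmd or Contracts.cmd).
SAMPLES = {
    "near": "The breach may trigger damages under clause 4.",
    "phrase": "Failure to meet mutual obligations leads to monetary compensation.",
    "far": "We received the offer on Monday and will review the full contract "
           "with counsel next week before any discussion of restitution.",
    "m_and_a": "The board views the acquisition as friendly and expects a "
               "spin-off of the retail unit.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", classify(body) or "not classified")
```

The "far" sample shows why a message can contain words from both lists and still be archived without the tag: the pair sits 17 words apart, outside the configured distance of 5.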