
Post on 19-Aug-2018








IM L07 Configuring Enterprise Vault Data Classification Services

Description: This lab will enable you to configure Data Classification Services (DCS) to work with Enterprise Vault. See how DCS can help meet retention and governance requirements, how email can be instantly classified and how classified emails are easier to find in Discovery Accelerator (DA), Browser Search and Clearwell eDiscovery Platform.

At the end of this lab, you should be able to

Configure a Data Classification Policy and test the policy using test mode

Understand how to use Data Classification Services to tag emails pertaining to Mergers and Acquisition activity and search for the tags in Discovery Accelerator

Understand how to use Data Classification services to define emails containing contract related information as they are written to the archive to assist in retention management

Notes: You should follow the lab exercises in order because each exercise relies on the previous ones being completed.

Always fully start the Domain Controller (VM_SERV1_x64) before starting the other virtual machines.

Do not use the Power Off option in VMware during the labs because this will revert the virtual machines to the starting snapshot, and you will lose all your work.

A brief presentation will introduce this lab session and discuss key concepts.

Be sure to ask your instructor any questions you may have.

Thank you for coming to our lab session.

Lab Exercise 1:


Topic 1: Introduction to and testing the Data Classification Server

In this lab exercise you are going to get an introduction to the Data Classification Server Enforce Console and test the operation of the Data Classification Server using test mode.

15 Minutes

Lab Exercise 2:

Topic 2: Testing the operation of the Data Classification Server against a Classification for eDiscovery use case

In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for eDiscovery use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify and tag emails containing discussions of sensitive Merger and Acquisition activity. You will then demonstrate to the legal department that a Discovery Accelerator search can be run to find only the tagged content.

20 Minutes

Lab Exercise 3:

Topic 3: Testing the operation of the Data Classification Server against a Classification for Retention Management use case

In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for Retention Management use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify emails containing contractual information and specify that Enterprise Vault use the 'Contracts' retention category to archive the corresponding emails. You will demonstrate to the legal department that Enterprise Vault has correctly archived the identified content using the Enterprise Vault Web Browser Search.

20 Minutes


Lab Layout:

The lab exercises use three different VMware virtual machines, which are described below.

Virtual machine VM_SERV1_x64

Active Directory domain: evexample.local

Computer name: EVSERV1

IP address:

Domain controller

SQL server 2008

Exchange Server 2010 SP1

SharePoint 2010 (services are started and stopped by a desktop shortcut)

Discovery Accelerator client 10.0.1

Office 2010

Desktop shortcuts for users: Mike Smith, Diana Palmer and Vivian Vance

Virtual machine VM_SERV2_x64

Computer name: EVSERV2

IP address:

Enterprise Vault 10.0.1

Discovery Accelerator 10.0.1

Virtual machine Enforce

Computer name: ENFORCE

IP address:

Oracle 11g

Symantec DLP 11.1 with Enterprise Vault Data Classification Pack

Lab Exercise 1: Introduction and testing the operation of the Data Classification Server

In this lab exercise you are going to get an introduction to the Data Classification Server Enforce Console and test the operation of the Data Classification Server using test mode.

15 Minutes

1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.

2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).

3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.


4. When you first log in to the Enforce console, you will land on the Home screen, where you have the option of using 4 menu items to access other areas of the console. The options are Home, Incidents, Manage, and System. We'll take a quick run through each area but will be mostly focused on the Manage area. Notice that Help is located at the far right. The Home screen shows recent items that have been flagged as a positive result against a DCS policy running in test mode.

5. Click on Incidents.

6. In the Incidents area, custom reports can be created or a canned report for all classification entries can be viewed.

7. Since there is only one saved report, click on Events – all. We haven't classified any messages with DCS yet so the report is empty.

8. In the Menu, click on Manage. This will take you to the Manage Policies area. In this area you'll be able to examine, edit, create, and delete policies.

9. In the Menu, mouse over Manage, then select Response Rules. In this section you can create, modify, delete, and order the response rules (the action DCS takes upon a match).

10. Next mouse over Manage, and then select Data Identifiers. In this section, you'll be able to view, modify, and add data identifiers, for example the format of a social security number or bank account.

11. Finally, mouse over Manage and then select User Groups. In this section, you'll be able to set up groups of users that can be used in Policy rules, which allows DCS to compare the To or From fields to classify emails based on groups of users.

12. Mouse over System in the menu. We won't go through all of the options but some of the things you can do are add users for roles based administration, configure alerts, enable logging, and update the license key.

13. Now let's take a closer look at a DCS policy.

14. Choose Manage > Policies and this will list all the built-in EV data classification policies. Examine the policies that are available then click Solicitations - Private Investment.

15. Notice in the Policy Actions section that the policy is currently in Test Mode; do not change this for now. In the Rules section click the rule to see the details of the rule. Notice that this rule examines e-mail messages for the proximity of keywords. Make a note of some of the keywords in both lists so that you will be able to create an e-mail message which causes a policy match. Click Cancel, then click OK at the warning dialog box.

16. Select the Groups tab and note that no group rules exist. Therefore, this policy is not concerned with specific groups of users as either recipients or senders.

17. Select the Response tab, note that there is one response rule called Classify Enterprise Vault Content and click this link to examine the details of the rule. Click OK to discard changes to the main policy.

18. Note that the messages that match this policy will be archived and assigned the Default Retention Category. Change the Rule Name to Classify Exchange Mailbox Extended. Change the Assign retention category field to Exchange Mailbox Extended. Note that all the retention categories from Enterprise Vault are listed because they have been imported into DCS from Enterprise Vault using an export utility on the Enterprise Vault server. Click Save to save the response rule.

19. Click Policies, this will display the default policies again. Click the red icon next to Solicitations - Private Investment to enable the policy, then click OK to confirm that you want the policy enabled. The circle should change from red to green.

20. Leave the Symantec Data Loss Prevention browser window open.

21. Switch to the virtual machine VM_SERV1_x64 and login as Admin with a password of symc4now.

22. Click the desktop icon Logon as Mike Smith.rdp and when prompted type symc4now in the Password field and click OK.

23. Start Outlook 2010 using the desktop shortcut.

24. Send an e-mail to Diana Palmer including some of the keywords that you noted down earlier. Hint: If you didn't write down words from the lists in the policy rule then use the following in the message body “I am looking for your support to establish a start-up. Please contact me at 111-111-1111 to discuss venture funding and to get in on the ground floor of the next great investment opportunity.”

25. Log off the Mike Smith.rdp session.

26. Launch Microsoft Outlook on VM_SERV1_X64 and choose the Journal profile.

27. Logon to the Journal mailbox as username: Journal and password: symc4now

28. Monitor the Journal mailbox until the message has been archived by EV.

29. Switch to the virtual machine Enforce and return to the open Symantec Data Loss Prevention browser window. Click Incidents > Classification to view the results from test mode.

30. Keep refreshing the view until you see an incident. Click the link to the incident and examine all the details including the policy matches.


31. Click the link to the incident and examine all the details including the policy matches.

Lab Exercise 2: Testing the operation of the Data Classification Server against a Classification for eDiscovery use case

In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for eDiscovery use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify and tag emails containing discussions of sensitive Merger and Acquisition activity. You will then demonstrate to the legal department that a Discovery Accelerator search can be run to find only the tagged content.

20 Minutes

1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.

2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).

3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.

4. Choose Manage > Response Rules

5. Click Add Response Rule

6. Choose Automated Response and click the Next> button

7. Type 'Classify M&A Activity' in the Rule Name field

8. In the Action drop down box select Classification: Classify Enterprise Vault Content and click the Add Action button

9. In the Assign retention category drop down select Mergers and Acquisitions


10. Click the Save button at the top of the screen

11. Choose Manage > Policies

12. Click on the Add Policy button

13. Choose Add a blank policy and click the Next> button

14. Fill in the policy Name: Mergers and Acquisition Activity

15. Fill in the Description: Mergers and Acquisition Activity

16. Change the Policy Group to Data_Classification_EV_v11.0

17. Uncheck the Enable Classification Test Mode box

18. In the Detection section, click the Add Rule button

19. Under Rule Type>Content, select Content Matches Keyword and then click the Next> button

20. Fill out the Rule Name box: M&A Activity Match


21. In the Conditions section, select the Keyword Separator: Comma

22. Uncheck the Match any Keyword box

23. Check the Keyword Proximity matching box

24. Click on the Add Pair of Keywords button

25. Fill in Expression List A box: acquisition,private,confidential communication,takeover target,historical earnings valuation,pure stock

26. Fill in Expression List B box: hostile,friendly,public,endorsement of the transaction,spin-off,empty shell,relative valuation

27. Fill in the Word Distance box: 10

28. Click on the OK button (hint: it's located towards the top of the page)

29. Back in the Policy configuration screen, select the Response tab

30. Click the drop down arrow in the box <choose response rule>

31. Select Classify M&A Activity

32. Click on the Add Response Rule button

33. Click the Save button


34. You will now need to generate some emails which the Data Classification server will classify from the Journal Archiving task

35. Switch to VM_SERV1_X64 and login as Admin with the password symc4now

36. Open the folder DCS Email Example on the desktop and execute the file MandA.cmd

37. Wait at least 5 minutes for EV to archive the messages from the Journal mailbox (The Journal mailbox can be opened on the virtual machine VM_SERV2_X64 if you want to monitor the progress)

38. Once the messages have been Journal archived, open the shortcut Logon as Mike Smith.rdp on the desktop of VM_SERV1_X64

39. Enter the password symc4now and press enter

40. Click on the OK button to complete the login

41. Launch Discovery Accelerator by clicking on Start>All Programs>Symantec Enterprise Vault Discovery Accelerator Client>Discovery Accelerator Client

42. Once the Instance Discovery is populated, click on the Connect button

43. Click on the Cases tab

44. Double click M&A Activity on the left side to open the case

45. Click Searches along the navigation bar

46. Click New Search

47. Fill out the search Name: M&A Tag Search

48. Scroll down to the Policies section and expand it by clicking on the arrow to the left

49. Select Custom for Policy Type, fill in the free form text box with Mergers and Acquisition Activity, and select Category from the type drop down as shown below

50. Click the Save button at the bottom to initiate the search only based on Tag information

51. Review the results. The script generated three emails; two contained the proper information and were classified by DCS. In the screenshot below, you see the tag that was applied by DCS and was found by Discovery Accelerator.


Lab Exercise 3: Testing the operation of the Data Classification Server against a Classification for Retention Management use case

In this lab exercise you are going to test the operation of the Data Classification Server against a Classification for Retention Management use case. In this exercise, you are the data custodian who interfaces with the legal department. You have been tasked to configure Enterprise Vault and Data Classification Services to identify emails containing contractual information and specify that Enterprise Vault use the 'Contracts' retention category to archive the corresponding emails. You will demonstrate to the legal department that Enterprise Vault has correctly archived the identified content using the Enterprise Vault Web Browser Search.

20 Minutes

1. Make sure that you are on the virtual machine Enforce and are logged in as Admin with a password of symc4now.

2. Select Start > Programs > Symantec Data Loss Prevention > Symantec Enforce Server. Click the link Continue to this website (not recommended).

3. In the Login field type Administrator (this is case sensitive) and in the Password field type protect4 and click Login.

4. Choose Manage > Response Rules

5. Click Add Response Rule

6. Choose Automated Response and click the Next> button

7. Type 'Classify Contracts' in the Rule Name field

8. In the Action drop down box select Classification: Classify Enterprise Vault Content and click the Add Action button

9. In the Assign retention category drop down select Contracts

10. Click the Save button at the top of the screen

11. Choose Manage > Policies

12. Click on the Add Policy button

13. Choose Add a blank policy and click the Next> button

14. Fill in the policy Name: Contracts Retention

15. Fill in the Description: Contracts Retention

16. Change the Policy Group to Data_Classification_EV_v11.0


17. Uncheck the Enable Classification Test Mode box

18. In the Detection section, click the Add Rule button

19. Under Rule Type>Content, select Content Matches Keyword and then click the Next> button

20. Fill out the Rule Name box: Contracts Match

21. In the Conditions section, select the Keyword Separator: Comma

22. Uncheck the Match any Keyword box

23. Check the Keyword Proximity matching box

24. Click on the Add Pair of Keywords button

25. Fill in Expression List A box: legally enforceable agreement,mutual obligations,breach,offer,acceptance

26. Fill in Expression List B box: damages,monetary compensation,misrepresentation,restitution,promissory

27. Fill in the Word Distance box: 5

28. Click on the OK button


29. Back in the Policy configuration screen, select the Response tab

30. Click the drop down arrow in the box <choose response rule>

31. Select Classify Contracts

32. Click on the Add Response Rule button

33. Click the Save button

34. You will now need to generate some emails which the Data Classification server will classify from the Journal Archiving task

35. Switch to VM_SERV1_X64 and login as Admin with the password symc4now

36. Open the folder DCS Email Example on the desktop and execute the file Contracts.cmd

37. Wait at least 5 minutes for EV to archive the messages from the Journal mailbox (The Journal mailbox can be opened on the virtual machine VM_SERV2_X64 if you want to monitor the progress)

38. Switch to VM_SERV2_X64 and login as evsvc with the password symc4now

39. Open Internet Explorer

40. In the IE toolbar, click the button for EV Browser Search

41. Click on the search button on the left

42. The Vault should already be set to Journal Archive, if not click the dropdown arrow and change it to Journal Archive

43. Use a blank search and click on the red Search button at the bottom of the screen (Hint: You may need to click on the drop down arrow for the Archived date to change the date range of the results.)

44. The three emails that were generated in step 34 will be the top three hits


45. The script generated three emails. One of the emails did not contain keywords within the configured proximity and thus wasn't classified by DCS (for example, the message entitled Review Contract was archived with the standard Exchange Journaling retention category).

46. The two emails entitled Stipulation guidelines and Contract stipulations both contained keywords within the configured proximity specified in the DCS policy. Therefore, they were classified by DCS and archived with the Exchange Mailbox Forever retention category.

47. You have now confirmed that the Contracts Match policy can classify emails properly and set the Enterprise Vault retention to the one specified in the policy configuration. This provides the mechanism to keep these classified emails for a longer time period than non-classified Journal archived emails.

48. Additionally, you can search using the Advanced function of the EV Browser search to search for the tag Contracts Retention

49. Click on the Search button on the left hand side to start with a blank page 50. In the address bar of IE append ?Advanced to the end of the URL and hit enter

51. Scroll down to the Other Attribute section and fill in Name: evtag.category and Value: Contracts Retention

52. Only the two results that showed up with the retention category Exchange Mailbox Forever will be found in this search

53. Extra exercise: You can also search for the 'Mergers and Acquisition Activity' tag to display the items tagged by DCS in the previous lab exercise.

54. You are now able to demonstrate the ability to search the Journal archive and verify that DCS has set the retention category by viewing the retention category in the search results or searching directly on the tag itself.
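
The keyword-pair proximity rules configured in Lab Exercises 2 and 3, sketched in Python as an added example (this is not Symantec's matching engine and not part of the original lab guide). The keyword lists and word distances are the ones entered in the steps above; the message bodies are constructed, and counting the distance as the number of words separating the two expressions is an assumption.

```python
import re

# Expression List A, Expression List B and Word Distance as entered in the lab.
POLICIES = {
    "Mergers and Acquisition Activity": (
        "acquisition,private,confidential communication,takeover target,"
        "historical earnings valuation,pure stock",
        "hostile,friendly,public,endorsement of the transaction,spin-off,"
        "empty shell,relative valuation",
        10,
    ),
    "Contracts Retention": (
        "legally enforceable agreement,mutual obligations,breach,offer,acceptance",
        "damages,monetary compensation,misrepresentation,restitution,promissory",
        5,
    ),
}

# Constructed message bodies (not the content produced by the lab's .cmd scripts).
SAMPLES = {
    "near": "The supplier admitted the breach and agreed to pay damages by Friday.",
    "far": "We noted a breach in section four. After a long review by both legal "
           "teams over several weeks, the parties could not agree on damages.",
    "mna": "This is a confidential communication about a friendly approach to the board.",
}

def tokenize(text):
    """Lower-case word tokens; hyphenated words such as spin-off stay whole."""
    return re.findall(r"[a-z0-9]+(?:-[a-z0-9]+)*", text.lower())

def spans(tokens, expression):
    """(start, end) token spans where a keyword or multi-word phrase occurs."""
    phrase = tokenize(expression)
    n = len(phrase)
    return [(i, i + n) for i in range(len(tokens) - n + 1) if tokens[i:i + n] == phrase]

def proximity_hit(text, list_a, list_b, distance):
    """First (A, B, gap) with at most `distance` words between A and B, else None.

    Assumption: the gap is the number of words separating the two expressions.
    """
    tokens = tokenize(text)
    for a in list_a.split(","):            # Keyword Separator: Comma
        for b in list_b.split(","):
            for a_start, a_end in spans(tokens, a):
                for b_start, b_end in spans(tokens, b):
                    gap = max(b_start - a_end, a_start - b_end, 0)
                    if gap <= distance:
                        return a, b, gap
    return None

def classify(text):
    """Names of the lab policies whose proximity rule matches the text."""
    return [name for name, (a, b, d) in POLICIES.items() if proximity_hit(text, a, b, d)]

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify(body))
```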
