Chat now with support
Chat with Support

Unified Communications Analytics 8.6.1 - User Guide

Introducing Quest UC Analytics Viewing UC Analytics insights Modifying UC Analytics insights Exporting and importing UC Analytics insights Automatically exporting and sending insights (subscriptions) Appendix A:Questions and Answers for UC Analytics insights Appendix B:List of UC Analytics insights

What information is shown in the DLP insights?

If we implement Data Loss Prevention (DLP) policies in our Exchange environment, what information is shown in the DLP insights?

Answer

Data Loss Prevention (DLP) policies are packages containing sets of conditions which are made up of transport rules, actions, and exceptions. You create DLP policies in the Exchange Administration Center (EAC) and activate them to filter email messages and attachments.

DLP information gets written to the Exchange message tracking logs. These logs contain data from the Agents that are involved in processing mail flow content. For DLP, the Transport Rule Agent [TRA] is used to scan message content and to apply the policies defined as part of the Exchange Transport Rules [ETRs].

The DLP Matches - Activity insight shows a summary of the DLP matches in your organization. You can see the number of Exchange DLP matches generated and the top senders associated with the DLP matches.

The DLP Matches - Details insight provides information about the email messages that have matched the defined DLP rules including the name of the rule that was matched, the DLP Policy in which the rule resides, and the actions that were taken on the message because of the rule. The insight also shows the sender, receiver, and subject of the message that triggered the rule match.

 
Table 11. Fields in the DLP matches insights
Fields
Definition

Match Date

The sent date of the message that triggered the DLP rule match event.

Sender

The email address or display name for the sender of the message that triggered the DLP rule match event.

Recipients

The email addresses or display names of the recipients of the message that triggered the DLP rule match event.

Subject

Data found in the subject field of the message that triggered the DLP rule match event.

Policy Name

Name of the DLP policy for which the rule match was made.

Rule Name

Name of the DLP rule that the message violated.

Severity

Audit severity of the rule hit; displays the highest severity if multiple rules were hit. Severity can be low, medium, or high.

Actions Taken

Action taken by a rule. There can be multiple actions per rule such as audit, audit-and-notify, or enforcement.

Data Classification Confidence (%)

Based on the algorithm implemented by Microsoft, this value shows, as a percentage, the confidence level of the data classification accuracy.

Data Classification Count

Shows the number of instances of sensitive information found in the message.

Data Classification ID

Shows the data classification ID that is associated with the data classification.

Data Classification Name

Identifies the sensitive information type that was detected.

Directionality

Shows if the message was originated or received.

Justification for Override

Justification is only logged when the end user insights an override.

Override

Displays whether an override was reported for the message, and the justification of the override if provided. The Override field is present when an end-user insights either an override or a false positive for a rule.

Policy ID

Shows the ID for the DLP policy. If there is no Policy ID then the rule that was matched does not belong to a DLP Policy.

Rule ID

Shows the ID for the rule associated with the DLP rule match.

Rule Last Modified Date

Shows the date when you last modified the rule.

Rule Mode

State of the rule when the message matched the rule (enforcement, audit, or audit-and-notify).

Why do totals sometimes vary on different insights for certain date ranges?

If I specify a specific date range and compare certain totals on different insights, sometimes the numbers vary. Why does that happen?

Answer

There are two different types of data stored in the Storage Engine, snapshot data which is collected once a day by data source collections such as Domain Controller and Exchange Configuration, and continuous data which is collected on an ongoing basis by data sources such as Exchange Tracking Logs and Exchange Mailbox Contents.

Some insights display data on a snapshot (a specific point in time) basis. These insights typically have the following text displayed in the date range selection section at the top of the view.

Some views in the insight show values only for a specific point in time. If you select a date range, the data shown (as on) is the most recent data as determined by the end date of the date range.

In these insights, UC Analytics occasionally runs metrics against continuous data which is data that is not stored once per day. In some situations, the numbers returned in the snapshot insight may not match the numbers in a non-snapshot (continuous data) type insight for the same date range, such as for a single day.

The reason for the discrepancy is because the selected date range for the continuous data actually spans across two daily snapshots. The records for each snapshot day are returned and aggregated into the total/count. A snapshot insight that shows continuous data will include the all continuous data in all the UTC days that are spanned (partially or fully) by the date range, instead of only the continuous data in the partial UTC days in the date range.

For example, if you select a date range of August 1 to August 2 (UTC -5). The snapshot insight should include the continuous data in the following UTC date range:

August 1 05:00:00Z ≤ t ≤ August 3 04:59:999Z

Instead, the continuous data includes:

August 1 00:00:00Z ≤ t ≤ August 3 23:59:59.999Z

So when you are looking at Total Peer-to-Peer sessions, there could be a discrepancy in numbers between a snapshot type of insight (such as the Skype for Business / Lync / Organizational Summaries / User Activity) and a continuous data type of insight (such as Skype for Business / Lync / Peer-to-Peer Sessions - Details) for the same date range.

To see which insights are snapshot type insights, see Appendix B: List of UC Analytics insights . A hash tag (#) beside the insight name identifies insights that display data on a snapshot (point in time) basis

Appendix B:List of UC Analytics insights

Appendix B:
List of UC Analytics insights
Cross Platform Insights and their required data sources
Active Directory Insights and their required data sources.
Exchange Insights and their required data sources
Skype for Business/Lync Insights and their required data sources.
MessageStats Insights (includes Active Directory, Exchange, and Skype for Business/Lync insights) and their required data sources
Cisco Insights and their required data sources.

Insights and the data sources that provide the data

The following table lists all the UC Analytics insights and shows the data sources that are collected to populate each insight.

An asterisk (*) identifies those insights that will also include mailbox and user data from Office 365 if you have also configured data sources to collect data from Exchange Online.

A hash tag (#) identifies insights that display data on a snapshot (point in time) basis.

About collecting user configuration data

Many insights include Exchange user configuration data. When you collect the user data, the required data sources depend on whether you are collecting from an on-premise Exchange environment, from an Exchange Online hybrid environment, or from an Exchange Online native environment.

In the required data sources column in the table that lists all the insights, it may say the following:

Domain Controller AND/OR Exchange Online Hybrid User Configuration OR Exchange Online Native User Configuration are required.

The required data source is different depending on the environment from which you are collecting.

 
Table 12. Data sources for collecting user configuration data in different environments.
Exchange environment
Data sources required

Exchange on-premise

Domain Controller

Exchange Online hybrid

Domain Controller AND Exchange Online Hybrid User Configuration

Exchange Online native

Exchange Online Native User Configuration

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating