
Unified Communications Analytics 8.7 - User Guide


What information is shown in the DLP insights?

If we implement Data Loss Prevention (DLP) policies in our Exchange environment, what information is shown in the DLP insights?

Data Loss Prevention (DLP) policies are packages containing sets of conditions which are made up of transport rules, actions, and exceptions. You create DLP policies in the Exchange Administration Center (EAC) and activate them to filter email messages and attachments.

DLP information gets written to the Exchange message tracking logs. These logs contain data from the Agents that are involved in processing mail flow content. For DLP, the Transport Rule Agent [TRA] is used to scan message content and to apply the policies defined as part of the Exchange Transport Rules [ETRs].

The DLP Matches - Activity insight shows a summary of the DLP matches in your organization. You can see the number of Exchange DLP matches generated and the top senders associated with the DLP matches.

The DLP Matches - Details insight provides information about the email messages that have matched the defined DLP rules including the name of the rule that was matched, the DLP Policy in which the rule resides, and the actions that were taken on the message because of the rule. The insight also shows the sender, receiver, and subject of the message that triggered the rule match.

Match Date

The sent date of the message that triggered the DLP rule match event.

Sender

The email address or display name for the sender of the message that triggered the DLP rule match event.

Recipients

The email addresses or display names of the recipients of the message that triggered the DLP rule match event.

Subject

Data found in the subject field of the message that triggered the DLP rule match event.

Policy Name

Name of the DLP policy for which the rule match was made.

Rule Name

Name of the DLP rule that the message violated.

Severity

Audit severity of the rule hit; displays the highest severity if multiple rules were hit. Severity can be low, medium, or high.

Actions Taken

Action taken by a rule. There can be multiple actions per rule such as audit, audit-and-notify, or enforcement.

Data Classification Confidence (%)

Based on the algorithm implemented by Microsoft, this value shows, as a percentage, the confidence level of the data classification accuracy.

Data Classification Count

Shows the number of instances of sensitive information found in the message.

Data Classification ID

Shows the data classification ID that is associated with the data classification.

Data Classification Name

Identifies the sensitive information type that was detected.

Directionality

Shows if the message was originated or received.

Justification for Override

Justification is only logged when the end user reports an override.

Override

Displays whether an override was reported for the message, and the justification of the override if provided. The Override field is present when an end user reports either an override or a false positive for a rule.

Policy ID

Shows the ID for the DLP policy. If there is no Policy ID then the rule that was matched does not belong to a DLP Policy.

Rule ID

Shows the ID for the rule associated with the DLP rule match.

Rule Last Modified Date

Shows the date when you last modified the rule.

Rule Mode

State of the rule when the message matched the rule (enforcement, audit, or audit-and-notify).

Why do totals sometimes vary on different insights for certain date ranges?

If I specify a specific date range and compare certain totals on different insights, sometimes the numbers vary. Why does that happen?

Two types of data are stored in the Storage Engine: snapshot data, which is collected once a day by data source collections such as Domain Controller and Exchange Configuration, and continuous data, which is collected on an ongoing basis by data sources such as Exchange Tracking Logs and Exchange Mailbox Contents.

Some insights display data on a snapshot (a specific point in time) basis. These insights typically have the following text displayed in the date range selection section at the top of the view.

In these insights, UC Analytics occasionally runs metrics against continuous data which is data that is not stored once per day. In some situations, the numbers returned in the snapshot insight may not match the numbers in a non-snapshot (continuous data) type insight for the same date range, such as for a single day.

The discrepancy occurs because the selected date range for the continuous data actually spans across two daily snapshots. The records for each snapshot day are returned and aggregated into the total/count. A snapshot insight that shows continuous data will include all the continuous data in all the UTC days that are spanned (partially or fully) by the date range, instead of only the continuous data in the partial UTC days in the date range.

For example, suppose you select a date range of August 1 to August 2 (UTC -5). The snapshot insight should include the continuous data in the following UTC date range:

Instead, the continuous data includes:

So when you are looking at Total Peer-to-Peer sessions, there could be a discrepancy in numbers between a snapshot type of insight (such as the Skype for Business / Lync / Organizational Summaries / User Activity) and a continuous data type of insight (such as Skype for Business / Lync / Peer-to-Peer Sessions - Details) for the same date range.

To see which insights are snapshot type insights, see Appendix B: List of UC Analytics insights. A hash tag (#) beside the insight name identifies insights that display data on a snapshot (point in time) basis.
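The widening described above, as an added Python example that is not part of the Quest guide or the product's code: it computes the exact UTC window for a local date range and the wider window made of every UTC day that range touches, then counts constructed event timestamps in each. The year 2023, the sample timestamps, and the assumption that the selected range covers both local calendar days in full are illustrative only.

```python
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc

def exact_utc_window(first_day, last_day, utc_offset_hours):
    """Half-open UTC window [start, end) covering local days first_day..last_day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.combine(first_day, time.min, tzinfo=tz)
    end = datetime.combine(last_day + timedelta(days=1), time.min, tzinfo=tz)
    return start.astimezone(UTC), end.astimezone(UTC)

def spanned_utc_days_window(first_day, last_day, utc_offset_hours):
    """Widen the exact window to every UTC day it touches, partially or fully."""
    start, end = exact_utc_window(first_day, last_day, utc_offset_hours)
    midnight = dict(hour=0, minute=0, second=0, microsecond=0)
    # Step back one microsecond so an end that falls exactly on UTC midnight
    # does not pull in an extra day.
    last_instant = end - timedelta(microseconds=1)
    return start.replace(**midnight), last_instant.replace(**midnight) + timedelta(days=1)

def count_in(window, timestamps):
    """Number of timestamps inside the half-open window."""
    start, end = window
    return sum(start <= ts < end for ts in timestamps)

# Constructed continuous-data records (UTC), e.g. session or message events.
SAMPLE_EVENTS_UTC = [
    datetime(2023, 8, 1, 2, 0, tzinfo=UTC),   # July 31, 21:00 local: before the range
    datetime(2023, 8, 1, 6, 0, tzinfo=UTC),   # inside the range
    datetime(2023, 8, 2, 12, 0, tzinfo=UTC),  # inside the range
    datetime(2023, 8, 3, 4, 30, tzinfo=UTC),  # August 2, 23:30 local: inside the range
    datetime(2023, 8, 3, 18, 0, tzinfo=UTC),  # August 3, 13:00 local: after the range
    datetime(2023, 8, 4, 1, 0, tzinfo=UTC),   # outside both windows
]

if __name__ == "__main__":
    first, last, offset = date(2023, 8, 1), date(2023, 8, 2), -5
    exact = exact_utc_window(first, last, offset)
    widened = spanned_utc_days_window(first, last, offset)
    print("exact UTC window  :", exact[0], "->", exact[1])
    print("spanned UTC days  :", widened[0], "->", widened[1])
    print("records in exact  :", count_in(exact, SAMPLE_EVENTS_UTC))
    print("records in spanned:", count_in(widened, SAMPLE_EVENTS_UTC))
```

When reconciling two insights for the same date range, comparing both counts this way shows whether the difference is explained by records that fall in the partially spanned UTC days.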

How is a logical Exchange message different from a unique (physical) message?

How is the Email - Logical Message Activity insight different from other UC Analytics insights in the way it counts Exchange messages?

With the exception of the Email - Logical Message Activity insight, the UC Analytics Exchange insights show unique (physical) message counts. Physical messages provide message counts in a manner similar to how Exchange handles messages. When a user opens Outlook, creates a message with five recipients and clicks Send, there is one physical message that Exchange delivers to each recipient.

Exchange can create copies of the message so that each recipient can receive the message. This process is called bifurcation and is performed when different recipients receive copies of the same message. A logical message is a message in which each recipient is counted as a separate message. For example, if a mail message is created in Outlook and is sent to nine recipients, that would count as one physical sent message and nine logical sent messages.

The Email - Logical Message Activity insight lets you view logical message activity for individual message recipients and shows a summary of logical email activity in your organization including the top senders and effective recipients.
