Veritas Data Insight User's Guide

Product(s): Data Insight (6.1.2)

About DQL query templates

Data Insight provides you with built-in queries to help you write complex queries. At the time of creating a DQL report, you can select any of the built-in queries, and modify the content to suit your particular reporting needs. Additionally, you can create your own queries and save them to be used later as templates.

See Creating custom templates for DQL queries.

See Creating a report.

Data Insight provides the following default query templates:

Table: Data Insight Query Language templates

| Category | Name | Description |
|---|---|---|
| Data Management | Folder creation details | The query fetches the details about the creator and the date of creation for every first-level folder in the environment. |
| Data Management | All files with a specific extension | The query fetches details of files with specific extensions in your storage environment. You can use this query to find, for example, all media files. The query helps you find data that does not comply with your organization's policy, and reclaim storage on your device. Modify the template to add other extensions to get results that suit your needs. |
| Data Management | Capacity by extensions | The query and the provided advanced SQL queries help identify the storage capacity used by specific file extensions. |
| Data Management | Files in a confidential folder | The query lists all the files under a specified folder in a share. In this example, the folder has the word "confidential" as part of its name. Modify the share name and folder name search criteria to get results that suit your needs. |
| Data Management | Files with undefined file groups | The query lists all the file extensions under a specified share that are not defined in Data Insight file groups. You can analyze these files and update the file groups for better reporting of consumption patterns. Use the advanced query to narrow down the results to specific extensions. |
| Data Management | Folder summary by file type | The query fetches the folder-level summary of counts and size used by different file types in a share. Only files that are direct members of a folder are used in the computation. Only file types that are part of Data Insight file groups are listed; all other file types are combined under the empty "" file type. Modify the share name to get results that suit your needs. |
| Data Management | Stale file list | The query lists the files that have not been accessed for the past one year. You can use this report to make better archiving decisions. Modify the duration and the share name to get the results that suit your needs. |
| Data Management | Storage usage by user attribute | The query lists the consumption of storage on NAS devices based on the user attribute, department. The consumption is determined by calculating the owner of the file and mapping the owner to the corresponding department. Modify the filer name and user attribute to get the results that suit your needs. Additionally, you can modify the owner calculation by specifying access dates and the order of the policy for computing the data owner. |
| Data Management | Duplicate Files in Share | This query, along with the advanced SQL queries, helps identify duplicate files within a share by name, by size of files, and by modified time. Additionally, you can specify conditions to match a copy string in the file name to further tune the advanced SQL. These options are in the commented portion of the Advanced SQL query in the template. |
| Data Management | Stub Files | This query lists all stub files, assuming that the stub size equals 4 kb. |
| Data Management | Archived Files | The query lists all archived files with the specified attributes. The attribute metadata is stored by the file system and can be used to find out the amount of reclaimable storage and to make decisions about removal or archiving. |
| Risk Analysis | Sensitive files on a filer | The query lists all files that are marked sensitive by Symantec Data Loss Prevention (DLP). These files can be further analyzed and acted upon as per your organization's security measures. If DLP is configured and incidents are reported against a configured report ID, this report lists the sensitive files automatically. Alternatively, you can import sensitive file information to Data Insight using a CSV file. Replace the device name with a valid filer name in your environment to get the results that suit your needs. |
| Risk Analysis | Sensitive files that are active | The query lists all the active sensitive files that violate a certain DLP policy. In addition to file details, it also gives you the number of active users on the files. Modify the activity period and policy to get the output that is valid for your environment. |
| Risk Analysis | Sensitive files with violated policies | The query lists all the sensitive files in a share and the associated DLP policies that are violated. Modify the share name to get the output that is valid for your environment. |
| Risk Analysis | Department-wise summary of risky behavior | The query fetches the summary of the users belonging to other departments who have accessed sensitive files owned by a specific department. For example, you may want to know the users belonging to any non-HR department accessing files owned by the HR department. This query computes the potentially risky behavior on a specific share during a specific time range. The files are classified as being sensitive by DLP policies. Note that sometimes the report may flag legitimate accesses as risky behavior. Use your discretion to eliminate such false alarms. Modify the share name, time range, DLP policy string, user department attribute, and department name in the query to get valid results in your environment. |
| Risk Analysis | Recent suspicious activity | This query fetches the details of the inactive sensitive files that were accessed recently. For example, it can get the list of sensitive files that were inactive for the last year but were accessed in the last 5 days. It also provides you information about the person who accessed the file most recently. The sensitive file information is fetched from DLP. Alternatively, you can import sensitive file information to Data Insight using a CSV file. Modify the recent access time range and inactivity time range to get results that suit your needs. |
| Risk Analysis | Last Accessed - Time Range | The query lists all files that were last accessed between 1 year and 3 years ago. |
| Risk Analysis | Groups contributing to high risk | The query finds common groups across users who have a risk score > 90 and who are contributing to the high level of permissions. Use the query to analyse whether the users should be part of the group or whether the excessive permissions to the group should be reconsidered. |
| Risk Analysis | Risky Users Outlier | The query gives the count of high-risk users based on their custom attributes. The users are listed in ascending order of their risk score. Use the query to find any unusual user with a risk score > 90. Typically, the high-risk users may include service or administrator accounts due to the high level of permissions assigned to these accounts. |
| Forensics | Share access details | This query provides the audit details on a share for a specified time range. Modify the time range and share name to get results specific to your environment. |
| Forensics | User access details | The query provides the details of accesses by a specified person on a share during a specified time range. Modify the person name, time range, and share name to get the results that suit your needs. |
| Forensics | Top users of sensitive files | The query lists the top ten users who have accessed sensitive files in your storage environment within a specified time range. Modify the time range to get valid results in your environment. |
| Forensics | Folders with maximum access counts | The query fetches the list of the top ten folders that are accessed in a share during a specific time range. Modify the share name and time range to get valid results in your environment. |
| Forensics | Users with maximum access counts | The query fetches the list of the top ten users who have accessed a share during a specific time range. Modify the share name and time range to get valid results in your environment. |
| User / Group Management | Group membership details | The query provides the details about a specified security group, its member groups, and users in the group. Modify the group name and domain name to get the results that are valid for your environment. |
| User / Group Management | Deleted or disabled groups | The query lists all the disabled or deleted security groups in the environment. |
| User / Group Management | Deleted or disabled users | The query lists all the disabled or deleted users in the environment. |
| User / Group Management | Groups with disabled users | The query lists all the groups with disabled users in the environment. |
| User / Group Management | Empty groups | The query provides a comma-separated list of security groups, their details, and the SIDs of their member users. To list the empty groups for clean-up, execute the following query on the output: SELECT * FROM groups WHERE memberusers_sid = '' |
| User / Group Management | Circular groups | The query lists any security groups in the environment that are members of each other, forming group loops. |
| Data Protection | Open shares | The query lists all paths in your environment that have excessive permissions, along with the reasons for their openness. |
| Data Protection | Shares with permissions to Everyone group | The query lists shares in the environment that have permissions to the "Everyone" group. |
| Permission Management | Paths with direct permissions to disabled users | The query provides the details about the paths that have explicit access to disabled users. |
| Permission Management | Box folders owned by a given user | The query lists all Box folders owned by a given user. It excludes all shared folders. |
| Classification | Files to send for classification | Creates a report of all files that are accessible to more than 1000 users. Use the DQL report to send file paths in the output for classification. |
| Classification | Classified files with a specific extension | Creates a report of all files with a specific extension (for example, PST) and a specific tag name (for example, US-PII). You can either use the query to identify tags associated with specific files or to push these files to Enterprise Vault for archiving. |
| Classification | All PII files | Creates a report of all files that are tagged as Personally Identifiable Information (PII). These are files that may contain sensitive information such as Social Security, credit card, and drivers' license numbers. |
| Classification | Classify active users files | Creates a report listing all files that have been accessed by users identified as active by Data Insight. You can then use this report to submit these files for classification. |
| Classification | Classified files summary | Creates a report that summarizes all files that have already been classified. |
| Ransomware | WriteRename sensor | The query lists all the write and rename activities performed in the data source within 24 hours. An SQL query is used to fetch the per-user activity (write) count performed on the file before it was renamed. A notification is sent to the users configured on Reports > Edit > Notifications only if the activity count is higher than the configured threshold. See About Data Insight custom reports for information about how to configure the threshold value. Note: Do not modify the query or table names in the query as it might interfere with the notification process. |
| Ransomware | Activity by rename extensions | The query fetches the count of files that are renamed by each user and that have unique file extensions. For example, the query extracts the number of files that are renamed and that have the extension docx, pdf, xlsx. |
| Ransomware | Rename count for parent folders | The query fetches the top-level directories in the share, site collection, or equivalent, and the number of write and rename activities performed in each of these repositories by each user. Use this report to detect malicious activities performed on the parent folder in a share or equivalent. |
| Ransomware | Activity by create extensions | The query lists all the files that are created in the last 24 hours by each user. Use this query to identify files created by an infected or risky user. |
| Ransomware | List file patterns | This query lists the files that contain a specific string in the file name. For example, ransomware appends a unique extension to the encrypted files. With this query, you can fetch all the files that contain the specified extension. |
| Ransomware | Trace malicious executable | The query lists the duplicates of the ransomware executables residing on your system. |
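
The per-user write-before-rename count that the WriteRename sensor entry describes, as an added example that is not Data Insight's own DQL or SQL. The table and column names, the sample events, and the threshold of 10 are constructed for illustration, and it assumes the writes and the rename on a file come from the same user.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2024, 1, 10, 12, 0, 0)  # constructed report run time

def _ts(minutes_ago):
    return (NOW - timedelta(minutes=minutes_ago)).strftime(FMT)

def build_sample_events():
    """Constructed audit events: (timestamp, actor, operation, path)."""
    events = [
        (_ts(300), "alice", "WRITE", "/share/fin/q1.xlsx"),
        (_ts(299), "alice", "RENAME", "/share/fin/q1.xlsx"),
        (_ts(200), "alice", "WRITE", "/share/fin/q1.xlsx"),   # after the rename: ignored
        (_ts(120), "carol", "WRITE", "/share/hr/plan.docx"),  # never renamed: ignored
        (_ts(1800), "dave", "WRITE", "/share/old/a.doc"),     # 30 h ago: outside window
        (_ts(1799), "dave", "RENAME", "/share/old/a.doc"),
    ]
    # Burst pattern: two writes then a rename on each of six files.
    for i in range(6):
        path = f"/share/eng/doc{i}.docx"
        base = 60 - i * 3
        events += [(_ts(base), "dave", "WRITE", path),
                   (_ts(base - 1), "dave", "WRITE", path),
                   (_ts(base - 2), "dave", "RENAME", path)]
    return events

def load_events(events):
    """Load events into an in-memory table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_events (ts TEXT, actor TEXT, op TEXT, path TEXT)")
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?)", events)
    return conn

# EXISTS counts each write once, even if the file is renamed more than once.
QUERY = """
SELECT w.actor, COUNT(*) AS writes_before_rename
FROM audit_events AS w
WHERE w.op = 'WRITE' AND w.ts >= :since
  AND EXISTS (
        SELECT 1 FROM audit_events AS r
        WHERE r.op = 'RENAME' AND r.actor = w.actor AND r.path = w.path
          AND r.ts > w.ts AND r.ts <= :now)
GROUP BY w.actor
ORDER BY writes_before_rename DESC, w.actor
"""

def write_rename_counts(conn, now, window_hours=24):
    """Per-actor count of writes on files the actor later renamed, within the window."""
    params = {"since": (now - timedelta(hours=window_hours)).strftime(FMT),
              "now": now.strftime(FMT)}
    return dict(conn.execute(QUERY, params).fetchall())

def users_over_threshold(conn, now, threshold, window_hours=24):
    """Actors whose count is strictly higher than the threshold (notification candidates)."""
    counts = write_rename_counts(conn, now, window_hours)
    return sorted(actor for actor, n in counts.items() if n > threshold)

if __name__ == "__main__":
    conn = load_events(build_sample_events())
    print(write_rename_counts(conn, NOW))
    print(users_over_threshold(conn, NOW, threshold=10))
```
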