Veritas Data Insight Administrator's Guide
- Section I. Getting started
- Introduction to Veritas Data Insight administration
- Configuring Data Insight global settings
- Overview of Data Insight licensing
- About scanning and event monitoring
- About filtering certain accounts, IP addresses, and paths
- About archiving data
- About Data Insight integration with Symantec Data Loss Prevention (DLP)
- Configuring advanced analytics
- About open shares
- About bulk assignment of custodians
- Section II. Configuring Data Insight
- Configuring Data Insight product users
- Configuring Data Insight product servers
- About node templates
- About automated alerts for patches and upgrades
- Configuring saved credentials
- Configuring directory service domains
- Configuring containers
- Section III. Configuring native file systems in Data Insight
- Configuring NetApp file server monitoring
- Configuring clustered NetApp file server monitoring
- About configuring secure communication between Data Insight and cluster-mode NetApp devices
- Configuring EMC Celerra or VNX monitoring
- Configuring EMC Isilon monitoring
- Configuring EMC Unity VSA file servers
- Configuring Hitachi NAS file server monitoring
- Configuring Windows File Server monitoring
- Configuring Veritas File System (VxFS) file server monitoring
- Configuring monitoring of a generic device
- Managing file servers
- Adding filers
- Adding shares
- Renaming storage devices
- Configuring NetApp file server monitoring
- Section IV. Configuring SharePoint data sources
- Configuring monitoring of SharePoint web applications
- About the Data Insight web service for SharePoint
- Adding web applications
- Adding site collections
- Configuring monitoring of SharePoint Online accounts
- About SharePoint Online account monitoring
- Adding SharePoint Online accounts
- Adding site collections to SharePoint Online accounts
- Configuring monitoring of SharePoint web applications
- Section V. Configuring cloud data sources
- Section VI. Configuring ECM data sources
- Section VII. Health and monitoring
- Section VIII. Alerts and policies
- Section IX. Remediation
- Section X. Reference
- Appendix A. Backing up and restoring data
- Appendix B. Data Insight health checks
- Appendix C. Command File Reference
- Appendix D. Data Insight jobs
- Appendix E. Troubleshooting
- Troubleshooting FPolicy issues on NetApp devices
About Data Insight policies
A policy is a set of conditions that you configure to monitor access events on files and folders stored on various repositories. Veritas Data Insight policies help you detect the sources of threat, access patterns on sensitive data, and anomalous user behavior. Data Insight classifies files as sensitive based on information received from Symantec Data Loss Protection (DLP) and based on the content analytics from Veritas Information Classifier. You can also import sensitive file information in to Data Insight using a CSV file.
See Configuring Symantec Data Loss Prevention settings.
For information about classifying data using Veritas Information Classifier, see the Veritas Data Insight Classification Guide.
Data Insight policies must include at least one condition that is configured to detect abnormal access patterns or user behavior. Data Insight generates an alert whenever it detects any violation of a condition in a configured policy. Additionally, you can also configure Data Insight to send email alerts to a select group of recipients whenever any policy violation is reported. The Real-time Sensitive Data Activity Policy, Real-time Data Activity User Whitelist-based policy, and Real-time Data Activity User Blacklist-based policy are evaluated instantaneously whenever there is a violation. All other (data activity trigger and user activity deviation ) policies are evaluated by default at 12:00 A.M. every night.
Policies can be configured with three severities, namely, high, medium, and low. You can assign the severity level to a policy based on your organizational needs. For example, the Information Security team can define policies to monitor accesses on the share \Finance
. For this purpose, they can configure a policy with a medium severity to monitor accesses on folders containing Finance policies and guidelines files. Whereas, they can configure a policy with a high severity to monitor accesses on files containing payroll information. When an alert is generated for a policy violation, the severity of the policy is associated with the alert.
Data Insight comes packaged with the following out-of-the-box policies that you can configure according to your needs:
Data Activity Trigger policy
Use this policy to define the maximum cumulative count of the meta operations on the selected paths. For example, if you have defined the maximum accesses per day as 500 on the share
\\netapp1\finshare
, and the total access count by the active set of users exceeds 500, then Data Insight generates an alert.User Activity Deviation policy
Use this policy to define the threshold of deviation from the baseline activity. The baseline activity on a file or folder is the average number of accesses that are considered normal based on past access counts. If the activity, by the selected users, on the selected data exceeds the specified threshold of the baseline (for example, three standard deviations above the baseline activity), and the maximum accesses allowed per day, Data Insight generates an alert.
You can configure how many standard deviations a user is allowed to deviate from the defined baseline.
Note:
User Activity Deviation policy is designed at share or filer level and not the folder or file level.
Real-time Data Activity User Whitelist-based policy
Use this policy to define a whitelist of users based on the Active Directory custom attributes, who can access selected shares or paths. Also, you can create such a policy with multiple conditions with multiple values for the same custom attributes.
Whenever the events that violate Real-time Data Activity User Whitelist-based policy are processed by an Indexer node, Data Insight generates alerts and an email is sent to a configured list of recipients in real-time.
Real-time Data Activity User Blacklist-based policy
Use this policy to define a blacklist of users based on the Active Directory custom attributes, who should not be accessing selected shares or paths. Also, you can create such a policy with multiple conditions with multiple values for the same custom attributes.
Whenever the events that violate Real-time Data Activity User Blacklist-based policy are processed by an Indexer node, Data Insight generates alerts and an email is sent to a configured list of recipients in real-time.
Real-time Sensitive Data Activity Policy
Use this policy to trigger real-time alerts when a selected set of users perform any access events on the paths that violate configured DLP policies. Whenever the events that violate Real-time Sensitive Data Activity Policy are processed by a Collector node, alerts are generated and an email is sent to a configured list of recipients.
The policy violations are also published in the Windows Applications and Services Logs as DataInsightAlerts events.
You can not configure policies for Documentum paths, because Data Insight does not fetch access event information for Documentum paths.