Veritas Data Insight User's Guide
About audit logs
Veritas Data Insight collects and stores access events from file servers and SharePoint sites. These access events are used to analyze the user activity on various files, folders, and subfolders for a given time period. The audit logs provide detailed information about:
- Users accessing the file or folder
- The file type
- The access types such as:
  - Read
  - Write
  - Create
  - Delete
  - Rename
  - Security Event - Logged when the access control entries of a file or folder are changed. This event helps to identify who changed the permissions.
  - Permission Change - This event captures the details of permission changes to a folder.
- The access timestamp
- The IP address of the machine from which the user generated the access activity.
The details of the Permission Change event provide information about the following:
- If a trustee (user or group) is allowed or denied permission on a path.
- If a trustee's permissions are removed on a path.
- If a trustee is given additional permission or denied certain permission on a path. For example, if user 'X' has Read and Write permissions on a folder and is subsequently also allowed Modify permission on the folder, Data Insight records a Permission Change event.
Note:
Currently, Data Insight fetches file system permission changes for CIFS paths only. It does not fetch Permission Change events for NFS or SharePoint paths. Permission changes at the share level are not reported.
You can use these access events for the following purposes:
- Audit permission changes on a folder.
- Identify the most active users of a file or folder in the event of a data leak.
- Carry out forensic investigations that help you understand the specific access events on sensitive data. For example, in case of a data leak, the information security team would want to know who accessed a particular file and the most active users of that file.
- Provide information about orphan data, that is, data owned by users who have left the organization or moved to a different business unit.
- Provide information about stale data that is never or rarely accessed.
For the purpose of calculating the access count, Data Insight records a read event when a user opens a file, reads it at least once, and closes it. Similarly, when a user writes to a file between an open and a close event, Data Insight considers it a write event. If there are read and write events, then one event is counted for each read and write.
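The counting rule above, worked through as an added example (not Veritas code). The raw operation layout, user names, IP addresses, and path are constructed for illustration, and the example reads the rule as: each open-to-close session contributes at most one Read and one Write event.

```python
from collections import Counter

P = r"\\fs1\hr\payroll.xlsx"
# Constructed raw operations: (timestamp, user, source IP, path, operation).
# This layout is an assumption for the example, not Data Insight's log format.
RAW_OPS = [
    ("09:00:01", "alice", "10.0.0.5", P, "open"),
    ("09:00:02", "alice", "10.0.0.5", P, "read"),
    ("09:00:03", "alice", "10.0.0.5", P, "read"),
    ("09:00:04", "alice", "10.0.0.5", P, "close"),  # two reads -> 1 Read
    ("09:05:01", "bob", "10.0.0.9", P, "open"),
    ("09:05:02", "bob", "10.0.0.9", P, "read"),
    ("09:05:03", "bob", "10.0.0.9", P, "write"),
    ("09:05:04", "bob", "10.0.0.9", P, "write"),
    ("09:05:05", "bob", "10.0.0.9", P, "close"),    # 1 Read + 1 Write
    ("09:10:01", "alice", "10.0.0.5", P, "open"),
    ("09:10:02", "alice", "10.0.0.5", P, "close"),  # no I/O -> nothing counted
    ("09:15:01", "alice", "10.0.0.5", P, "open"),
    ("09:15:02", "alice", "10.0.0.5", P, "read"),
    ("09:15:03", "alice", "10.0.0.5", P, "write"),
    ("09:15:04", "alice", "10.0.0.5", P, "close"),  # 1 Read + 1 Write
    ("09:20:01", "carol", "10.0.0.7", P, "open"),
    ("09:20:02", "carol", "10.0.0.7", P, "read"),   # never closed -> not counted
]

def count_access_events(raw_ops):
    """Collapse each open..close session into at most one Read and one Write."""
    sessions = {}       # (user, ip, path) -> kinds of I/O seen since the open
    counts = Counter()  # (user, path, "Read" | "Write") -> counted events
    for _ts, user, ip, path, op in sorted(raw_ops, key=lambda r: r[0]):
        key = (user, ip, path)
        if op == "open":
            sessions[key] = set()
        elif op in ("read", "write") and key in sessions:
            sessions[key].add(op)   # repeated reads/writes collapse to one kind
        elif op == "close":
            for kind in sessions.pop(key, ()):
                counts[(user, path, kind.capitalize())] += 1
    return counts

def most_active_users(counts, path):
    """Rank users by total counted events on one path (the data-leak question)."""
    totals = Counter()
    for (user, p, _kind), n in counts.items():
        if p == path:
            totals[user] += n
    return totals.most_common()

if __name__ == "__main__":
    print(most_active_users(count_access_events(RAW_OPS), P))
```
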