Enterprise Recon 2.5.0

Investigate

This section covers the following:

Overview

The Investigate page provides a one-stop view of match locations across all Targets to help users easily review, export and remediate match results.

Investigate page.

Users can get to the Investigate page from the navigation menu or Targets page. See Navigation for more information.

Within the Investigate page, users can sort the list of match locations across all Targets, or filter the results set according to specific criteria. These filters can also be used when exporting CSV match reports from the Investigate page. See Export for more information.

Users can navigate from the Investigate or Targets page to view the list of inaccessible locations for each Target. See Inaccessible Locations for more information.

Navigation

There are several ways to access the Investigate page.

  1. Navigation Menu
    1. Log in to the ER2 Web Console.
    2. Go to Investigate. The Investigate page displays the complete list of match locations across all Targets on the Master Server.
  2. Targets Page
    1. Log in to the ER2 Web Console.
    2. Go to Targets.
    3. To go to the Investigate page, click on the:

      Navigating to Investigate page from the Targets page.

      Item Description
      (A) Target Group Investigate page displays match locations for all Targets in the associated Target Group.
      (B) Target Investigate page displays match locations for the selected Target.
      (C) Target Location Investigate page displays match locations for the selected Target location.

Components

The following table is a list of components found in the Investigate page:
Components in the Investigate page.

Component Description
Results Grid

Displays the match results across all Targets. Target Group tags indicate the Target Group that the Target belongs to, and filter tags describe the filters that are applied to the match results set in the results grid.

Clicking on the arrow to the left of the Target name expands to show all match locations within a Target. Match results should then be reviewed and remediated where necessary.

Sort Target Locations Display match results within a Target by the selected sort order (e.g. Location, Owner, Status, Sign-Off, Matches). See Sort Target Locations for more information.
Filter Locations By Display specific Targets or match locations according to the filter criteria. See Filter Targets and Locations for more information.
Columns Add, remove, and prioritze columns to display in the Results Grid. See Results Grid Column Chooser for more information.
Match Inspector Displays detailed information for a match location. See Match Inspector for more information.
Remediate Perform remedial actions on selected Targets and match locations. See Remediation for more information.
This feature is only available to users with Remediate or Global Admin permissions.
Control Access PRO Perform access control actions on selected Targets and match locations. See Data Access Management for more information.
Classify PRO Manually classify or remove the MIP sensitivity labels for selected Targets and match locations. See Data Classification with MIP for more information.
This feature is only available to users with Classification or Global Admin permissions.
Trash Remove scan results for specific locations or data types from a Target. See Trash for more information.
Export Export a CSV report of the Targets and match locations that are selected in the results grid. See Export for more information.
Target Options Target options dropdown menu to access Target reports, inaccessible locations, remediation logs and more. Dropdown menu to Edit Target, access Target Reports, Inaccessible Locations, Operation Log, Scan History and Scan Trace Logs.

Filter Targets and Locations

Select one or more filters in the Filter Locations By panel to show specific Targets and match locations in the results grid. Clicking on Apply Filter updates the results grid to display only the match locations that fulfill all the selected filter criteria.

Filters Description
Path Keywords

Only show match locations that contain a given keyword in the path or file name. Partial string matching is supported.

Risk Profiles PRO Only show match locations that are mapped to specific risk profiles, or classified as specific risk levels.

  • <risk_profile_label>: Show all locations that are mapped to the selected risk profile, regardless of priority.
  • <risk_profile_label> (Prioritised): Show only locations where the selected risk profile is mapped as the highest priority profile.

See Risk Scoring and Labeling for more information.

Targets

Only show results for the selected Target Groups or Targets.

Target Types Only show results for the selected Target types.
File Formats Only show results for the selected file formats or content types.
Metadata Only show match locations that contain specific metadata information. Available metadata filters include:
  • Document - Owner, Created, Modified
  • Email - Sender Email Address, Date Sent. Partial string matching is supported.
  • Filesystem - Owner, Created, Modified
Access PRO Only show match locations that are accessible by specific groups, users, or user classes. Use the following format to filter by domain groups or user: <domain>\<group or username>.

See Data Access Management for more information.

The Access filter will only apply to locations scanned or rescanned with ER 2.2 and above.
Classification PRO

Only show match locations with the selected

  • Classification type (e.g. "Discovered", "Classified" etc), or
  • MIP sensitivity label(s). Selecting the "Deleted labels" option will show match locations that were last classified with MIP labels that are no longer active or valid.

See Data Classification with MIP for more information.

The Classification filter will only apply to locations scanned or rescanned with ER 2.2 and above.
Data Types Only show match locations that contain the selected data types.
Operation Status Only show match locations with the selected remediation, access control or classification status.
Advanced Filters Only show match locations that fulfil the conditions defined in the selected Advanced Filters.

Filters that are applied to the match results set will be displayed in the filter tags pane above the results grid.

  • Click See More or See Less to expand or collapse the filter tags view.
  • Click Clear All to reset all filters.

Filter tags pane in the Investigate page.

Results Grid Column Chooser

You can customize the Results Grid view by adding, removing or rearranging the columns with the Column Chooser.

Add, delete and rearrange columns with the Column Chooser.

  1. In the Investigate page, click the Columns Columns chooser button in the Investigate page. button.
  2. In the Edit Columns dialog box:
    • Add a column to the Results Grid by dragging the <Column> tile from the Available Columns panel, to the Selected Columns panel.
    • Remove a column from the Results Grid by dragging the <Column> tile from the Selected Columns panel, to the Available Columns panel.
    • Rearrange the column sequence in the Results Grid by dragging a <Column> tile up or down in the Selected Columns panel.
  3. Click Ok to save the column configuration.
  4. (Optional) To adjust the column width, hover over the column boundary until the resizing cursor Column resizing cursor. appears, then hold and drag the column boundary to resize the width.

The column and column width settings are saved only for the logged in user account, and will be displayed for subsequent logins to the Web Console until further changes are made.

Sort Target Locations

Match locations within a Target can be sorted in the results grid using the ˄ and ˅ arrow at each column header.

Column Headers Toggle Function
  • Location (default)
  • Owner
  • Status
  • Sign-off
  • Access Control PRO [1]
  • MIP Label PRO
  • Classification Status PRO
  • ˄ sorts locations alphabetically from A to Z
  • ˅ sorts locations alphabetically from Z to A
  • Matches
  • Access PRO [1]
  • ˄ sorts locations from the highest to lowest number
  • ˅ sorts locations from the lowest to highest number
  • Risk PRO
  • ˄ sorts locations from the highest to lowest risk level
  • ˅ sorts locations from the lowest to highest risk level

[1] This feature is only available when Data Access Management is enabled.

Match Inspector

The Match Inspector window allows you to review the list of matches for a specific match location and evaluate the remediation options.

  1. Go to the Investigate page.
  2. Click on the arrow to the left of the Target name to expand and show all match locations within a Target.
  3. (Optional) Sort the list of match locations by:
    • Location - Full path of the match location,
    • Owner - User with Owner permissions,
    • Status - Remediation, access control or classification status(es) for the match location,
    • Matches - Match count and match severity (e.g. prohibited, match, test),

    • Access PRO [2] - Number of unique users with any form of access permissions to the location, or
    • Access Control PRO [2] - Access control actions taken on a given location.
    • Risk PRO - Highest priority risk level mapped to a given location.
    • MIP Label PRO - MIP sensitivity label applied to a given location.
    • Classification Status PRO - Classification status of the MIP sensitivity label (e.g. Discovered, Classified, Policy-based) applied to a given location.
  4. Click on the match location to bring up the Match Inspector.

    Match Inspector window.

    Component Description
    Data type matches Displays the list of matches detected in the match location, sorted by data type.
    Match details Displays samples and contextual data for the match. Click on View all info to see the metadata and a breakdown of data type matches for the match location.
    Match sample encoding Select the encoding format to use for displaying contextual data for the match.
    Encoding options: Plain text (ASCII), EBCDIC (used in IBM mainframes), Hexadecimal.
    Contextual data

    Contextual data is the data surrounding the matches found in a match location. Reviewing contextual data may be helpful in determining if the match itself is genuine, since matches are always masked dynamically when presented on the Web Console.

    To display contextual data around matches, make sure this option is selected when you schedule a scan.

    Scanning EBCDIC-based systems can be enabled in Data Type Profiles.

[2] This feature is only available when Data Access Management is enabled.

See Remediation for more information.

Trash

You can use the Trash function to remove scan results for Targets or selected match locations by applying the location filters.

Using the Trash button to remove scan results does not delete the actual match data on the Target. If no remedial action was taken, the scan results that were trashed would be detected as match locations if a scan is executed again on the Target.

To delete scan results:

  1. (Optional) In the Investigate page, select one or more filters in the Filter Locations by panel and click Apply Filter to display specific Targets and match locations in the results grid.
  2. In the results grid, select the Targets or match locations.
  3. Click the Trash button Trash button to remove scan results for selected match locations or data types. to remove scan results for the selected Targets or match locations.
  4. Enter a name in the Confirm Removal of Data Type field.
  5. Click Confirm.

Export

You can generate a CSV report of the match results and locations that are selected in the results grid of the Investigate page. See Match Report for more information.

Inaccessible Locations

When ER2 encounters any error when accessing files, folders and drives on a Target during a scan, they are logged as Inaccessible Locations. The log of inaccessible locations should be reviewed to ensure there are no issues in the scan setup, such as scanning a Target using credentials with insufficient permissions.

To view the log of inaccessible locations for a Target:

  1. Log in to the ER2 Web Console.
  2. Go to the Investigate page.
  3. Hover over the Target and click on the gear Enterprise Recon 2.1 options gear icon. icon.
  4. Select Inaccessible Locations from the drop-down menu.

You can also view the list of inaccessible locations from the Targets page.

Investigate Permissions

Resource permissions that are assigned to a user grants access to specific components in the Investigate page.

Components Resource Permissions
Navigation
  • Menu > Investigate
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
  • Menu > Targets > Target Group / Target > Investigate
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
  • Notifications > Target > Investigate
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
Results Grid
  • View Target in results grid
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
  • View location in results grid
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
Remediate
  • Remediate button
Target / Target Group: Remediate
  • Mark location for compliance report
Target / Target Group: Remediate - Mark Location for Report
  • Act directly on selected locations
Target / Target Group: Remediate - Act Directly on Location
  • Trash match results
N/A [3]
Control Access
  • Control Access button PRO
Target / Target Group: Access Control PRO
Classification
  • Classify button PRO
Target / Target Group: Classification PRO
Export
  • Download match reports
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
Filter Locations By
  • View Target Group / Target / Target type in filter pane.
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO
  • Search match locations in filter panel
Target / Target Group: Report - Detailed Reporting, Remediate, Access Control PRO, or Classification PRO

[3] This feature is only available to users with Global Admin permissions.

For more information about resource permissions in ER2, see Resource Permissions.