Symantec Enterprise Vault: filtering features. Theory.

Today I would like to talk about the filtering features available to us in Symantec Enterprise Vault. Usually we are happy with the default configuration of Enterprise Vault: we configure an Exchange Journaling task on EV, target it at a specific journaling mailbox, and the task ingests all journal reports from there (to be fair, the task ingests even a standard email that is not a journal report). But sometimes, in specific cases, we need to make the archiving process more granular. Symantec proposes 4 features to help us meet our business, regulatory and other requirements:

  • Selective Journaling
  • Group Journaling
  • Custom Filtering
  • Custom Properties

I am going to concentrate your attention on the last 2 features as the most interesting and effective ones. Selective and Group Journaling are not a big deal to figure out by yourself, but it takes some time to understand what we can do with Custom Filtering and Custom Properties.

The diagram below briefly explains each of these features.

[Diagram: the 4 features]

I said that usually we are happy with the default EV configuration, but in some cases we need more granular archiving. Which cases did I mean? Let’s see which cases Symantec proposes. The list is not limited to the cases below; it might be much, much bigger.

So, you would like to configure a specific Custom Filtering (a “custom rule”, for better understanding) which:

Example Rule 1: This rule will exclude any email from archiving if it originates from someone in the Employee Benefits distribution list.

Example Rule 2: This rule will exclude any email from archiving if it is sent to someone in the Employee Benefits distribution list.

Example Rule 3: (Available for Exchange Server archiving only) This rule will move email to the wastebasket if it comes from any of the sources listed and is about any of the subjects listed.

As you can see, a rule might contain one or more attribute filters.

Example Rule 4: Delete mail from known junk-mail sources (and others) if it contains certain common spam subjects.

Example Rule 5: Take default action (ARCHIVE_ITEM) if the subject matches the composite rule: it must start with “MEMO”, contain “INTERNAL” and end in “OurCompany”. For example, “MEMO : Contains information internal to OurCompany” would match, but “MEMO : do not distribute” would not match. The rule also allocates the message to the content category “Memoranda”.

Example Rule 6: Take default action (ARCHIVE_ITEM) on any email from management members included here. Email from management will be categorized under “ManagementMail” and retained as “Important”

Example Rule 7: Take default action (ARCHIVE_ITEM) if an email is addressed to any of the managers AND NO ONE ELSE. The message will be archived in a special archive reserved only for this kind of email, specified by the ARCHIVEID.

Example Rule 8: Do not archive mail that was sent to someone outside OurCompany

Example Rule 9: Archive and give the existing Retention Category, Internal, to any email that was sent only to employees in OurCompany.

Example Rule 10: Use a special retention category for mail addressed to any members of the specified DL.

Example Rule 11: (Available for Exchange Server archiving only) Delete MP3 attachments before archiving

Example Rule 12: (This example is specific to Exchange Server archiving, but filtering on document properties is also available for Domino Server archiving). Match against named MAPI properties defined in Custom Properties.xml

Example Rule 13: This rule will exclude any email from archiving if the third-party attribute “X-S\MIME-Available” has the value “True”.

Etc, etc, etc…

Rule 13 is a special case, because Custom Filtering has to be “aware” of your third-party attribute. This means that EV must index the attribute in order to use it in a comparison function. Your third-party application, or an Exchange server (with transport rules), might add a lot of extra attributes to email properties.

E.g.

[Image: ExchangeTransportRule]

But if Custom Properties isn’t configured, EV will never index these attributes. This means that you can’t, for example, run a query in Discovery Accelerator to fetch only messages with a specific value in your custom attribute. EV knows nothing about custom attributes\properties until Custom Properties is configured.

Custom Filtering is an XML file which contains CONDITIONS and an ACTION. For example, in rule #10 above:

  • CONDITION(s): mail addressed to any members of the specified DL.
  • ACTION: use a special retention category

If you want to use the values of custom attributes in Custom Filtering conditions, then you have to configure Custom Properties as well.
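
The conditions-and-action structure described above, as an added Python sketch that is not from the original post and is not Enterprise Vault's own rule format: it models Rules 5, 7 and 13 from the list. The function and field names, the EXCLUDE label, the sample addresses, first-match-wins ordering and the treatment of an undefined custom attribute as "never matches" are assumptions made for the illustration.

```python
# Added illustration. Simplified model only: the function names, field names and
# the EXCLUDE action label are hypothetical, not Enterprise Vault's XML schema.
MANAGERS = {"ceo@ourcompany.example", "cfo@ourcompany.example"}  # constructed
SMIME_ATTR = "X-S\\MIME-Available"  # third-party attribute named in Rule 13


def make_msg(subject="", to=(), headers=None):
    """Build a constructed sample message."""
    return {"subject": subject, "to": list(to), "headers": dict(headers or {})}


def rule5(msg, _props):
    # All three subject tests must hold; the page's own example shows that
    # matching is case-insensitive ("internal" satisfies "INTERNAL").
    s = msg["subject"].strip().upper()
    return s.startswith("MEMO") and "INTERNAL" in s and s.endswith("OURCOMPANY")


def rule7(msg, _props):
    # Addressed to managers AND NO ONE ELSE: recipients must be a non-empty
    # subset of the manager list.
    rcpts = {r.lower() for r in msg["to"]}
    return bool(rcpts) and rcpts <= MANAGERS


def rule13(msg, props):
    # A custom attribute can be compared only if Custom Properties defines it.
    # Assumption: an undefined attribute simply never matches.
    return SMIME_ATTR in props and msg["headers"].get(SMIME_ATTR) == "True"


# (name, condition, action and extra settings). Assumption: first match wins.
RULES = [
    ("Rule 13", rule13, {"action": "EXCLUDE"}),
    ("Rule 7", rule7, {"action": "ARCHIVE_ITEM", "archive": "<ARCHIVEID>"}),
    ("Rule 5", rule5, {"action": "ARCHIVE_ITEM", "category": "Memoranda"}),
]


def evaluate(msg, custom_properties=frozenset()):
    """Return (rule name, outcome) for the first rule whose condition matches."""
    for name, condition, outcome in RULES:
        if condition(msg, custom_properties):
            return name, outcome
    return None, {"action": "ARCHIVE_ITEM"}  # no rule matched: default action
```

In this model a message carrying the header is still archived until the attribute name is passed in `custom_properties`, which mirrors the dependency of Rule 13 on Custom Properties.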

How to configure it, and which challenges we face here, I propose to discuss next time.