Arctera™ Insight Surveillance User Guide
- Introducing Arctera Insight Surveillance
- Getting started
- Working with dashboard widgets
- Managing employee groups
- Managing departments
- Managing department users
- Managing department-level searches
- Managing department-specific hotword sets
- Managing department-specific labels
- Managing department-specific trash rules
- Managing department-specific allowlist rules
- Managing department-specific review comments
- Viewing employees associated with departments
- Managing users, roles, and permissions
- Managing application-level searches
- Managing application-specific hotword sets
- Managing application-specific labels
- Managing application-specific trash rules
- Managing application-specific allowlist rules
- Managing application-specific review comments
- Managing data requests
- Managing search schedules
- Managing export operations
- Managing reviews
- Working with reports
- Enhanced reporting
- Departments API
- Users API
- UserRoles API
- Roles API
- Classification Tags API
- Labels API
- Searches API
- ItemMetrics API
- ReviewerMapping API
- MonitoredEmployees API
- Evidence of Review API
- Item Classification Metrics API
- Item Label Metrics API
- Item Archived Metrics API
- Managing Power BI templates for reporting APIs
- Managing Audit Settings
- Working with Audit viewer
Creating and running department-level searches
To run a one-time search, create an immediate search. To run a recurring search or one that runs on a specific time, create a search schedule and then create a scheduled search.
You must have the Manage GSS and Scheduled searches and Search Capture permissions to create or edit searches. By default, users that have the Rule Admin, the User Admin, and the Exception Reviewer roles have this permission.
To create and run a department-level search
- In the left navigation pane, click Departments.
- Search for and select the department for which you want to create and run a search.
Insight Surveillance lists all departments. You can use the filtering options to search the required department. Options include filtering by department name, exception employees, and reviewers associated with the department.
- In the Searches tab, click New Search.
The New Search dialog box appears.
- In the Search Type section, specify the relevant information in the following fields.
This section identifies the search and specifies when it runs.
Search In
Displays the name of the department.
Search Type
Choose Immediate to create one-time search that runs immediately.
Choose Scheduled to specify a period during which the search is to run.
Choose Guaranteed Sample to run a search at the selected sampling time by default. If the search returns fewer results than your monitoring policy requires, Insight Surveillance adds randomly-sampled items to the review set to make up the shortfall. This feature allows you to assemble more focused review sets that are weighted towards search-specific results instead of purely randomly-sampled items.
Select the check box to enable scheduled searches and guaranteed sample searches. When a search is not enabled, it does not run.
Type a name for the search.
Automatically accept search results
Select this check box to specify whether to add the search results to the review set automatically. This option is useful for verified searches that you intend to run on a regular basis.
This option is enabled only if the Accept searches permission is assigned to the user who is creating the search.
If you select this check box, you cannot reject the results and change the search criteria.
Insight Surveillance recommends that you clear Automatically accept search results until you have tested that the search returns the expected results. A search that returns an error from any archive is not automatically accepted, regardless of this setting.
Include items already in review
Select this check box to specify whether the search results can include the items you previously captured and added to this department's review set. This option does not apply to the items you previously included in the review sets for other departments.
For an immediate search or scheduled search, you can select this box to ensure that the results include the items that may already be in review from other searches.
- In the Sampling section, specify the relevant information in the following fields.
This section lets you sample the search results and add a random selection of items to the review set. Insight Surveillance does not deduplicate randomly-sampled items.
Sampling percentage
Specify the percentage of search results to include in the review set. You can specify fractions, as in 10.25.
You cannot change the sampling percentage if the owner of the department has locked this setting in the department properties.
Set minimum items per author
Specify the minimum number of items per author to include in the review set. If there are no items for an author in the search results, none can be included in the sample.
As the authors can be from outside the selected department, searches may return more results.
Set absolute item limit
Specify an upper limit on the total number of search results to add to the review set. This option takes precedence over any values that you set in the Sampling percentage field.
- In the Date range section, specify the relevant information in the following fields.
This section lets you search for items according to when they were sent or received.
Specific date range
Specify the date and time duration to search items that were sent or received during the selected period.
Today / Yesterday / Last 7 days / Last 14 days / Last 28 days
The date ranges are relative to when the search runs, which is today in the case of an immediate search.
You may find these options useful when creating a scheduled, recurrent search that runs once every day, week, two weeks, or four weeks. For example, if the search runs once a week, select Last 7 days to limit the range to the days since the search last ran.
Since search last ran
For a scheduled search only, lets you search the new items that have arrived since the last time you ran the search. This option is similar to options such as Today and Yesterday. However, it lets you set an explicit start date for the first run of the search. By default, this option searches from the date of the last run (or the start date for the first search) to the current day minus 1 (that is, up to yesterday).
- In the Authors and recipients section, specify the relevant information in the following fields.
This section targets the departments for the search and the direction of the items to search. Any departments that you have organized into partitions can only search items to and from departments in the same partition.
Message Route
Specify the departments you wish to search as well as the direction of the items you wish to search. Search for the items that are to or from the selected departments, and for the items that have traveled between the selected departments and other departments.
You can search for the items that follow the following message route:
Between "the specified department" and
other searchable departments
any department within the organization
department outside the organization
department internal AND/OR External to organization
TO "the specified department" from
other searchable departments
any department within the organization
department outside the organization
department internal AND/OR External to organization
FROM "the specified department" to
other searchable departments
any department within the organization
department outside the organization
department internal AND/OR External to organization
Any of / All of
To search within department tags, select a department. To search within the To/From fields, only select the employees.
You can expand the department tag to select monitored employees. If there are a large number of employees in the department, you can click the search icon in front of the department tag, which opens a new window where you can search and select monitored employees.
This field does not show the Employee Group names assigned to the departments. Instead, it displays the list of all the members from the employee groups individually.
Freeform email addresses / domains
This field is available for all possible message routes. Type one or more email addresses and domains.
Type each address or domain on a line of its own to search for the items where the From, To, CC, or BCC fields contains any of the addresses or domains. Type all the addresses and domains on a single line to search for items in which they are all present.
Place the minus sign (-) in front of an address or domain to exclude it from the search. To exclude multiple addresses or domains, type them all on a single line.
You must exclude wildcard characters when entering email addresses or domains. Specify inputs without wildcard characters, such as,,, etc.
You can use Freeform email addresses / domains to search for email addresses associated with the user accounts but now use the discontinued domain.
To search for previously monitored employees, you should use department internal AND/OR External to organization message route, and then use the Freeform email addresses / domains option to provide email addresses or domains.
Department tree
Specify the departments and employees you want to include in the search. Click the arrows to the left of the department names to expand them and view the nested departments and exception employees.
When you select a department, you do not automatically include any exception employees in the department. To search exception employees, you must select each one explicitly.
- In the Search terms section, specify the relevant information in the following fields.
This section specifies the words or phrases for which Insight Surveillance should search in the subject lines of items and their bodies. By default, when you search for words in both the subject of an item and its content, Insight Surveillance finds those items that meet one or both criteria. However, it is possible to set up Insight Surveillance so that only those items that meet both criteria are found.
Type the keywords or phrases to be searched in the review items either in their subject lines or in the file names of their attachments. Press Enter to separate keywords and phrases from each other.
Alternatively, click Hotwords to select hotword sets and keywords.
If the department has a parent department, you can select hotwords/hotword sets from the current department and its parent department and global hotwords/hotword sets. Hotwords/hotword sets from any of the closed parent departments will not be available for selection. The application searches hotwords/hotword sets from both departments and its parent department and global hotwords/hotword sets.
Use an asterisk (*) wildcard to represent zero or more characters in your search. However, an asterisk between the characters of a word is not supported.
For example, the search terms such as mismanag*, paint* the tape, can * switch to, and ring * * blink, are supported and the search terms such as Ga*s or In*a are not supported.
Use a question mark (?) wildcard to represent any single character. A wildcard search always finds items that match your search criteria and that were archived in Insight Surveillance.
For example, the search terms such as saniti?ed, "massive favo?r", and Indi? are supported.
Use a minus sign (-) to indicate you want to exclude from the search results any items that contain the following word or phrase.
For example, the search to find the items that contain either of the words Agent and Agency, but do not contain the word Cost. ("(Agent AND NOT Cost) OR (Agency AND NOT Cost)"):
Any of: Agent -Cost
Agency - Cost
A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase you want to appear in the search results.
A search term cannot start with any of the following characters on any line: = + - @. For example, "Agent -Cost" is a valid search term but "-Cost Agent" is not.
Insight Surveillance does not allow any non-alphanumeric characters in the search term, except asterisk (*), question mark (?), and minus sign (-) as these characters have a special significance.
Specify the keywords or phrases to be searched in the content of review items.
Alternatively, click Hotwords to select hotword sets and keywords.
Use an asterisk (*) wildcard to represent zero or more characters in your search. However, an asterisk between the characters of a word is not supported.
For example, the search terms such as mismanag*, paint* the tape, can * switch to, and ring * * blink, are supported and the search terms such as Ga*s or In*a are not supported.
Use a question mark (?) wildcard to represent any single character. A wildcard search always finds items that match your search criteria and that were archived in Insight Surveillance.
For example, the search terms such as saniti?ed, "massive favo?r", and Indi? are supported.
Use a minus sign (-) to indicate you want to exclude from the search results any items that contain the following word or phrase.
For example, the search to find the items that contain either of the words Agent and Agency, but do not contain the word Cost. ("(Agent AND NOT Cost) OR (Agency AND NOT Cost)"):
Any of: Agent -Cost
Agency - Cost
A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase you want to appear in the search results.
A search term cannot start with any of the following characters on any line: = + - @. For example, "Agent -Cost" is a valid search term but "-Cost Agent" is not.
Insight Surveillance does not allow any non-alphanumeric characters in the search term, except asterisk (*), question mark (?), and minus sign (-) as these characters have a special significance.
- In the Attachments section, specify the relevant information in the following fields.
This section lets you search for items of a certain size and type or that have the specified retention category.
Specify the required number of attachments.
You can search the items with specific number and type of attachments. The default option, Does not matter, means that the item can have zero or more attachments.
All following other options require you to type one or two values that specify the required number of attachments:
Equals: requires a specific number of attachments.
Between: requires the number of attachments messages must have to a value between those to be specified.
Less than: requires a number of attachments below the number specified.
Greater than: requires any number of attachments greater than the number specified.
File extensions
Specify the file name extensions of particular types of attachments for which to search. Separate the extensions with space characters.
For example, type the following to search for items with HTML or Microsoft Excel file attachments:.htm .xls.
- In the Miscellaneous section, specify the relevant information in the following fields.
This section lets you search for items of a certain size and type or that have the specified retention category.
Message size
Specify the size in kilobytes of each item of configured and enabled content sources. The item size includes the size of attachments as well.
The following options are available:
Does not matter: any number from 0 upward can be attached.
Equals: requires a specific number of attachments.
Between: requires the number of attachments messages must have to a value between those to be specified.
Less than: requires a number of attachments below the number specified.
Greater than: requires any number of attachments greater than the number specified.
Message type
Displays a list of configured and enabled content sources for the customer.
See Sampling support for content sources.
Select the All content sources check box to consider messages from all types of content sources simultaneously. When this option is selected, other options remain disabled.
To select specific message type, clear the All content sources check box, and select one or more required options from the content sources available in the list.
Trash option
Select the appropriate option to search for items in trash:
Ignore trash - does not search for items in the trash.
Include trash - searches for items in other specified options along with the items in trash.
Trash only - only searches for items in trash.
- In the Tags section, specify the relevant information in the following fields.
This section lets you search for items according to the tags with which any additional policy management software has classified them.
Select any of the following options to search for the items that match certain classification policies. There are several types of policies:
Inclusions only: Select this option to include items that your policy management software has classified for inclusion in the review set that may contain the most serious offenses, such as swearing, racism, or insider trading.
Ignore inclusions: Select this option to ignore items that Arctera Insight Classification has classified for inclusion in the review set that may contain the most serious offenses, such as swearing, racism, or insider trading.
Exclusions only: Select this option to include spam items and newsletters that your policy management software may classify for exclusion from the review set.
Ignore exclusions: Select this option to ignore spam items and newsletters that your policy management software may classify for exclusion from the review set.
Categories only: Select this option to include categorized items that exhibit certain characteristics, such as containing Spanish text. This type of policy provides no information on whether an item should be included in or excluded from the review set.
Ignore inclusions and exclusions: Select this option to ignore inclusion and exclusion items.
Custom: Select this option and type the names of one or more policies. Separate multiple tag names with commas, like this:
All: Select this option to include all tags.
Arctera Insight Classification is required to classify items based on their content and metadata. Implementing Arctera Insight Classification requires additional charges.
Select tag names. Separate multiple tag names with commas, like this:
Filter by current department
Select this check box to skip the unused policies in the current department.
- In the Intelligent Review section, choose options for the learning engine in Insight Surveillance. This engine allows Insight Surveillance to search for items intelligently, based on the actions that reviewers have taken on earlier items.
For example, after a reviewer has marked a spam message or out-of-office reply as irrelevant then, when Insight Surveillance detects other items that have similar characteristics, it can handle them in the same way.
Searches that use the intelligent review feature may take slightly longer to complete than those that do not use this feature.
Searches, by default, consider metadata and content of items to determine the relevance. However, if search results contain items that are older than 30 days, only metadata is considered to determine the relevance.
The options for Learning behavior are as follows:
Insight Surveillance searches for items in the normal way, without implementing Intelligent Review. This is the default option.
Search and prioritize
Insight Surveillance searches for both relevant items and irrelevant items without favoring one over the other. So, if your chosen Sampling percentage value requires that you capture and review 10% of items, Insight Surveillance captures 10% - but a substantial number of the items may be irrelevant.
With this option, however, Insight Surveillance does give the items a status of either Unreviewed (Irrelevant) or Unreviewed (Relevant) as it adds them to the review set. When you later review the items in the Review pane, you can filter them by their Unreviewed status to distinguish between the relevant and irrelevant items.
Search and then sample ONLY relevant content
Insight Surveillance searches across all the items and captures the relevant ones only, until it has captured the required percentage. So, if your chosen Sampling percentage value requires that you capture and review 10% of items, Insight Surveillance captures 10% - all of them considered to be relevant.
If there are too few relevant items to fulfil the chosen sampling percentage, Insight Surveillance does not supplement them with irrelevant items. This is an important difference between this option and the equivalent option, Sample exact percentage of ONLY relevant content, in the Department Properties pane.
- Click Save.