Veritas™ Surveillance User Guide

To create and run an application-level search

1. In the left navigation pane, click Application.
2. In the Searches tab, click New Search.

   The Create New Search dialog box appears. If the sections in this dialog box are in the collapsed state, expand them to view the corresponding fields.

3. In the Search Type section, specify the relevant information in the following fields.

   The New Search dialog box appears. This section identifies the search and specifies when it runs.

   Search In	Displays the departments in which the search will run. In the case of an application-wide search, by default this value is <All Departments>.
   Based on search	Select an existing search as the basis on which you can set the criteria for the new search.
   Search Type	Select the type of search as needed. Select the Immediate option to run the search immediately upon creation. Select the Scheduled option to specify a period during which the search is to run. Specify the schedule run start date and end date. Select the Guaranteed Sample option to run the search at the selected sampling time, which is 1:00 A.M. by default. Select the Enabled check box to enable the search.
   Name	Type a name for the search.
   Include items already in review	Select this check box to specify whether the search results can include the items you previously captured and added to this department's review set. This option does not apply to the items you previously included in the review sets for other departments. For an immediate search or scheduled search, you can select this box to ensure that the results include the items that may already be in review from other searches.
   Search Schedule	Select a required search schedule based on which the search runs at set times or set intervals.
   Schedule run start date	Select a date on which the search needs to run.
   Schedule run end date	Select a date on which the search needs to stop running.

4. In the Sampling section, specify the relevant information in the following fields.

   This section lets you sample the search results and add a random selection of items to the review set.

   Sampling percentage	Specify the percentage of search results to include in the review set. You can specify fractions, as in 10.25. You cannot change the sampling percentage if the owner of the department has locked this setting in the department properties.
   Set minimum items per author	Specify the minimum number of items per author to include in the review set. If there are no items for an author in the search results, none can be included in the sample. Note: As the authors can be from outside the selected department, searches may return more results.
   Set absolute item limit	Specify an upper limit on the total number of search results to add to the review set. This option takes precedence over any values that you set in the Sampling percentage field.

5. In the Date range section, specify the relevant information in the respective fields.

   This section lets you search for items according to when they were sent or received.

   Specific date range	Specify the date and time duration to search items that were sent or received during the selected period.
   Today / Yesterday / Last 7 days / Last 14 days / Last 28 days	The date ranges are relative to when the search runs, which is today in the case of an immediate search. You may find these options useful when creating a scheduled, recurrent search that runs once every day, week, two weeks, or four weeks. For example, if the search runs once a week, select Last 7 days to limit the range to the days since the search last ran.
   Since search last ran	For a scheduled search only, lets you search the new items that have arrived since the last time you ran the search. This option is similar to options such as Today and Yesterday. However, it lets you set an explicit start date for the first run of the search. By default, this option searches from the date of the last run (or the start date for the first search) to the current day minus 1 (that is, up to yesterday).

6. In the Authors and recipients section, specify the relevant information in the following fields.

   This section targets the departments for the search and the direction of the items to search. Any departments that you have organized into partitions can only search items to and from departments in the same partition.

   Message Route	Specify the departments you wish to search as well as the direction of the items you wish to search. Search for the items that are to or from the selected departments, and for the items that have traveled between the selected departments and other departments. You can search for the items that follow the following message route: Between "the specified department" and custom addresses / domains any department within the organization department outside the organization department internal AND/OR External to organization TO "the specified department" from custom addresses / domains any department within the organization department outside the organization department internal AND/OR External to organization FROM "the specified department" to custom addresses / domains any department within the organization department outside the organization department internal AND/OR External to organization
   Any of / All of	To search within department tags, select a department. To search within the To/From fields, only select the employees. You can expand the department tag to select monitored employees. If there are a large number of employees in the department, you can click the search icon in front of the department tag, which opens a new window where you can search and select monitored employees.
   Use inheritance, automatically include new departments	Specify whether to apply the search to the subdepartments of the selected departments. By default, any new departments that are subdepartments of others automatically inherit any active, recurring searches that are applied to those departments. This is also true of any existing departments that you move under departments that have recurring searches.
   Department tree	Specify the departments you want to include in the search. Click the arrows to the left of the department names to expand them and view the nested departments.
   Freeform email addresses / domains	This field is available for all possible message routes. Type one or more email addresses and domains. Type each address or domain on a line of its own to search for the items where the From, To, CC, or BCC fields contains any of the addresses or domains. Type all the addresses and domains on a single line to search for items in which they are all present. Place the minus sign (-) in front of an address or domain to exclude it from the search. To exclude multiple addresses or domains, type them all on a single line. Note: You can use Freeform email addresses / domains to search for email addresses associated with the user accounts but now use the discontinued domain. To search for previously monitored employees, you should use department internal AND/OR External to organization message route, and then use the Freeform email addresses / domains option to provide email addresses or domains.

7. In the Search terms section, specify the relevant information in the following fields.

   This section specifies the words or phrases for which the application should search in the subject lines of items and their bodies. By default, when you search for words in both the subject of an item and its content, the application finds those items that meet one or both criteria. However, it is possible to set up the application so that only those items that meet both criteria are found.

   Subject

   Type the keywords or phrases to be searched in the review items either in their subject lines or in the file names of their attachments. Press Enter to separate keywords and phrases from each other. Alternatively, click Hotwords to select hotword sets and keywords. Note: Use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character. A wildcard search always finds items that match your search criteria and that were archived in Veritas Surveillance. Use a minus sign (-) to indicate you want to exclude from the search results any items that contain the following word or phrase. For example, the search to find the items that contain either of the words Agent and Agency, but do not contain the word Cost. ("(Agent AND NOT Cost) OR (Agency AND NOT Cost)"): Any of: Agent -Cost Agency - Cost A search term cannot comprise an excluded word or phrase only. When you specify such words or phrases, you must also specify a positive word or phrase you want to appear in the search results. A search term cannot start with any of the following characters on any line: = + - @. For example, "Agent -Cost" is a valid search term but "-Cost Agent" is not. Veritas Surveillance ignores any non-alphanumeric characters in the search term, except for those that have special significance, such as the plus sign, minus sign, and question mark. For example, a search for the term US@100 may find instances not only of US@100 but also of US 100 and US$100. Including non-alphanumeric characters in the search term may therefore return more results than you expect.

   Content

   Specify the keywords or phrases to be searched in the content of review items. Alternatively, click Hotwords to select hotword sets and keywords.

8. In the Attachments section, specify the relevant information in the respective fields.

   This section lets you search for items of a certain size and type or that have the specified retention category.

   Number

   Specify the required number of attachments. You can search the items with specific number and type of attachments. The default option, Does not matter, means that the item can have zero or more attachments. All following other options require you to type one or two values that specify the required number of attachments: Equals: requires a specific number of attachments. Between: requires the number of attachments messages must have to a value between those to be specified. Less than: requires a number of attachments below the number specified. Greater than: requires any number of attachments greater than the number specified.

   File extensions

   Specify the file name extensions of particular types of attachments for which to search. Separate the extensions with space characters. For example, type the following to search for items with HTML or Microsoft Excel file attachments:.htm .xls. This search option evaluates attachments by their file names only; it does not check their file type. For example, suppose that a user changes the file name extension of a .zip file to .zap and then sends the renamed file as an email attachment. An Veritas Surveillance search for items that have attachments with a .zip extension does not find the email with the renamed attachment. The contents of some attachments may not be searchable because Enterprise Vault has not indexed them. In particular, file formats such as Fax and Voice do not have any indexable content. Some Enterprise Vault registry entries prevent it from indexing the contents of selected file types.

9. In the Miscellaneous section, specify the relevant information in the respective fields.

   This section lets you search for items of a certain size and type or that have the specified retention category.

   Message size

   Specify the size in kilobytes of each item for which to search, as reported by the message store (Exchange, Domino, and so on). The item size includes the size of any attachments. The following options are available: Does not matter: any number from 0 upward can be attached. Equals: requires a specific number of attachments. Between: requires the number of attachments messages must have to a value between those to be specified. Less than: requires a number of attachments below the number specified. Greater than: requires any number of attachments greater than the number specified.

   Message type

   Displays a list of configured and enabled content sources for the customer. Select the All content sources check box to consider messages from all types of content sources simultaneously. When this option is selected, other options remain disabled. To select specific message type, clear the All content sources check box, and select one or more required options from the content sources available in the list.

10. In the Tags section, specify the relevant information in the respective fields.

    This section lets you search for items according to the tags with which any additional policy management software has classified them.

    Filter

    Select any of the following options to search for the items that match certain classification policies. There are several types of policies: Inclusions only: Select this option to include items that your policy management software has classified for inclusion in the review set that may contain the most serious offenses, such as swearing, racism, or insider trading. Ignore inclusions: Select this option to ignore items that Veritas Information Classifier has classified for inclusion in the review set that may contain the most serious offenses, such as swearing, racism, or insider trading. Exclusions only: Select this option to include spam items and newsletters that your policy management software may classify for exclusion from the review set. Ignore exclusions: Select this option to ignore spam items and newsletters that your policy management software may classify for exclusion from the review set. Categories only: Select this option to include categorized items that exhibit certain characteristics, such as containing Spanish text. This type of policy provides no information on whether an item should be included in or excluded from the review set. Ignore inclusions and exclusions: Select this option to ignore inclusion and exclusion items. Custom: Select this option and type the names of one or more policies. Separate multiple tag names with commas, like this: CustomTag1,CustomTag2 All: Select this option to include all tags. Note: Veritas Information Classifier (VIC) is required to classify items based on their content and metadata. Implementing VIC requires additional charges.

    Name

    Select tag names. Separate multiple tag names with commas, like this: CustomTag1,CustomTag2

11. In the Custom attributes section, enter the appropriate values in the respective fields.

    The Custom attributes section lets you search for the items that have the specified attributes. When Enterprise Vault processes an item, it populates a number of the item's attributes with information and stores this information with the archived item. Some third-party software may also attach additional attribute information to items. If you know the name of an attribute that interests you, you can enter its details here as a custom attribute.

    The options are as follows:

    Include operator	If you enter the details of both the attributes, use the options in the Include operator drop-down list to determine whether the search results should match any of the attributes or all of them.
    Free form attribute	Set the appropriate values in the Attribute, Type, Operator, and Value fields.
    Attribute	Specify the attribute name you want to search for. The attribute name is case-sensitive. Attribute name is a searchable system or the custom index properties such as subj for subject, crct for current retention category, natc for number of attachments, and so on. To search for attribute information that a third-party software has added to the X-Headers of SMTP items, add the prefix EVXHDR to the name of the required attribute. For example: EVXHDR.X-CompanyID
    Type	Select the attribute type. The application supports the following three attribute types: string number date
    Operator	Based on attribute type, the application has the following Operators: For String type - Any, All, Exact and Phrase For number type - Equals and Between For date type - No operator. It only supports range (from and to).
    Value	Specify the terms you want to search. The attribute value is case-sensitive. Note: Do not enclose attribute values in quotation marks if you want to indicate that they are phrases. Instead, select Phrase as the operator for these attributes, if you have a choice. Alternatively, you can indicate that an attribute value is a phrase by replacing all the spaces with periods, as follows: sample.attribute.value This technique lets you specify multiple phrase values for the same custom attribute. For example, consider the following attribute value: Enterprise.Vault.Service.Account system VAS.Administrator This value matches "Enterprise Vault Service Account", "system", and "VAS Administrator".

12. In the Intelligent Review section, choose options for the learning engine in Veritas Surveillance.

    This engine allows Veritas Surveillance to search for items intelligently, based on the actions that reviewers have taken on earlier items. For example, after a reviewer has marked a spam message or out-of-office reply as irrelevant then, when Veritas Surveillance detects other items that have similar characteristics, it can handle them in the same way.

    Note:

    Searches that use the intelligent review feature may take slightly longer to complete than those that do not use this feature.

    Searches, by default, consider metadata and content of items to determine the relevance. However, if search results contain items that are older than 30 days, only metadata is considered to determine the relevance.

    The options for Learning behavior are as follows:

    None	Veritas Surveillance searches for items in the normal way, without implementing Intelligent Review. This is the default option.
    Search and prioritize	Veritas Surveillance searches for both relevant items and irrelevant items without favoring one over the other. So, if your chosen Sampling percentage value requires that you capture and review 10% of items, Veritas Surveillance captures 10% - but a substantial number of the items may be irrelevant. With this option, however, Veritas Surveillance does give the items a status of either Unreviewed (Irrelevant) or Unreviewed (Relevant) as it adds them to the review set. When you later review the items in the Review pane, you can filter them by their Unreviewed status to distinguish between the relevant and irrelevant items.
    Search and then sample ONLY relevant content	Veritas Surveillance searches across all the items and captures the relevant ones only, until it has captured the required percentage. So, if your chosen Sampling percentage value requires that you capture and review 10% of items, Veritas Surveillance captures 10% - all of them considered to be relevant. If there are too few relevant items to fulfil the chosen sampling percentage, Veritas Surveillance does not supplement them with irrelevant items. This is an important difference between this option and the equivalent option, Sample exact percentage of ONLY relevant content, in the Department Properties pane.

13. Click Save.