Data Classification Forensics
The Data Classification Forensics screen can be found by navigating to Forensics > Data Classification. It displays data classification results based on your active policies. Use filters to focus on specific data. You can sort the results by Match Count. The returned records are limited to 10,000 results.
The Data Classification Results table shows results of the data classification process running in Data Access Security, as well as any data classification results imported from an external source, using the Import Data Classification Results feature. This might lead to duplicate entries from the two sources.
Data Classification reports can be found in the report templates by using the Classified Data tag to locate relevant reports.
Using the Data Classification Forensics Table
Change one or more of the default columns by clicking Display Columns and selecting one or more from the dropdown menu. Currently, all columns display, including the following:
Application - Displays all the system applications.
Application Type - Displays all the system application types.
Last Updated - Timestamp of the last classification process in which the file was classified into the specified category.
Result Type - Source of the classification result (Content, Behavioral, or Imported Classification). Select a result type from the Result Type dropdown menu.
The default column headings from left to right, are: Resource Full Path, File Name, Policy Name, Rule Name, Categories, and Match Count. You can clear any selections made in the Policy, Rule, and Category search fields by clicking Clear Selection on the top right of each field.
All - All possible result types.
Behavioral - Only results from behavioral rules.
Composite Classification - Results from composite rules (combining the results of several classifications).
Content - Only results from content rules.
Imported - Results from a Data Loss Prevention (DLP) product that has already scanned the results to control what data end users can transfer, so there is no need to rescan those results.
- Type a number in both the Match Count (greater than) and the Match Count (less than) fields to restrict the number of Regular Expression (Regex, the general standard for textual search) results.
Users can see the resources according to the user scope they have.
A result record represents the classification of a certain file by either file, rule and policy. A single file can be classified into multiple rules/policies, resulting in a separate record in the result for each file-to-rule-to-policy relation.
The result record consists of default columns which can be changed, based on the users’ requirements:
Resource Full Path - The full path of the resource in which the file resides.
File Name - The name of the classified file.
Policy Name - The name of the policy by which the file is classified.
Rule Name - The name of the rule by which the file is classified.
Category - The classification category name used by the rule.
If the rule result is part of a policy with an active global rule, the global category will also be displayed along with the rule category, as long as it matches the global rule threshold.
Match Count - This is the maximum number of matches under any rules requirements contained in the file. This is not an aggregative figure and does not sum up the number of matches in each of the rule requirements for the file. Instead, it represents the highest match count yielded by any of the rule requirements and should be viewed as a sensitivity score attributed to the file, in accordance with the applicable policy rules.
For example, if a policy rule contains two rule requirements – one matching credit card number with ten occurrences of credit card numbers within the same file, and another matching telephone number with eight occurrences of telephone numbers within the same file, the Match Count value of the file for that category (assigned by the rule) would be 10 (rather than 18, or 8), since it represents the maximum number of occurrences matching any of the rule requirements within that policy rule.
When the result displays a regular expression search, this field is clickable and displays the masked matches of the regular expression.
The query retrieves the first 10,000 results. Narrow the search to obtain a better fit.
Viewing Critical Data
Impact Score is integrated into IdentityNow and is calculated by combining the perceived criticality of the data it grants access to with the number of instances of that data type. The Impact Score for an entitlement can be found on the Certifications page within the IdentityNow Entitlement tab. The Impact Score can be High, Medium, or Low.
View more information on Impact Score in the IdentityNow documentation.
Complete the following steps to filter data classification forensics:
- Select the Filters button at the top right of the screen.
- The filter screen displays.
The forensics results can be filtered by the following:
- Policy Name
- Result Type (All, Content, Behavior, Imported)
- Match Count (bigger than/smaller than)
- Filter by Scope
- Select a scope type (Application type, Application, or Resource) from the Scope Type dropdown menu.
- Select a corresponding resource from the Resources dropdown menu. You can clear a selection from this dropdown menu by selecting Clear Selection on the top right of the menu.
- Select Reset at the bottom left of the filtering screen to apply all the selected filters.