Scans Settings

 

• Overview

• Access Scan Settings

• Manage Scan Settings

• Manage Agents Settings

• Manage Remediation Settings

• Manage Updates Settings

• Manage Notifications Settings

• Manage a Custom Notification

  • Create a New Template

• Manage Data Retention Settings

 

Overview

Scans Settings is where you manage your settings for:

• Scan Item Number and Load

• Target Preferences

• Remediation Settings

• Policy and Application Updates

• Notifications and Custom Notifications

• Data Retention

  Note: Changes to Scans Settings take effect the moment data is entered into any field.
  If you wish to retain a copy of the original settings when making updates if you need to revert back to the previous settings.

 

Access Scan Settings

To access the Scan Settings screen, use the following steps:

 

1. From the left menu, click Settings.
   
   
   

2. Click Application Settings.
   
   

3. To view sections in Scans Settings:

   1. Click a down arrow to expand a section.
      
      

   2. Click an up arrow to collapse a section.
      
      

 

Manage Scan Settings

To manage Scan Settings, use the following steps:

1. Click the down arrow to expand the section.
   
   

2. Fill in the following settings - note that only some of these settings apply to greyhound agents (v13.0 and later):

   • Minimum Load When Using Distributed Scanning (MB): When using Discovery Teams to search a target, this is the minimum amount of data, in megabytes, that is assigned to each Discovery team member.

     • Amount of data from all targets is calculated and split into data sets, with no data set being less than the value of the minimum load unless the size of a data set is less than the value in the minimum load - it cannot be grouped with any other data sets, in which case a team member is assigned a data set smaller than the minimum load.

     • This setting is used only when load balancing is enabled.

     • These limits apply only to Sensitive Data Manager (SDM) agents (versions 12.6.1 and earlier), NOT greyhound agents (versions 13.0+)

     • Valid values: 0-999,998

     • Value of 0 disables this setting

     • Default: 2

   • Minimum Number of Items When Using Distributed Scanning: When using the minimum number of items while using distributed searching, this is the minimum amount of items that can be assigned.

     • These limits apply only to Sensitive Data Manager (SDM) agents (versions 12.6.1 and earlier), NOT greyhound agents (versions 13.0+)

     • Valid values: 0-999,999

     • Default: 20,000
       

   • Maximum Load When Using Distributed Scanning (MB): When using Discovery Teams to search a target, this is the maximum amount of data, (in megabytes), that a team member searches.

     • The amount of data from all targets is calculated and split into data sets, with no data set exceeding the value of the maximum load - unless a single folder exceeds the value of the maximum load in which case that folder is not divided and is searched by a single team member.

     • These limits apply only to Sensitive Data Manager (SDM) agents (versions 12.6.1 and earlier), NOT greyhound agents (versions 13.0+)

     • Valid values: 1-999,999

     • Default: 5

   • Maximum Number of Items When Using Distributed Scanning: When using the maximum number of items while using distributed searching, this is the maximum number of items that can be assigned.

     • These limits apply only to Sensitive Data Manager (SDM) agents (versions 12.6.1 and earlier), NOT greyhound agents (versions 13.0+)

     • Valid values: 0-999,999,999

     • Default value: 100,000

   • Results Streaming Chunk Size: The size of the data chunks the agent sends to RabbitMQ as it is scanning, up to the max value set.

     • Default: 300000 (bytes)

     • Applies only to greyhound agents (versions 13.0+)

   • Delayed policy confirm: When this setting is disabled (not checked), which is the default setting, policies are processed, made available to the agent, and then applied by the agent.

     • The agent then reports the policy state to the Console and the agent can then request additional policies.

     • Policy confirmation is a resource intensive process and may lock agents or other service tasks, causing a negative performance impact.

     • If that happens, this setting should be enabled and the confirmation is executed by the Update Policy States service task at a later time instead of when an agent reports it.

     • Enabling this setting lowers the pressure on resources, but it does not prevent agents from checking for new policies.

     • If this setting is enabled, policies are still processed, made available to the endpoint and then applied by the endpoint.

     • However, there is no confirmation that the policy has been applied by the endpoint.

     • The Policies State on the Status tab shows as 'Pending Confirm'.

     • The Update Policy State service job needs to be executed to update this state.

     • When Delayed Policy Confirm is enabled, the Pending Confirm state is set for an agent after the agent confirms it policies.

     • The state clears after the service job has executed.

     • The setting should be enabled if the Console is experiencing problems with deadlocks or timeouts.

   • Apply multiple rows locations actions during import: If an action (shred, redact, quarantine, Restrict Access, ignore), has been applied to a location on the agent, when the action is reported to the Console during import the Console searches for all previously imported search results of this location and applies the same action to those search results.

     • In normal operations Spirion recommends this setting remain enabled (default).

     • If you find imports are taking an excessively long time to complete or there are timeouts occurring in the ServerService log, including ApplyMultiRowLocationActions in the text of the exception details, then you may disable this setting.

     • Disabling this setting accelerates results being imported into the Console database by applying the action only to the currently imported results and not to any previously imported results.

     • Default: Enabled.

     Note: If a distributed scan is not completing when run against a very large data set, set the thresholds to a minimum of 5 MB and a maximum of 10 MB and run the scan again.
     
     Contact your Customer Success Manager if you have any questions.

Manage Agents Settings

To manage Agents settings:

1. Click the down arrow to expand the section.
   
   
   
   
2. Complete the following settings:

• Agent search progress update intervals:

  1. Enter an interval (in seconds) for Agents to send search progress updates to the console.
  2. Minimum value: 60 (seconds)
  3. If a value less than 60 is entered, the value is automatically changed to 60 the moment you click elsewhere on the page or select another page
  4. Enabled by default
  5. Default value: 300 (seconds)

• Automatically update agent names:

  1. When enabled, the Console automatically updates the agent display name and host name when an agent's computer name changes.

  2. Disabled by default

  3. Computer name is communicated to the Console during initial agent registration and when search results are sent to the Console.

  4. When the Console processes the results for an agent, if the name provided with the agent GUID is different than the name stored in the database, the agent name is updated to the new name, (if this setting is enabled).

• Keep Agent Activity State History:

  1. When enabled, the Console records the various agents' states.

  2. The maximum states to keep determines how many states are recorded per agent.

  3. Agent states are statuses, such as when the agent is opened or closed, or when a search was started, paused, canceled or completed interactively.

     1. Agent statuses do not include states related to tasks which are initiated from the Console, or via a scheduled task policy.

• Automatically merge agents based on:

  1. When enabled, the Console automatically merges agents that have any or all of the specified criteria in common
  2. By default, all radio buttons are cleared and automatic agent merging is disabled
  3. Of the following options, select all that are applicable:
     1. Disable - Disables automatic agent merging
     2. Hostname - The hostname is generally the computer name assigned by the OS to an agent
     3. Mac Address - The Console tracks all MAC addresses for agents. As with IP addresses this also includes MAC addresses from all physical and virtual network adapters
     4. IP Address - The Console tracks all IPv4 addresses for agents. This includes all physical and virtual network adapters
     5. All - Includes Hostname, Mac Address, and IP Address

• Inherit permissions on targets from filter/IP tags:

  1. When enabled, if you create a role that has only permissions to a filtered/IP tag, that role also has permissions to the Targets within that filtered/IP tag.

  2. Enabled by default.

  3. When this setting is disabled and you create a role that only has permissions to a filtered/IP tag, the role does not have permissions to the Targets within that filtered/IP tag.

  4. To enable the role to have permissions to the Targets within the filtered/IP tag when the setting is disabled, you must also grant permissions for the role to a simple tag that contains the same endpoint within the filtered/IP tag or grant permission to the endpoint explicitly.

Manage Remediation Settings

• Overview

• Linux Quarantine File Path

• Mac Quarantine File Path

• Windows Quarantine File Path

• Leave Behind Warning Text Content

• Amazon S3 Quarantine File Path

• Box Quarantine File Path

• Dropbox Quarantine File Path

• Microsoft OneDrive Quarantine File Path

• Google Drive Quarantine File Path

• SharePoint Quarantine File Path

• Bitbucket Quarantine File Path

• Microsoft Information Protection

 

Overview

Global quarantine configurations for cloud locations are mostly done with the admin accounts.

Note: Global configurations can be overridden by Playbook quarantine locations.

To manage Remediation settings, use the following steps:

1. Click the down arrow to expand the section.
2. Synchronize Classification Changes With Targets: Select, if applicable.
   
   
3. Classification Overlay Shape: Select an option from the drop-down list.
   
   
4. Use This Algorithm When Creating File Hashes: Select an option from the drop-down list.

 

Linux Quarantine File Path

Enter the Linux location to quarantine the files.

• Local Agent machine, all files: <path>/<Quarantine_Folder>

  • Example: /home/AdminBob/Quarantine

  • This entry quarantines all files to the specified Linux folder on the local Agent machine

• Mounted machine, all files: mnt/Quarantine

  • This entry quarantines all files to the specified quarantine folder on the specified mounted machine

• Remote machine, all files: \\<IP_address>\<drive_letter>$\<Quarantine_Folder>

  • Example: \\10.0.2.163\c$\Quarantine

  • This entry quarantines all files to the specified path on the specified remote Windows machine

Note: The file path syntax for Linux and Mac is different from that of Windows. The '\' character in Windows is represented as '/' in Linux/Mac.

 

Mac Quarantine File Path

Enter the Mac location to quarantine the files.

• Local Agent machine, all files: <path>/<Quarantine_Folder>
  • Example: /Users/Admin/Quarantine
  • This entry quarantines all files to the specified Mac quarantine folder on the local Agent machine
• Remote machine, all files: \\<IP_address>\<drive_letter>$\<Quarantine_Folder>
  • Example: \\10.0.2.163\c$\Quarantine
  • This entry quarantines all files to the specified path on the specified remote Windows machine

 

Windows Quarantine File Path

Enter the local or remote Microsoft Windows location to quarantine the files.

• Local Agent machine, all files: <Drive_Letter>:\<Quarantine_Folder>
  • Example: C:\ScanData\Quarantine
  • This entry quarantines all files to the specified Windows drive (C:) and folder on the local Agent machine
• Remote machine, all files: \\<IP_address>\<drive_letter>$\<Quarantine_Folder>
  • Example: \\10.0.2.163\c$\Quarantine
  • This entry quarantines all files to the specified path on the specified remote Windows machine

Leave Behind Warning Text Content

• Enter a text message that displays on files specifying the reason of quarantine.

Redact Character Replacement

• Enter the character you want to use in place of the text you are redacting.

Redact all but Last 4

• Select, if applicable.
  
  

  Note: Global quarantine configurations for cloud locations are mostly done with the admin accounts.
  Also, global configurations can be overridden by Playbook quarantine locations.

 

Amazon S3 Quarantine File Path

Specify the default folder to use for quarantining files discovered in an Amazon S3 cloud location.

• This setting can be a single location or a list of locations, entered one per line.

• Each item in the list must be specifically formatted to include the <path>, <user> (optional), and/or <admin> (admin account optional)

• <user> is a specified S3 user account to the specified S3 location

• <admin account> (optional) is an administrative account on S3 defined in the cloud storage configuration.

  • If the admin account is not included, the path applies to all administrative accounts defined in the configuration.

• Supported Paths

  • Only cloud storage paths (as they appear in results without a file name)

Examples

Examples of quarantine paths for local and cloud destinations, in valid formats, are listed below:

• Amazon S3, all files: Amazon S3: user/Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified Amazon S3 quarantine folder

• Amazon S3, admin user files only: Amazon S3: user/Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to the specified Amazon S3 quarantine folder
    
    

 

Box Quarantine File Path

Specify the default folder to use for quarantining files discovered in a Box cloud location.

• This setting can be a single location or a list of locations, entered one per line.

• Each item in the list must be specifically formatted to include the <path>, <user> (optional), and/or <admin> (admin account optional)

• <path> is any valid path

• <user> is a specified Box user account to the specified Box location

• <admin account> (optional) is an administrative account on Box Sync defined in the cloud storage configuration.

  • If the admin account is not included, the path applies to all administrative accounts defined in the configuration.

• Supported Paths

  • Only cloud storage paths (as they appear in results without a file name)

  • Standard file system paths

Examples

Examples of quarantine paths for local and cloud destinations, in valid formats, are listed below:

• Local Agent machine, all files: E:\Quarantine_Folder

  • This entry quarantines all files on this cloud provider to this local folder (E:\Quarantine_Folder) on the local agent

• Local Agent machine, admin user files only: E:\Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to this folder (E:\Quarantine_Folder) on the local agent

• Box, all files: Box Sync: user@domain.com/Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified Box Sync folder

• Box, admin user files only: Box Sync Admin: user@domain.com/Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to the specified Box Sync folder
    
    

 

Dropbox Quarantine File Path

Specify the default folder to use for quarantining files discovered in a Dropbox cloud location.

• This setting can be a single location or a list of locations, entered one per line.

• Each item in the list must be specifically formatted to include the <path>, <user> (optional), and/or <admin> (admin account optional)

• <path> is any valid path

• <user> is a specified Dropbox user account to the specified Dropbox location

• <admin account> (optional) is an administrative account on Dropbox Sync defined in the cloud storage configuration.

  • If admin account is not included, the path applies to all administrative accounts defined in the configuration.

• Supported Paths

  • Only cloud storage paths (as they appear in results without a file name)

  • Standard file system paths

Examples

Examples of quarantine paths for local and cloud destinations, in valid formats, are listed below:

• Local Agent machine, all files: E:\Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• Local Agent machine, admin user files only: E:\Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• Dropbox, all files: Dropbox Sync: user@domain.com/Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified Dropbox Sync folder

• Dropbox, admin user files only: Dropbox Sync: user@domain.com/Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to the specified Dropbox Sync folder
    
    

 

Microsoft OneDrive Quarantine File Path

Specify the default folder to use to quarantine files discovered in a Microsoft OneDrive cloud location.

• This setting can be a single location or a list of locations, entered one per line.

• Each item in the list must be specifically formatted to include the <path>, <user> (optional), and/or <admin> (admin account optional)

  • <path> is any valid path to the files to be quarantined

  • <user> is a specified OneDrive user account to the specified OneDrive location

  • <admin account> is an administrative account on OneDrive defined in the cloud storage configuration.

    • If the admin account is missing, the path applies to all administrative accounts defined in the configuration.

• Supported Paths

  • Cloud storage paths (as they appear in results without a file name)

  • Standard file system path

Examples

Examples of quarantine paths for local and cloud destinations, in valid formats, are listed below:

• Local Agent machine, all files: E:\Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• Local Agent machine, admin user files only: E:\Quarantine_Folder,admin@domain.com

  • This entry quarantines only those files in the specified admin account on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• OneDrive, all files: OneDrive For Business: user@domain.com/Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified Microsoft OneDrive for Business quarantine folder

• OneDrive, admin user files only: OneDrive For Business: user@domain.com/Quarantine_Folder,admin@domain.com

  • This entry quarantines only files in the specified admin account on this cloud provider to the specified Microsoft OneDrive for Business quarantine folder
    
    

  Note: To quarantine files to Microsoft OneDrive, the entire location file path must be written in lowercase.

 

Google Drive Quarantine File Path

Specify the default folder to use to quarantine files discovered in a Google Drive cloud location.

• This setting can be a single location or a list of locations, entered one per line.

• Each item in the list must be specifically formatted to include the <path>, <user> (optional), and/or <admin> (admin account optional)

• <path> is any valid path

• <user> is a specified Google user account to the specified Google location

• <admin account> is an administrative account on Google Drive defined in the cloud storage configuration.

  • If the admin account is missing, the path applies to all administrative accounts defined in the configuration.

• Supported Paths

  • Cloud storage paths (as they appear in results without a file name)

  • Standard file system path

Examples

Examples of quarantine paths for local and cloud destinations, in valid formats, are listed below:

• Local Agent machine, all files: E:\Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• Local Agent machine, admin user files: E:\Quarantine_Folder,admin@domain.com

  • This entry quarantines only those files in the specified admin account on this cloud provider to the specified drive and folder (E:\Quarantine_Folder) on the local agent

• Google Drive, all files: Google Drive: user@domain.com/Quarantine_Folder

  • This entry quarantines all files on this cloud provider to the specified Google Drive quarantine folder

• Google Drive, admin user files only: Google Drive: user@domain.com/Quarantine_Folder,admin@domain.com

  • This entry quarantines only those files in the specified admin account on this cloud provider to the specified Google Drive quarantine folder
    
    

 

SharePoint Quarantine File Path

Enter the SharePoint location to quarantine the files.

Note: Quarantining SharePoint files to a remote file server is not supported at present.

• Local Agent machine: <Drive_Letter>:\Quarantine_Folder
  • Example: C:\SharePointQuarantine
  • This entry quarantines all files to the specified drive (C:) and quarantine folder on the local Agent machine
• SharePoint site: https://<SharePoint_site>/QuarantineSite
  • Example: https://acmedev.sharepoint.com/sites/QuarantineSite
  • This entry quarantines all files to the specified SharePoint site quarantine folder on the specified remote SharePoint quarantine site
    
    

 

Bitbucket Quarantine File Path

Bitbucket is not currently supported.

 

Microsoft Information Protection

Procedure:

1. Next to Manage Protection (Authenticated), click Manage.

2. The Manage Protection window opens.
   
   
   

In the Manage Protection window, enter these settings:

• Admin User Account Name: Enter your admin user account name and click Authenticate.

• Authentication Code: Enter your authentication code provided from the authentication above in the box.

• Client ID: (Optional) Enter your unique client ID to be used for authentication.

• Client Secret: (Optional) Enter your unique client secret to be used for authentication.

• Tenant ID: (Optional) Enter your tenant ID to be used by the authenticating server.

3. Click Save to save or Cancel to discard.

   Note: If you enter value in any of the optional fields, it is mandatory to add values in the other optional fields as well.

In the Manage Label (Authenticated) section, do the following:

4. Click Manage.
   
   

In the Manage Label pop-up window, fill in the following:

• Admin User Account Name: Enter your admin user account name (user@domain.com) and click Authenticate.

• Authentication Code: Enter your authentication code provided from the authentication above in the box.

• Client ID: Enter your unique client ID to be used for authentication.

• Client Secret: Enter your unique client secret to be used for authentication.

• Tenant ID: Enter your tenant ID to be used by the authenticating server.
  
  

5. Click Save to save or Cancel to discard.
   
   

Manage Updates Settings

Use the following steps to manage your Updates settings:

1. Click the down arrow to expand the section.

2. Check This URL for Policy Definitions Updates: Enter the URL that hosts your Policy Definitions.

3. Automatically Check for Updates When Resources Page is Loaded for the First Time: Select, if applicable.
   

4. Check This URL for Application Updates: Enter the URL that hosts your Application Updates.
   
   

Manage Notifications Settings

To manage Notifications Settings:

1. On the left of the Notifications row, click the down arrow to expand the section.
   
   
2. In the Purge Notifications section, select an option from the "Purge Dismissed Notification After" drop-down list.
   
   
   
   
3. In the Custom Notification section, you can manage existing custom notifications or create new ones.

Manage a Custom Notification

To manage custom notifications, use the following steps:

1. Locate a template in the list.
2. Use the toggle to change the deployed status.
   
   
3. To manage a template, click the more options menu.
   
   
4. Click Manage.
   
   
5. In the Manage Custom Notification pop-up window, make needed changes.
   
   
6. Click Update to save updates, Cancel to discard updates, or Delete to delete the template.

   Note: If you click the Delete button, it immediately deletes the template. There is no undo feature.

Create a New Template

Procedure:

1. In the Custom Notifications section, click New Template.
   
   
2. In the Create Custom Notification pop-up window, fill in the following:
   1. Name: Enter the template name.
   2. Subject: Enter a description of the template subject.
   3. Active: Use the toggle to change the Active status.
      
      
3. Body: Use the text editor to compose the body of the template.
   1. Use the toolbar to format the text and paragraphs, and to insert code and variables as needed.
      
      
4. Click Save to save the template or Cancel to discard.

Manage Data Retention Settings

To manage your Data Retention settings, fill in the following fields:

• Audit Data Retention:
  • Set the number of years to retain data.
  • A minimum of 5 years is required.
• Event History - Watcher:
  • Set the number months to retain Watcher Event history, if applicable.
• Gather data:
  • Set the number of days to gather data.
  • This number must be between 1 and 30 days.
• Scan results:
  • Set the number of months of scan results to retain.
  • This number must be between 1 and 12 months.
• Activity History:
  • Set the number of months of Incident history to retain.
  • A minimum of 12 months is required.
• Search History
  • Set the number of months of scanned location history to retain when using Differential Scanning.
    • Also see What is Differential Scanning?
  • After this set number of months, search history data is purged (deleted).
  • This number must be between 1 and 12 months.