Results Group
The Results Group provides the ability to view additional information about a selected result, prevent selected rows from displaying or being stored in the database, and save results to a file or attach them to an email.
Details Button
The Details button allows you to view additional detail about each result including where it was found, the history of each time that match was found, any actions performed on the location, workflow information, and a preview of the result in context.
To view the details, left-click a result and click the Details ribbon button, right-click a result and select Details, or double-click a result.
The Result Details dialog contains the following information:
Summary Information
The Summary Information section of the Result Details dialog provides a quick overview of the selected result with key information showing the endpoint on which the result was found, the type of file in which it was found, and the location of that file on the endpoint. It also provides you with the data type and whether or not an action was taken to protect that information. If action was taken, it displays the action. If no action was taken, it reads "None." If an Agent was configured not to send certain information to the Console, "Not Sent" may display in place of that data.
Workflow
The Workflow section of the Result Details dialog provides information about the classification, status, matching rules, and assignments.
Classification: This section shows the classification applied to the result. If the result matched multiple rules and each of those rules has a different classification, only the highest classification displays. If a classification has not been assigned, it reads "No classification assigned." You may change, remove, or assign a classification by clicking the arrow to open the drop-down list and then left-click the classification of your choice. If you change the classification, the Classification column in the Results View updates with your new selection.
Status: This shows the status of the result.
- Unassigned: The result has not been assigned to any users.
- Assigned: The result has been assigned. The assignees are listed below in the Assignments area.
- In Progress: This status is manually set by the user to show that they are in the process of remediating the result.
- Pending Ignore: The selected result is scheduled to be ignored, but the action has not yet been performed by the endpoint.
- Pending Shred: The selected result is scheduled to be shredded, but the action has not yet been performed by the endpoint.
- Pending Quarantine: The selected result is scheduled to be quarantined, but the action has not yet been performed by the endpoint.
- Resolved: The selected result has an action of Ignore, Encrypt, Shred, Quarantine or Redact performed on it.
Rules: This section shows any workflow rules that matched the selected result. If multiple rules matched the result, they are all listed here. If the result did not match any rules, then it reads, "No matching rules."
Assignments: This section shows the user, role and/or endpoint owner to whom the selected result has been assigned. If the selected result has been assigned to multiple users, each user is listed here. If the result is not assigned to anyone, then it reads, "No assignments."
To remove an assignment, click the red x to the left of the assignee name.
To manually add an assignee, close the Result Details dialog and click the Assign button located in the Actions group of the ribbon. If a user synced from AD has been disabled, it displays here in a gray italic font.
- Assignment Type: This value can be User, Role or Endpoint owner.
- Assignee: The name of the assignee.
Properties
The Properties section of the Result Details dialog provides additional information about a location that is not displayed in the Results Grid. Not all of the information is available for all location types; an N/A or a blank displays if the information was not available at the time of the search. All of the property information is provided by the endpoint when the results are sent to the Console.
Some or all of the following properties will be displayed depending on the location type:
- Size (bytes): The file size in bytes.
- Create Date: The date and time the file was created.
- Modify Date: The date and time the file was last modified.
- Access Date: The date and time the file was last accessed.
- File Attributes: The attributes of the file. This item only applies to data from Windows clients. The file attributes are listed below and described in more detail at: http://msdn.microsoft.com/en-us/library/ee332330(v=VS.85).aspx
- R: FILE_ATTRIBUTE_READONLY
- H: FILE_ATTRIBUTE_HIDDEN
- S: FILE_ATTRIBUTE_SYSTEM
- A: FILE_ATTRIBUTE_ARCHIVE
- C: FILE_ATTRIBUTE_COMPRESSED
- E: FILE_ATTRIBUTE_ENCRYPTED
- File Owner: For data from Windows clients, the NTFS owner of the file. For data from Mac clients, the file system owner of the file.
- Search Time: The timestamp, local to the client, of the start of the search during which the result was found. By default, this will be the timestamp for the first time the identity match was found. The "Display the timestamp of the first time the identity match was found" checkbox in Personal Settings can be cleared to display the timestamp for the most recent search where the match was found.
- Search User: The user account context under which the search was executed. For User scheduled tasks, this will be the user name with which the user logged onto the system. For System scheduled tasks this will be SYSTEM for Windows and root for Mac OS and Linux.
- Source Endpoint: The display name of the endpoint which ran the search. When this value extends beyond the perimeter of the Properties box, hovering over the source endpoint with the mouse will reveal a tooltip that displays the entire source endpoint.
- Task Name: The name as entered in the Add New Task dialog in the Scheduled Tasks section of a policy, or "Search Now" for a task executed via the Search button on the ribbon or "User Initiated" for a search that was executed interactively on the client.
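As an added illustration (this is not code from the product or its documentation), the following Python decodes a Windows file-attribute bitmask into the R/H/S/A/C/E letter codes listed above, and maps a letter string back to the bitmask. The numeric values are the documented FILE_ATTRIBUTE_* constants from the Windows API; the function names `attribute_letters`, `attributes_from_letters` and `letters_for_path` are my own.

```python
# Added example, not product code: decode a Windows file-attribute bitmask into
# the R/H/S/A/C/E letter codes shown in the Properties section, and the reverse.
import os
import sys

# Numeric values of the FILE_ATTRIBUTE_* constants from the Windows API (winnt.h).
FILE_ATTRIBUTE_READONLY = 0x0001
FILE_ATTRIBUTE_HIDDEN = 0x0002
FILE_ATTRIBUTE_SYSTEM = 0x0004
FILE_ATTRIBUTE_ARCHIVE = 0x0020
FILE_ATTRIBUTE_COMPRESSED = 0x0800
FILE_ATTRIBUTE_ENCRYPTED = 0x4000

# Letter codes as listed on this page, in the order they are listed.
ATTRIBUTE_LETTERS = (
    ("R", FILE_ATTRIBUTE_READONLY),
    ("H", FILE_ATTRIBUTE_HIDDEN),
    ("S", FILE_ATTRIBUTE_SYSTEM),
    ("A", FILE_ATTRIBUTE_ARCHIVE),
    ("C", FILE_ATTRIBUTE_COMPRESSED),
    ("E", FILE_ATTRIBUTE_ENCRYPTED),
)


def attribute_letters(attrs: int) -> str:
    """Return the letters for every listed attribute bit set in `attrs`.

    Bits the page does not list (for example FILE_ATTRIBUTE_DIRECTORY) are ignored."""
    return "".join(letter for letter, bit in ATTRIBUTE_LETTERS if attrs & bit)


def attributes_from_letters(letters: str) -> int:
    """Reverse mapping: build the bitmask from a letter string such as 'HS'.

    Unknown letters raise ValueError so a typo in a report is not silently dropped."""
    table = {letter: bit for letter, bit in ATTRIBUTE_LETTERS}
    attrs = 0
    for ch in letters.upper():
        if ch not in table:
            raise ValueError(f"unknown attribute letter {ch!r}")
        attrs |= table[ch]
    return attrs


def letters_for_path(path: str) -> str:
    """On Windows, read the attributes of a real file with os.stat() and render
    them in the same letter form, so a local check can be compared with what
    the Console shows. st_file_attributes exists only on Windows."""
    if sys.platform != "win32":
        raise OSError("file attributes are only available on Windows")
    return attribute_letters(os.stat(path).st_file_attributes)


if __name__ == "__main__":
    # Constructed sample: a hidden, system, archive file that is also EFS-encrypted.
    sample = (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
              | FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_ENCRYPTED)
    print(attribute_letters(sample))  # HSAE
```

Hidden and system files are not shown to users by default, so an "HS" result is one the file's owner may not know exists; comparing `letters_for_path` on the endpoint with the Console's value is a quick way to confirm that the attributes were reported correctly.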
Access Control List
The Access Control List section of the Result Details dialog displays the permissions attached to a file and the users and system processes to which those permissions have been granted. This information is not sent by the endpoint unless enabled via policy in the following setting: Settings\Locations\Files\RetrieveFileACLDuringSearch.
Trustee: The individual user or group to which the access rights apply.
ACE Type: The ACE (Access Control Entry) Type. When this is "Allow", the authorizations specify rights that the trustee has. When this is "Deny", the authorizations specify rights that the trustee does not have.
Authorization: The specific rights granted to the trustee such as the ability to read, write or delete the file.
ACE Flags: (Windows Only) The inheritance type of the access control entry noting whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.
Each of the columns is resizable by clicking and dragging on the column separator in the column header.
Note: Access Control List information is available for Windows and Linux clients only.
Match and Action History
The Match and Action History section of the Result Details dialog displays information about when the result was found and what actions, if any, have been performed on that result.
- Date/Time: The date and time of the start of the search during which the result was found. All of the results from a particular search have the same time stamp. This time is the local time on the client that initiated the search.
- Action: An icon representing the action that was performed on the result. This action may have been initiated on the client or via the Console. If no action was taken, a gray circle with a line through it displays. The available actions are Shred, Encrypt, Redact, Quarantine, Restrict Access, Recycle, Ignore, and No Longer Exists. Hovering over the icon with the mouse will reveal a tooltip that describes the icon. For detailed information, please refer to the Actions page.
- Action Time: The date and time, if any, that an action was performed on the result. If no action has been taken, this column is blank. This time is the local time on the client that performed the action.
- If the action was performed on the endpoint in the first session where it was found, there is no entry in the Match and Action History. The action time displays in the summary section at the top of the window.
- If the action was performed on the endpoint on saved results that were opened in the client after the search was complete and the client was closed and re-opened, there is an entry in the Match and Action History where the Date/Time indicates when the saved results were opened and the Action Time indicates when the action was performed.
- If a result was found multiple times and an action was performed on the endpoint in the session during which it was most recently found, there will be an entry in the Match and Action History for each time the result was found, and the most recent entry includes the Action Time indicating when the action was performed.
- If the action was performed from the Console, there is an entry in the Match and Action History where the Date/Time and the Action Time are the same. This is the time when the endpoint service performed the action on the endpoint.
- Result: The Result column may contain multiple icons:
- The first icon represents the result of an action that was scheduled via the Console or performed directly on the client. Hovering over the icon with the mouse reveals a tooltip that displays the result of the action or, if additional detail such as an Ignore reason was provided when performing the action, that detail displays. If the action has a red background, indicating failure, hovering over the icon with the mouse reveals a tooltip that describes the failure.
- The second icon, if present, indicates any critical messages produced during the related search. Hovering over the icon with the mouse reveals a tooltip titled Endpoint Messages that displays the critical messages for that search. The messages can be any of the following:
- User stopped search: The user stopped the search prior to its completion.
- Outlook timed out: Outlook timed out while waiting for an Outlook operation to complete while the search was in progress.
- Outlook closed: Outlook was closed normally while the search was in progress.
- Outlook closed unexpectedly: Outlook was closed unexpectedly while the search was in progress.
The Date/Time, Action Time and Action columns can be sorted by clicking on the column header to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can sort multiple columns at the same time by holding down the shift key while selecting a sort. The Result column is not sortable. Each of the columns is resizable by clicking and dragging on the column separator in the column header.
For versions 10.0.2 and earlier, if there has been only one search run for a location, the Match and Action History section is not displayed because the information is available in other areas of the Result Details dialog. The action of "None" is available in the Summary Information section and the time that the result was found is in the Properties section.
Location Preview
The Location Preview section of the Result Details dialog displays an unformatted version of the result you have selected. The main body of the Location Preview contains the full content where your result was located with all the Matches highlighted in yellow.
At the bottom of the Result Details dialog there are four buttons:
Prev: Clicking this button displays the result previous to the one that is currently displayed in the Result Details. This button is enabled only when viewing a child. It is disabled when viewing the parent.
Next: Clicking this button displays the result following the one that is currently displayed in the Result Details. This button is enabled only when viewing a child. It is disabled when viewing the parent.
View Parent or View Child: Clicking this button toggles the Result Details between the child view and the parent view.
Close: Closes the Result Details dialog and saves any changes that you have made to the Workflow section of the Result Details.
Remove Button
The Remove button allows you to permanently exclude or delete rows from the database.
Exclude Rows
The Exclude Rows button (formerly called Never Display Data or Never Display Results) provides the ability to prevent the Console from storing certain information that is provided by the endpoints after a search.
The endpoints continue to provide this information, but the Console ignores it when storing information in the database. This feature allows you to reduce the amount of information stored in the Console database (to maximize performance) without affecting the operation on the endpoint, such as what results the end user sees.
For example, suppose you are running searches as the locally logged on user (and therefore end users can interact with the endpoint UI) and are searching for Personal Addresses. If you want the user to be able to see their home address in results on the endpoint (along with all other address results), but do not want to store their address in the database, you can use this function to tell the Console to exclude (essentially "ignore") those rows when updating the database. If you wanted to prevent all personal address results from being sent from the endpoint to the Console, you could use the policy setting Console\sendMatchTypes.
The dialog also provides the option to remove any rows from the database that match the specified criteria. When Exclude Rows is selected, the information in the Exclude Rows dialog is pre-populated based on the selected row.
The Exclude Rows dialog notes that "You may exclude the current match or location from future endpoint data as well as all matching rows in the database. Additionally, you may use the asterisk (*) to find a partial match or location." meaning that you can prevent future matching rows from being added to the database as well as delete any matching rows that are already in the database.
To use this feature:
- Select the Match (the specific result) radio button to exclude data with a combination of the match text and location type.
- Select the Location radio button to exclude data with a combination of the location path and the data type. The "Use post-processed location" option specifies whether the location string provided should match on results before or after any processing occurs on that string. For remote locations, the Console modifies the location string to be more informative. For example, if an endpoint searches a remote machine and obtains the location \\servername\c$\foldername, the Console creates a new endpoint (if one does not exist) for servername and then adds a result at location c:\foldername. This option controls whether the match on the location string is performed before or after that processing.
By default, only future rows matching the specified criteria are excluded. To remove existing rows from the database, check the box Remove Existing Match Rows from the Database.
You can also manually exclude rows on the Excluded Rows settings page.
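To make the "Use post-processed location" option and the asterisk wildcard concrete, here is an added Python model (my own code, not the Console's implementation) of the remote-location rewrite described above and of how a Match or Location exclusion is tested against a row before or after that rewrite. The rewrite of only administrative drive shares (c$, d$, ...), case-insensitive matching, the `ExcludeRule` class, the row field names and the sample rows are all assumptions made for this example.

```python
# Added example, not product code: models the location pre-processing the page
# describes for remote locations and applies Exclude Rows criteria (with '*'
# wildcards) either before or after that processing. Names are mine.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# \\servername\c$\foldername  ->  endpoint "servername", location "c:\foldername"
_ADMIN_SHARE = re.compile(r"^\\\\([^\\]+)\\([A-Za-z])\$(\\.*)?$")


def post_process_location(endpoint: str, location: str) -> Tuple[str, str]:
    """Return (endpoint, location) as the Console stores them for a remote location.

    Only administrative drive shares (c$, d$, ...) are rewritten; any other
    location is returned unchanged (an assumption for this example)."""
    m = _ADMIN_SHARE.match(location)
    if not m:
        return endpoint, location
    server, drive, rest = m.group(1), m.group(2), m.group(3) or "\\"
    return server, f"{drive.lower()}:{rest}"


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Turn an Exclude Rows pattern into a regex: '*' matches any run of
    characters, everything else is literal. Case-insensitive because Windows
    paths are (assumption)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class ExcludeRule:
    kind: str                         # "match" (match text + location type) or "location" (path + data type)
    pattern: str                      # match text or location path, may contain '*'
    type_name: str                    # location type for "match", data type for "location"
    use_post_processed: bool = True   # the "Use post-processed location" option
    remove_existing: bool = False     # "Remove Existing Match Rows from the Database"

    def applies_to(self, row: Dict[str, str]) -> bool:
        rx = wildcard_to_regex(self.pattern)
        if self.kind == "match":
            return row["location_type"] == self.type_name and rx.match(row["match"]) is not None
        if self.kind != "location":
            raise ValueError(f"unknown rule kind {self.kind!r}")
        if row["data_type"] != self.type_name:
            return False
        location = row["location"]
        if self.use_post_processed:
            _, location = post_process_location(row["endpoint"], location)
        return rx.match(location) is not None


def apply_exclusions(rows: Iterable[Dict[str, str]], rules: List[ExcludeRule], incoming: bool):
    """Split rows into (kept, excluded).

    Incoming rows from an endpoint are excluded when any rule matches. Rows already
    in the database are only removed by rules with remove_existing=True."""
    kept, excluded = [], []
    for row in rows:
        hit = any(r.applies_to(row) and (incoming or r.remove_existing) for r in rules)
        (excluded if hit else kept).append(row)
    return kept, excluded


# Constructed sample rows (not real results).
SAMPLE_ROWS = [
    {"endpoint": "WS01", "location": r"\\servername\c$\foldername\report.docx",
     "location_type": "File", "data_type": "Personal Address", "match": "100 Example Street, Springfield"},
    {"endpoint": "WS01", "location": r"c:\users\alice\todo.txt",
     "location_type": "File", "data_type": "Personal Address", "match": "100 Example Street, Springfield"},
    {"endpoint": "WS02", "location": r"c:\finance\q1.xlsx",
     "location_type": "File", "data_type": "Credit Card Number", "match": "4111111111111111"},
]

if __name__ == "__main__":
    rule = ExcludeRule("location", r"c:\foldername\*", "Personal Address", use_post_processed=True)
    kept, excluded = apply_exclusions(SAMPLE_ROWS, [rule], incoming=True)
    print(len(kept), "stored,", len(excluded), "excluded")  # 2 stored, 1 excluded
```

The point the model makes is that the same pattern can match or miss the same row depending on the option: `c:\foldername\*` only matches the remote result after the rewrite, while `\\servername\c$\*` only matches it before. When writing an exclusion for remote results, check which form the Results Grid shows for the row you selected and set the option accordingly.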
Delete Rows
If there are results in the database that are no longer useful, they can be deleted by selecting one or more rows and selecting Delete Rows. To select multiple rows, ctrl-click or shift-click the results. When unused or unnecessary information is included in the database, it can decrease overall performance.
The Delete Rows confirmation dialog ensures you want to delete the information from the database. This operation is permanent and cannot be undone. The dialog asks if you are sure that you want to "Remove the selected rows?"
You can also schedule a Purge Results service job to delete data that matches specific criteria. Service jobs can be run once or on a recurring schedule.
Delete Filtered Rows
If there are results in the database that are no longer useful, delete them by applying one or more filters to display the data to delete and select Delete Filtered Rows. All of the rows that match the filter are deleted. When unused or unnecessary information is included in the database, it can decrease overall performance.
This button is only enabled when a filter has been applied.
The Delete Filtered Rows confirmation dialog ensures that you want to delete the information from the database and indicates that the deletion/purging is scheduled. This operation shows up as a Service Job until it has been executed, at which time it is deleted. The dialog asks you to "Confirm purging of the selected data. The purging is scheduled for processing."
You can also schedule a Purge Results service job to delete data that matches specific criteria. Service jobs can be run once or on a recurring schedule.
Export Button
The Export button allows you to save results to a file for offline viewing, distribution, or for importing and/or processing by another application.
When saved in CSV format or PDF format without a password, any sensitive information in the file is stored as clear text and the file itself should be treated as sensitive information.
The Export dialog has the following fields:
- Output Name: The name of the file (without the extension) in which to save the exported results. This is used as the name of the attachment if you choose to Send by email and it is also used as the email subject if you do not enter a value in the Subject field.
- Output Format: Choose CSV to save the data in a Comma-Separated Values text file or choose PDF to save the data in a Portable Document Format file. The CSV format is plain text and any sensitive information in the file is stored as clear text and the file itself should be treated as sensitive information. The PDF file format can be saved with or without a password; if a password is not used, any sensitive information in the file is stored as clear text and the file itself should be treated as sensitive information.
- Data Range:
- All: Export all of the data in the data set including information that is available on a different grid page.
- Filtered: Export all of the filtered data. Information that matches an existing filter, even if it is not displayed on the current grid, is exported. Information in columns that are not currently displayed is not exported.
- Only Visible: Export only the visible data. Information that matches an existing filter (if any exists), but is not displayed on the current grid page, is not exported. Information in columns that are not currently displayed is not exported.
- Mask Matches: Enable this option to mask the Match column (if it exists) when it is saved to the exported file.
- PDF Password: Optionally enter a password to encrypt the PDF document and require the password to be entered when the PDF is opened. This option is only displayed if the selected Output Format is PDF.
- Include Match Preview: Include the preview of each match in the exported file. This check box is unchecked by default.
- Send by email: Optionally enable this option to send the saved file via email. When enabled, enter the email addresses (separated by a semi-colon) for the Recipients and optionally enter the text for the Message Body of the email. Either this option or Store in server's folder must be selected if the export is to be scheduled. In order to email an export, you first need to configure SMTP settings in the CAT.
- Users / Roles: When Users and Roles is selected, you can specify recipients by clicking the "..." button to the right of Users / Roles and clicking the Add User button or the Add Role button. When selecting by user, it uses the email that is associated to the selected user in the Users section of the Admin tab. When selecting by roles, it adds each user that is assigned to the selected role.
- Recipients: Allows you to select the recipients of the email. You may enter multiple email addresses separated by a comma. If you select "Send by email" but do not enter any email recipients, when you click the Save button a message displays that reads, "The Recipients field is required."
- Subject: This is the subject line of the email notification. If you leave the subject field blank, the value that was entered for the Output Name is used as the subject.
- Body: This is the message body of the email. The body may contain plain text and/or HTML markup.
- Send as Link: If you prefer not to send the output as an attachment to the email, click "Send as Link", and the email includes a link that the user can click on to view the report. The report is available as a link on the Console server for the number of days specified in the Application Settings tab under "Days to keep export links".
- Send as Plain Text: If entering only text in the message body, then select this option to preserve the formatting of the message body so that it displays in the email just as you entered it. If you have entered any HTML in the message body, do not select this option.
- Store in server's folder: The destination folder name in which to save the exported data. This folder must exist, or the Console reports "The folder does not exist." The account context under which the Console is running (by default NETWORK SERVICE) and the Users group must have write permissions or the Console reports "The Console has insufficient write permissions to the folder." Either this option or Send by email must be selected if the export is to be scheduled.
- Schedule: To schedule the export to run on a periodic basis, click the "..." button to the right of Schedule to display the Edit Export Schedule dialog.
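Because a CSV export stores matches in clear text unless Mask Matches is enabled, it helps to see what the Data Range and Mask Matches options do to the rows that actually leave the Console. The following is an added Python model of a CSV exporter (my own code, not the product's export routine): the column names, the row layout, the constructed sample rows, and the masking style (keep only the last four characters, which the page does not specify) are assumptions for this example.

```python
# Added example, not product code: a CSV exporter that applies the Data Range
# and Mask Matches options described above. Column and field names are mine.
import csv
import io
from typing import Callable, Dict, Iterable, List, Optional

Row = Dict[str, str]


def mask_value(value: str, keep: int = 4) -> str:
    """Mask a match, keeping only its last `keep` characters.

    The page does not define the masking format; keeping the last four
    characters is an assumption for this example."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def select_rows(rows: Iterable[Row], data_range: str, predicate: Optional[Callable[[Row], bool]],
                page_number: int, page_size: int) -> List[Row]:
    """Choose rows according to the Data Range option.

    All:          every row in the data set, regardless of filter or grid page.
    Filtered:     every row that passes the filter, on any grid page.
    Only Visible: filtered rows on the current grid page only (page_number is 1-based)."""
    if data_range == "All":
        return list(rows)
    filtered = [r for r in rows if predicate is None or predicate(r)]
    if data_range == "Filtered":
        return filtered
    if data_range == "Only Visible":
        start = (page_number - 1) * page_size
        return filtered[start:start + page_size]
    raise ValueError(f"unknown data range {data_range!r}")


def export_csv(rows: Iterable[Row], columns: List[str], data_range: str = "All",
               predicate: Optional[Callable[[Row], bool]] = None, page_number: int = 1,
               page_size: int = 50, mask_matches: bool = False) -> str:
    """Render the selected rows as CSV text. `columns` are the grid columns that
    are currently displayed; for Filtered and Only Visible the page states that
    hidden columns are not exported, so only these columns are written."""
    selected = select_rows(rows, data_range, predicate, page_number, page_size)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in selected:
        out = {c: row.get(c, "") for c in columns}
        if mask_matches and "Match" in out:
            out["Match"] = mask_value(out["Match"])
        writer.writerow(out)
    return buf.getvalue()


# Constructed sample rows (not real results; card numbers are standard test values).
SAMPLE_ROWS = [
    {"Endpoint": "WS01", "Location": r"c:\users\alice\cards.txt",
     "Data Type": "Credit Card Number", "Match": "4111111111111111"},
    {"Endpoint": "WS01", "Location": r"c:\users\alice\notes.docx",
     "Data Type": "Personal Address", "Match": "100 Example Street"},
    {"Endpoint": "WS02", "Location": r"c:\finance\q1.xlsx",
     "Data Type": "Credit Card Number", "Match": "5555555555554444"},
    {"Endpoint": "WS03", "Location": r"c:\temp\export.csv",
     "Data Type": "Credit Card Number", "Match": "378282246310005"},
]
VISIBLE_COLUMNS = ["Endpoint", "Location", "Match"]


def is_card(row: Row) -> bool:
    """Filter applied in the grid: only credit card results."""
    return row["Data Type"] == "Credit Card Number"


if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, VISIBLE_COLUMNS, "Only Visible", is_card,
                     page_number=1, page_size=2, mask_matches=True))
```

Run with `mask_matches=False`, the Filtered export of the sample rows contains three full card numbers, which is why the page says the resulting file must itself be treated as sensitive; with masking on, the file still identifies the endpoint and location for remediation but carries only the last four digits of each match.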