System filters

When you first open the interface after installing the server, the Filters tab already contains a set of preconfigured filters arranged in the filter tree. This tree consists of three main sections: Efficiency, Security and Policies. The filters in each section affect how data is displayed and how performance reports are calculated (for example, in Time tracking). These filters were created on the basis of the average demand among users of DLP systems for collecting user data on a PC. Below are descriptions of the purpose of each filter in the System filters tree, by category.

Efficiency

The Efficiency category contains pre-installed filters for displaying employee productivity. It consists of the following subcategories:

Reports and timesheets:

| System filter name | Description |
| --- | --- |
| General report on work time | Contains statistics on productivity of all employees |
| Consolidated report on productivity | Contains statistics on productivity of all employees |
| Lateness report | Contains statistics on lateness of employees |
| Statistics for specified period | Displays statistics for the entire period on employees’ work with e-mail, instant messengers, printing events and intercepted files |
| Statistics by day | Displays statistics for each day on employees’ work with e-mail, Internet pagers, printing on printers and intercepted files |
| Printer usage sheet | Displays the monthly printer usage statistics as a calendar |
| Timesheet | Displays the statistics of the total hours worked per month as a calendar |

Productivity

| System filter name | Description |
| --- | --- |
| Productive activity | Consists of a chain of filters displaying the statistics of top user data in a pie chart, a linear chart for users, and statistics of user productivity in a pie chart on productive activities |
| Unproductive activity | Consists of a chain of filters displaying statistics of top user data in a pie chart, a graph for users, and statistics of inefficient users in a pie chart for inefficient activities |

Security

The “Security” category contains filters for monitoring data leakage in correspondence, the entry of bank card numbers, the copying of files to external storage devices and the use of unacceptable words in business communication.

It contains the following subcategories:

Events:

| System filter name | Description |
| --- | --- |
| Screenshots | Consists of a chain of filters displaying screenshots of the user’s desktop in the form of a table, list or tiles |
| Webcam snapshots | Consists of a chain of filters displaying images from users’ webcams in the form of a table, list or tiles |
| Internet pagers | The “Messages” section contains statistical reports on correspondence in the form of relationship graphs and of incoming and outgoing messages in Internet pagers. The “Attachments” section contains statistical reports on files intercepted in correspondence in the form of relationship graphs and of incoming and outgoing messages, and a list of all document and image files intercepted in Internet pagers |
| Mail | The “Mail” section contains filters for correspondence in e-mail clients (for example, Outlook): event filters and statistical filters in the form of pie charts and relationship graphs. The “Attachments” section contains filters for files intercepted in mail correspondence: event filters and statistical filters in the form of pie charts and relationship graphs. The “Web-mail” section contains filters for correspondence in browsers (for example, Google Chrome): event filters and statistical filters in the form of pie charts and relationship graphs |
| Microphone recording | Contains filters in the form of a heatmap, which shows how many recordings were made in a given time interval, and in the form of an Event type, in which you can download all recordings as a single archive |
| Clipboard | Shows statistics of save-to-clipboard events in the form of a pie chart and an analytical table |
| External data storages | Consists of a chain of filters displaying data on work with external storage devices in the form of an analytical table, heatmap, statistics in pie charts, and event filters |

Incidents:

| System filter name | Description |
| --- | --- |
| Violation dynamic | Displays changes of incident statistics in the form of a histogram |
| Violators | Displays the change of the statistics of incidents in the form of a histogram |
| Violators by department | Displays the statistics of violators in departments by incident in the form of a pie chart |
| Violators by company position | Displays statistics of office violators by incident in the form of a pie chart |
| Violations | Consists of a chain of filters displaying statistics in the form of pie charts for the reports “Credit Cards”, “Drug addict vocabulary”, “Curse words vocabulary” and “Prohibited web sites” |

Policies

The properties of Policies offer the options “Policy is enabled”, “Apply to new events” or “Apply to all events”; the last of these starts a recalculation of all events for the policy.

Let’s consider the subcategories of the “Policies” tree in more detail.

Productivity policies

| System filter name | Description |
| --- | --- |
| Application categories | Contains filters for applications in which users work. Each filter has different categories of productivity, depending on the thematic names of the filters. To set the productivity category, go to the filter settings - “Productivity”. |
| Web resource categories | Contains filters for sites in which users work. Each filter has different categories of productivity, depending on the thematic names of the filters. To set the productivity category, go to the filter settings - “Productivity”. |

Security policies:

| System filter name | Description |
| --- | --- |
| Credit cards | Collects statistics on entering credit card numbers. By default, the policy is excluded from the statistics. To activate it, check the “Policy is enabled” box. In the opened list of values, you can see the credit card number formats described as regular expressions in POSTFIX syntax. |
| Profanity dictionary | Pre-defined dictionary of profanity. Events go to “Triggered filters -> Incident”. For this to work, the policy must be enabled. |
| Messages to yourself | Marks as an incident every event in which a mail is sent to the same e-mail address it was sent from. To disable it, uncheck the “Policy is enabled” box. |
| Screenshots (captured files) | Collects captured screenshot files. Events go to the “Triggered Filters”. To disable it, uncheck the “Display and send notifications about new facts” box in the filter settings. |
| Staffcop process search | Collects statistics on searches for the agent process. Events go to the “Triggered Filters”. To disable it, uncheck the “Display and send notifications about new facts” box in the filter settings. |
| Files in encrypted archives | Intercepts password-protected archives. Events go to the “Triggered Filters”. To disable it, uncheck the “Display and send notifications about new facts” box in the filter settings. |
| Passwords from browsers | Intercepts passwords entered in browser forms. Events go to the “Triggered Filters”. To disable it, uncheck the “Display and send notifications about new facts” box in the filter settings. |

System policies:

| System filter name | Description |
| --- | --- |
| Auto cleanup | This filter contains the auto-cleanup settings for the drive on the server. It can be edited only under Filters and policies in the Admin menu. Method: the action taken when the disk usage percentage threshold is reached. Hdd alarm percentage: the disk usage percentage at which the notification in the filter tree appears. The backup path: the path to the directory where the disk for automatically saving database backups is mounted; it is used when the Hdd hard percentage threshold is exceeded and Method: move is set. The default settings are: Method: delete. Database alarm percentage: the database usage percentage at which the alert in the filter tree appears. |
| Content parser | When you search for keywords using the Search - Keywords form in the left panel, the results include not only events containing the keywords but also events containing intercepted text-format files in which the keywords occur. The text content of such files is listed in the system policy Analyzing text content. You can add this system policy to the text content via the dimension panel in the File - Content type properties. |
| OCR | This system policy is meant for recognizing text in PDF and image files. The embedded OCR is used by default, although you can use an ABBYY OCR SDK <https://ocrsdk.com/> account. Enter your Cloud OCR AppID and password to use the policy. |
| Archives scanner | This system policy starts automatic unpacking of all archives; each file can be downloaded from the interface. |
| Report generator | This system policy starts the counting processes in report statistics for filters that have the “Display and send notifications about new facts” box checked. |
| Contact parser | This policy is used for associating mail and messenger accounts with the user account. |
| Syslog connector | This policy is used for automatic export of chosen event types to the server’s Syslog. It is used for integration with a SIEM system. |

Dimension cards

Dimension card - a summary report displaying the characteristics of an object or set of objects and events associated with them in a view most convenient for a given type.

These filters allow you to fine-tune the output of the dimension cards.

| System filter name | Description |
| --- | --- |
| Computer card | Allows you to see consolidated information on events bound to a specific computer |
| Account card | Allows you to see consolidated information on events bound to a specific account |
| Application card | Allows you to see consolidated information on events bound to a specific application |
| Site card | Allows you to see consolidated information on events bound to a specific site/domain |
| Network connection card | Allows you to see information on events bound to a specific network activity |
| File card | Allows you to see consolidated information on events bound to a specific file |
| Device card | Allows you to see consolidated information on events bound to a specific device, device type, device ID, and so on. |
| Conversation card | Allows you to see consolidated information on events bound to a specific dialog, direction, chat, sender domain or recipient domain. |
| Installation card | Allows you to see consolidated information on events bound to application installation events |