eG Monitoring
 

Measures reported by Exc2013ClasScaTest

Data loss prevention (DLP) is an important issue for enterprise messaging systems because of the extensive use of email for business-critical communication that includes sensitive data. DLP features make it easier to enforce compliance requirements for such data and to manage its use in email without hindering the productivity of workers.

DLP policies are simple packages that contain sets of conditions, which are made up of transport rules, actions, and exceptions that you create in the Exchange Administration Center (EAC) and then activate to filter email messages. One important feature of transport rules is a new approach to classifying sensitive information that can be incorporated into mail flow processing. This new DLP feature involves a Classification Engine that performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies.

The Classification Engine also handles the import of new classification rules packages. These packages allow administrators and independent service vendors to manage specific content. These customer packages are XML files that can be imported via the Exchange command shell. The packages need to be encrypted to be imported into Exchange 2013; the Microsoft Classification Engine decrypts them.

Errors in the classification engine's operations, and delays when it loads or processes content, can severely hamper the execution of transport rules and the detection of sensitive content in emails. If these problems are allowed to persist, classified information may reach the wrong hands, resulting in organizational mayhem. To avert this, run the Exc2013ClasScaTest test at periodic intervals to check for errors in the engine's operations, track the time the engine takes to load and to scan content, and capture errors and slowdowns proactively.

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Engine_err | Indicates the number of Classification engine errors in the last minute. | Number | Ideally, the value of this measure should be 0. A non-zero value is indicative of engine errors and will warrant immediate investigation. |
| Engine_load_tim | Indicates the average time taken by the engine to load. | Secs | A low value is desired for this measure. A consistent rise in this value is indicative of a bottleneck when loading. |
| Item_pro_sec | Indicates the rate at which the content was scanned for DLP policy violations. | Processed/Sec | A steady drop in the value of this measure is indicative of a processing bottleneck on the engine. |
| Item_cla_det | Indicates the number of items that have been detected as classified. | Number | |
| Scan_tim_item | Indicates the time taken by the engine to scan the content and detect classified items. | Secs | A steady increase in the value of this measure is indicative of a processing bottleneck on the engine. |
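
The following is an added example, not eG Enterprise code: one way to turn the Interpretation column into alert logic over a series of polled measures, separating a sustained rise or drop from single-sample noise. The window size, the 20% change threshold, the severity labels and the sample rows are assumptions made for illustration.

```python
from statistics import mean

# Degradation direction per measure, taken from the Interpretation column.
# Item_cla_det has no stated interpretation, so it is not evaluated.
TREND_RULES = {"Engine_load_tim": "rise", "Scan_tim_item": "rise",
               "Item_pro_sec": "drop"}

def sustained_trend(values, direction, window=3, min_change=0.20):
    """Compare the mean of the last `window` samples with the window before it.

    window and min_change are assumed tuning values, not eG defaults. The
    newest window must also move monotonically, so one spike is not a trend.
    """
    if len(values) < 2 * window:
        return False
    prev, last = values[-2 * window:-window], values[-window:]
    base = mean(prev)
    if base == 0:
        return False
    change = (mean(last) - base) / base
    steps = [b - a for a, b in zip(last, last[1:])]
    if direction == "rise":
        return change >= min_change and all(s >= 0 for s in steps)
    return change <= -min_change and all(s <= 0 for s in steps)

def evaluate(samples):
    """samples: per-interval dicts keyed by measure name, oldest first."""
    findings = []
    if samples[-1]["Engine_err"] > 0:  # any non-zero value warrants investigation
        findings.append(("Engine_err", "critical"))
    for name, direction in TREND_RULES.items():
        if sustained_trend([s[name] for s in samples], direction):
            findings.append((name, "warning"))
    return findings

def rows(err, load, rate, scan):
    """Build constructed sample rows from per-measure columns."""
    return [dict(Engine_err=e, Engine_load_tim=l, Item_pro_sec=r, Scan_tim_item=s)
            for e, l, r, s in zip(err, load, rate, scan)]

# Constructed sample data (not real eG output), six polling intervals each.
HEALTHY = rows([0] * 6, [1.0, 1.1, 1.0, 1.1, 1.0, 1.1],
               [50, 52, 51, 49, 52, 50], [0.20] * 6)
DEGRADED = rows([0, 0, 0, 0, 0, 2], [1.0, 1.1, 1.0, 1.4, 1.6, 1.9],
                [50, 52, 51, 40, 33, 25], [0.20, 0.21, 0.20, 0.22, 0.21, 0.22])

if __name__ == "__main__":
    print(evaluate(HEALTHY))
    print(evaluate(DEGRADED))
```

In the degraded series, Scan_tim_item fluctuates without a sustained increase and is therefore not flagged, while the load time and scan rate trends are.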