Work in LIVE EDA Case

1. Navigate to the OPEN DISCOVERY Home page and select LIVE EDA.

2. From the EDA Cases overview, search for and select the LIVE EDA case that you would like to open. Click Enter Case.

   

3. In the LIVE EDA Search interface, navigate to the left panel.

   

   In the Location View, you can see all live locations and custodians included in the LIVE EDA case.

   

   If a blue checkbox with check mark is displayed, the location and all of its user accounts are included. If a checkbox with a dash is displayed, specific custodians from this location are included. An empty checkbox indicates that the location, its custodians, and all its data, is not included.

   

   Click on the triangle icon next to a location to expand. This reveals all custodians and subfolders, including the mail folders within a mailbox and root folders.

   

4. (Optional) To search for a specific custodian, navigate to the top of the Location View and click Search Custodians.

   

   The Search Custodians overview will open.

   

   From the left panel, you can select the specific locations to search for the custodian(s). In the Filter field, you can enter the name of the custodian(s) and press enter to search. You can search for and select multiple custodians. Select the custodian(s) from the search results and click Apply new selection.

   
   

The data of the selected custodian(s) will be displayed in the Document View.

You can manipulate the Document View of the LIVE EDA Search interface to suit your viewing preferences.

The column fields that are displayed by default, indicate the type, Name, Owner, Date, Size, and Document ID of each item/document. If the item(s)/document(s) are promoted to a LIVE EDA Review case, this metadata will be included.

The definitions of the default column fields are listed in the following table.

1. To adjust the Document View layout, navigate to the top right corner and click the Preferences menu icon . Make the desired changes from the Prefences drop-down menu. For more information about each available setting, see Setting Preferences.
   

2. To adjust the column width, place the mouse pointer on the column boundary and drag the column boundary to the left or right.

3. To add columns, hover on any of the column field headings and click on the inverted triangle icon. Add a column by selecting the relevant checkbox in the Columns menu.

4. To change the sort order of a column, hover on any of the column field headings and click on the inverted triangle icon . Sort by Ascending is the default sort order, but you can opt to Sort by Descending.

5. To change the organization of the items/documents displayed in the Document View, click on a column field heading and drag it across. By default, all items/documents displayed in the Document View are ordered by Date.

   Note: When the column field heading is clicked for the first time, it sorts in Ascending order. When the same column field heading is clicked a second time, it sorts in Descending order.

Create and perform searches on the live data made available in the LIVE EDA Search interface. By searching the live locations first, you can select items/documents for collection and promote only the relevant data. LIVE EDA Search allows you to perform multiple searches in the same LIVE EDA case.

The following steps describe the criteria you can add to modify the scope of the initiated search.

1. Define an appropriate name for your Search. Right-click the Search tab to rename it.

   

2. From the Location View, you can select and deselect the live location(s) and custodian(s) to include in or exclude from your search. Simply check or un-check the box next to the live location(s) or custodian(s).

   

   Note: By default, when a location is selected, all its custodians are included.

3. Search Automatically is enabled by default. To prevent LIVE EDA Search from initiating a search every time you add a search criteria, clear the checkbox.

   

3. To search for a specific term or phrase, navigate to the top right corner of the interface, type the expression into the Quick Search bar, and press Enter. The expression will then be added as a search criterion. A search will return a list of all items/documents matching the search criteria. For more information, see Quick Searches.

   

4. To perform more complex searches, navigate to the Search menu in the top right corner of the LIVE EDA Search interface and select the appropriate option from the drop-down menu. To learn more about each available search option, see About Searching, Message Searches, IM Search, File Searches, and Federated Searches.

   

5. For more information about how to perform an Advanced Search, review the following topics in the relevant user guides. Start with Advanced Search, then consult About Groups, About Collections, and About Rules. To learn more about the two key Boolean operators, review About All Of, Any Of.

6. To quickly refine your search results, filter by item/document type or by live location. Navigate to the bottom-left corner of the Document View and select the relevant icon.
   

7. To refine your search results in more detail, apply a filter. Navigate back to the Location View and scroll to the bottom of the view.

   

   Expand the Filter View to apply a wide variety of parameters that make it easy to locate specific data. For more information, see Filter View and Using Search Filters.

   
   

8. To monitor the total number of search results, navigate to the bottom-right corner of the Document View. You can (1) wait until the search results are refreshed or (2) manually refresh the search results.

   

9. To erase a search and start a new search in the same Search tab, navigate to the Search menu and select (clear search) from the drop-down menu.

10. To launch a new search in the same LIVE EDA case, create a new Search tab, select the appropriate live locations and custodians from the Location View, and repeat the steps previously listed in this procedure.

    Note: The LIVE EDA Search interface is stateless. All open Search tabs are saved automatically.

With Classification enabled, you can automate the classification of specific LIVE EDA case data. The Classification feature recognizes keywords, labels, and patterns associated with PCI, PHI and PII. By enabling Classification, you can ensure adherence to compliance regulations. For more information, see About Classification.

You can choose from the three available Classification Models:

• PCI: Payment Card Information

• PHI: Protected Health Information

• PII: Personally Identifiable Information

You will select the Classification Model(s) appropriate to your compliance requirements. Keep in mind that you can select multiple models.

Once the Classification task has run on the LIVE EDA case data, Classification Scores become visible. The Classification Score applied to an item/document indicates the level of probability that this data contains PCI, PHI, or PII.

Take the following steps to enable Classification in the LIVE EDA case.

1. Navigate to the top left corner of the interface and select Classification.

   

2. To run a new Classification Task, select New Task.

   

3. Specify the Search tab(s) to include in the classification. Click the corresponding check box(es). Click Next.

   

4. Select the Classification Model(s) to apply: PCI, PHI, or PII. For more information, see Classification Models.

   

5. Choose the Classification mode:

   • Select Full Classification mode if you are classifying data for the first time.

     Note: Full Classification mode is most often used in conjunction with the One time only schedule frequency option. It is suggested that you run a full classification before creating an incremental Classification Task scheduled on a regular basis.

   • Select Incremental mode to classify data on an ongoing basis. This classifies only new data or data that has not been classified since the last time a Classification Task was run.

     Note: Incremental mode is most often used in conjunction with the Continuous schedule frequency option. This allows you to classify new data, on an ongoing basis, as soon as it is detected in any of the locations and repositories selected in the classification.

6. Set the Schedule:

   • Select One time only to run the Classification Task only once.

     Note: The One time only option is most often used in conjunction with Full Classification mode, as shown above.

   • Select Every X minutes/days to specify a classification schedule best suited to your needs.

   • Select Continuous to classify data on an ongoing basis, as soon as it is detected in any of the locations and repositories included in the classification.

     Note: The Continuous option is most often used in conjunction with Incremental mode, as shown above.

7. Click Next.

8. Specify the Classification Task details.

   • Enter a Task Name.

   • To receive a report when the Classification Task is completed, check the box. Enter the email address of the person who should receive the report. By default, the email address of the Classification Task creator is used.

     

9. Click Create. The Classification Task can now run.

10. The Task Management overview will open. Here you can view the Classification Task progress and review the Classification Task settings.

    Progress is indicated by the percentage displayed under Status.

    

    Note: To open the Task Management overview, navigate to the top left corner of the interface and select Classification > Task Management.

11. (Optional) Double-click on the Classification Task to view the Task Details.

    

12. (Optional) Open the Executions Report tab to view the details of executed Classification Tasks.

    

13. When the Classification Task has run, Classification Scores are applied to the data in your LIVE EDA case.

    To view the Classification Scores:

    • Add the relevant Classification Model column to the Document Overview. Right-click on any of the available column headings and select PCI.

      

    • Click on the inverted triangle to (re)order the results by ascending or descending.

      

14. (Optional) Perform filtered searches on the classified data.

    • Navigate to the Search menu and select a Search type.

    • Open the Tags tab. From the drop-down menu, select the Model Name.

    • Set the Confidence Score Range. A low range will cast the widest net.

      

      Note: Remember that with a range that starts too low, you’ll get higher false positives, and with a range that starts too high, you'll risk missing results. For more information about how to fine-tune the Confidence Score Range, see Confidence Score Range.

You can save the search criteria in a Search tab as template. This allows you to easily replicate the search in another tab, or in another LIVE EDA case. You can also make your search template accessible for others to use in their own LIVE EDA case searches.

Take the following steps to save the search criteria as template.

1. Right-click on the first Search tab of the LIVE EDA case and select Save As Template.

   

2. Give the template a meaningful name.
   

3. You can save the LIVE EDA case criteria As Template or As File.

   • As Template: Save the template for use within your LIVE EDA installation. The template is saved in a folder with the LIVE EDA case name, created in the Management Device.

     

   • As File: Save the template for use outside of your LIVE EDA installation. For example, you can send the template externally to be used by an Audit Manager with credentials in another instance of LIVE EDA Search. The template is saved to the download folder of your local machine.

     

4. (Optional) Select Template for All if you would like the template to be made available to other users and in other LIVE EDA Cases.

   

5. Click Save.

Take the following steps to load the search criteria saved as template.

1. (Optional) Re-name the Search tab in which you will load the template. It is a best practice to give the Search tab a name similar to the name of the search template you are intending to use.

2. Right-click on the first Search tab in which you would like to Load As Template.

   

3. Select a previously saved Search Template — this is either one that you have created or one that has been made available to you.

   • From Template: Select one of the available Search Templates from the drop-down menu.

     

   • From File: Select Choose File to load a saved Search Template.

     

4. Click Apply. This applies the search criteria to the selected locations and populates the results in the Search tab.

When you have created a Search tab and performed the search, you can preview the search results. All LIVE EDA case users can view and work on all Search tabs and search results.

The actions outlined in the following steps can also be performed on multiple search results. You can select more than one from the list in Document View, or navigate to the Selections menu in the top left corner of the Document View and opt to Select All.

1. Double-click any item/document to open the Preview. For more information about how to preview individual search results, see Previewing Documents.

2. By default, the Properties tab displays first. Here, you can view the metadata of the item/document previewed. For more information, see Properties Tab.
   

3. Open the Preview tab to view the body or content of the item/document previewed. The content immediately displayed in the Preview tab differs according to item/document type. For attachments, the first two pages are displayed. You can click the link to view all. For emails, the message directly corresponding to the search criteria is displayed first. You can scroll down to read the thread. For Instant Messages, the message directly corresponding to the search criteria is displayed.

   

4. If you are previewing an Instant Message and would like to view it in context of the full conversation, open the Conversation tab. This tab displays the complete chat history accompanying the search result.

   

5. If you are previewing an Archived item/document and would like to view all audit actions performed on the item/document in question, open the Audit tab. This tab displays when the Archived item/document was first Created by the Archive agent, if it has been Exported by an ILM/Export job, and/or if it has been Viewed or Printed by an OPEN DISCOVERY user.

   
   

6. To see whether any tags or comments have already been applied to the item/document, open the Tags tab.
   

In LIVE EDA Search, tags can be used to quickly identify items/documents deemed pertinent to the case. All applied tags are searchable. LIVE EDA cases include predefined tags, but you can add custom tags. Tags are case specific; they exist only in the case in which they were created. For more information, see Tagging and Commenting Documents.

The actions outlined in the following steps can also be performed on multiple search results. You can select more than one from the list in Document View, or navigate to the Selections menu in the top left corner of the Document View and opt to Select All.

1. The tags Promote Candidate and Privileged are available by default. To add a custom tag to the LIVE EDA case, complete the following steps:

   1. Navigate to Manage Tags in the Case Overview toolbar.

   2. In Manage Tags, select Add New Tag. Enter the new tag name and click Save. The tag can then be applied to a selected item/document.

2. To remove a custom tag from the LIVE EDA case, complete the following steps:

   1. Navigate to Manage Tags in the Case Overview toolbar.

   2. Select the tag from the list of available tags and click Remove selected Tag(s).

3. To apply an existing tag to an item/document, complete the following steps:

1. If still in Preview mode, close the Preview. In Document View, select the check box of the item/document to which you would like to apply a tag.

2. Navigate to the bottom-right panel of the Documentation View. Click an available tag to apply it to the selected item/document.
   

4. To remove a tag previously applied to an item/document, complete the following steps:

1. If still in Preview mode, close the Preview. In Document View, select the check box of the item/document from which you would like to delete the applied tag.

2. Navigate to the bottom-right panel of the Documentation View. Click Remove Tag.
   
   

5. To see which tags have been applied to an item/document, double-click the item/document in question to Preview, and navigate to the Tags tab.
   

6. To run a report on all items/documents tagged in the LIVE EDA case, click Tag Report in the Case Overview toolbar. Select your date range, and click OK to run the report. You can also Download the report.

   

In LIVE EDA Search, you can add comments to all items/documents. All added comments are searchable. Comments can be used to share notes, leave instructions for further investigations, or pose questions to fellow reviewers. Comments are case specific; they exist only in the case in which they were created. For more information, see Tagging and Commenting Documents.

The actions outlined in the following steps can also be performed on multiple search results. You can select more than one from the list in Document View, or navigate to the Selections menu in the top left corner of the Document View and opt to Select All.

To add a comment to an item/document, complete the following steps:

1. Select the item/document from the Document View.

2. Navigate to the Comment field in the bottom-left corner of the Document View.

3. Type in the comment and press Enter or click on the Add Comment icon to commit.

   

4. The applied comment will remain available in the Comment field. If you want to add this same comment to another item/document, simply select the relevant item/document and click the Add Comment icon to commit.

5. Comments cannot be deleted, but you can apply multiple comments to the same item/document by repeating the steps outlined.

6. To see what comments have been applied to an item/document, double-click the item/document in question to Preview and navigate to the Tags tab.
   

You can apply a Legal Hold to a LIVE EDA case. The Legal Hold feature prevents the data in question from being deleted. When a LIVE EDA case is placed on Legal Hold, the case content cannot be deleted by anybody - regardless of what case they are working in, and whether or not they know that certain data has been placed on Legal Hold.

It is a best practice to create a LIVE EDA case dedicated specifically to the Legal Hold. This is a way to control the confidential aspects surrounding Legal Holds. Due to the sensitive nature of the legal proceedings that precipitate Legal Holds, you might not want a wide internal audience to know whose mail, messages, and files are being preserved this way.

Take the following steps to enable a Legal Hold for Live Content.

1. Create a LIVE EDA case dedicated to the Legal Hold, with a meaningful name relevant to the data being placed under Legal Hold. For more information on how to create a LIVE EDA case, see Create LIVE EDA Case.

   As part of this step, ensure that you have selected at least one live location (i.e., Gmail, MS Teams, SharePoint, or Slack).

2. Perform a Federated Search to set the scope that you want the Legal Hold to cover. All items/documents meeting any of the Federated Search criteria set, will be placed under Legal Hold. For more information, see Federated Searches.

   Note: If you would like to limit the scope of your Legal Hold by date, you must do so by selecting the relevant dates in your Federated Search. If your Federated Search does not include a date filter, all live content in the selected location(s) will be placed on Legal Hold.

3. Navigate to the top left corner of the interface and select Legal Hold.

   

4. Select Enable Legal Hold for Live Content.

   

5. Set the Scope of the Legal Hold. Select the relevant Search tab from the drop-down menu. The scope of the Legal Hold will be limited to the parameters of the Federated Search performed in the Search tab.

6. Select the Location where the LIVE EDA case content will be placed on Legal Hold. Choose from the options available in the drop-down menu.

7. Click Save. Clicking Save will prompt a notification detailing the implications of applying the Legal Hold.

8. Click OK. You can view the progress of the Legal Hold.

   When you see a Completed status, the Live Legal Hold has been placed.

9. The Live Legal Hold is applied to your LIVE EDA case. Your LIVE EDA Legal Hold case will be locked. You cannot make edits unless the Legal Hold is disabled.

   Warning: It is not recommended that you disable Legal Hold. If you do decide to disable the Live Legal Hold, uncheck the Enable Legal Hold for Live Content option. You can then make changes to the Legal Hold scope. Edit the criteria entered in your Federated Search and re-apply the Live Legal Hold.

Case Administrators can enable the Case Scope function to ensure that visibility is limited to search results of a specific search. With Case Scope enabled, only the search result items/documents are available to those working in the LIVE EDA case.

Take the following steps to enable Case Scope in the LIVE EDA case.

1. Right-click on the first Search tab and select Set Case Scope.

   

2. The Case Scope banner will display.

   The Search tab(s) to which you applied Case Scope will be renamed Case Scope. If you applied Case Scope in a Legal Hold case, the Search tab(s) will be renamed LegalHold Scope.