eDiscovery - How it works

General

eDiscovery receives info from 2 components:

  1. API - Chat and Files

  2. Proxy - Meeting info and activity of Audio, Video ,Desktop sharing and participants. This info is stored in Activity Auditing and is copied by the MNTS to the eDiscovery.

Audio Video means the activity that was done without the content. Chat and files include the content.

If A/V content is needed- you must deploy recording management

To get all type of content - both proxy and API are required

 

A meeting session is considered and Audio / Video activity

 

CasbAdapter ApplicationSettings.config

<add key="EnableWebhook" value="true" />
<add key="EnableWebhookForChatMessages" value="true" />
<add key="EnableWebhookForChannelMessages" value="true" />
<add key="EnableWebhookForMemberSite" value="true" />
<add key="IntervalTimeForManagingWebhook" value="10" />
<add key="WebhookCertificateUrl" value="https://agatkeyvaultproduction.vault.azure.net/secrets/agatsaasagatsolutions" />

 

eDiscovery data fields

Conversation Type- Message , File , Audio, Video , info (for auditing), Screen Sharing, unknown. Also Channel, Meeting for backwards computability

Conversation scope: Meeting, Channel, Chat, Group chat, Call, Space, Direct, Space Meeting.

Note: In Webex - Meeting refers to Schedule Meeting. Meeting started from a space refers to Space Meeting.

Session Type- All, Teams, Exchange, Skype for Business, OneDrive or SharePoint, OneDrive, SharePoint, Webex Teams, Webex Meeting, zoom, Slack, RingCentral, Audio Code. P2P, conference for backwards computability

 

Contestation host scope- Whether the room/ Teams in hosted internal or external

 

Content type:

Content type is an internal value of eDiscovery messages as a field in the eDiscovery table.

In eDiscovery messages table, the field content type can have the following values:

Html , Plain, Text, Rtf , File, Meeting, Video, Audio , Screen Sharing.

For records indicating an audio / video call that has started- the relevant values are set and are used when filtering eDiscovery media records.

 

Messages Thread:

For each message there is Parent message ID.
When it is empty (NULL) - it is a root message and actually starts a new thread, and the thread ID is this message ID.
When it has value - it is a reply message to the thread started with the parent (root) message.

Meeting and group chat

Participants list includes link to Auditing. For a managed user the link is to the auditing records with the “From” value that match and for non managed users the link is to auditing records with the “To” value that match.

Managed participants are determined by Auditing record, if a user appears in “From” value and the activity type is Audio than the user is managed.

Sample of Meeting record

Video and Share screen

Video and screen sharing are being copied from Auditing to eDiscovery when allowed.

Participants list contains all the user in the meeting while screen sharing or video events occurred.

Sample of Screen Sharing record

External Meetings

SphereShield eDiscovery can also capture communications from meetings that are hosted externally even if the domains are not federated.

 

Identifying and handling meeting and recurring meetings

Each meeting contains multiple calls.

A meeting is identified by meeting-ID

A call is identified by call-ID

 

Each session has meeting id and call id, so each call has a separate session in the eDiscovery DB

 

Recurring meetings are in fact the same meeting with multiple calls done every week.