eDiscovery - How it works

- 1.1 General
- 1.2 Notes
- 1.3 CasbAdapter ApplicationSettings.config
- 1.4 eDiscovery data fields
2 Proxy
- 2.1 Meeting and group chat
- 2.2 Sample of Meeting record
- 2.3 Video and Share screen
- 2.4 Sample of Screen Sharing record
3 API
- 3.1 Sample of meeting recording
- 3.2 Sample of meeting Chat
- 3.3 Sample of regular P2P chat
- 3.4 External Meetings
- 3.5 Identifying and handling meeting and recurring meetings
- 3.6 Cases inspection

General

eDiscovery receives info from 2 components:

API - Chat, Files, participants and recordings.
Proxy - Meeting info and activity of Audio, Video ,Desktop sharing and participants. This info is stored in Activity Auditing and is copied by the MNTS to the eDiscovery.

Notes

Audio Video means the activity that was done without the content. Chat and files include the content
If Audio/Video content is needed- you must deploy recording management
To get all type of content - both proxy and API are required

CasbAdapter ApplicationSettings.config

InitializeMessagingBL - true
EnableFetchingMessages - true
DataProcessingEnabled - true
EnableFetchingMemberships - true
GraphPaymentModel - A
PollingUsersMessages - false
pollingChatMessagesEnable - true
pollingChannelsMessagesEnable - false
EnableFetchingSharePointSites - true

eDiscovery data fields

Conversation Type - Message , File , Audio, Video , info (for auditing), Screen Sharing, unknown. Also Channel, Meeting for backwards computability

Conversation scope - Meeting, Channel, Chat, Group chat, Call, Space, Direct, Space Meeting.

Note: In Webex - Meeting refers to Schedule Meeting. Meeting started from a space refers to Space Meeting.

Data Source - All, Teams, Exchange, Skype for Business, OneDrive or SharePoint, OneDrive, SharePoint, Webex Teams, Webex Meeting, zoom, Slack, RingCentral, Audio Code. P2P, conference for backwards computability

Proxy

Meeting and group chat

Participants list includes link to Auditing. For a managed user the link is to the auditing records with the “From” value that match and for non managed users the link is to auditing records with the “To” value that match.

Managed participants are determined by Auditing record, if a user appears in “From” value and the activity type is Audio than the user is managed.

Sample of Meeting record

Video and Share screen

Video and screen sharing are being copied from Auditing to eDiscovery when allowed.

Participants list contains all the user in the meeting while screen sharing or video events occurred.

Sample of Screen Sharing record

API

Sample of meeting recording

Sample of meeting Chat

Sample of regular P2P chat

External Meetings

SphereShield eDiscovery can also capture communications from meetings that are hosted externally even if the domains are not federated.

Identifying and handling meeting and recurring meetings

Each meeting contains multiple calls.

A meeting is identified by meeting-ID

A call is identified by call-ID

Each session has meeting id and call id, so each call has a separate session in the eDiscovery DB

Recurring meetings are in fact the same meeting with multiple calls done every week.

Cases inspection

The whole flow is a part of messaging BL including getting data from DB and updating it.

The BL calls each application e.g. Webex to call its API and to fil the MESSAGING_QUEUE table.

After the application inserts to MESSAGING_QUEUE, the BL continues its processing including sending the email at the end

For more information:
eDiscovery Cases - How it works

https://agatsoftware.atlassian.net/wiki/spaces/SKYP/pages/3449061398