On This Page
Overview
The DryvIQ Persistent Label Classifier allows you to apply labels to files that become part of the file and persist with the file through version changes or even migration. The solution has two parts:
The DryvIQ Persistent Label Classifier application: This desktop application is a separate service that runs outside of your DryvIQ Platform. It allows you to manually assign classification labels to files on your Windows NTFS.
DryvIQ Govern Persistent Classifier Extension: This extension allows you to create Govern policies that set labels for files or that identifies files that have been labeled.
The labels can be detected by DryvIQ Discover and are accessible to other tools. For example, you can perform an Intelligent Migration of all files with a particular label, or you can use your existing Data Loss Prevention system (DLP) to restrict action on a file with a specific label.
Prerequisite
Before you begin installation for the DryvIQ Persistent Label Classifier, you must ensure you have .NET 7.0 SDK installed on the machine where you will be installing the Persistent Label Classifier application. If you do not have .NET 7.0 SDK installed, you will be prompted to download it when you attempt to use the DryvIQ Persistent Label Classifier Windows application. You can proceed with installing .NET 7.0 SDK once the download completes.
Installing the Persistent Classifier Extension
The Persistent Classifier extension adds the Persistent Label Classifier entity type and Persistent Label policy action to your DryvIQ Platform instance. This allows you to use the Persistent Label Classifier in your DryvIQ Govern Policies or Discover scans. You will need to ensure you have the latest extension. For new DryvIQ deployments, the extension can be added to your extensions.zip file with the other DryvIQ extensions that need to be installed. If needed, the extension can be added to an existing DryvIQ instance. Refer to the documentation page that pertains to your installation scenario.
DryvIQ will handle installing the extension to your DryvIQ instance if your instance is hosted in DryvIQ cloud or if your project is being managed by DryvIQ Professional Services.
Creating the Classifier Log Table
By default, the DryvIQ Persistent Label Classifier uses an Azure Storage Account table used to store logging for all label activity. You must create the table in your Azure storage account before installing the DryvIQ Persistent Label Classifier. Refer to Microsoft’s Create a table in the Azure portal documentation for instructions on how to create a table.
Generating the Log Table URL
Once you create the table, you need to generate a URL for the table by creating a Shared Access Signature (SAS). You will need this URL when installing the DryvIQ Persistent Label Classifier application. Use the information below to generate the SAS URL.
Go to the Azure Storage Account page where you created the logging table.
Click Security + networking.
Click Shared access signature.
Change the following settings:
Allowed services: Table
Allowed resource types: Object
Allowed permissions: Add
Start and Expiry times: Set to a sufficient expiration date; the URL will no longer work after this date.
Leave all other settings default.
Click Generate SAS and connection string.
Copy the Table service SAS URL and modify it so the logging table name is between the host and the query parameters. For example, a table named
mytable
in a storage account namedmystorageaccount
should have a URL that looks likehttps://mystorageaccount.table.core.windows.net/mytable?sv=2022-11-0...
Save the modified URL. You will need it during installation.
Understanding the Logging Table Columns
You will specify the SAS URL during DryvIQ Persistent Label Classifier installation. As part of the installation, DryvIQ will add the seven columns to the table. Refer to the list below for the column names and a brief description of the information that will be stored in each column.
file path: The absolute file path for the classified file.
classification level: The label (color) added to the file.
classified on: The timestamp for when the file was classified.
classified by: The user who added the label to the file.
classified on device: The hostname for the computer used to classify the file.
downgrade reason: The explanation added for why the file label was downgraded. (See Editing Labels below.)
message: Explanation of the operation performed on the file (such as “file classified”).
Installing the DryvIQ Persistent Label Classifier Application
The DryvIQ Persistent Label Classifier is a separate service that runs outside of your DryvIQ Platform. It allows you to manually assign classification labels to files on your Windows NTFS. Logging for all label activity is stored in the Azure storage account table you created. You will specify the URL for the table during installation. You need to install the application using the instructions below.
Verifying the Installer Properties
In some instances, Windows will flag an executable as "untrusted" and block it. If this happens with the installer, there will be issues with the installation. Therefore, before you begin, review the installer properties to verify the correct settings.
Right-click on the installer and click Properties.
Select Unblock.
Click Apply to apply the changes.
Click OK to close the modal.
Installing the Application
Right-click on the installer and select Run as administrator (or Install if you don’t have the Run as administrator option).
Click Next on the Welcome to the DryvIQ Persistent Label Classifier Wizard page.
You must accept the end-user license agreement to continue. Use the link provided to review the license agreement. Then, select the I accept the terms in the License Agreement box and click Next.
The Destination Folder page defaults to C:\Program Files\DryviqLabeler\ as the installation directory. Click Next to continue.
You are prompted for the log table URL. This is the URL for the Azure table you created in the Generating the Log Table URL section. Add the URL and click Next. (If you don’t have the URL, you can continue without entering the URL, but you will need to configure the log table URL before you can use the Persistent Label Classifier. See Configuring the Persistent Classifier Extension to add the log table URL after installation.)
Click Install on the Ready to Install DryvIQ Persistent Label Classifier page.
Click Yes if prompted to confirm you want to all the app to make changes to your device.
The installation begins.
You will see a Completed the DryvIQ Persistent Label Classifier Wizard page when the installation is complete. Click Finish to exit the installer.
Configuring the Persistent Classifier Extension
If you skipped adding the URL for the classifier table when you installed the application, you will need to configure the Persistent Classifier Extension to add the URL before you can use the feature. The URL identifies where the table used to store the labels is located. Yo cannot use the DryvIQ Persistent Label Classifier if you have not added the URL.
Click the Settings icon in the top-right corner of the DryvIQ menu bar.
Verify you are on the Extensions page.
Click the ellipses on the persistent-classifier tile.
Click Configure.
Enter the URL for the Azure Storage Account table you created. See Generating the Log Table URL for how to generate this URL.
Click Done to save the URL.
Manually Applying Labels
While the DryvIQ Persistent Label Classifier application can be used to label files, it cannot label folders or all files within a specific folder.
Right-click on the file or group of selected files you want to label.
Hover on Apply DryvIQ Label in the menu that displays.
Click the label you want to apply from the options that display.
Click OK to acknowledge the message that the label was successfully applied.
Reviewing File Labels
Right-click on the file.
Hover on Apply DryvIQ Label.
Click Show Info from the options that display.
DryvIQ displays the file name and path, label level, date and time stamp for when the label was applied, and the username for the user who applied the label.
Click OK to close.
Editing Labels
Right-click on the file or group of selected files you want to label.
Hover on Apply DryvIQ Label.
Click the label you want to apply from the options that display.
If you are downgrading a label, you are required to add a memo for the label change. This memo will be stored with the label information and can be pulled from the label table for reporting purposes as needed. Type the downgrade reason and click Proceed.
Click OK to acknowledge the message that the label was successfully applied.
Applying Labels Through Policy Actions
While desktop Persistent Label Classifier application only works on Windows, DryvIQ Govern can be used to apply labels to any Open XML file (.docx, .xlsx, and .pptx.) on other platforms (Box, Dropbox, etc.). Note that labeling a file through a Govern policy requires downloading and opening the file.
In DryvIQ Govern, create a policy and add the desired tracking groups.
Expand the Actions section for the tracking group.
Select DryvIQ Persistent Label.
Select the label you want to apply from the Label Level list. (Select the None option if you want to use the tracking group to remove existing labels from files that don’t need to be labeled.)
In Downgrade Reason, type the memo that should be added if the label on a file is downgraded through the action. Remember, this information is stored with the label data in the logging table.
Click Done to save the changes to the action configuration.
Click Apply changes to save the tracking group.
Reviewing Label Results
DryvIQ will log the label action in the Activity for the policy. You can review the action by viewing the file details on the Results page or by viewing the activity logged on the Activity page.
Finding Files with Labels
The DryvIQ Persistent Label Classifier entity Type will find files that have been labeled or that have a specific label. This allows you to locate labeled files so you can review them or have DryvIQ take action against them.
Using Third-Party Reporting Tools
Because the DryvIQ Persistent Label Classifier stores logging data in an Azure Storage Account table, you can use any existing reporting tools you own to create reporting on the labels. Simply point your reporting tools or a Data Loss Prevention system (DLP) to the logging table to generate any reports you need about your labeled content. Similarly, the DryvIQ label can be used by DLP products (for example, Microsoft Purview) to restrict actions on the file.