Setting Sensitive Content Manager End Points and Managing Scanning Preferences
ControlPoint Application Administrators use the ControlPoint Sensitive Content Manager Configuration dialog to set EndPoints to point to the server(s) on which Sensitive Content Manager is configured. Members of the Compliance Administrators group can also test the availability of each EndPoint and change default preferences for scanning content.
NOTE: ControlPoint Application Administrators can also configure EndPoints individually and update other configuration settings via ControlPoint Configuration Settings - Compliance settings.
To launch the ControlPoint Sensitive Content Manager Configuration dialog:
From the left navigation Manage tab, choose Compliance > Sensitive Content Configuration Maintenance.
Setting EndPoints
The Value of each Sensitive Content Manager EndPoint must be set to point to the server(s) on which Sensitive Content Manager is configured your environment. Use the information in the following table for guidance.
|
Endpoint |
Description |
Value |
|---|---|---|
|
Sensitive Content Manager Upload EndPoint |
The URL for the Sensitive Content Manager for sending files. This corresponds to the File Upload URL specified at the time Sensitive Content Manager was installed. |
http://<server.domain> (or if installed on multiple servers: |
|
Sensitive Content Manager Results EndPoint |
The URL for the Sensitive Content Manager service for retrieving files job results. This corresponds to the Results Service URL specified at the time Sensitive Content Manager was installed. |
http://<server.domain> (or if installed on multiple servers: |
|
Sensitive Content Manager Profile EndPoint |
The URL for the Sensitive Manager service for retrieving profiles. This corresponds to the Profile Service URL specified at the time Sensitive Content Manager was installed. |
http://<server.domain> (or if installed on multiple servers: |
|
Sensitive Content Manager Search Terms |
The URL for the Sensitive Content Manager service for retrieving rules used to identify a specific kind of sensitive content. This corresponds to the Subquestion Service URL specified at the time Sensitive Content Manager was installed. |
http://<server.domain> (or if installed on multiple servers: |
When you have finished setting EndPoints, click [Update].
Testing Availability of EndPoints, File Upload, and Results
From the EndPoint Testing tab, you can test the availability of each endpoint that you set, as well as whether files can be uploaded to/received from Metalogix Sensitive Content Manager.
If you click a [Test EndPoint] button and the status returns as Unavailable, make sure that the URL is correct and that the service is available on the Metalogix Sensitive Content Manager server side.
If you click [Test File Upload], ControlPoint will send a sample file to Metalogix Sensitive Content Manager, and will display a log of the action. If you then click [Test File Results], ControlPoint will log the progress of the file's return.
Managing Scanning Preferences
ControlPoint can create columns called Scan Results and/or Terms Detected. Each time a scan is performed, the Severity Level is populated for the scanned item.
ControlPoint Application Administrators can allow this column to be created/populated by changing the value(s) of Automatically add Scan File Results column and update with severity level in SharePoint Lists and/or Automatically Add Terms Detected column and update with severity level in SharePoint Lists from false to true.
Preparing Your Environment for Using ControlPoint Sentinel
If you want to use ControlPoint Sentinel for anomalous activity detention, you must prepare your environment so that data collection can begin.
A.SharePoint auditing must be enabled on all site collections for which Anomalous Activity detection will be performed.
B.Anomalous Activity Detection must be enabled to run:
§via the Windows AnomaloousActivityJob scheduled task
OR
§as part of the ControlPoint Scheduled Job Review.
Enabling SharePoint Auditing
ControlPoint Sentinel analyzes the following SharePoint audit log events for Anomalous Activity Detection:
·Editing items
·Deleting or restoring items
·Opening or downloading documents, viewing items in lists, or viewing item properties.
You can enable these settings for individual site collections from within SharePoint or, for a larger scope, using the ControlPoint Manage Audit Settings action.
Enabling the Anomalous Activity Detection Job
1Log into the server where ControlPoint Online is installed and open the Windows Task Scheduler.
2Navigate to Task Scheduler Library/Metalogix/ControlPoint Online.
3Right-click on AnomalousActivityJob and choose Enable.
By default, the job is scheduled to run daily, at 4:00 am (local server time). You may however, change the schedule to run more frequently. Note that, the more frequently the job is run, the sooner an alert may be generated when an Anomalous Activity Limit is reached.
Enabling Anomalous Activity Detection via the ControlPoint Scheduled Job Review
As an alternative to using the Anomalous Activity Detection Job, you can choose to have anomalous activity detection performed as part of the ControlPoint Scheduler Job. (which, by default, runs every 10 minutes). ControlPoint Application Administrators can enable this option by changing the ControlPoint Configuration Setting Enable Options That Require Anomalous Activity Detection from False to True.
Registering and Re-registering the ControlPoint Online App for Modern Authentication
As the last stage of the ControlPoint Online configuration process, the ControlPoint Online app must be registered in the Azure Active Directory to allow Modern Authentication.
The app can also be registered after the installation, as a separate action, if you launch ControlPoint Online Configuration. However, ControlPoint Online cannot be run until the app is registered.
If you do choose to perform this action at later time, you will be prompted to complete the SharePoint online account validation dialog and authenticate using the Office 365 account used at the time ControlPoint was installed (which must be a Global Administrator for the tenant).
NOTE: Once the ControlPoint Online app is registered, it is only necessary to re-register it to change the tenant administrator and/or SSL certificate. Re-registering essentially deletes the existing registration and replaces it with a new one.
To register the ControlPoint Online app in Azure Active Directory:
1.Select the SSL certificate that will allow ControlPoint users to authenticate with Microsoft, using one of the options described in the following table.
NOTE: To allow Microsoft Modern Authentication to be used by all users, the certificate must be located in the Trusted Root store. The Personal store of the ControlPoint installation account cannot be used. You can use the same certificate that you used for IIS Configuration, but a copy must be located in the Root store.
|
If you want to ... |
Then ... |
|---|---|
|
use an existing certificate |
·For the Store Name, make sure Root is selected from the drop-down. The Use Existing Certificate drop-down will be populated with available certificates in the selected store. ·Make sure Use Existing Certificate is selected, then select a certificate from the drop-down. NOTE: If the ControlPoint Installer cannot find a Certificate in the Store, this option will be disabled. |
|
create a new self-signed certificate (default option) |
Select Create new Self Signed Certificate, and enter a Certificate Name. The ControlPoint installer will create a .crt certificate file in the local machine Root store. IMPORTANT: Unlike a .pfx certificate file, which contains a private key, a .crt certificate file is less secure and will not be listed in the Certificate Manager in IIS. |
3Click [Register].
You will be prompted to accept Terms of Use, which grants ControlPoint Online permissions to access and operate on SharePoint Online data. When registration is complete, you can close the browser. The ControlPoint Installer will close automatically.
To re-register the ControlPoint Online app:
1.On the Azure AD Application Registration dialog, click [Registration].
2.Check the Re-Register Application box.
3.Specify a different tenant administrator and/or certificate as described in the procedure "To register the controlPoint Online app in Azure Active Directory."
Running ControlPoint Online Operations Using PowerShell
For any ControlPoint Online operation that includes the Save As option, which generates an xml file with instructions, you can run that operation using PowerShell.
NOTE: Currently, you can only run instructions for analyses using real-time (not cached) data.
Account Login Requirements
You can run ControlPoint Online actions in PowerShell from the server on which ControlPoint Online is installed. The account you use to log into the server machine must be a Site Collection Administrator for the site collections for the scope of the operation being performed.
Before You Begin: Update the App.config File
1Open the file App.config (by default, located in the folder \\Program Files\Metalogix\ControlPoint Online\Powershell).
2Locate the <endpoint address = line, and change http://SMALLTEMPLATE:2828 to the path to the ControlPoint Online application in your environment.
