ControlPoint Sentinel functionality enables you to detect deviations in document views and downloads from individual users' "typical" daily usage patterns. ControlPoint Sentinel uses the following components in its anomalous activity determinations:
· Business Hours: Daily start and end time for each day of the work week.
· The following Anomalous Activity Limits:
  § Default daily activity limits: The limits for each level (measured in terms of document views and downloads) that apply to any user whose personal activity limits have not yet been characterized.
  § Personal daily activity limits: The deviation from "typical" daily usage patterns characterized for each individual user on a given day of the week.
ControlPoint Sentinel relies on SharePoint Audit Log events. Therefore, for this functionality to be effective, the auditing of Delete, Edit, and View/Download must be enabled for every site collection for which you want to collect activity data.
NOTE: Before ControlPoint Sentinel can be used, the ControlPoint Application Administrator must prepare the environment. Refer to the ControlPoint for Microsoft 365 Administration Guide for details.
Anomalous activity limits are set based on the statistical analysis of how often each user views and downloads documents. The personal daily activity limits used by ControlPoint Sentinel are defined in terms of standard deviations above the mean or average observed over a period of time (currently, 12 days worth of observations for each day of the week).
Standard deviation is a statistical measure of the variation within a set of data values. Two users may have the same average number of document views and downloads per day, but their standard deviation, that is, the variation in the number of documents they view and download on any given day, can be very different. If a user consistently views and downloads roughly the same number of documents every day, their standard deviation will be low. If a user is more erratic in the number of documents they view or download in a day (for example, sometimes viewing or downloading no documents, sometimes one or two, sometimes 30 or 40), their standard deviation will be high. By using an individual user's standard deviation to define the limits for anomalous activity, the limits are tailored to each user's usage pattern.
Using the user's standard deviation, we can determine how likely it is that the user would view or download a particular number of documents in a day. When looking for anomalous activity, we are looking for activity that is not very likely, that should happen much less than 1% of the time. For highly anomalous activity, we are looking for activity that should happen a very small fraction of a percent of the time.
The first step in Sentinel Setup is to define Business Hours, so that Anomalous Activity Limits can be defined differently for both business and non-business hours. For example, you may want to specify a lower limit for non-business hours, when typical activity is expected to be lower.
Note that Business Hours reflect the local time of the server on which SharePoint is installed.
To define business and non-business hours for anomalous activity detection:
1. From the Manage ControlPoint tree, choose ControlPoint Sentinel > Sentinel Setup.
2. On the Sentinel Setup page, make sure the Business Hours tab is selected.
3. For each day that you want activity data to be collected, select the start and end time that represent the standard work hours for that particular day, and make sure the Work Day box is checked.
4. For each non-work day, uncheck the Work Day box.
   NOTE: When the Work Day box is unchecked, activity data will not be collected for that day. Start and end times are irrelevant and will be cleared when you save the setup.
5. When you have finished defining business and non-business hours, click [Save Setup].
You can define two types of anomalous activity limits:
· Default daily activity limits, which are used for all users until personal user limits have been characterized.
· Personal daily activity limits, which are used as soon as a user's personal activity limits have been characterized.
NOTE: For each day of the week, personal user limits replace default daily limits after 12 days worth of observations by the Anomalous Activity Detection Job.
To access the Anomalous Activity Limits page:
From the Sentinel Setup page, select the Anomalous Activity Limits tab.
Defining Default Daily Activity Limits
Default Daily Activity Limits are expressed in terms of the number of "typical" views and downloads. Because they apply to all users until personal user limits have been characterized, it is recommended that you enter limits that would be considered typical and anomalous for any SharePoint user in your organization. For example, 100 document views and downloads per day may take into account "typical" daily activity for your most active users without being an alarmingly high number for less active users. Double that number may be considered moderately anomalous, while triple that number may be considered highly anomalous.
NOTE: If you do not want ControlPoint Sentinel to track Default Daily Activity Limits, leave the limit fields set to 0.
Defining Personal Daily Activity Limits
The following table shows the percentage of values that fall above the mean by the given number of standard deviations.
Standard Deviations (σ) Above the Mean | Percentage (%) of Values Above the Standard Deviations from the Mean
1σ | 15.86553%
2σ | 2.275013%
3σ | 0.13499%
4σ | 0.003167%
5σ | 0.000028665%
6σ | 0.00000009865%
7σ | 0.000000000128%
It is recommended that you:
· Set the Typical daily activity limit to 3 standard deviations above the mean.
  A user could exceed this limit once every two years. This is not cause for concern, but if it happens more frequently than that it may warrant investigation.
· Set the Moderately anomalous activity limit to 5 standard deviations above the mean.
  A user could exceed this limit once in about 10,000 years. This is an indication of anomalous activity that should be investigated immediately.
· Set the Highly anomalous activity limit to 7 standard deviations above the mean.
  This level of activity is very, very unlikely and should be acted upon immediately.
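The following Python script is an added illustration of the mean-plus-k-sigma scheme described above (the standard deviation explanation, the tail-percentage table, and the 3σ/5σ/7σ recommendations); it is not ControlPoint Sentinel's own code. It assumes the sample standard deviation is used, that a day is flagged when its count exceeds a limit, that the default limits are the example figures from the text (100, 200 and 300), and that the per-user history below is constructed sample data. It also computes the tail percentages and the "once every two years" style figures from the normal distribution so the reader can see where the recommendations come from.

```python
"""Per-user anomalous-activity limits from daily view/download counts.

Added illustration of the mean + k*sigma scheme the page describes; it is
not ControlPoint Sentinel's own code.  Assumptions: sample standard deviation,
a day is flagged when its count exceeds the limit, and the default limits are
the example figures from the text (100 / 200 / 300).
"""
import math
from statistics import mean, stdev

OBSERVATIONS_NEEDED = 12   # observations per weekday before personal limits apply (from the page)
SIGMA_MULTIPLIERS = {"typical": 3, "moderately anomalous": 5, "highly anomalous": 7}
DEFAULT_LIMITS = {"typical": 100, "moderately anomalous": 200, "highly anomalous": 300}

# Constructed history: (user, weekday, document views + downloads that day).
# alice has the 12 Monday observations needed; bob has only three so far.
HISTORY = [("alice", "Mon", n) for n in (18, 22, 20, 19, 21, 23, 17, 20, 22, 18, 21, 19)]
HISTORY += [("bob", "Mon", n) for n in (5, 40, 0)]


def upper_tail_percent(k):
    """Percentage of a normal distribution lying more than k sigma above the
    mean (reproduces the page's table, e.g. 3 sigma -> 0.13499 %)."""
    return 100 * 0.5 * math.erfc(k / math.sqrt(2))


def years_between_exceedances(k):
    """Expected years between days on which a normally distributed daily count
    exceeds mean + k sigma, with one observation per day."""
    daily_probability = upper_tail_percent(k) / 100
    return 1 / daily_probability / 365.25


def personal_limits(counts):
    """mean + k*sigma limits for one user and weekday, or None when fewer than
    OBSERVATIONS_NEEDED samples are available (the user is not yet characterized)."""
    if len(counts) < OBSERVATIONS_NEEDED:
        return None
    mu, sigma = mean(counts), stdev(counts)   # assumption: sample standard deviation
    return {label: mu + k * sigma for label, k in SIGMA_MULTIPLIERS.items()}


def limits_for(user, weekday, history=HISTORY):
    """Personal limits once characterized, otherwise the default daily limits."""
    counts = [n for u, d, n in history if u == user and d == weekday]
    return personal_limits(counts) or DEFAULT_LIMITS


def classify(count, limits):
    """Label the day by the highest limit its count exceeds."""
    if count > limits["highly anomalous"]:
        return "highly anomalous"
    if count > limits["moderately anomalous"]:
        return "moderately anomalous"
    if count > limits["typical"]:
        return "above typical"
    return "typical"


def assess(user, weekday, count, history=HISTORY):
    """Classify one day's count for a user against whichever limits apply."""
    return classify(count, limits_for(user, weekday, history))


if __name__ == "__main__":
    for k in (1, 3, 5, 7):
        print(f"{k} sigma: {upper_tail_percent(k):.12f}% of days, "
              f"roughly one exceedance per {years_between_exceedances(k):,.0f} years")
    print("alice Mon limits:", limits_for("alice", "Mon"))
    print("alice Mon, 31 views/downloads:", assess("alice", "Mon", 31))
    print("bob   Mon, 150 views/downloads:", assess("bob", "Mon", 150))
```

Running the script prints the tail percentages from the table, the personal limits derived for alice (about 25.6, 29.3 and 33.0 for a mean of 20), and shows bob still being measured against the default limits because fewer than 12 Monday observations exist for him. Note that alice's 7σ limit is only 33 views, so a single day that would be unremarkable for a heavy user is highly anomalous for her; that per-user tailoring is the point of using the individual standard deviation.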