Reclassifying Items Returned as Unable to Classify
If an item is returned from Metalogix Sensitive Content Manager with a Classification of 'Unable to Classify,' it means that the service detected "probable" sensitive content but was unable to classify it definitively as sensitive content. You can, however, review the file and apply a classification manually before applying a Compliance Action to the scan job.
If you want an action to be taken on any items that were returned by Metalogix Sensitive Content Manager as 'Unable to Classify,' you must reclassify them before applying Compliance Actions to the scan job.
To reclassify items returned as 'Unable to Classify':
1From the Detailed Security Classification Analysis page, select the Unable to Classify tab.
2Select the item(s) to which you want to apply a a particular classification.
NOTE: If you want to review the contents of an item before assigning a classification, click the URL link to open the item.
3Select a classification from the drop-down, then click [Reclassify].
You will be prompted to confirm the action before continuing.
CAUTION: Once you reclassify an item, the drop-down becomes disabled and the item cannot be reclassified again. If Compliance Actions have already been applied to the scan job containing the item(s), the Reclassify option will no longer appear on the page.
Once an item has been reclassified:
·it will be moved to the appropriate tab for the classification
AND
·the classification change(s) will be reflected on the Compliance Summary page.
Managing Quarantined Items
If you are a member of the ControlPoint Quarantine Administrators group, you can manage items that have been quarantined as a result of a Compliance Action. When an item is quarantined, it remains in the same location in the SharePoint list, but all permissionsexcept those of ControlPoint Quarantine Administratorsare removed.
Currently, members of the Quarantine Administators group must
§be a Site Collection Administrator for each site collection containing quarantined content (in order to invoke the Manage Quarantine Documents page from the SharePoint Hierarchy)
OR
§also be a member of the Compliance Administrators Group.
To manage quarantined items:
1Use the information in the following table to determine the appropriate action to take.
|
If you are starting from ... |
Then ... |
|---|---|
|
the SharePoint Hierarchy |
a)Select the object(s) containing the quarantined items you want to manage. b)Choose Compliance > Manage Quarantined Documents. |
|
a)Make sure the Compliance Action jobs radio button is selected. b)Select the Scan job containing the quarantined items you want to manage. c)Click [Manage Quarantined Items]. |
2Select the quarantined item(s) you want to act on.
3If you want to review the content of a quarantined item before taking an action, click the Document link in the View column.
Now you can either:
·remove the item from quarantine
NOTE: When you remove an item from quarantine, it is restored in its original location with the same permissions it had before it was quarantined.
OR
·permanently delete the file(s).
Analyzing Scanned Files
The Scanned Files by Search Term and Scanned Files by Scope analyses let you view all of the files that have been analyzed by SCM for sensitive content over a specified date range.
To generate a Scanned Files analysis:
1Select the object(s) you want to include in your analysis.
2Select the appropriate option, based on how you would like to have results grouped:
§Compliance > Scanned files by Scope
OR
§Compliance >Scanned files by Search terms.
3Specify the parameters for your analysis.
|
IMPORTANT: §Currently, you can only Filter by Search Terms if you enter enter one complete search term (that is, you cannot filter by multiple or partial search terms). If you leave the Filter by Search Terms field blank, all search terms within the scope of your analysis will be included. §If the Use cached data box is checked, results will include only files within the scope of your analysis that have been scanned. If this box is not checked (that is, the analysis is run on real-time data), results will also include items within the scope of your analysis that have not been scanned. |
|---|
Now you can either:
·run the operation immediately (by clicking the [Run Now] button)
OR
·schedule the operation to run at a later time or on a recurring basis.
OR
·save the operation as XML Instructions that can be executed at a later time.
If you chose to run the analysis on cached data, all of the files that have been scanned by Sensitive Content Manager within the specified date range are listed, grouped either by scope or search term (depending on the analysis selected).
If you ran the analysis on real-time data, results will also include items within the scope of your analysis that were Not Scanned.
Using ControlPoint Sentinel to Detect Anomalous Activity
ControlPoint Sentinel functionality enables you to detect deviations in document views and downloads from individual users' "typical" daily usage patterns. ControlPoint Sentinel uses the following components in its anomalous activity determinations:
·Business Hours: Daily start and end time for each day of the work week.
·The following Anomalous Activity Limits:
§Default daily activity limits: The limits for each (measured in terms of document views and downloads) to apply to any user whose personal activity limits have not yet been characterized.
§Personal daily activity limits: The deviation from "typical" daily usage patterns characterized for each individual user on a given day of the week.
ControlPoint Sentinel relies on SharePoint Audit Log events. Therefore, for this functionality to be effective, the auditing of Delete, Edit, and View/Download must be enabled for every site collection for which you want to collect activity data.