Chat now with support
Chat with Support

Metalogix ControlPoint 8.1 - for Office 365 User Guide

Getting Started with ControlPoint Searching for SharePoint Sites Managing SharePoint Objects Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity About Us

Reclassifying Items Returned as Unable to Classify

If an item is returned from Metalogix Sensitive Content Manager with a Classification of 'Unable to Classify,' it means that the service detected "probable" sensitive content but was unable to classify it definitively as sensitive content. You can, however, review the file and apply a classification manually before applying a Compliance Action to the scan job.

If you want an action to be taken on any items that were returned by Metalogix Sensitive Content Manager as 'Unable to Classify,' you must reclassify them before applying Compliance Actions to the scan job.

To reclassify items returned as 'Unable to Classify':

1From the Detailed Security Classification Analysis page, select the Unable to Classify tab.

2Select the item(s) to which you want to apply a a particular classification.

PII Unable to Classify SELECTION

NOTE:  If you want to review the contents of an item before assigning a classification, click the URL link to open the item.

3Select a classification from the drop-down, then click [Reclassify].

Unable to Classify RECLASSIFY

You will be prompted to confirm the action before continuing.

CAUTION:  Once you reclassify an item, the drop-down becomes disabled and the item cannot be reclassified again.  If Compliance Actions have already been applied to the scan job containing the item(s), the Reclassify option will no longer appear on the page.

Once an item has been reclassified:

·it will be moved to the appropriate tab for the classification


·the classification change(s) will be reflected on the Compliance Summary page.

Managing Quarantined Items

If you are a member of the ControlPoint Quarantine Administrators group, you can manage items that have been quarantined as a result of a Compliance Action.  When an item is quarantined, it remains in the same location in the SharePoint list, but all permissions—except those of ControlPoint Quarantine Administrators—are removed.

Currently, members of the Quarantine Administators group must

§be a Site Collection Administrator for each site collection containing quarantined content (in order to invoke the Manage Quarantine Documents page from the SharePoint Hierarchy)


§also be a member of the Compliance Administrators Group.

To manage quarantined items:

1Use the information in the following table to determine the appropriate action to take.

If you are starting from ...

Then ...

the SharePoint Hierarchy

a)Select the object(s) containing the quarantined items you want to manage.

b)Choose Compliance > Manage Quarantined Documents.

the Compliance Summary page

a)Make sure the Compliance Action jobs radio button is selected.

b)Select the Scan job containing the quarantined items you want to manage.

c)Click [Manage Quarantined Items].

Manage Quarantined Items

2Select the quarantined item(s) you want to act on.

Manage Quarantined Document

3If you want to review the content of a quarantined item before taking an action, click the Document link in the View column.

Now you can either:

·remove the item from quarantine

NOTE:  When you remove an item from quarantine, it is restored in its original location with the same permissions it had before it was quarantined.


·permanently delete the file(s).

Analyzing Scanned Files

The Scanned Files by Search Term and Scanned Files by Scope analyses let you view all of the files that have been analyzed by SCM for sensitive content over a specified date range.

To generate a Scanned Files analysis:

1Select the object(s) you want to include in your analysis.

2Select the appropriate option, based on how you would like to have results grouped:

§Compliance > Scanned files by Scope


§Compliance >Scanned files by Search terms.

3Specify the parameters for your analysis.


§Currently, you can only Filter by Search Terms if you enter enter one complete search term (that is, you cannot filter by multiple or partial search terms).

Filter by Search Term

If you leave the Filter by Search Terms field blank, all search terms within the scope of your analysis will be included.

§If the Use cached data box is checked, results will include only files within the scope of your analysis that have been scanned.  If this box is not checked (that is, the analysis is run on real-time data), results will also include items within the scope of your analysis that have not been scanned.

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)


·schedule the operation to run at a later time or on a recurring basis.


·save the operation as XML Instructions that can be executed at a later time.

If you chose to run the analysis on cached data, all of the files that have been scanned by Sensitive Content Manager within the specified date range are listed, grouped either by scope or search term (depending on the analysis selected).

Scanned Files by Search Term CACHED

Scanned Files by Scope CACHED

If you ran the analysis on real-time data, results will also include items within the scope of your analysis that were Not Scanned.

Scanned Files by Search Term NOT SCANNED

Scanned Files by Scope NOT SCANNED

Using ControlPoint Sentinel to Detect Anomalous Activity

ControlPoint Sentinel functionality enables you to detect deviations in document views and downloads from individual users' "typical" daily usage patterns.  ControlPoint Sentinel uses the following components in its anomalous activity determinations:

·Business Hours: Daily start and end time for each day of the work week.  

·The following Anomalous Activity Limits:

§Default daily activity limits: The limits for each (measured in terms of document views and downloads) to apply to any user whose personal activity limits have not yet been characterized.

§Personal daily activity limits:  The deviation from "typical" daily usage patterns characterized for each individual user on a given day of the week.

ControlPoint Sentinel relies on SharePoint Audit Log events.  Therefore, for this functionality to be effective, the auditing of Delete, Edit, and View/Download must be enabled for every site collection for which you want to collect activity data.

Related Documents