Chat now with support
Chat with Support

Metalogix ControlPoint 8.1 - for Office 365 User Guide

Getting Started with ControlPoint Searching for SharePoint Sites Managing SharePoint Objects Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity About Us

Preparing Your Environment for Using ControlPoint Sentinel

Before ControlPoint Sentinel can begin collecting data for Anomalous Activity Detection:

A.SharePoint auditing must be enabled on all site collections for which Anomalous Activity detection will be performed.

B.Anomalous Activity Detection must be enabled to run:

§via the ControlPoint Anomalous Activity Detection job


§as part of the ControlPoint Scheduler Job..

Enabling SharePoint Auditing

ControlPoint Sentinel analyzes the following SharePoint audit log events for Anomalous Activity Detection:

·Editing items

·Deleting or restoring items

·Opening or downloading documents, viewing items in lists, or viewing item properties.

You can enable these settings for individual site collections from within SharePoint.

Enabling the Anomalous Activity Detection Job

1From the Manage ControlPoint tree choose Schedule Management and Logging > Schedule Monitor.

2Choose Switch Monitor Views > Windows Jobs.

3Click the Edit icon (Edit icon 2) to the left of the AnomalousActivityDetectionJob.

Enable Anomalous Activity Job O365

4Check the Active box.

Enable Anomalousus Activity Job O365 2

By default, the job is scheduled to run daily, at 4:00 am (local server time).  You may however, change the schedule to run more frequently.  Note that, the more frequently the job is run, the sooner an alert may be generated when an Anomalous Activity Limit is reached.

Enabling Anomalous Activity Detection via the ControlPoint Scheduled Job Review

As an alternative to using the Anomalous Activity Detection Job, you can choose to have anomalous activity detection performed as part of the ControlPoint Scheduler Job. (which, by default, runs every 10 minutes).  ControlPoint Application Administrators can enable this option by changing the ControlPoint Configuration Setting Enable Options That Require Anomalous Activity Detection from False to True.


Refer to the ControlPoint Administration Guide for more detail on modifying ControlPoint Configuration Settings.

Reporting Anomalous Activity

The ControlPoint Sentinel Report lets you view anomalous activity events for which an Alert has been specified on the Sentinel Setup - Anomalous Activity Rules page.  You can also filter results by user and/or date range.

To report anomalous activity:

1From the Manage ControlPoint tree choose ControlPoint Sentinel > Sentinel Report.

2If you want to narrow your results, enter one or more user(s) in the People Picker and/or enter a date range.

NOTE:  If you leave the From and To Dates blank, all available results will be returned.

Sentinel Report

The tiles at the top of the report highlight the following statistics:

·The Total Number of Anomalous Activities Detected

·The number of High Risk Events as characterized by ControlPoint Sentinel

·The Number of Users with anomalous activity

·The Security Risk Score (which is derived by the Severity of each activity within the date range covered by the report)

For each anomalous event detected, report detail displays:

·the Event Time (that is, the date and the time when the ControlPoint Anomalous Activity Detection Job captured the event)

·the User whose activity triggered the anomalous activity detection alert

·the Event Severity (as defined on the Sentinel Setup - Anomalous Activity Limits page)

·the Triggering Activity Level that resulted in the anomalous activity detection alert:

§for Default daily activity, activity above the specified limit for the Event Severity

§for Personal daily activity, the amount of activity for the Event Severity to which the specified deviations above from the user's "typical" usage pattern have been applied.

·the Expected Activity Level:

§for Default daily activity, the specified limit for the Event Severity

§for Personal daily activity, "typical" usage pattern as calculated by ControlPoint Sentinel

·the Delta Activity Level (that is, the difference between Triggering Activity Level and the Expected Activity Level).

To view detailed audit log data for a user:

Click the User link to generate a ControlPoint Audit Log analysis.

About Us

We are more than just a name

We are on a quest to make your information technology work harder for you. That is why we build community-driven software solutions that help you spend less time on IT administration and more time on business innovation. We help you modernize your data center, get you to the cloud quicker and provide the expertise, security and accessibility you need to grow your data-driven business. Combined with Quest’s invitation to the global community to be a part of its innovation, and our firm commitment to ensuring customer satisfaction, we continue to deliver solutions that have a real impact on our customers today and leave a legacy we are proud of. We are challenging the status quo by transforming into a new software company. And as your partner, we work tirelessly to make sure your information technology is designed for you and by you. This is our mission, and we are in this together. Welcome to a new Quest. You are invited to Join the Innovation™.

Our brand, our vision. Together.

Our  logo reflects our story: innovation, community and support. An important part of this story begins with the letter Q. It is a perfect circle, representing our commitment to technological precision and strength.   The space in the Q itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.

Contacting Quest

For sales or other inquiries, visit

Related Documents