By default, unless one or more users are specified in the People Picker, all SharePoint users are included in the ControlPoint Audit Log analysis.
ControlPoint Application Administrators can, however, exclude certain users from these analyses by entering the user account name(s) as the Value for the ControlPoint Configuration Setting Users to Exclude from Audit Log Analyses (ExcludedUsersAudit). Enter multiple account names as a comma-separated list.
You may, for example, want to exclude common system accounts such as SharePoint\System.
NOTE: You must exclude users based on full account names (sometimes known as pre-Windows 2000 account names in Active Directory), not display names. For example, you cannot exclude system accounts by entering the display name System Account.
Note that you can still run Audit Log analyses on excluded users if you enter them in the People Picker.
NOTE: Users can be excluded from permissions and activity analyses via the ControlPoint Configuration Setting Users to Exclude from Reports (EXCLUDEDUSERS).
By default, ControlPoint Audit Log analysis results include name of the Site on which audited activity occurred. The process required for ControlPoint to collect this information is time-consuming and may affect performance, especially if the scope of the analysis is large.
ControlPoint Application Administrators can, however, prevent this process from being carried out by changing the ControlPoint Configuration Setting PROCESSAUDITNAMES from True to False.
Note that, if PROCESSAUDITNAMES is set to false, you can use the url to identify the site where audited activity occurred.
ControlPoint Sentinel Anomalous Activity Detection settings display under the category Audit Log:
These configuration settings display in the ControlPoint Settings list under the category Business Administrators Functionality.