You can define two types of anomalous activity limits:
·Default daily activities, which are used for all users until personal user limits have been characterized.
·Personal daily activities, which are used as soon as a user's personal activity limits have been characterized.
NOTE: For each day of the week, personal user limits replace default daily limits after 12 days' worth of observations by the Anomalous Activity Detection Job.
To access the Anomalous Activity Limits page:
From the Sentinel Setup page, select the Anomalous Activity Limits tab.
Defining Default Daily Activity Limits
Default Daily Activity Limits are expressed in terms of the number of "typical" views and downloads. Because they apply to all users until personal user limits have been characterized, it is recommended that you enter limits that would be considered typical and anomalous for any SharePoint user in your organization. For example, 100 document views and downloads per day may take into account "typical" daily activity for your most active users without being an alarmingly high number for less active users. Double that number may be considered moderately anomalous, while triple that number may be considered highly anomalous.
NOTE: If you do not want ControlPoint Sentinel to track Default Daily Activity Limits, leave the limit fields set to 0.
Defining Personal Daily Activity Limits
The following table shows the percentage of values that fall around or above the mean in terms of the standard deviation.
Standard Deviations (σ) Above the Mean
Percentage (%) of Values Above the Standard Deviations from the Mean
It is recommended that you:
·Set the Typical daily activity limit to 3 standard deviations above the mean.
A user could exceed this limit once every two years. This is not cause for concern, but if it happens more frequently than that, it may warrant investigation.
·Set the Moderately anomalous activity limit to 5 standard deviations above the mean.
A user could exceed this limit once in about 10,000 years. This is an indication of anomalous activity that should be investigated immediately.
·Set the Highly anomalous activity limit to 7 standard deviations above the mean.
This level of activity is very, very unlikely and should be acted upon immediately.
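Added example (not ControlPoint code or output): how limits set at 3, 5 and 7 standard deviations above a user's mean compare with the default limits, and why 3σ and 5σ correspond to roughly two years and 10,000 years between exceedances. The normal-distribution model, the sample standard deviation, the function names and the sample counts are assumptions.

```python
import math
from statistics import mean, stdev

MIN_OBSERVATIONS = 12  # per weekday, from the NOTE on this page
SIGMAS = {"typical": 3, "moderately anomalous": 5, "highly anomalous": 7}
# Constructed defaults following the page's 100 / double / triple example.
DEFAULT_LIMITS = {"typical": 100, "moderately anomalous": 200,
                  "highly anomalous": 300}
# Constructed sample: 12 Mondays of views/downloads for a hypothetical user.
MONDAYS = [40, 44, 38, 41, 45, 39, 42, 43, 37, 40, 44, 39]


def personal_limits(history):
    """Limits as mean + k*sigma over one user's counts for one weekday.

    Assumption: sample standard deviation; the product's exact formula
    is not given on this page.
    """
    mu, sigma = mean(history), stdev(history)
    return {name: mu + k * sigma for name, k in SIGMAS.items()}


def active_limits(history):
    """Default limits apply until 12 observations exist for that weekday."""
    if len(history) < MIN_OBSERVATIONS:
        return "default", DEFAULT_LIMITS
    return "personal", personal_limits(history)


def classify(count, history):
    """Return (limit type, highest limit exceeded or None) for one day."""
    kind, limits = active_limits(history)
    exceeded = None
    for name in SIGMAS:  # dict order is ascending severity
        if count > limits[name]:
            exceeded = name
    return kind, exceeded


def days_between_exceedances(k):
    """Expected days between days above mean + k*sigma for one user,
    assuming normally distributed daily counts (an assumption)."""
    return 1 / (0.5 * math.erfc(k / math.sqrt(2)))


if __name__ == "__main__":
    print(classify(150, MONDAYS[:5]))  # short history: default limits
    print(classify(150, MONDAYS))      # personal limits apply
    print(round(days_between_exceedances(3) / 365, 1), "years at 3 sigma")
    print(round(days_between_exceedances(5) / 365), "years at 5 sigma")
```

The same 150 views only passes the lowest default limit, but is far beyond the highest personal limit for a user who normally views about 41 documents on that weekday.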
After you have defined Business Hours and Activity Limits, the next step is to define Anomalous Activity Rules, or the action (if any) to take when a defined activity limit is exceeded, during both business hours and non-business hours.
To define Anomalous Activity Rules:
1. From the Sentinel Setup page, select the Anomalous Activity Rules tab.
2. If you want to have an alert generated whenever a limit is exceeded for a particular combination of criteria (Business Hours/Non-Business Hours; Default Daily Activity/Personal Activity; Activity Limit):
§Select Alert from the Action drop-down.
§If you want to have an email generated when the limit is exceeded, enter an Email address. (You can enter multiple email addresses, separated by commas (,).)
NOTE: Only limits to which an Alert is applied will be subject to Sentinel reporting. Limits with No Action Required will not be reported.
Before ControlPoint Sentinel can begin collecting data for Anomalous Activity Detection:
A. SharePoint auditing must be enabled on all site collections for which Anomalous Activity detection will be performed.
B. Anomalous Activity Detection must be enabled to run:
§via the ControlPoint Anomalous Activity Detection job
§as part of the ControlPoint Scheduler Job.
Enabling SharePoint Auditing
ControlPoint Sentinel analyzes the following SharePoint audit log events for Anomalous Activity Detection:
·Deleting or restoring items
·Opening or downloading documents, viewing items in lists, or viewing item properties.
You can enable these settings for individual site collections from within SharePoint.
Enabling the Anomalous Activity Detection Job
1. From the Manage ControlPoint tree choose Schedule Management and Logging > Schedule Monitor.
2. Choose Switch Monitor Views > Windows Jobs.
3. Click the Edit icon to the left of the AnomalousActivityDetectionJob.
4. Check the Active box.
By default, the job is scheduled to run daily, at 4:00 am (local server time). You may, however, change the schedule to run more frequently. Note that the more frequently the job is run, the sooner an alert may be generated when an Anomalous Activity Limit is reached.
Enabling Anomalous Activity Detection via the ControlPoint Scheduled Job Review
As an alternative to using the Anomalous Activity Detection Job, you can choose to have anomalous activity detection performed as part of the ControlPoint Scheduler Job (which, by default, runs every 10 minutes). ControlPoint Application Administrators can enable this option by changing the ControlPoint Configuration Setting Enable Options That Require Anomalous Activity Detection from False to True.
Refer to the ControlPoint Administration Guide for more detail on modifying ControlPoint Configuration Settings.
The ControlPoint Sentinel Report lets you view anomalous activity events for which an Alert has been specified on the Sentinel Setup - Anomalous Activity Rules page. You can also filter results by user and/or date range.
To report anomalous activity:
1. From the Manage ControlPoint tree choose ControlPoint Sentinel > Sentinel Report.
2. If you want to narrow your results, enter one or more user(s) in the People Picker and/or enter a date range.
NOTE: If you leave the From and To Dates blank, all available results will be returned.
The tiles at the top of the report highlight the following statistics:
·The Total Number of Anomalous Activities Detected
·The number of High Risk Events as characterized by ControlPoint Sentinel
·The Number of Users with anomalous activity
·The Security Risk Score (which is derived from the Severity of each activity within the date range covered by the report)
For each anomalous event detected, report detail displays:
·the Event Time (that is, the date and the time when the ControlPoint Anomalous Activity Detection Job captured the event)
·the User whose activity triggered the anomalous activity detection alert
·the Event Severity (as defined on the Sentinel Setup - Anomalous Activity Limits page)
·the Triggering Activity Level that resulted in the anomalous activity detection alert:
§for Default daily activity, activity above the specified limit for the Event Severity
§for Personal daily activity, the amount of activity for the Event Severity to which the specified deviations above the user's "typical" usage pattern have been applied.
·the Expected Activity Level:
§for Default daily activity, the specified limit for the Event Severity
§for Personal daily activity, "typical" usage pattern as calculated by ControlPoint Sentinel
·the Delta Activity Level (that is, the difference between Triggering Activity Level and the Expected Activity Level).
To view detailed audit log data for a user:
Click the User link to generate a ControlPoint Audit Log analysis.