Chat now with support
Chat with Support

Metalogix ControlPoint 8.2 - for Office 365 User Guide

Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects Managing Audit Settings Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity About Us

Analyzing Scanned Files

The Scanned Files by Search Term and Scanned Files by Scope analyses let you view all of the files that have been analyzed by SCM for sensitive content over a specified date range.

To generate a Scanned Files analysis:

1Select the object(s) you want to include in your analysis.

2Select the appropriate option, based on how you would like to have results grouped:

§Compliance > Scanned files by Scope

OR

§Compliance >Scanned files by Search terms.

3Specify the parameters for your analysis.

IMPORTANT:  

§Currently, you can only Filter by Search Terms if you enter enter one complete search term (that is, you cannot filter by multiple or partial search terms).

Filter by Search Term

If you leave the Filter by Search Terms field blank, all search terms within the scope of your analysis will be included.

§If the Use cached data box is checked, results will include only files within the scope of your analysis that have been scanned.  If this box is not checked (that is, the analysis is run on real-time data), results will also include items within the scope of your analysis that have not been scanned.

Now you can either:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be executed at a later time.

If you chose to run the analysis on cached data, all of the files that have been scanned by Sensitive Content Manager within the specified date range are listed, grouped either by scope or search term (depending on the analysis selected).

Scanned Files by Search Term CACHED

Scanned Files by Scope CACHED

If you ran the analysis on real-time data, results will also include items within the scope of your analysis that were Not Scanned.

Scanned Files by Search Term NOT SCANNED

Scanned Files by Scope NOT SCANNED

Using ControlPoint Sentinel to Detect Anomalous Activity

ControlPoint Sentinel functionality enables you to detect deviations in document views and downloads from individual users' "typical" daily usage patterns.  ControlPoint Sentinel uses the following components in its anomalous activity determinations:

·Business Hours: Daily start and end time for each day of the work week.  

·The following Anomalous Activity Limits:

§Default daily activity limits: The limits for each (measured in terms of document views and downloads) to apply to any user whose personal activity limits have not yet been characterized.

§Personal daily activity limits:  The deviation from "typical" daily usage patterns characterized for each individual user on a given day of the week.

ControlPoint Sentinel relies on SharePoint Audit Log events.  Therefore, for this functionality to be effective, the auditing of Delete, Edit, and View/Download must be enabled for every site collection for which you want to collect activity data.

How Personal Daily Activity is Determined

Anomalous activity limits are set based on the statistical analysis of how often each user views and downloads documents. The personal daily activity limits used by ControlPoint Sentinel are defined in terms of standard deviations above the mean or average observed over a period of time (currently, 12 days worth of observations for each day of the week).

Standard deviation is a statistical measure of the variation within a set of data values. Two users may have the same average of document views and downloads per day, but their standard deviation or the variation in the number of documents they view and download in any given day can be very different. If a user consistently views and downloads roughly the same number of documents every day, then their standard deviation will be low. If a user is more erratic in the number of documents they view or download in a day (for example, sometimes viewing or downloading no documents, sometimes one or two, sometimes 30 or 40) then their standard deviation will be high. By using an individual user’s standard deviation to define the limits for anomalous activity the limits are tailored to each user’s usage pattern.

Using the user’s standard deviation we can determine how likely it is that a user would view or download a particular number of documents in a day. When looking for anomalous activity we are looking at activity that is not very likely, that should happen much less than 1% of the time. For highly anomalous activity we are looking for activity that should happen a very small fraction of a percentage of the time.

Defining Business Hours for Anomalous Activity Detection

The first step in Sentinel Setup is to define Business Hours, so that Anomalous Activity Limits can be defined differently for both business and non-business hours.  For example, you may want to specify a lower limit for non-business hours, when typical activity is expected to be lower.

Note that Business Hours reflect the local time of the server on which SharePoint is installed.

To define business and non-business hours for anomalous activity detection:

1From the Manage ControlPoint tree choose ControlPoint Sentinel > Sentinel Setup.

2On the Sentinel Setup page, make sure the Business Hours tab is selected.

Anomalous Activity Setup BUSINESS HOURS

3For each day that you want activity data to be collected, select the start and end time that represent the standard work hours for that particular day, and make sure the Work Day box is checked.

Anomalous Activity Setup BUSINESS HOURS CHANGE

4For each non-work day, uncheck the Work Day box.

Anomalyous Activity NON WORK HOURS

NOTE:  When the Work Day box is unchecked, activity data will not be collected for that day.  Start and end times are irrelevant and will be cleared when you save the setup.

5When you have finished defining business and non-business hours, click [Save Setup].

Related Documents