Preparing Your Environment for Using ControlPoint Sentinel
Before ControlPoint Sentinel can begin collecting data for Anomalous Activity Detection:
A.SharePoint auditing must be enabled on all site collections for which Anomalous Activity detection will be performed.
B.Anomalous Activity Detection must be enabled to run:
§via the ControlPoint Anomalous Activity Detection job
OR
§as part of the ControlPoint Scheduled Job Review.
Enabling SharePoint Auditing
ControlPoint Sentinel analyzes the following SharePoint audit log events for Anomalous Activity Detection:
·Editing items
·Deleting or restoring items
You can enable these settings for individual site collections from within SharePoint or, for a larger scope, using the ControlPoint Manage Audit Settings action.
Enabling the Anomalous Activity Detection Job
1From SharePoint Central Administration, select Monitoring, then choose Timer Jobs > Review job definitions.
2Select ControlPoint Anomalous Activity Detection Job.
By default, the job is scheduled to run daily, at 5:00 am (local server time). You may however, change the schedule to run more frequently. Note that, the more frequently the job is run, the sooner an alert may be generated when an Anomalous Activity Limit is reached.
3Click [Enable].
Enabling Anomalous Activity Detection via the ControlPoint Scheduled Job Review
As an alternative to using the Anomalous Activity Detection Job, you can choose to have anomalous activity detection performed as part of the ControlPoint Scheduled Job Review (which, by default, runs every 10 minutes). ControlPoint Application Administrators can enable this option by changing the ControlPoint Configuration Setting Enable Options That Require Anomalous Activity Detection from False to True.
Refer to the ControlPoint Administration Guide for more detail on modifying ControlPoint Configuration Settings.
Reporting Anomalous Activity
The ControlPoint Sentinel Report lets you view anomalous activity events for which an Alert has been specified on the Sentinel Setup - Anomalous Activity Rules page. You can also filter results by user and/or date range.
To report anomalous activity:
1From the Manage ControlPoint tree choose ControlPoint Sentinel > Sentinel Report.
2If you want to narrow your results, enter one or more user(s) in the People Picker and/or enter a date range.
NOTE: If you leave the From and To Dates blank, all available results will be returned.
The tiles at the top of the report highlight the following statistics:
·The Total Number of Anomalous Activities Detected
·The number of High Risk Events as characterized by ControlPoint Sentinel
·The Number of Users with anomalous activity
·The Security Risk Score (which is derived by the Severity of each activity within the date range covered by the report)
For each anomalous event detected, report detail displays:
·the Event Time (that is, the date and the time when the ControlPoint Anomalous Activity Detection Job captured the event)
·the User whose activity triggered the anomalous activity detection alert
·the Event Severity (as defined on the Sentinel Setup - Anomalous Activity Limits page)
·the Triggering Activity Level that resulted in the anomalous activity detection alert:
§for Default daily activity, activity above the specified limit for the Event Severity
§for Personal daily activity, the amount of activity for the Event Severity to which the specified deviations above from the user's "typical" usage pattern have been applied.
·the Expected Activity Level:
§for Default daily activity, the specified limit for the Event Severity
§for Personal daily activity, "typical" usage pattern as calculated by ControlPoint Sentinel
·the Delta Activity Level (that is, the difference between Triggering Activity Level and the Expected Activity Level).
To view detailed audit log data for a user:
Click the User link to generate a ControlPoint Audit Log analysis.
Default Menu Options for ControlPoint Users
The following tables identify ControlPoint default menu items at all levels of the SharePoint Hierarchy as well as the Manage ControlPoint panel.
The following terms are used to describe menu item behavior in a Multi-farm installation:
·Home Only - The operation can be performed on the home farm only.
·Home or Remote - The operation can be performed on a single farm; either home or remote
·Multiple - The operation can be performed on multiple farms.
·Farm-Independent - The operation is not farm-specific.
Farm-Level Default Menu Items
|
Farm-Level Item |
Type |
Multi-Farm | |
|---|---|---|---|
|
Central Administration Not available to members of the Business Administrators group. |
SharePoint |
Home or Remote | |
|
Advanced Search |
Search |
Home or Remote | |
|
Search Hierarchy |
Search |
Home only | |
|
SharePoint Summary Not available to members of the Business Administrators group. |
Analysis |
Home only | |
|
Refresh SharePoint Hierarchy |
Action |
Home or Remote | |
|
Properties |
Action |
Home or Remote | |
|
Execute Saved Instructions Not available to members of the Business Administrators group. |
Action |
Home only | |
|
Refresh with Ribbon On/Off Available for single-farm installations only. |
Action |
Farm-Independent | |
|
Activity folder: | |||
|
Most/Least Activity Not available for WSS-only farms. |
Analysis |
Home only | |
|
Site Collection Activity Analysis |
Analysis |
Multiple | |
|
Site Activity Analysis Not available for WSS-only farms. |
Analysis |
Multiple | |
|
Trend Analysis for Activity Not available for WSS-only farms. |
Analysis |
Home only | |
|
Activity by Profile Property Available for SharePoint 2010 and later Server farms. |
Analysis |
Home only | |
|
Activity by User Not available for WSS-only farms. |
Analysis |
Multiple | |
|
Activity by Document Not available for WSS-only farms. |
Analysis |
Multiple | |
|
Checked Out Documents |
Analysis |
Multiple | |
|
Blog Post Activity Available for SharePoint 2010 and later farms. |
Analysis |
Home only | |
|
Inactive Users Not available for WSS-only farms. |
Analysis |
Home only | |
|
Social Activity Analysis Available for SharePoint Server 2010 farms. |
Analysis |
Home only | |
|
Audits and Alerts folder: | |||
|
Manage Audit Settings |
Action |
Multiple | |
|
ControlPoint Alerts |
Action |
Home only | |
|
Create SharePoint Alerts |
Action |
Home only | |
|
Manage SharePoint Alerts |
Action |
Home only | |
|
Audit Log Analysis |
Analysis |
Multiple | |
|
Change Log Analysis |
Analysis |
Multiple | |
|
SharePoint Alerts by Site |
Analysis |
Multiple | |
|
SharePoint Alerts by User |
Analysis |
Multiple | |
|
Automation folder: | |||
|
Create ControlPoint Policy |
Action |
Home only | |
|
Manage ControlPoint Policies |
Action |
Home only | |
|
Governance Policy Manager Available for SharePoint 2010 and later farms. Not available to members of the Business Administrators group. |
Action |
Home only | |
|
Set Metadata Value Available for SharePoint Server 2010 and later farms. |
Action |
Home only | |
|
Create Managed Metadata Available for SharePoint Server 2010 and later farms. |
Action |
Home only | |
|
Manage SharePoint Groups |
Action |
Home or Remote | |
|
ControlPoint Policies |
Analysis |
Home only | |
|
Change Management folder: | |||
|
Content Types |
Analysis |
Multiple | |
|
Web Parts by Part |
Analysis |
Multiple | |
|
Web Parts by Site |
Analysis |
Multiple | |
|
Workflow Analysis |
Analysis |
Multiple | |
|
Compliance folder: Available for SharePoint 2010 and later farms, and not available to members of the Business Administrators group. | |||
|
Analyze Content |
Action |
Home only | |
|
Managing Quarantine Documents |
Action |
Home only | |
|
Compliance Summary |
Analysis |
Home only | |
|
Sensitive Content Activity |
Analysis |
Home only | |
|
Scanned files by Scope |
Analysis |
Home only | |
|
Scanned files by Search terms |
Analysis |
Home only | |
|
Configuration folder: | |||
|
Set Site Collection Properties |
Action |
Multiple | |
|
Set Site Properties |
Action |
Multiple | |
|
Set List Properties |
Action |
Multiple | |
|
Manage Site Collection Features |
Action |
Multiple | |
|
Manage Site Features |
Action |
Multiple | |
|
SharePoint Hierarchy |
Analysis |
Multiple | |
|
Site Collection Properties |
Analysis |
Home Only | |
|
Site Properties |
Analysis |
Home Only | |
|
List Properties |
Analysis |
Multiple | |
|
Content folder: | |||
|
Managed Metadata Usage Available for SharePoint Server 2010 and later farms. |
Analysis |
Multiple | |
|
Trend Analysis for Site Count |
Analysis |
Home only | |
|
Broken Links |
Analysis |
Multiple | |
|
Solution Summary Not available to members of the Business Administrators group. |
Analysis |
Multiple | |
|
Storage folder: | |||
|
Most/Least Storage Not available for WSS-only farms. |
Analysis |
Home Only | |
|
Site Collection Storage Analysis |
Analysis |
Multiple | |
|
Site Storage Analysis |
Analysis |
Multiple | |
|
Content Database Storage |
Analysis |
Multiple | |
|
Trend Analysis for Storage |
Analysis |
Home only | |
|
Duplicate Files |
Analysis |
Home only | |
|
Storage by File Type |
Analysis |
Home only | |
|
Recycle Bins |
Analysis |
Multiple | |
|
Users and Security folder: | |||
|
Set User Direct Permissions |
Action |
Multiple | |
|
Delete User Permissions |
Action |
Multiple | |
|
Duplicate User Permissions |
Action |
Multiple | |
|
Add User to SharePoint Group |
Action |
Home or Remote | |
|
Delete SharePoint Groups |
Action |
Home only | |
|
Backup Permissions |
Action |
Home only | |
|
Manage Permissions Backups |
Action |
Home only | |
|
Manage Permissions Inheritance |
Action |
Multiple | |
|
Migrate Users |
Action |
Home or Remote | |
|
Orphaned Domain Users |
Analysis |
Multiple | |
|
Site Permission |
Analysis |
Multiple | |
|
Comprehensive Permissions |
Analysis |
Multiple | |
|
Comprehensive User Analysis |
Analysis |
Home only | |
|
SharePoint Group Analysis |
Analysis |
Multiple | |