Chat now with support
Chat with Support

Metalogix ControlPoint 8.5 - O365 User Guide

Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects Managing Audit Settings Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity Default Menu Options for ControlPoint Online Users About Us

Managing Quarantined Files

If you are a member of the ControlPoint Quarantine Administrators group, you can manage files that have been quarantined as a result of a Compliance Action.  When  a file is quarantined, it remains in the same location in the SharePoint list, but all permissions—except those of ControlPoint Quarantine Administrators—are removed.

Currently, members of the Quarantine Administrators group must

§be a Site Collection Administrator for each site collection containing quarantined content or a Global Adminstrator orSharePoint Administrator  (in order to invoke the Manage Quarantine Files page from the SharePoint Hierarchy)

OR

§also be a member of the Compliance Administrators Group.

To manage quarantined files:

1Use the information in the following table to determine the appropriate action to take.

If you are starting from ...

Then ...

the SharePoint Hierarchy

a)Select the object(s) containing the quarantined files you want to manage.

b)Choose Compliance > Manage Quarantined Files.

the Compliance Summary page

a)Make sure the Compliance Action jobs radio button is selected.

b)Select the Scan job containing the quarantined files you want to manage.

c)Click [Manage Quarantined Files].

Manage Quarantined Items

Manage Quarantined Files

2Select the quarantined file(s) you want to act on.

3If you want to review the content of a quarantined file before taking an action, click the Document link in the View column.

Now you can either:

·remove file from quarantine

NOTE:  When you remove a file from quarantine, it is restored in its original location with the same permissions it had before it was quarantined.

 

IMPORTANT:  You cannot remove an attachment from quarantine without also removing its parent item.

OR

·permanently remove the file(s) from SharePoint.

Reporting on Sensitive Content Activity

If you are a member of the ControlPoint Compliance Administrators group, you can use the ControlPoint Sensitive Document Activity report to view detailed information about documents analyzed by Sensitive Content Manager that:

·have been identified as "sensitive content" (that is, have been assigned a Severity Level)

AND

·have been accessed by at least one SharePoint user.

Before you can report sensitive document activity:

·Auditing must be enabled for each list or library for which you want to report sensitive document activity.  You can enable these settings for individual site collections from within SharePoint or, for a larger scope, using the ControlPoint Manage Audit Settings action.

·At least one Compliance scan must have been returned by Sensitive Content Manager with items that have been assigned a Severity Level.

To report sensitive document activity:

1Select the object(s) for which you want to report sensitive document activity.

2Choose Compliance > Sensitive Document Activity.

Sensitive Document Activity Report

The tiles at the top of the report highlight the following statistics for the selected time period (by default, the past month):

·Total Number of SCM (Sensitive Content  Manager) Classified Documents

·Sensitive Documents Accessed (that is, the number of times a document identified as having sensitive content has been accessed by a SharePoint user)

NOTE:  The number of times the System Account has modified the Scan Results field for the item on the SharePoint list will be included in this value unless the Sensitive Content Manager Configuration Setting Add Scan Results Column to Scanned SharePoint List is set to false.  Details can be found in the ControlPoint Administration Guide.

·Users Accessing Sensitive Documents (that is, the number of unique SharePoint users who have accessed documents identified as containing sensitive content)

·Realtime Scanning (that is, the number of days since the last realtime scan was performed)

To filter results that display in the body of the report:

1.Choose a different severity level from the Filter drop-down and/or modify the default date range.

Sensitive Document Activity FILTERS

2.Click [Refresh].

Graph Tab

The Sensitive Document Activity report Graph tab illustrates the Activity Count by Sensitivity for the selected Severity Level(s) and date range.

Note that you can click a Severity Level in the legend at the right side of the page to hide/display it.

Sensitive Document Activity GRAPH 2

Files Tab

The Sensitive Document Activity report Files tab lists all of the documents the Content Sensitive Manager identified as "sensitive content" for the selected Severity Level(s), grouped by list or library.

Note that this tab displays all content sensitive classified documents for the selected Severity Level(s), regardless of whether they have been accessed, and the date range filter does not apply.

Sensitive document Activity FILES

Users Tab

The Users tab lists the SharePoint users who have accessed documents with sensitive content within the specified time period, along with the Number of Docs Accessed.

Activity Tab

The Activity tab lists each individual instance of sensitive content activity, including the User Name. Activity Type, document Severity Level and Activity Date.

Analyzing Scanned Files

The Scanned Files by Search Term and Scanned Files by Scope analyses let you view all of the files that have been analyzed by SCM for sensitive content over a specified date range.

To generate a Scanned Files analysis:

1Select the object(s) you want to include in your analysis.

2Select the appropriate option, based on how you would like to have results grouped:

§Compliance > Scanned files by Scope

OR

§Compliance >Scanned files by Search terms.

3Specify the parameters for your analysis.

IMPORTANT:  

§Currently, you can only Filter by Search Terms if you enter one complete search term (that is, you cannot filter by multiple or partial search terms).

Filter by Search Term

If you leave the Filter by Search Terms field blank, all search terms within the scope of your analysis will be included.

4Under Advanced Parameters:

Manage Scanned Files ADVANCED PARAMETERS

·If you leave the Start Date and End Date blank (the default), the most recent scan performed on each scanned file will be included in analysis results.  If you enter a Start Date and End Date, results will include all scans performed within the date range.

·If you want to run the analysis on scans for which the permissions of users who performed the scans were collected since the last run of Discovery, check the Security trimming using cached permissions box. If you leave this box unchecked, the analysis will be run using real-time permissions, but processing time my increase significantly.

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be run at a later time.

Results are grouped either by scope or search term (depending on the analysis selected).

Scanned Files by Scope

Scanned Files by Search Terms

 

Using ControlPoint Sentinel to Detect Anomalous Activity

ControlPoint Sentinel functionality enables you to detect deviations in document views and downloads from individual users' "typical" daily usage patterns.  ControlPoint Sentinel uses the following components in its anomalous activity determinations:

·Business Hours: Daily start and end time for each day of the work week.  

·The following Anomalous Activity Limits:

§Default daily activity limits: The limits for each (measured in terms of document views and downloads) to apply to any user whose personal activity limits have not yet been characterized.

§Personal daily activity limits:  The deviation from "typical" daily usage patterns characterized for each individual user on a given day of the week.

ControlPoint Sentinel relies on SharePoint Audit Log events.  Therefore, for this functionality to be effective, the auditing of Delete, Edit, and View/Download must be enabled for every site collection for which you want to collect activity data.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating