
Metalogix ControlPoint 8.5 - User Guide


Defining Business Hours for Anomalous Activity Detection

The first step in Sentinel Setup is to define Business Hours, so that Anomalous Activity Limits can be defined separately for business and non-business hours. For example, you may want to specify a lower limit for non-business hours, when typical activity is expected to be lower.

Note that Business Hours reflect the local time of the server on which SharePoint is installed.

To define business and non-business hours for anomalous activity detection:

1. From the Manage ControlPoint tree choose ControlPoint Sentinel > Sentinel Setup.

2. On the Sentinel Setup page, make sure the Business Hours tab is selected.


3. For each day that you want activity data to be collected, select the start and end time that represent the standard work hours for that particular day, and make sure the Work Day box is checked.


4. For each non-work day, uncheck the Work Day box.


NOTE:  When the Work Day box is unchecked, activity data will not be collected for that day.  Start and end times are irrelevant and will be cleared when you save the setup.

5. When you have finished defining business and non-business hours, click [Save Setup].

Defining Anomalous Activity Limits

You can define two types of anomalous activity limits:

· Default daily activities, which are used for all users until personal user limits have been characterized.

· Personal daily activities, which are used as soon as a user's personal activity limits have been characterized.

NOTE:  For each day of the week, personal user limits replace default daily limits after 12 days' worth of observations by the Anomalous Activity Detection Job.

To access the Anomalous Activity Limits page:

From the Sentinel Setup page, select the Anomalous Activity Limits tab.

Defining Default Daily Activity Limits

Default Daily Activity Limits are expressed in terms of the number of "typical" views and downloads.  Because they apply to all users until personal user limits have been characterized, it is recommended that you enter limits that would be considered typical and anomalous for any SharePoint user in your organization.  For example, 100 document views and downloads per day may take into account "typical" daily activity for your most active users without being an alarmingly high number for less active users. Double that number may be considered moderately anomalous, while triple that number may be considered highly anomalous.


NOTE:  If you do not want ControlPoint Sentinel to track Default Daily Activity Limits, leave the limit fields set to 0.

Defining Personal Daily Activity Limits

The following table shows the percentage of values that fall around or above the mean in terms of the standard deviation.

Standard Deviations (σ) Above the Mean

Percentage (%) of Values Above the Standard Deviations from the Mean








It is recommended that you:

· Set the Typical daily activity limit to 3 standard deviations above the mean.

A user could exceed this limit once every two years. This is not cause for concern, but if it happens more frequently than that, it may warrant investigation.

· Set the Moderately anomalous activity limit to 5 standard deviations above the mean.

A user could exceed this limit once in about 10,000 years. This is an indication of anomalous activity that should be investigated immediately.

· Set the Highly anomalous activity limit to 7 standard deviations above the mean.

This level of activity is extremely unlikely and should be acted upon immediately.


See also How Personal Daily Activity is Determined.
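
The recurrence figures quoted for the 3 and 5 standard deviation limits follow from normal-distribution tail probabilities. The Python below is an added example, not ControlPoint code: it derives those intervals, computes the three personal limits from a user's observed daily counts, and classifies a day's activity. It assumes one observation per day, normally distributed counts, and limits calculated as mean plus k population standard deviations; the function names and sample counts are constructed for illustration.

```python
import math
from statistics import mean, pstdev

# Sigma multipliers this page recommends for the three personal limits.
SIGMA_LEVELS = (("typical", 3), ("moderately anomalous", 5), ("highly anomalous", 7))
MIN_OBSERVATIONS = 12  # page: personal limits apply after 12 days of observations

# Constructed sample: 12 daily view/download counts for one user.
SAMPLE_COUNTS = [42, 58, 45, 55, 44, 56, 45, 55, 50, 50, 50, 50]


def upper_tail(k):
    """P(X > mean + k*sigma) for normally distributed daily counts."""
    return 0.5 * math.erfc(k / math.sqrt(2))


def years_between_exceedances(k):
    """Expected years between days above k sigma, at one observation per day."""
    return 1 / upper_tail(k) / 365.25


def personal_limits(daily_counts):
    """Assumed model: limit = mean + k * population standard deviation."""
    if len(daily_counts) < MIN_OBSERVATIONS:
        return None  # not yet characterized; default daily limits still apply
    mu, sigma = mean(daily_counts), pstdev(daily_counts)
    return {name: mu + k * sigma for name, k in SIGMA_LEVELS}


def classify(count, limits):
    """Return the name of the highest limit exceeded, or None if none is."""
    exceeded = None
    for name, _ in SIGMA_LEVELS:  # ordered from lowest to highest limit
        if count > limits[name]:
            exceeded = name
    return exceeded


if __name__ == "__main__":
    limits = personal_limits(SAMPLE_COUNTS)
    for name, k in SIGMA_LEVELS:
        print(f"{name}: limit {limits[name]:.0f}, exceeded about once "
              f"every {years_between_exceedances(k):,.0f} years")
    for count in (60, 70, 80, 90):
        print(count, "->", classify(count, limits))
```

A user whose counts barely vary produces a very small standard deviation, so all three limits sit close to the mean and a modest increase in activity exceeds the highest one.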

Defining Anomalous Activity Rules

After you have defined Business Hours and Activity Limits, the next step is to define Anomalous Activity Rules, or the action (if any) to take when a defined activity limit is exceeded, during both business hours and non-business hours.

To define Anomalous Activity Rules:

1. From the Sentinel Setup page, select the Anomalous Activity Rules tab.


2. If you want to have an alert generated whenever a limit is exceeded for a particular combination of criteria (Business Hours/Non-Business Hours; Default Daily Activity/Personal Activity; Activity Limit):

   · Select Alert from the Action drop-down.

   · If you want to have an email generated when the limit is exceeded, enter an Email address. (You can enter multiple email addresses, separated by commas.)

NOTE:  Only limits to which an Alert is applied will be subject to Sentinel reporting.  Limits with No Action Required will not be reported.

Preparing Your Environment for Using ControlPoint Sentinel

Before ControlPoint Sentinel can begin collecting data for Anomalous Activity Detection:

A. SharePoint auditing must be enabled on all site collections for which Anomalous Activity detection will be performed.

B. Anomalous Activity Detection must be enabled to run:

   · via the ControlPoint Anomalous Activity Detection job

   · as part of the ControlPoint Scheduled Job Review.

Enabling SharePoint Auditing

ControlPoint Sentinel analyzes the following SharePoint audit log events for Anomalous Activity Detection:

· Editing items

· Deleting or restoring items

You can enable these settings for individual site collections from within SharePoint or, for a larger scope, using the ControlPoint Manage Audit Settings action.


Enabling the Anomalous Activity Detection Job

1. From SharePoint Central Administration, select Monitoring, then choose Timer Jobs > Review job definitions.

2. Select ControlPoint Anomalous Activity Detection Job.


By default, the job is scheduled to run daily, at 5:00 am (local server time). You may, however, change the schedule to run more frequently. Note that the more frequently the job is run, the sooner an alert may be generated when an Anomalous Activity Limit is reached.

3. Click [Enable].

Enabling Anomalous Activity Detection via the ControlPoint Scheduled Job Review

As an alternative to using the Anomalous Activity Detection Job, you can choose to have anomalous activity detection performed as part of the ControlPoint Scheduled Job Review (which, by default, runs every 10 minutes).  ControlPoint Application Administrators can enable this option by changing the ControlPoint Configuration Setting Enable Options That Require Anomalous Activity Detection from False to True.


Refer to the ControlPoint Administration Guide for more detail on modifying ControlPoint Configuration Settings.
