Unusual File Activity Report

Updated

The Unusual File Activity report for Security IQ dashboard displays information about anomalous file systems activity of the protected file system server, or the protected endpoint servers. You can view file path information for the anomalies and track anomaly trending information. This report helps in identifying and acting on potential threats with quick and safe recovery options.

Unusual file activity occurs when a large number of files are created, deleted, modified, or renamed on a client computer, or when the number of created, modified, or deleted files in a backup job suddenly increases or decreases. These situations might indicate the presence of ransomware or other unauthorized changes to the file system data.

The Unusual file activity panel also displays anomalies in the file types of backed up files on Windows clients computers. The anomaly is displayed when there is a mismatch in the file type of the file and the file extension.

The anomaly thresholds are based on historical activity and machine-learning algorithms to reduce false positives from typical activity on the file systems. These activities are monitored by default. To receive alerts when abnormal activities are detected, in Alerts, configure the File Activity Anomaly Alert.

Note: The file anomalies that are older than 30 days are pruned automatically.

The following tables include descriptions for all the columns in each tab in the Unusual file activity panel.

All Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

  • Unusual File Activity Report for File-Related Anomalies

  • Unusual File Activity Report for Backup Job Anomalies

You can use the reports to analyze the statistics.

File anomaly type

The type of anomalous activity, such as the following:

  • File activity

  • File type

Detected time

The time when the anomaly was detected.

File Count

Number of files detected with the anomaly.

Actions

Click the action button , and then select one of the following options:

  • To recover a client from the client list on the panel, as a VM, click Recover as VM.

  • To remove a client or multiple clients from the client list on the panel, click Clear anomaly.

File Activity Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

  • Unusual File Activity Report for File-Related Anomalies

  • Unusual File Activity Report for Backup Job Anomalies

You can use the reports to analyze the statistics.

File anomaly type

The type of anomalous file activity, such as the following:

  • Creation

  • Modification

  • Renaming

  • Deletion

Created files

The number of files that were created at the detected time.

Renamed files

The number of files that were renamed at the detected time.

Deleted files

The number of files that were deleted at the detected time.

Modified files

The number of files that were modified at the detected time.

Detected time

The time when the anomaly was detected.

Actions

Click the action button , and then select one of the following options:

  • To recover a client from the client list on the panel, as a VM, click Recover as VM.

  • To remove a client or multiple clients from the client list on the panel, click Clear anomaly.

File Type Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed report is available:

  • Unusual File Activity Report for File-Related Anomalies

You can use the report to analyze the statistics.

File anomaly type

File type

Detected time

The time when the anomaly was detected.

File Count

Number of files detected with the anomaly.

Actions

Click the action button , and then select one of the following options:

  • To recover a client from the client list on the panel, as a VM, click Recover as VM.

  • To remove a client or multiple clients from the client list on the panel, click Clear anomaly.