Threat Indicators - File-Related Anomalies

The File activity tab in the Threat Indicators dashboard lists Windows clients with file-related anomalies, such as the creation or deletion of an unusually large number of files around a single detected time.

Clicking a client computer opens the File Activity Report, which allows you to analyze the statistics for that client.

File Activity Tab

The table in the File activity tab contains the following columns:

Name: The client computer. When you click the client computer, the File Activity Report appears (see below), which allows you to analyze the statistics for that client.

Indicators: The type of anomalous file activity, as follows:

  • Creation

  • Modification

  • Renaming

  • Deletion

Detected time: The time when the anomaly was detected.

Server type: The server type identified for the client.

Created files: The number of files that were created at the detected time.

Renamed files: The number of files that were renamed at the detected time.

Deleted files: The number of files that were deleted at the detected time.

Modified files: The number of files that were modified at the detected time.

Tags: Audit tags that you can add to the client to record the actions that were taken.

Actions: Click the action button, and then select one of the following options:

  • Details: Open the File Activity Report (see below).

  • Clear anomaly: Remove the client that has unusual file activity from the client list in the table.

  • Manage tags: Add or remove a tag.

  • Recover as VM: Recover the client as a virtual machine. For more information, see Performing Virtualize Me for Windows or UNIX Computers.

  • Threat Scan: Scan the client's files for malware, and analyze them for high levels of entropy and change, which can indicate ransomware or malware infection. For more information, see Commvault Threat Scan.

File Activity Report

Click a client name in the table in the File Activity tab to open the File Activity Report for file-related anomalies.

The report is divided into the following sections: File Activity chart and Unusual File Activity table.

Note

To restore a client that has unusual file activity, click Recover files in the upper right corner of the File Activity Report. The system restores the client from a backup taken before the anomaly was detected. Because Detected time records when the spike was flagged rather than when the suspicious activity began, check the File Activity chart for the earliest period of elevated activity and confirm that the restored point in time predates it as well. For more information, see Performing File System Restores.

File Activity Chart

The File Activity chart displays information about the number of files that were affected over a period of 1 week or 1 day (selectable via the buttons in the top right of the chart).

The following image is an example of the File Activity chart for file-related anomalies:

[Image: Unusual File Activity Report for File-Related Anomalies, File Activity chart]

Unusual File Activity Table

The Unusual File Activity table lists detailed information about the affected files on the client computer, grouped by folder path.

The following image is an example of the Unusual File Activity table for file-related anomalies:

[Image: Unusual File Activity Report for File-Related Anomalies, Unusual File Activity table]

Note

To restore a path that has unusual file activity, select the checkbox of the path in the Unusual File Activity table, and then click Restore. The system restores the path from a backup version taken before the anomaly was detected. As with a client-level recovery, confirm that the chosen version also predates the earliest elevated activity for that path, not only the Detected time. For more information, see Performing File System Restores.

The following table describes the columns in the Unusual File Activity table for file-related anomalies.

Path: The path to the folder that contains the files that are affected by anomalous activity.

Created files: The number of files that were created in the given path at the detected time.

Renamed files: The number of files that were renamed in the given path at the detected time.

Deleted files: The number of files that were deleted in the given path at the detected time.

Modified files: The number of files that were modified in the given path at the detected time.

Detected time: The time when the anomaly was detected.
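To make the table's columns concrete, the following added Python example (not Commvault's code or detection logic; the event format, the one-hour window, the thresholds and the sample events are all assumptions) aggregates raw file-system change events into per-folder hourly counts of created, renamed, deleted and modified files, flags folders whose hourly total is far above their own baseline, and derives the latest restore point that still predates the earliest flagged hour.

```python
"""Aggregate file change events into per-folder hourly counts, flag spikes,
and derive a restore-point bound. Added illustration: this is not Commvault's
code; the event format, thresholds and sample data are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
import ntpath  # parse Windows paths correctly even when run on Linux

OPERATIONS = ("create", "rename", "delete", "modify")


def build_sample_events():
    """Constructed sample telemetry (not real data): (timestamp, operation, path).
    Twelve hours of light editing in a user's Documents folder, a build folder
    that legitimately churns every hour, and one burst of mass delete/create."""
    base = datetime(2024, 5, 6, 8, 0)
    events = []
    for hour in range(12):
        t = base + timedelta(hours=hour)
        events.append((t, "create", rf"C:\Users\alice\Documents\draft{hour}.docx"))
        for i in range(3):
            events.append((t + timedelta(minutes=5 * i), "modify",
                           rf"C:\Users\alice\Documents\report{i}.docx"))
        for i in range(40):  # compiler output: noisy but normal for this folder
            events.append((t + timedelta(seconds=i), "create", rf"C:\src\build\obj{i}.o"))
            events.append((t + timedelta(seconds=i + 30), "delete", rf"C:\src\build\obj{i}.o"))
    burst = base + timedelta(hours=7)  # 15:00: every document replaced at once
    for i in range(150):
        events.append((burst + timedelta(seconds=i), "delete", rf"C:\Users\alice\Documents\file{i}.docx"))
        events.append((burst + timedelta(seconds=i), "create", rf"C:\Users\alice\Documents\file{i}.docx.tmp"))
    return events


def bucket_by_hour(events):
    """Return {(hour_start, folder): Counter(operation -> count)}."""
    buckets = defaultdict(Counter)
    for ts, op, path in events:
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op!r}")
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(hour, ntpath.dirname(path))][op] += 1
    return buckets


def find_unusual_activity(events, factor=5, min_files=50):
    """Flag (hour, folder) buckets whose total change count is at least
    min_files and more than factor times the folder's median hourly total over
    its other buckets. Each folder is judged against its own history, so a
    build directory that churns every hour is not reported. Returns rows with
    the same fields as the Unusual File Activity table."""
    buckets = bucket_by_hour(events)
    totals = defaultdict(dict)  # folder -> {hour_start: total changes}
    for (hour, folder), counts in buckets.items():
        totals[folder][hour] = sum(counts.values())
    rows = []
    for (hour, folder), counts in buckets.items():
        total = totals[folder][hour]
        others = [v for h, v in totals[folder].items() if h != hour]
        baseline = median(others) if others else 0
        if total >= min_files and total > factor * max(baseline, 1):
            rows.append({"path": folder, "detected_time": hour,
                         "created": counts["create"], "renamed": counts["rename"],
                         "deleted": counts["delete"], "modified": counts["modify"]})
    rows.sort(key=lambda r: (r["detected_time"], r["path"]))
    return rows


def restore_point_bound(rows):
    """Latest acceptable restore point: the start of the earliest flagged hour.
    Detected time marks when the spike was noticed, so a backup taken at or
    after it may already contain the damaged files. None if nothing is flagged."""
    return min(r["detected_time"] for r in rows) if rows else None


if __name__ == "__main__":
    report = find_unusual_activity(build_sample_events())
    for row in report:
        print(f"{row['detected_time']:%Y-%m-%d %H:%M}  {row['path']}  "
              f"created={row['created']} renamed={row['renamed']} "
              f"deleted={row['deleted']} modified={row['modified']}")
    print("restore from a backup taken before:", restore_point_bound(report))
```

Run as a script, the sample flags only the Documents folder at 15:00 (151 created, 150 deleted, 3 modified, 0 renamed) and leaves the build folder alone, even though it changes 80 files every hour, because the baseline is computed per folder rather than per client. The bound returned by restore_point_bound is the value to compare against the backup's point in time before clicking Recover files or Restore.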
