Unusual File Activity Monitoring Dashboard

The Unusual file activity dashboard in the Command Center displays information about such anomalous file activity on active client computers and in backup jobs. This panel provides a single location for identifying this activity, and allows you to act on potential threats with quick and safe recovery options, as follows:

  • View file path information for the file anomalies and track anomaly trending information

  • Recover the most recent good versions of files

  • Recover the entire client computer as a virtual machine

Commvault bases its file anomaly thresholds on historical activity and machine-learning algorithms, which separate false positives from typical activity on the file system.

You can configure the alerts when anomalous activities are detected. For more information, see File Activity Anomaly Alert.

Note

  • File anomalies that are older than 7 days are pruned automatically.

  • When a file system is installed on a VSA client that has backup anomaly enabled, then the backup that has the latest anomalous job will be listed on the dashboard.

The Unusual file activity dashboard also displays anomalies in the file types of backed up files on Windows clients computers. The anomaly is displayed when there is a mismatch in the file type of the file and the file extension. To enable anomaly check on file types, add the DetectMimeType additional setting with value 1 on the client computer.

Where to Access the Panel

You can view the Unusual file activity dashboard in the Command Center. For more information, see Viewing the Unusual File Activity Panel in the Command Center.

Note

To view the Unusual file activity dashboard, both the client and the CommServe computer need to be at Feature Release 11.23 or later.

Who Can View the Panel

The Unusual file activity dashboard for file and backup job anomalies is available to tenant administrators as well as to users who have the necessary permissions on the client computer with the anomaly.

What Is Monitored

  • Windows clients that have the file system package installed can be monitored for unusual activity on the file systems and in backup jobs.

  • Linux clients can be monitored for unusual activity in backup jobs.

  • Network shares can be monitored for unusual activity in backup jobs.

  • Virtual machine and non-file system clients can be monitored if the file system package is installed in restore-only mode.

  • Virtual machines with file indexing enabled can be monitored for unusual activity in backup jobs.

  • Backup jobs that utilize V2 indexing are monitored for any mismatch in the file type and file extension of the backed up files.

What You Can View in the Dashboard

The following tables include descriptions for all the columns in each tab in the Unusual file activity dashboard.

"All" Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

You can use the reports to analyze the statistics.

File anomaly type

The type of anomalous activity, such as the following:

  • File activity

  • File type

Detected time

The time when the anomaly was detected.

Server type

The type of server identified.

File Count

Number of files detected with the anomaly.

Tags

Audit tags that you can use to record actions.

Actions

Click the action button action_button for a client, and then select one of the following options:

"File Activity" Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

You can use the reports to analyze the statistics.

File anomaly type

The type of anomalous file activity, such as the following:

  • Creation

  • Modification

  • Renaming

  • Deletion

Detected time

The time when the anomaly was detected.

Server type

The type of server identified.

Created files

The number of files that were created at the detected time.

Renamed files

The number of files that were renamed at the detected time.

Deleted files

The number of files that were deleted at the detected time.

Modified files

The number of files that were modified at the detected time.

Tags

Audit tags that you can use to record actions.

Actions

Click the action button action_button, and then select one of the following options:

"File Type" Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

You can use the reports to analyze the statistics.

File anomaly type

File type

Detected time

The time when the anomaly was detected.

Server type

The type of server identified.

File Count

Number of files detected with the anomaly.

Tags

Audit tags that you can use to record actions.

Actions

Click the action button action_button, and then select one of the following options:

"File Extension" Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed reports are available:

You can use the reports to analyze the statistics.

File anomaly type

File extension

Detected time

The time when the anomaly was detected.

Server type

File system.

File Count

Number of files detected with the anomaly.

Tags

Audit tags that you can use to record actions.

Actions

Click the action button action_button, and then select one of the following options:

"Partner Integration" Tab

Column

Description

Name

The client computer.

When you click the client computer, the following detailed report is available:

You can use the reports to analyze the statistics.

File anomaly type

Partner integration

Source

The partner that discovered the anomaly (either DarkTrace or Netskope CTE).

Detected time

The time when the anomaly was detected.

Anomaly Count

Number of anomalies detected.

Server type

File system.

Tags

Audit tags that you can use to record actions.

Actions

Click the action button action_button, and then select one of the following options:

Loading...