The File activity tab in the Threat Indicators dashboard lists Windows clients and virtual machines with backup job anomalies. This includes backup jobs in which the number of created, deleted, or modified files in the job is significantly different than normal behavior, or when the total backed up root size increases or decreases.
The anomaly thresholds are based on historical activity and machine-learning algorithms to help reduce false positives.
Backup jobs on the client computer or VM are monitored and analyzed to establish a base line of job activities, and alerts and events are sent to the administrator when an abnormal number of file operations is detected.