The File activity tab in the Threat Indicators dashboard lists Windows clients with file-related anomalies, including the creation and deletion of a large number of file system files.
Clicking a client computer opens the File Activity Report, which allows you to analyze the statistics for that client.
File Activity Tab
The table in the File activity tab is comprised of the following columns:
|
Column |
Description |
|---|---|
|
Name |
The client computer. When you click the client computer, the File Activity Report appears (see below), which allows you to analyze the statistics for that client. |
|
Indicators |
The type of anomalous file activity, as follows:
|
|
Detected time |
The time when the anomaly was detected. |
|
Server type |
The type of server identified. |
|
Created files |
The number of files that were created at the detected time. |
|
Renamed files |
The number of files that were renamed at the detected time. |
|
Deleted files |
The number of files that were deleted at the detected time. |
|
Modified files |
The number of files that were modified at the detected time. |
|
Tags |
Audit tags that you can use to record actions. |
|
Actions |
Click the action button
|
, and then select one of the following options:File Activity Report
Click a client name in the table in the File Activity tab to open the File Activity Report for file-related anomalies.
The report is divided into the following sections: File Activity chart and Unusual File Activity table.
Note
To restore a client that has unusual file activity, click Recover files in the upper right corner of the File Activity Report. The system will restore the client to a state before the anomaly was discovered, ensuring a clean recovery. For more information, see Performing File System Restores.
File Activity Chart
The File Activity chart displays information about the number of files that were affected over a period of 1 week or 1 day (selectable via the buttons in the top right of the chart).
The following image is an example of the File Activity chart for file-related anomalies:
Unusual File Activity Table
The Unusual File Activity table is comprised of detailed information about the affected files in the client computer.
The following image is an example of the Unusual File Activity table for file-related anomalies:
Note
To restore a path that has unusual file activity, select the checkbox of the path in the Unusual File Activity table, and then click Restore. The system will restore the path to a version before the anomaly was discovered, ensuring a clean recovery. For more information, see Performing File System Restores.
The following table includes descriptions for all columns in the Unusual file activity table for file-related anomalies.
|
Column |
Description |
|---|---|
|
Path |
The path to the folder that contains the files that are affected by anomalous activity. |
|
Created files |
The number of files that were created in the given path at the detected time. |
|
Renamed files |
The number of files that were renamed in the given path at the detected time. |
|
Deleted files |
The number of files that were deleted in the given path at the detected time. |
|
Modified files |
The number of files that were modified in the given path at the detected time. |
|
Detected time |
The time when the anomaly was detected. |