Threat Detection provides visibility into unusual behavior across protected resources by detecting anomalies in indexed files and backup jobs. These anomalies help identify potential ransomware activity, data corruption, or unauthorized file activity. The system uses historical baselines built from prior backup jobs, statistical thresholds, and file metadata validation to highlight abnormal behavior.
The system detects the following primary anomaly types:
- File activity anomalies
- File MIME type anomalies
- File extension anomalies
- Backup size anomalies
File Activity Anomalies
File activity anomalies are irregular file operations, such as unusual rates of file creation, modification, renaming, or deletion. They are derived from the changes detected between consecutive indexed backup jobs and are used to identify potentially malicious or unexpected activity, such as a single job that renames or rewrites far more files than the resource's history predicts.
Detection Logic
- Telemetry Source: Index server performing File Indexing Version 2.
- Baseline: Normal change volume per operation, established from multiple prior backup jobs.
- Trigger Condition: File operation counts in the current job that lie more than three standard deviations above the baseline mean.
- Retention: 30 days of anomaly data retained.
Configuration
To enable file activity anomaly detection, the resource must be assigned to a Threat Detection plan. The Threat Detection plan automatically configures indexing and anomaly detection for supported workloads.
Supported Workloads
- Windows file system resources (Indexing Version 2)
- Linux file system resources (Indexing Version 2)
- Virtual Machines (Indexing Version 2)
- Network shares (Indexing Version 2)
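The following is an added example, not code from the product or this page, showing the trigger condition above applied to per-job operation counts: the baseline mean and standard deviation are computed from the prior jobs, and an operation is flagged only when the current count lies more than three standard deviations above that mean. The job data is constructed for the example; the minimum-baseline-length check and the handling of a flat (zero-deviation) baseline are assumptions of the example rather than documented behavior.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed per-job counts of file operations, as would be obtained by
# diffing the file lists of consecutive indexed backup jobs (oldest first).
BASELINE_JOBS: List[Dict[str, int]] = [
    {"create": 120, "modify": 340, "rename": 5, "delete": 12},
    {"create": 98,  "modify": 310, "rename": 3, "delete": 15},
    {"create": 130, "modify": 360, "rename": 7, "delete": 9},
    {"create": 110, "modify": 330, "rename": 4, "delete": 11},
    {"create": 125, "modify": 355, "rename": 6, "delete": 14},
]

# Constructed current job: modify and rename spike the way an in-place
# encryptor looks when it rewrites files and appends its own extension.
CURRENT_JOB: Dict[str, int] = {"create": 118, "modify": 4800, "rename": 4600, "delete": 13}

SIGMA_THRESHOLD = 3.0   # from the page: more than 3 standard deviations above baseline
MIN_BASELINE_JOBS = 3   # assumption of this example: fewer jobs give a meaningless stdev


def detect_activity_anomalies(
    history: List[Dict[str, int]],
    current: Dict[str, int],
    sigma: float = SIGMA_THRESHOLD,
    min_jobs: int = MIN_BASELINE_JOBS,
) -> Dict[str, Tuple[int, float, float, float]]:
    """Return {operation: (count, baseline_mean, baseline_stdev, z_score)} for
    every operation whose count in the current job lies more than `sigma`
    standard deviations above the baseline mean. Only upward deviations are
    flagged, matching the page's trigger condition."""
    if len(history) < min_jobs:
        return {}
    findings: Dict[str, Tuple[int, float, float, float]] = {}
    for op, count in current.items():
        samples = [job.get(op, 0) for job in history]
        mu = mean(samples)
        sd = pstdev(samples)
        if sd == 0:
            # Flat baseline (e.g. never any deletes): any increase is an
            # unbounded z-score, so flag on growth; no growth means no finding.
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sd
        if z > sigma:
            findings[op] = (count, float(mu), float(sd), z)
    return findings


if __name__ == "__main__":
    for op, (count, mu, sd, z) in detect_activity_anomalies(BASELINE_JOBS, CURRENT_JOB).items():
        print(f"{op}: {count} ops vs baseline {mu:.1f} +/- {sd:.1f} (z = {z:.1f})")
```

With the constructed data only `modify` and `rename` are reported; `create` and `delete` stay within normal variation, and a drop in any count is never flagged because the rule is one-sided.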
File MIME Type Anomalies
File MIME type anomalies are mismatches between a file's actual content type (its MIME type, determined from the file's leading bytes) and the type implied by its file extension. This often indicates ransomware disguising files (for example, an .exe renamed to .jpg); files whose contents have been encrypted in place also no longer match their extension.
Detection Logic
- Telemetry Source: Index server performing File Indexing Version 2.
- Operation: The first 36 KB of each indexed file is analyzed to determine its MIME type, which is then compared with the type expected for its extension.
- Baseline: Mismatch rate across the previous 2 backup jobs (see the Summary Support Matrix).
- Trigger Condition: The MIME mismatch rate of the current job exceeds the baseline rate by more than 5 percentage points (for example, a baseline of 1% and a current rate of 7%).
- Retention: 7 days of anomaly data retained.
Configuration
To enable file MIME type anomaly detection, assign the resource to a Threat Detection plan. The plan configures required indexing and anomaly collection settings.
Supported Workloads
- Windows file system (Indexing Version 2)
- Network file shares (Indexing Version 2)
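The following is an added example, not the product's own indexer code, showing the MIME check described above: the leading bytes of each file (capped at 36 KB) are matched against a small signature table, compared with the type expected for the extension, and the resulting mismatch rate is tested against a baseline plus the 5-point margin. The signature table, the extension map, the sample files and the decision to exclude files with unknown extensions from the rate are all constructed assumptions of the example.

```python
from typing import Dict, List, Optional, Tuple

SNIFF_BYTES = 36 * 1024  # from the page: only the leading 36 KB of each file is examined

# Leading-byte signatures -> MIME type. A deliberately small table for the
# example; a real indexer uses a much larger magic database.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),      # also OOXML (docx/xlsx) containers
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
]

# Extension -> MIME type the content is expected to have (example table).
EXT_TO_MIME: Dict[str, str] = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "pdf": "application/pdf", "zip": "application/zip",
    "docx": "application/zip", "xlsx": "application/zip",
    "exe": "application/x-dosexec",
}

MISMATCH_MARGIN = 0.05  # from the page: baseline rate + 5 percentage points


def sniff_mime(data: bytes) -> str:
    """Classify content by its leading bytes; unknown content is octet-stream."""
    head = data[:SNIFF_BYTES]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return "application/octet-stream"


def is_mismatch(name: str, data: bytes) -> Optional[bool]:
    """True if extension and sniffed content disagree, False if they agree,
    None if the extension is not in the table (nothing to compare against)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        return None
    return sniff_mime(data) != expected


def mismatch_rate(files: List[Tuple[str, bytes]]) -> float:
    """Fraction of comparable files (known extension) whose content mismatches."""
    verdicts = [v for v in (is_mismatch(n, d) for n, d in files) if v is not None]
    return sum(verdicts) / len(verdicts) if verdicts else 0.0


def mime_anomaly(files: List[Tuple[str, bytes]], baseline_rate: float,
                 margin: float = MISMATCH_MARGIN) -> Tuple[float, bool]:
    """Return (current_rate, flagged); flagged means the current mismatch
    rate exceeds the baseline rate by more than `margin`."""
    rate = mismatch_rate(files)
    return rate, rate > baseline_rate + margin


# Constructed sample of (name, leading bytes) for one backup job.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("photo.jpg",    b"\xff\xd8\xff\xe0\x00\x10JFIF"),           # genuine JPEG
    ("holiday.png",  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),     # genuine PNG
    ("report.pdf",   b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),             # genuine PDF
    ("invoice.docx", b"PK\x03\x04\x14\x00\x06\x00"),              # OOXML zip container
    ("archive.zip",  b"PK\x03\x04\x0a\x00\x00\x00"),
    ("dropper.jpg",  b"MZ\x90\x00\x03\x00\x00\x00"),              # PE executable renamed .jpg
    ("budget.xlsx",  b"\x8a\x1f\xc3\x7e\x51\x09\xaa\x03"),        # encrypted in place: no zip header
    ("notes.txt",    b"meeting at 10\n"),                         # unknown extension: not comparable
]


if __name__ == "__main__":
    rate, flagged = mime_anomaly(SAMPLE_FILES, baseline_rate=0.01)
    print(f"mismatch rate {rate:.1%}, anomaly={flagged}")
```

Two of the seven comparable files mismatch (a renamed executable and an encrypted spreadsheet), so the rate is about 28.6%, well above a 1% baseline plus the 5-point margin. Note that text formats such as .txt carry no signature, which is why the example leaves them out of the denominator rather than counting them as mismatches.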
File Extension Anomalies
File extension anomalies are unusual or newly introduced file extensions within a resource. A sudden increase in uncommon or random extensions may indicate ransomware activity, since many ransomware families append their own extension to each file they encrypt.
Detection Logic
- Telemetry Source: Index server performing File Indexing Version 2.
- Baseline: Distribution of file extensions across the previous 5 backup jobs.
- Trigger Condition: A new or rare extension appears at more than 10 times its baseline frequency, or accounts for more than 5% of the files in the current job.
- Retention: 7 days of anomaly data retained.
Configuration
To enable file extension anomaly detection, assign the resource to a Threat Detection plan. The plan ensures indexing and anomaly analysis are configured automatically.
Supported Workloads
- Windows file system resources (Indexing Version 2)
- Virtual Machines (Indexing Version 2)
Backup Size Anomalies
Backup size anomalies are unexpected increases or decreases in the amount of data written during an incremental backup. A large increase typically points to mass encryption (every rewritten file is backed up again in full), while a large decrease may indicate skipped data or corruption.
Detection Logic
- Telemetry Source: Job Manager Service and Backup Gateway statistics.
- Baseline: Average size of the last 10 incremental backup jobs.
- Trigger Condition: Current backup size more than 40% above or more than 50% below the baseline average.
- Retention: 30 days of anomaly data retained.
Configuration
To enable backup size anomaly detection, the resource must be assigned to a Threat Detection plan. This plan configures the required indexing and monitoring parameters for backup size anomaly tracking.
Supported Workloads
- Windows file system backups (Indexing Version 2)
- Linux file system backups (Indexing Version 2)
- Virtual Machine backups (Indexing Version 2)
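The following is an added example, not the product's own code, covering the two remaining rules on this page: the file extension rule (previous 5 jobs, more than 10x baseline frequency or more than 5% of files) and the backup size rule (mean of the last 10 incremental jobs, +40% / -50%). Both compare the current job against a sliding window of job history, which is why they share one block. The job data is constructed. Two thresholds are assumptions of the example and not stated on the page: what counts as a "rare" extension (under 1% of baseline files) and a noise floor of 3 files, added because a brand-new extension has a baseline frequency of zero and would otherwise trip the 10x test on a single stray file.

```python
from collections import Counter
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Thresholds from the page.
EXT_WINDOW = 5        # extension baseline: previous 5 backup jobs
EXT_RATIO = 10.0      # more than 10x baseline frequency
EXT_SHARE = 0.05      # or more than 5% of this job's files
SIZE_WINDOW = 10      # size baseline: last 10 incremental jobs
SIZE_GROWTH = 0.40    # more than 40% above baseline
SIZE_SHRINK = 0.50    # more than 50% below baseline

# Assumptions of this example, not stated on the page.
RARE_FREQ = 0.01      # an extension under 1% of baseline files counts as "rare"
MIN_COUNT = 3         # noise floor: ignore a new/rare extension seen on fewer files


def extension_anomalies(
    history: List[Dict[str, int]], current: Dict[str, int]
) -> Dict[str, Tuple[int, float, float]]:
    """history: per-job {extension: file_count} (oldest first); current: this job.
    Returns {extension: (count, share_of_current_files, ratio_to_baseline)} for
    new or rare extensions that exceed EXT_RATIO or EXT_SHARE. A new extension
    has baseline frequency zero, so its ratio is inf and MIN_COUNT is what
    keeps a single stray file from alerting."""
    window = history[-EXT_WINDOW:]
    base: Counter = Counter()
    for job in window:
        base.update(job)
    base_total = sum(base.values())
    cur_total = sum(current.values())
    findings: Dict[str, Tuple[int, float, float]] = {}
    if base_total == 0 or cur_total == 0:
        return findings
    for ext, count in current.items():
        base_freq = base[ext] / base_total
        if base_freq >= RARE_FREQ or count < MIN_COUNT:
            continue                         # common extension, or below noise floor
        share = count / cur_total
        ratio = share / base_freq if base_freq > 0 else float("inf")
        if ratio > EXT_RATIO or share > EXT_SHARE:
            findings[ext] = (count, share, ratio)
    return findings


def backup_size_anomaly(sizes: List[int], current: int) -> Optional[Tuple[str, float]]:
    """sizes: data written by previous incremental jobs (oldest first).
    Returns ("growth", deviation) if current exceeds the baseline mean by more
    than SIZE_GROWTH, ("shrink", deviation) if it falls short by more than
    SIZE_SHRINK, else None. Deviation is a signed fraction of the baseline."""
    window = sizes[-SIZE_WINDOW:]
    if not window:
        return None
    baseline = mean(window)
    if baseline == 0:                        # nothing ever written: any data is growth
        return ("growth", float("inf")) if current > 0 else None
    deviation = (current - baseline) / baseline
    if deviation > SIZE_GROWTH:
        return ("growth", deviation)
    if deviation < -SIZE_SHRINK:
        return ("shrink", deviation)
    return None


# Constructed history: five stable jobs, then one where most documents have
# been renamed to .locked and a rare .bak extension has multiplied.
EXT_HISTORY = [
    {"docx": 300, "xlsx": 150, "pdf": 200, "jpg": 100, "log": 20, "bak": 2},
    {"docx": 305, "xlsx": 152, "pdf": 201, "jpg": 100, "log": 22, "bak": 2},
    {"docx": 310, "xlsx": 150, "pdf": 205, "jpg": 102, "log": 19, "bak": 2},
    {"docx": 312, "xlsx": 155, "pdf": 203, "jpg": 104, "log": 21, "bak": 2},
    {"docx": 315, "xlsx": 156, "pdf": 210, "jpg": 105, "log": 23, "bak": 2},
]
EXT_CURRENT = {"docx": 100, "xlsx": 50, "pdf": 70, "jpg": 30, "log": 24,
               "bak": 40, "locked": 560, "tmp": 2}

# Constructed incremental sizes in MiB; 12 jobs, so only the last 10 form the baseline.
SIZE_HISTORY = [820, 790, 850, 810, 830, 795, 845, 815, 800, 835, 825, 805]

if __name__ == "__main__":
    for ext, (n, share, ratio) in extension_anomalies(EXT_HISTORY, EXT_CURRENT).items():
        print(f"{ext}: {n} files, {share:.1%} of job, {ratio:.1f}x baseline")
    print(backup_size_anomaly(SIZE_HISTORY, 9600))
```

On the constructed data `.locked` is reported as new (infinite ratio, 64% of the job's files) and `.bak` as rare but grown about 18x even though it stays under the 5% share, while `.log`, which was never rare, and the two `.tmp` files below the noise floor are ignored. The size check reports growth for a 9600 MiB job against a baseline mean of 821 MiB and shrink for a 300 MiB job; a 1000 MiB job (+22%) is within tolerance.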
Summary Support Matrix
| Anomaly Type | Workloads | Indexing Requirement | Baseline Period | Retention |
|---|---|---|---|---|
| File Activity | Windows, Linux, VMs, network shares | Indexing Version 2 | Multiple jobs | 30 days |
| File MIME Type | Windows, network shares | Indexing Version 2 | 2 jobs | 7 days |
| File Extension | Windows, VMs | Indexing Version 2 | 5 jobs | 7 days |
| Backup Size | Windows, Linux, VMs | Indexing Version 2 | 10 jobs | 30 days |