Unusual File Activity Report for File-Related Anomalies


The Unusual file activity report for file-related anomalies is a preview of file-related activities gathered from all Windows clients that are on feature release 11.23 or later. You can use this report to track large file anomalies for all Windows clients in the Commvault environment. For example, file activity such as deleting a large number of files or creating a large number of files might be flagged as anomalous.

The anomaly thresholds are based on historical activity and machine-learning algorithms to help reduce false positives from typical activity on the file system.

File activities on the Windows client computer are checked every 5 minutes and any abnormal activity is reported to the administrator by an alert and event. For the first 7 days, the client computer is monitored and analyzed for daily activity. After 7 days, a baseline of file activities is established and alerts and events are sent to the administrator when a large number of abnormal file activities is detected.

Up to 30 days of file activities are maintained in a database (Folderwatcher.db) on the client computer for use by the monitoring algorithm.
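The following sketch of the learn-then-alert behavior described above is an added illustration, not Commvault's algorithm or code. The 5-minute interval, 7-day learning period, and 30-day retention come from the text; the median-plus-MAD threshold, the `k` and `floor` parameters, and the sample counts are assumptions constructed for the example.

```python
from collections import deque
from statistics import median

PER_DAY = 24 * 60 // 5        # the page's 5-minute check interval -> 288 per day
LEARNING = 7 * PER_DAY        # 7-day learning period before any alert
RETENTION = 30 * PER_DAY      # 30 days of history retained
ACTIVITIES = ("created", "renamed", "deleted", "modified")


class FileActivityBaseline:
    """Per-activity rolling baseline. The median + k*MAD rule is an assumption."""

    def __init__(self, k=10.0, floor=50):
        self.k, self.floor = k, floor   # assumed sensitivity and minimum alert count
        self.seen = 0
        self.history = {a: deque(maxlen=RETENTION) for a in ACTIVITIES}

    def threshold(self, activity):
        h = list(self.history[activity])
        med = median(h)
        mad = median(abs(x - med) for x in h)   # robust spread, ignores rare spikes
        return max(self.floor, med + self.k * max(mad, 1.0))

    def observe(self, counts):
        """Score one 5-minute interval; return the activities flagged as anomalous."""
        learned = self.seen >= LEARNING
        self.seen += 1
        flagged = []
        for a in ACTIVITIES:
            n = counts.get(a, 0)
            if learned and n > self.threshold(a):
                flagged.append(a)           # flagged counts stay out of the baseline
            else:
                self.history[a].append(n)
        return flagged


def demo():
    """Constructed data: 7 quiet days on a busy host, then a normal and a burst interval."""
    det, early = FileActivityBaseline(), None
    for i in range(LEARNING):
        quiet = {"created": 3 + i % 5, "renamed": i % 2,
                 "deleted": i % 3, "modified": 200 + (i % 7) * 10}
        if i == 100:                        # spike inside the learning period
            early = det.observe({**quiet, "deleted": 5000})
        else:
            det.observe(quiet)
    normal = det.observe({"created": 5, "renamed": 1, "deleted": 2, "modified": 260})
    burst = det.observe({"created": 12, "renamed": 4000, "deleted": 3500, "modified": 4200})
    return early, normal, burst, det.threshold("modified")
```

In this sketch the spike during the learning period raises no alert, which mirrors the 7-day monitoring window described above, and 260 modifications per interval stay below the learned threshold on a host whose normal load is 200 to 260.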

The following options are available in the upper-right corner of the page:

  • To remove a client that has unusual file activity from the client list in the report, click Clear anomaly.

  • To recover a client that has unusual file activity as a VM, click Recover as VM.

    The data prior to the file-related anomaly is recovered.

  • To restore a file from a client that has unusual file activity, click Recover files.

    The data prior to the file-related anomaly is recovered.

Report Description

The Unusual file activity report for file-related anomalies is divided into the following sections: Unusual file activity chart and Unusual file activity data.

Unusual File Activity Chart

This chart displays information about the number of files that are affected by the user activity in the CommCell environment over a period of a day or a week.

The following image is an example of the unusual file activity for file-related anomalies chart section:

Unusual File Activity Table

The following table includes descriptions for all the columns in the Unusual file activity table for file-related anomalies.

| Column | Description |
|---|---|
| Path | The path to the folder that contains the files that are affected by anomalous activity. |
| Created files | The number of files that were created in the given path at the detected time. |
| Renamed files | The number of files that were renamed in the given path at the detected time. |
| Deleted files | The number of files that were deleted in the given path at the detected time. |
| Modified files | The number of files that were modified in the given path at the detected time. |
| Detected time | The time when the anomaly was detected. |
| Actions | To restore a path that has unusual file activity from the folder path list, click the action button, and then click Restore path. Alternatively, to restore a path or multiple paths that have unusual file activity from the folder path list, in the upper-right corner of the page, click Restore path. Note: The data before the file-related anomaly is restored. |

Performing File System Restores