Skip to main content

How can we help you?

Druva Documentation

Unusual data activity

inSync Cloud Editions: File:/tick.png Elite Plus File:/cross.png Elite File:/cross.png Enterprise File:/cross.png Business

The suspicious data modification on a device is called unusual data activity. A user or a malicious software can modify data in a suspicious manner on a device. For example, if a device in your organization is under attack, typically, the malicious software on the device starts changing data on the device. When a potential threat changes data on a device, it is suspicious in nature and is unlike how the device owner works with data on the device. inSync provides reports that can help you identify devices exhibiting unusual data activity such as:

  • Large number of files deleted
  • Large number of files added
  • Unwarranted modification of files
  • Suspicious encryption of files (inSync checks if a minimum of 100 files are encrypted)

Since anomalies of this type often indicate issues that require attention, inSync flags such devices in the Unusual Data Activity Report. Being notified about devices showing unusual data activity can help you identify a potential threat in your environment such as a ransomware attack or a compromised user. Similarly, in the device details page (top menu > Data Sources > Devices > click on the device under the Devices List), you can see data activity trends for the device. The Data Activity Trend tab in the device details displays a chart about the updates in each snapshot.


If a snapshot exhibits anomalous behavior, it is flagged in the chart and you can click it to launch the Restore Data window. You can click on any snapshot.

Note: The Data Activity Trend tab is not available for Cloud Apps, however, inSync provides Unusual Data Activity Reports for Cloud Apps such as Box, GDrive, and OneDrive. inSync does not support Unusual Data Activity identification from:

  • Exchange Online, GMail, and MAPI
  • System app settings
  • Data backed up from mobile devices
  • Users mapped to Cache Server

In addition to the report, inSync also generates an Unusual Data Activity alert and admins receive an email that indicates unusual data activity. inSync monitors data trend for a given device, and after a sufficient sample size (defaults to 33) builds the anomaly base line. For example, a folder on a particular device contained 400 files when it was configured for backup in inSync. Over 33 backup jobs, user has deleted 50 files in the folder. Total count at 33rd backup job is now 350 files. Suddenly, for the 34th backup job, 300 files are deleted from the folder. In such a case, inSync flags it as anomalous behavior and lists the device in the Unusual Data Activity Report. Administrators can take action based on the security policies of the organization to identify and isolate a possible threat, and prevent additional losses. 


  • This example is for understanding purpose only. In the background, inSync executes complex algorithms that use multiple parameters to detect unusual data activity. 
  • inSync does not consider data statistics gathered in the first snapshot.


  • inSync detects anomaly only after the backup job is complete and a snapshot is created. For incomplete backup jobs, or interrupted backup jobs, inSync cannot detect an anomaly. 
  • You can see information getting added in the trend after the feature is enabled for your account. As soon as a snapshot is created after the feature is enabled, its information is captured in the trend. For example, if fifteen snapshots are created after the feature is enabled for your account, the trend shows information for the fifteen snapshots. 
  • The Data Activity Trend can show information for the last hundred snapshots. For example, hundred snapshots are created for a device after the feature is enabled. Information for each snapshot from the first through hundredth snapshot is added one-by-one in the trend. When the hundred and first (101st) snapshot is created, the chart shows information from second snapshot through the hundred and first (101st) snapshot. You cannot see information from the first snapshot in the chart. 
  • There are possible scenarios when inSync does not detect anomalous behavior. For example, if an attack is slow, such as five files removed per day, inSync may not flag it as unusual data activity.
  • If you change inclusion-exclusion filters from profile, inSync clears data activity trend for the devices in the profile. It builds fresh data activity trend for the next 33 backups and starts detecting anomalies after the 33rd backup job. 

For more information, see:

  • Was this article helpful?