Druva Documentation

Unusual Data Activity

The availability of this feature may be limited by license type, region, and other criteria. To access this feature, contact your Druva Account Manager or Druva Support.

Introduction

A resource is a device or server where data is stored. Suspicious modification of the data on a resource is called Unusual Data Activity (UDA). Such changes can be made by a user or by malicious software. For example, if a resource in your organization is under attack, the malicious software on it can start deleting the files present on that resource.

  • Unusual Data Activity displays insights only for data protected on the following resources:
    • Endpoints
    • NAS
    • File Servers (Windows/Linux)
  • Data is displayed for up to the last 30 days.

When such a threat manipulates the data on a resource, the activity is suspicious in nature and unlike how the resource owner normally works with the data on that resource. Because anomalies of this type often indicate an issue that needs attention, Druva Realize flags the anomalous behavior on the resource and generates an alert.

How does Druva Realize detect UDA

Druva Realize monitors the data activity trend of each resource and, once it has a sufficient sample size, builds the anomaly baseline for that resource. Both of the following prerequisites must be met before Druva Realize starts scanning a resource:

  1. 33 snapshots: The resource must have at least 33 successfully backed-up snapshots.
  2. 30 days: At least 30 days must have passed since the resource was configured for backup. If the Unusual Data Activity feature was enabled on your Druva account after the resource was configured, the 30-day count starts on the day the feature was enabled instead.

For example, if the UDA feature was enabled for your account on 1 July, you will start receiving alerts (if any) after 2 August for resources that were already configured for backup before 1 July.

These prerequisites are described here only to help you understand when scanning begins. In the background, Druva Realize runs complex algorithms that use multiple parameters to detect unusual data activity.

The following table walks through three scenarios. In each one the resource is configured for backup on 1 July with 400 files, and an alert is generated only once both prerequisites are met: in Scenario 2 the snapshot count is reached first and the 30-day wait is the binding condition, while in Scenario 3 the 33-snapshot count is the binding condition.

Scenario 1: UDA already enabled; backup frequency once a day

Date        Activity                         Snapshot number   Number of files
1 July      Resource configured for backup   1                 400
10 July     10 files deleted                 10                390
17 July     10 files deleted                 17                380
26 July     30 files deleted                 26                350
2 August    300 files deleted                34                50
            A deletion alert is generated: 300 files deleted.

Scenario 2: UDA already enabled; backup frequency every 8 hours

Date        Activity                         Snapshot number   Number of files
1 July      Resource configured for backup   1                 400
10 July     10 files deleted                 30                390
20 July     10 files deleted                 60                380
            The minimum of 33 successfully backed-up snapshots is fulfilled.
31 July     300 files deleted                92                80
            A deletion alert is generated: 300 files deleted.

Scenario 3: UDA enabled on 10 July, after the resource was configured; backup frequency once every 3 days

Date        Activity                         Snapshot number   Number of files
1 July      Resource configured for backup   1                 400
10 July     UDA feature enabled
20 July     20 files deleted                 6                 380
30 July     10 files deleted                 10                370
29 August   10 files deleted                 20                360
            The 30-day wait after the feature was enabled is fulfilled.
10 October  300 files deleted                34                60
            A deletion alert is generated: 300 files deleted.

Administrators can then act according to the organization's security policies to identify and isolate the possible threat and prevent further loss.

Anomaly detection runs only after a backup job completes and a snapshot is created. For incomplete or interrupted backup jobs, no anomalous behavior is tracked.
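To make the two prerequisites and the incomplete-backup rule concrete, the following Python script is an illustration added to this page; it is not Druva's own code, and Druva Realize's actual multi-parameter algorithm is not public and is not what this script implements. It models a resource's snapshot history, applies the 33-snapshot and 30-day rules (counting the 30 days from the later of the backup-configuration date and the feature-enablement date), ignores interrupted backups, and compares the newest snapshot against a simple baseline built from the earlier ones. The threshold rule (mean plus three standard deviations, with a floor of 50 files), the per-snapshot created/modified/deleted counters, and all dates are assumptions.

```python
"""Simplified model of the UDA prerequisites and a per-resource activity baseline.

Added illustration for this page, not Druva's detection code: Druva Realize runs
undisclosed multi-parameter algorithms. Only the two prerequisites (33 complete
snapshots; 30 days from the later of backup configuration and feature enablement)
come from the documentation. The threshold rule and all dates are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev

MIN_SNAPSHOTS = 33   # documented prerequisite
MIN_DAYS = 30        # documented prerequisite
SIGMA = 3.0          # assumption: flag counts above mean + 3 std devs of the baseline
FLOOR = 50           # assumption: never alert on fewer than 50 files in one snapshot

# Assumed dates for the worked scenario (the table gives no year).
CONFIGURED = date(2024, 7, 1)      # resource configured for backup
ENABLED_BEFORE = date(2024, 6, 1)  # UDA already enabled when the resource was added
ENABLED_AFTER = date(2024, 7, 10)  # UDA enabled after the resource was added


@dataclass(frozen=True)
class Snapshot:
    taken: date
    created: int = 0       # files created since the previous snapshot
    modified: int = 0      # files modified since the previous snapshot
    deleted: int = 0       # files deleted since the previous snapshot
    complete: bool = True  # an interrupted backup job leaves no snapshot to scan


def scan_eligible(snaps, configured, feature_enabled):
    """Both prerequisites must hold before any snapshot is scanned."""
    good = [s for s in snaps if s.complete]
    if len(good) < MIN_SNAPSHOTS:
        return False
    start = max(configured, feature_enabled)  # 30-day count starts on the later date
    return good[-1].taken >= start + timedelta(days=MIN_DAYS)


def check_latest(snaps, configured, feature_enabled):
    """Return {alert_type: count} for the newest complete snapshot ({} if nothing)."""
    good = [s for s in snaps if s.complete]
    if not scan_eligible(good, configured, feature_enabled):
        return {}
    history, latest = good[:-1], good[-1]
    alerts = {}
    for kind in ("created", "modified", "deleted"):
        series = [getattr(s, kind) for s in history]
        # Baseline from every earlier snapshot; the floor stops a near-zero
        # standard deviation from flagging a handful of routine deletions.
        threshold = max(mean(series) + SIGMA * pstdev(series), FLOOR)
        count = getattr(latest, kind)
        if count > threshold:
            alerts[kind] = count
    return alerts


def daily_scenario(n_snapshots=34, deleted_in=None, created_in=None, incomplete=()):
    """Constructed data after the first table scenario: one backup a day from 1 July,
    10/10/30 files deleted in snapshots 10/17/26 and 300 in snapshot 34."""
    if deleted_in is None:
        deleted_in = {10: 10, 17: 10, 26: 30, 34: 300}
    created_in = created_in or {}
    return [
        Snapshot(CONFIGURED + timedelta(days=n - 1),
                 created=created_in.get(n, 0),
                 deleted=deleted_in.get(n, 0),
                 complete=n not in incomplete)
        for n in range(1, n_snapshots + 1)
    ]


if __name__ == "__main__":
    snaps = daily_scenario()
    # Feature already on: snapshot 34 exceeds the baseline -> {'deleted': 300}
    print(check_latest(snaps, CONFIGURED, ENABLED_BEFORE))
    # Feature enabled 10 July: snapshot 34 falls before 9 August -> {} (not scanned yet)
    print(check_latest(snaps, CONFIGURED, ENABLED_AFTER))
```

Running the script reproduces the first table scenario (a deletion alert on snapshot 34) and then shows that the same snapshot history produces no alert yet when the feature was only enabled on 10 July, because the 30-day count restarts on that date. Marking a snapshot as incomplete removes it from the count, so a resource with 33 backups of which one was interrupted is still not scanned.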
View UDA alerts

Log in to the Druva Console and go to Ransomware Recovery > Overview. The Unusual Data Activity Alerts card displays the number of active alerts in the selected time period.

Being notified about resources showing unusual data activity helps you identify a potential threat in your environment, such as a ransomware attack or a compromised user. Click the card to view the details of the generated alerts.

The details of a generated alert contain the following information:

  • Resource Name: The name of the resource for which the alert was generated. Click it to view the details of all alerts generated for this resource.
  • User Name: The name of the user associated with the device. This field is displayed only for Endpoints.
  • Server Name: The name of the server associated with the backup set. This field is displayed only for Servers.
  • Affected Snapshot: The date and time stamp of the snapshot that was affected.
  • Alert Type: One of the following:
    • Creation: Too many files created in a short span of time.
    • Modification: A large number of files edited or modified.
    • Deletion: Several files deleted from the snapshot.
    • Encryption: Files encrypted and inaccessible.
  • #Impacted Files: The number of affected files in the snapshot. If the snapshot shows more than one type of unusual behavior, an info icon beside the number gives a breakdown of the unusual activity.
  • Status: One of the following:
    • Active: No action has been taken on the alert.
    • Resolved: The alert has been investigated and the necessary actions were taken.

You can also download the logs for a particular alert and use them for further inspection.

Click the name of the resource to view the details of the resource and the alerts generated for it.

The Data Activity Trend is a graph of the data backed up on the resource, plotted per snapshot.

Take action on an alert

For any unusual data activity alert, you can do either of the following:

  • Ignore the alert: If you determine that an alert is a false positive, click the resource name, select the alert, and click Ignore to resolve it.
  • Quarantine the resource: Select an alert and click Quarantine Resource to stop the ransomware from spreading further. Before you quarantine, see Know the impact of quarantining to learn about the effects of quarantining a resource. To learn about the available quarantine options, see Quarantine Response.

After you have taken either action, the status of the alert changes to Resolved.