Skip to main content

How can we help you?

Druva Documentation

Unusual Data Activity

License editions: To understand the applicable license editions, see Plans & Pricing.


Suspicious modification of data on a resource is called Unusual Data Activity (UDA). A user or malicious software can make such changes. For example, if a resource in your organization is under attack, the malicious software on the resource can start deleting files present in the resource. A resource is a device or server where data is stored. 

  • Unusual Data Activity displays insights about the data protected only for the following resources:
    • Endpoints,
    • NAS, and
    • File Servers (Windows/Linux)
  • Data is displayed for up to the last 30 days.

 When such a potential threat manipulates the data on a resource, it is suspicious in nature and is unlike how the resource owner works with data on that resource. Since anomalies of this type often indicate issues that require attention, Druva flags any such anomalous behavior in a resource and generates an alert.

How does Druva detect UDA

Druva monitors the data activity trend for a given resource, and after a sufficient sample size, it builds the anomaly baseline. Following are the prerequisites for Druva to start scanning a resource:

  1. 33 snapshots (For Endpoints): The resource must have a minimum of 33 successfully backed up data snapshots within a period of the last 30 days.
  2. 20 snapshots (For File Server/NAS): The resource must have a minimum of 20 successfully backed up data snapshots within a period of the last 30 days.

 Behaviour for the first 30 days

For EndpointsUnusual Data Activity alert may get generated after every 33 snapshots after the license is enabled or the device is activated.

For File Server/NAS Unusual Data Activity alert may get generated after every 20 snapshots after the license is enabled or the backup set is activated.

This information is for understanding purposes only. In the background, Druva executes complex algorithms that use multiple parameters to detect unusual data activities. 

The following table explains the UDA behavior in detail.

Date Activity Snapshot number Number of files
Scenario: UDA is already enabled and backup frequency is every 8 hours
1 July  Resource configured for backup 1 400
10 July  10 files were deleted 30 390
20 July 10 files were deleted 60
(minimum 33 successfully backed up snapshots criteria is fulfilled)
31 July 300 files were deleted 92 80 
(a deletion alert is generated notifying that 300 files were deleted)

Administrators can take action based on the security policies of the organization to identify and isolate a possible threat and prevent additional losses.


Anomaly detection kicks in only after the backup job is complete and a snapshot is created. For incomplete backup jobs or interrupted backup jobs, no anomalous is behavior is tracked. 




View UDA alerts

Note: In the case of deleted resources (devices, backupsets, and virtual machines) you cannot view the alerts for those resources. However, you can retrieve the deleted resources and view their alerts with the Rollback Action option.

Log in to Druva Console and go to Ransomware Recovery > Security Events. The Unusual Data Activity Alerts card displays the number of active alerts in the defined time period.

UDA card alert count.png

Being notified about the resources showing unusual data activity can help you identify a potential threat in your environment such as a ransomware attack or a compromised user. Click the card to view details of the generated alerts.

details of UDA alerts.png

The details of the generated alert contain the following information:

  • Resource Name: The name of the resource for which the alert was generated. Click to view the details of the alerts generated for this resource. 
  • User Name: The name of the user associated with the device. This field is displayed only for Endpoints.
  • Server Name: The name of the server associated with the backupset. This field is displayed only for Servers.
  • Affected Snapshot: The date and time stamp of the snapshot that was affected.
  • Alert Type: There can be the following alert types:
    • Creation: Too many files created in a short span.
    • Modification: A large number of files edited or modified.
    • Deletion: Several files deleted from the snapshot.
    • Encryption: Files encrypted and are inaccessible.
  • #Impacted Files: The number of files in the affected snapshot. If there are multiple types of unusual behavior in the snapshot, there is an info icon beside the number that provides details of the unusual activity.
  • Status: There can be the following two statuses:
    • Active: Denotes that no action has been taken on the alert.
    • Resolved: Denotes that the alert has been looked into and the necessary actions were taken. 

You can also download the logs for a particular alert and use it for further inspection. 

Click the name of the resource to view the details of the resource and the alerts generated for that resource.  

Alert details of a device page 1.png

The Data Activity Trend is a graphical representation of data backed up in the resource by snapshots. 

Data activity trend new.png

Take action on an alert

For any unusual data activity alert, you can do any of the following:

  • Ignore the alert If you deem any alert as a false positive, click the resource name and select the false positive alert. Click Ignore to resolve the alert. 
  • Quarantine the resource: Select an alert and click Quarantine Resource to stop the ransomware from spreading further. Before you quarantine, see Know the impact of quarantining to learn more about the effects of quarantining the resource. To learn about the options to quarantine a resource, see Quarantine Response.

After you have taken an action, the status of the alert changes to Resolved

  • Was this article helpful?