Overview
Suspicious data modification on a resource is called a Data Anomaly. For example, if a resource in your organization is under attack, malicious software can start deleting the data present in it.
To learn more about Data Anomalies and the detection mechanism that Druva uses to trigger an alert, see the Data Anomalies settings.
You can use the Cyber Resiliency > Posture & Observability > Data Anomalies > Anomalies tab to get an overview of Data Anomalies details, such as the number of impacted resources, the number of Data Anomalies alerts generated, and so on for different resource types. Use this information for your analysis and take appropriate action.
The sections of the page are described below.
Last Updated at <date timestamp> UTC
Displays the most recent date and timestamp (UTC) when the data was refreshed.
Filter the dashboard details using the Time Duration option. By default, the Data Anomalies data for the last seven days is displayed.
Summary Card section for Data Anomalies
The Data Anomalies Summary card displays the count of all data anomaly alerts for the selected time range. By default, the total count for the last seven days is displayed.
You can also view the number of impacted resources and the number of encrypted alerts generated along with encryption reasons for different resource types.
Hover over the pie chart to see a summary of the anomalies detected on the impacted resources, and take action accordingly.
Impacted Resources: Shows the total number of impacted resources on which data anomaly was identified. Resources can be Endpoints, File Servers, NAS devices, VMware, or Microsoft 365 (SharePoint and OneDrive). For more information, see Data Anomalies.
Encryption Alerts: Shows the total number of alerts generated for the encryption of files.
Date-specific distribution of anomalies
A graphical representation displays the summary of the number of anomalous snapshots for which Data Anomalies alerts were generated on specific days.
The following screenshot displays the date-wise graphical summary for anomalies on impacted resources.
Impacted Snapshot: Shows the total number of anomalous snapshots for which Data Anomalies alerts were generated for your resources. Resources can be Endpoints, File Servers, NAS devices, VMware, or Microsoft 365 (SharePoint and OneDrive). For more information, see Data Anomalies.
Deletion Alert: Shows the total number of alerts generated for the deletion of files from the snapshot.
Encryption Alert: Shows the total number of alerts generated for the encryption of files.
Creation Alert: Shows the total number of alerts generated for the creation of too many files.
Modification Alert: Shows the total number of alerts generated for the modification or edits of too many files.
Data Anomalies Service Status
The Data Anomalies Service Status section shows the following information:
Total Resources
Shows the total number of resources present.
Healthy Resources
Shows the total number of resources that were found safe out of the total number of resources for which Data Anomaly alerts were generated. Resources can be Endpoints, File Servers, NAS devices, VMware, or Microsoft 365 (SharePoint and OneDrive).
Impacted Resources
Shows the total number of resources that were found infected out of the total number of resources for which Data Anomaly alerts were generated. Resources can be Endpoints, File Servers, NAS devices, VMware, or Microsoft 365 (SharePoint and OneDrive).
Not Scanned Resources
Shows the total number of resources that were not scanned for Data Anomalies. Resources can be Endpoints, File Servers, NAS devices, VMware, or Microsoft 365 (SharePoint and OneDrive). This count includes:
Resources for which the learning period for the data backup pattern analysis is in progress.
Resources for which the snapshot does not comply with the minimum files required parameter.
Details for each resource
(Endpoints, File Server, NAS, VMware, Microsoft 365: OneDrive & SharePoint):
Shows the data anomalies service status for each resource. Hover over the graph to view the details.
💡 Tip
If you encounter Data anomaly errors for VMware resources, see VMware errors for Data anomalies to resolve them.
Detailed Card section for Data Anomalies
Notifying you about resources showing Data Anomalies can help you identify a potential threat in your environment, such as a ransomware attack or a compromised user.
Use the Impacted Resources section to view a list of all the impacted resources for the selected time range.
You can search and filter this list based on Resource Name, Resource Type, Alert Type, and Alert Status criteria based on your requirements.
Impacted Resources
This section provides the following details:
Resource Name: The name of the resource for which the alert was generated. Click to view the details of the alerts generated for this resource.
Resource Type: The type of resource for which the alert was generated, such as Virtual Machines (VMware), File Backup sets, and Microsoft 365.
Snapshot Impacted: Total number of snapshots for the selected resource for which data anomalies were detected.
Last Impacted Snapshot: The date and time stamp of the most recent impacted snapshot.
Anomalies: Type of data anomaly alerts:
Creation: Number of anomalies for created files.
Modification: Number of anomalies for modified or updated files.
Deletion: Number of anomalies for deleted files.
Encryption: Number of encrypted files.
Click the name of the resource to view the details of the resource and the alerts generated for that resource.
Data anomaly for the selected resource
Summary
User Name: The name of the user associated with the device. This field is displayed only for Endpoints and OneDrive.
Server Name: The name of the server associated with the backupset. This field is displayed only for Servers.
Virtual Machine Name: The name of the virtual machine. This field is displayed only for Virtual Machines.
vCenter/ESXi hosts: The details of the vCenter/ESXi hosts. This field is displayed only for Virtual Machines.
Data anomaly details for a selected resource
The Data Anomalies section provides the following details for the selected resource:
Impacted Snapshot: Date and time when the snapshot was created.
Alert Type: There can be any of the following alert types:
Creation: A large number of files are created in a short span.
Modification: A large number of files are edited or modified.
Deletion: Several files are deleted from the snapshot.
Encryption: Files are encrypted and are unusable.
Alert Time: The time at which the alert was generated.
Snapshot Size: The size of the impacted snapshot.
Impacted Files: Total number of impacted files.
Encryption Reason: Cause of the file encryption.
Action Taken: The action performed on the alert - Quarantine, Ignore, or No Action.
Quarantine: The resource is quarantined because a data anomaly was detected.
Ignore: If the alert is deemed as a false positive, you can ignore the alert.
Alert Status: There can be the following two statuses:
Active: Denotes that no action has been taken on the alert.
Resolved: Denotes that the alert has been looked into and the necessary actions were taken.
Data Activity Trend
The Data Activity Trend is a graphical representation of data backed up in the resource by snapshots.
Hover over the graph to view the following details of Data Anomalies for files:
Type of snapshots represented by different color codes:
Unscanned Snapshots (Grey dot icon): Indicates either of the following:
Learning period is in progress for the data backup pattern analysis
Snapshot does not comply with the minimum files required parameter set
Scanned Snapshots (Blue dot icon): This indicates that the learning period and data anomaly detection are complete, and no data anomaly is detected. Snapshots are safe.
Impacted Snapshots (Red dot icon): Indicates that the learning period and Data Anomalies detection are complete, a data anomaly was detected within the snapshot, and a Data Anomalies alert was generated for you to take action.
Quarantined Snapshots (Quarantine icon): Indicates snapshots that have been quarantined and need further investigation by the security team.
Snapshot Size: The size of the snapshot.
#Files: Number of files included in the snapshot.
File Activity: The action performed on the files - Created, Updated, Deleted, and Encrypted.
This Snapshot: The file count in this snapshot for each file activity - Created, Updated, Deleted, and Encrypted.
Baseline: This value is generated dynamically from the list of snapshots based on the learning duration.
Total File Change: The total number of file changes observed across the different file activities: creation, modification, and deletion.
Deviation: The change observed relative to the baseline value. The deviation can be a positive or negative number and is displayed as a percentage.
📝 Note
Baseline values are not applicable for Encrypted files.
Deviation is not applicable for Encrypted files.
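As an added example (not Druva's code and not its documented detection mechanism), the following Python models how the Data Activity Trend fields relate to each other: the baseline, the signed percentage deviation, the Unscanned/Scanned/Impacted snapshot states, and the rule that baseline and deviation do not apply to Encrypted files. The learning-window length, the minimum-files parameter, the mean-based baseline, the alert threshold and the sample snapshots are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

ACTIVITIES = ("Created", "Updated", "Deleted", "Encrypted")
LEARNING_SNAPSHOTS = 3       # assumed length of the learning period, in snapshots
MIN_FILES = 100              # assumed "minimum files required" parameter
ALERT_THRESHOLD_PCT = 200.0  # assumed deviation above which a snapshot is flagged

@dataclass
class Snapshot:
    files: int            # "#Files" in the tooltip
    activity: dict        # "This Snapshot": file count per activity

def baseline(history, activity):
    """Mean count over the learning window (assumption); not applicable for Encrypted."""
    if activity == "Encrypted" or len(history) < LEARNING_SNAPSHOTS:
        return None
    return mean(s.activity[activity] for s in history[-LEARNING_SNAPSHOTS:])

def deviation_pct(current, base):
    """Signed percentage change relative to the baseline; None when undefined."""
    if base is None or (base == 0 and current == 0):
        return None
    if base == 0:
        return float("inf")   # activity appeared where the baseline saw none
    return (current - base) / base * 100.0

def classify(history, snap):
    """Return (status, details) matching the trend-graph dot colours."""
    if len(history) < LEARNING_SNAPSHOTS:
        return "Unscanned", {"reason": "learning period in progress"}
    if snap.files < MIN_FILES:
        return "Unscanned", {"reason": "below minimum files required"}
    details, impacted = {}, snap.activity["Encrypted"] > 0  # assumption: any encrypted file alerts
    for act in ACTIVITIES:
        base = baseline(history, act)
        dev = deviation_pct(snap.activity[act], base)
        details[act] = {"baseline": base, "deviation_pct": dev}
        impacted = impacted or (dev is not None and dev > ALERT_THRESHOLD_PCT)
    details["total_file_change"] = sum(snap.activity[a] for a in ACTIVITIES[:3])
    return ("Impacted" if impacted else "Scanned"), details

# Constructed sample: three learning-period snapshots, then a normal and a suspicious one.
HISTORY = [Snapshot(1000, {"Created": 20, "Updated": 50, "Deleted": 10, "Encrypted": 0}),
           Snapshot(1010, {"Created": 25, "Updated": 55, "Deleted": 12, "Encrypted": 0}),
           Snapshot(1020, {"Created": 30, "Updated": 60, "Deleted": 8, "Encrypted": 0})]
NORMAL = Snapshot(1030, {"Created": 28, "Updated": 58, "Deleted": 11, "Encrypted": 0})
SUSPECT = Snapshot(1030, {"Created": 0, "Updated": 900, "Deleted": 600, "Encrypted": 850})
```

Calling `classify(HISTORY, NORMAL)` yields a Scanned snapshot with small deviations, while `classify(HISTORY, SUSPECT)` yields an Impacted one driven by the encrypted files and the deletion spike.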
Next Step: Take action on Data Anomalies Alert