Use the Unusual Activities Analysis Report

Cloud Backup learns from your backup statistics and warns you about OneDrive accounts, SharePoint Online sites, Teams primary sites, or Microsoft 365 Groups team sites that show unusual activities or are under a potential ransomware attack.

Unusual activities are designed to provide visibility into patterns within your environment that are distinct from regular usage patterns. The unusual activities could be related to malware, whether ransomware or non-ransomware. But in most cases they can be legitimate operations; for example, some users might kick off migration jobs or clean up their OneDrive on their work anniversary. It might be normal for a user to make changes that do not match their day-to-day patterns. While you should be aware that these changes are happening, you likely do not have to respond to every unusual activity report.

However, a Potential Ransomware Attack is much more serious and requires your immediate attention. It refers to actual suspicious files that were detected in a user’s OneDrive or a team site and that require investigation.

To learn how you use your environment and build the pattern, the Unusual Activities Analysis Report requires at least 12 days of successful backups. Once any unusual activity or potential ransomware attack has been detected, your administrators will receive email notifications. To enable alerts for unusual activities and potential ransomware attacks, refer to Configure Notifications.

View the Report

You can navigate to the corresponding page to view the report for OneDrive, SharePoint Online, Teams, or Microsoft 365 Groups. To download a detailed list of the files under potential ransomware attack or with unusual activity, navigate to the Details tab of the service, select a OneDrive account/site, click a point in the chart, and then click Download list in the More comments list.

On each page, the Dashboard tab displays the number of OneDrive accounts or team sites protected by Cloud Backup and the number of suspicious OneDrive accounts/team sites. The main chart in the Dashboard tab shows the data tracked over the last 30 days for unusual activities and potential ransomware attacks.

The Dashboard.

You can click the number to view all the accounts/sites with suspicious activities or click the point on the chart to view the details of that specific date. The Details tab will show more information on the unusual activities and suspicious files for the reported accounts/sites. You can download the report in an Excel file.

You can also navigate to the Details page directly to view the data in a table. You can adjust the time range to change the data scope or click a OneDrive account/site to view the report with its own details.

The Details.

When you view the details of a specific OneDrive account/SharePoint Online site, you can also adjust the time range to change the data scope and click a point in the chart to view the details of that date. The details are displayed below the chart. You can generate and download a list of the files for record or for further investigation.

The View details page.

Recover OneDrive or Site to a Healthy State

To recover a OneDrive or site to a safe state, use one of the following methods:

  • In the Details tab, select the OneDrive or site, click Restore on the Restore pane, then find a safe date and select the proper recovery point to restore.

The Recovery Point calendar displays a yellow dot under each date whose recovery points were detected with unusual activities. For details on the common restore settings, refer to Restore and Recover Your Data.

  • On the details pane of a OneDrive account or site, click a safe date and click the Go to Restore Page button. For details on the common restore settings, refer to Restore and Recover Your Data.