Use the Unusual Activities Analysis Report

Cloud Backup learns from your backup statistics and warns you about OneDrive accounts, SharePoint Online sites, Teams primary sites, or Microsoft 365 Groups team sites that show unusual activities or are under a potential ransomware attack.

Unusual activities reporting is designed to give you visibility into patterns within your environment that are distinct from regular usage patterns. Unusual activities could be related to malware, whether ransomware or non-ransomware. But in most cases they are legitimate operations. For example, some users might kick off migration jobs or run through a clean-up of their OneDrive on their work anniversary. It might be normal for a user to make changes that do not match their day-to-day patterns. While you should be aware that these changes are happening, you likely do not have to respond to every unusual activity report.

However, a Potential Ransomware Attack is much more serious and requires your immediate attention. It means that actual suspicious files were detected in a user’s OneDrive or a team site, and these files require investigation.

To learn how you use your environment and build the pattern, the Unusual Activities Analysis Report requires at least 12 days of successful backups. Once any unusual activity or potential ransomware attack has been detected, your administrators will receive email notifications. To enable alerts for unusual activities and potential ransomware attacks, refer to Configure Notifications.

If you receive email notifications regarding unusual activities or potential ransomware attacks and need to restore your OneDrive or SharePoint site to a secure state, refer to How to Recover OneDrive or Site to a Healthy State. For more details on the report, refer to View the Report.

View the Report

You can navigate to the corresponding page to view the report for OneDrive, SharePoint Online, Teams, or Microsoft 365 Groups. To download a detailed list of files under potential ransomware attack or with unusual activities, navigate to the Details tab of the service, select a OneDrive account or site, click a point in the chart, and then click the Download list button.

On each page, the Dashboard tab displays the number of OneDrive accounts or sites protected by Cloud Backup and the number of suspicious OneDrive accounts or sites. The main chart in the Dashboard tab shows the data tracked over the last 30 days for unusual activities and potential ransomware attacks.

The Dashboard.

You can click the number to view all the accounts/sites with suspicious activities or click the point on the chart to view the details of that specific date. The Details tab will show more information on the unusual activities and suspicious files for the reported accounts/sites. You can download the report in an Excel file.

You can also navigate to the Details page directly to view the data in a table. You can adjust the time range to change the data scope or click a OneDrive account or site to view the report with its own details.

The Details.

When you view the details of a specific OneDrive account or site, you can also adjust the time range to change the data scope and click a point in the chart to view the details of that date. The details are displayed below the chart. You can generate and download a list of the files for your records or for further investigation.

The View details page.

How to Recover OneDrive or Site to a Healthy State

When you receive email notifications about unusual activities or potential ransomware attacks, take immediate action to restore your OneDrive or SharePoint site to a safe state.

  1. Log in to Cloud Backup for Microsoft 365.

  2. Navigate to Report center > Unusual activities analysis.

  3. Select the appropriate page to view reports for OneDrive, SharePoint Online, Teams, or Microsoft 365 Groups. For more details on the report, refer to View the Report.

  4. Click the Details tab. The Details tab lists the reported accounts or sites, along with information about unusual activities and suspicious files. Within this tab, you have two options to restore a OneDrive account or site to a healthy state:

    • Restore directly from the Details tab. Follow the steps below:

      1. In the Details tab, select the OneDrive or site, and click the Restore button.

        The Details tab.

      2. In the Restore pane, click the top field to find a safe date, then select the proper recovery point and click Apply.

      3. The calendar uses color indicators under the date:

        • Red dot – Recovery points with potential ransomware attacks.

        • Yellow dot – Recovery points with unusual activities.

        • Green dot – Safe recovery points.

        The recovery point calendar.

      4. Configure other restore settings. For details on the common restore settings, refer to Restore and Recover Your Data.

    • Restore from the object details page. Follow the steps below:

      1. In the Details tab, click the object name to view the details of a specific OneDrive account or site.

      2. On the View details page of a OneDrive account or site, click the Go to Restore page button.

        The View details page.

      3. On the Restore page, click the Recovery point field to find a safe date, then select the proper recovery point and click Apply.

      4. The calendar uses color indicators under the date:

        • Red dot – Recovery points with potential ransomware attacks.

        • Yellow dot – Recovery points with unusual activities.

        • Green dot – Safe recovery points.

        The Restore page.

      5. Select the object and click the Restore button. In the Restore pane, configure the restore settings. For details on the common restore settings, refer to Restore and Recover Your Data.