Example of Analysis Policy - Detecting higher rate of change in backups
The example used in this section relates to the volume of changed data protected for a client, based on the average of the last X number of backups and the percentage of change. All stakeholders can benefit from this type of analysis, which alerts on clients with an unusually high rate of change. Typically, high volumes of changed data relate to the migration or creation of new data, but they could also result from data being encrypted in a malware attack.
Create an Analysis Policy with a single Analysis Rule to detect backups larger than average and apply this policy to all Servers. Expand Policies in the menu on the left side of the Data Protection Advisor web UI and select Analysis Policies. Under Analysis Policy Library, select + Create Policy and give the policy a name as shown in Figure 12.
Next, actions need to be set, which will be triggered if one or more Analysis Rules are met. At minimum, if no Policy Based Actions are enabled, an event will appear within the Data Protection Advisor Alerts section of the web UI.
A rule needs to be added to this Analysis Policy. Select Add/Remove Rules and a list of scheduled and event-based rules is presented. Use the Filter for the Rule Name to help narrow down the list of rules. For example, the Backup Larger than average for events number rule is added as shown in Figure 13.
With the rule added, the default parameters for the rule are displayed. For this example, the rule's deviation percentage parameter is lowered from the default 50% to 10% as shown in Figure 14.
Depending on the application type and size, the deviation percentage could be much smaller. For example, a large file system containing more than 100TB may not ever reach 10% deviation and a percentage as small as 2% may be required. In that case, create a separate Analysis Policy to be applied to large file systems.
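The effect of the deviation percentage, as an added example (not Dell's code and not Data Protection Advisor's implementation): it assumes the rule compares each backup with the mean of the previous X backups. The backup sizes, the `bigfs01` client, and all function names are constructed for illustration.

```python
from statistics import mean

# Constructed sample data: size of each backup, oldest first.
BACKUPS = {
    "test01": [40, 42, 38, 41, 39, 47, 40, 95],             # GB
    "bigfs01": [100.0, 100.4, 100.1, 100.6, 100.2, 104.5],  # TB, hypothetical large file system
}

GROUP_DEVIATION_PCT = 10               # policy applied to the Servers group
OBJECT_DEVIATION_PCT = {"bigfs01": 2}  # policy applied directly to an object


def deviation_for(client):
    """A policy applied to an object takes precedence over the group policy."""
    return OBJECT_DEVIATION_PCT.get(client, GROUP_DEVIATION_PCT)


def larger_than_average(sizes, window, deviation_pct):
    """Return (index, size, baseline, pct_over) for every backup that exceeds
    the mean of the previous `window` backups by more than deviation_pct.
    Assumed logic for illustration only."""
    alerts = []
    for i in range(window, len(sizes)):
        baseline = mean(sizes[i - window:i])
        if baseline <= 0:
            continue  # no usable baseline, e.g. only empty backups so far
        pct_over = (sizes[i] - baseline) / baseline * 100
        if pct_over > deviation_pct:
            alerts.append((i, sizes[i], round(baseline, 2), round(pct_over, 1)))
    return alerts


def evaluate(window=5):
    """Evaluate every client with the threshold that applies to it."""
    return {client: larger_than_average(sizes, window, deviation_for(client))
            for client, sizes in BACKUPS.items()}


if __name__ == "__main__":
    for pct in (50, 10, 2):
        for client, sizes in BACKUPS.items():
            hits = larger_than_average(sizes, 5, pct)
            print(f"{pct:>2}% {client:<8} alerts at backups {[h[0] for h in hits]}")
    print("with per-object override:", evaluate())
```

With the constructed data, the 4.2% jump on the large file system is invisible at both 50% and 10% and only surfaces at 2%, while applying 2% to `test01` would also flag an ordinary 17.5% fluctuation.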
With the Analysis Policy created, it must be applied to a group or an individual object. If a Policy is applied directly to an object, it will take precedence over any policy applied or inherited by the group. Under the Applied Analysis Policies option, all applied policies can be reviewed and modified, and new policies can be applied. For this example, the newly created policy will be applied at the Servers level. This is achieved by expanding the groups and selecting Servers as shown in Figure 15.
The Analysis Policy can now be applied to the group by selecting Turn Policy On/Off, scrolling through the list of available Analysis Policies, selecting one to be applied, and saving the changes. In the example shown in Figure 16, the Analysis Policy of Higher rate of change than average has been applied to the Servers group.
To test that the Analysis Policy was applied successfully, a large volume of data was saved to the test01 client, a backup conducted, and an alert was seen in Data Protection Advisor as shown in Figure 17.
This example illustrates only a single Analysis rule that can be applied. To decide which Analysis rule should be implemented, determine what conditions would result in an elevated risk or undesirable condition. Looking for data protection gaps, unusual activity or behavior by using the Analysis Policy will help improve the overall health of the data protection environment.