As we discussed in a previous blog, the user behavior analytics (UBA) engine of ADAudit Plus can help administrators identify anomalies by establishing a baseline of normal activities specific to every single user. In this blog, we’ll look at how organizations can track users’ unusual file activity.

Tracking unusual file activity count

Consider a scenario where a disgruntled employee departing from the organization decides to steal critical financial information. If this user, who normally accesses ten documents a day, goes on to copy a hundred documents, that’s a clear sign of serious abnormality and warrants immediate attention. An auditing solution that doesn’t use UBA would consider this normal file access and activity, thus not triggering any alerts. However, this is a clear case where the user’s activity is abnormal and UBA would trigger an alert.

ADAudit Plus in conjunction with UBA tracks all abnormal file access behavior for all users in a domain. To track users’ unusual file activity in your organization, follow these steps:

  1. Log in to ADAudit Plus.
  2. Click Analytics to view the summary of all anomalies, as shown in Figure 1.
  3. Under the list of activity types, select Unusual Activity – File Activity Count (Based on User) to view the detailed report. See Figure 2.

Figure 1. Summary of unusual activities.

Figure 2. Monitoring unusual file activity count using UBA in ADAudit Plus.

Having a report of the activity is nice, but most administrators don’t have time to review reports. By default, ADAudit Plus’ UBA alerts trigger an email notification. You can also configure these alerts to be sent via SMS. To edit alert profiles, follow these steps:

  1. Select the Configuration tab.
  2. Go to Alert Profiles > View/Modify Alert Profiles. Select the profile named Unusual Activity – File Failure Count (Based on User).
  3. Click Configure to modify the alert profile. You can choose to be notified by email, SMS, or both. See Figure 3.
  4. Click Update.


Figure 3. Configuring an alert profile.

Once you’ve configured these settings, you’ll receive an alert when users have unusually high file activity counts.


ADAudit Plus’ UBA engine helps monitor user activity for instances of unusual activity. If a user’s activity count exceeds the threshold value that was calculated based on their normal behavior, ADAudit Plus triggers an alert to draw administrators’ attention so they can take immediate action.

Download ADAudit Plus to see it in action.