I have a question on what triggers the File Activity Anomaly Alert. I understand it builds 7 days of daily monitoring activity but other than the use of Codes 7:211 | 7:212 what sets off this alert? Is it a certain percentage of add, deleted, modified or renamed files or combo in the 5 minute period? I have been tasked with ascertaining the condition, whether it is percentage or file count that generates this alert.
I cannot find an answer anywhere on what exactly triggers the alert.