Intelligent alert customization in a backup and recovery activity monitoring system

What is claimed is: 1. A computer-implemented method of generating alert notifications for anomalous user behavior detected in a data processing system, comprising: defining key performance indicators for user behavior of a plurality of users in the computer network; collecting behavior statistics for each of the users with respect to each of the key performance indicators as compared to defined normal behavior for each user with respect to the key performance indicators; receiving a user defined severity ranking of selected operations performed by an application executed in the system; detecting anomalous behavior of a user for a key performance indicator based on the behavior statistics of the user and the defined severity ranking for the selected operations; and sending a notification to the user upon detection of the anomalous behavior. 2. The method of claim 1 wherein the selected operations comprise a subset of all operations utilized by the application, and which impact creation, deletion, modification, backup, and replication of data by the application. 3. The method of claim 2 wherein the application is a database program, and wherein the selected operations are monitored for excessive creation of databases, unusual database deletions, corruption of database metadata, excessive backups of database data, and excessively long replication times. 4. The method of claim 2 wherein the severity ranking comprises a severity level within a defined range. 5. The method of claim 4 further comprising creating notification rules comprising associating a severity ranking with each asset type and operation, and wherein the defined range comprises critical, urgent, and info. 6. The method of claim 5 further comprising defining a metric for each combination of severity, asset type, and operation, wherein the metric comprises a numerical value of an operation relative to an average value for the operation. 7. The method of claim 6 further comprising using the metrics to set the severity level for each respective operation and asset type. 8. The method of claim 1 further comprising specifying one or more users to send the notification based on the severity level. 9. The method of claim 8 further comprising: defining an action list tabulating mechanisms to provide the notification to the user, the mechanisms comprising at least one of: an automated phone call, an automated text message, a prioritized e-mail message, and a graphical user interface message; and sending the notification to the user in accordance with the action list. 10. The method of claim 1 wherein the key performance indicators include at least one of: frequency of user login to the computer system, length of login, initiated and role-based activities with respect to data assets in the computer system, number of failed login attempts, and login location, and wherein the method further comprises: defining one or more anomaly detection conditions to define abnormal user behavior in the computer network using defined threshold values; and applying an anomaly detection policy to the collected behavior statistics to define the anomalous behavior. 11. A computer-implemented method of generating alert notifications for anomalous user behavior detected in a data processing system, comprising: identifying key operations of an application executed by the system, wherein the key operations comprise a subset of all operations utilized by the application acting on data assets, and which impact creation, deletion, modification, backup, and replication of data by the application; listing metrics defining anomalous behavior with respect to each key operation on an asset type of the data assets; assigning a severity level per operation for each asset type; and generating an alert notification to a user only if a severity level of an operation exceeds a defined threshold. 12. The method of claim 11 wherein the application is a database program, and wherein the selected operations are monitored for excessive creation of databases, unusual database deletions, corruption of database metadata, excessive backups of database data, and excessively long replication times. 13. The method of claim 12 wherein the severity ranking comprises a severity level within a defined range, the method further comprising creating notification rules comprising associating a severity ranking with each asset type and operation, and wherein the defined range comprises critical, urgent, and info. 14. The method of claim 13 further comprising defining the metric for each combination of severity, asset type, and operation, wherein the metric comprises a numerical value of an operation relative to an average value for the operation. 15. The method of claim 14 further comprising: specifying one or more users to send the notification based on the severity level; defining an action list tabulating mechanisms to provide the notification to the user, the mechanisms comprising at least one of: an automated phone call, an automated text message, a prioritized e-mail message, and a graphical user interface message; and sending the notification to the user in accordance with the action list. 16. The method of claim 11 wherein the key performance indicators include at least one of: frequency of user login to the computer system, length of login, initiated and role-based activities with respect to data assets in the computer system, number of failed login attempts, and login location, and wherein the method further comprises: defining one or more anomaly detection conditions to define abnormal user behavior in the computer network using defined threshold values; and applying an anomaly detection policy to collected behavior statistics to define the anomalous behavior. 17. A system for detecting anomalous user behavior in a data processing system and generating customized alert notifications, comprising: an agent running in a user host system containing data assets to be protected, and collecting user behavior statistics for key performance indicators defining certain activities of users of the network and the data assets; a key performance monitoring service running on a data protection system coupled to the host system and generating key performance indicator events from the collected behavior statistics from the agent; a custom notification process receiving a user defined severity ranking of selected operations performed by an application executed in the system; an anomaly detection service detecting anomaly alerts from scans triggered by key performance indicator events received from the key performance monitoring service; and a notification service receiving anomaly alert events from the anomaly detection service and generating notification messages based on the severity ranking to be transmitted to the user. 18. The system of claim 17 wherein the application is a database program, and wherein the selected operations are monitored for excessive creation of databases, unusual database deletions, corruption of database metadata, excessive backups of database data, and excessively long replication time, and wherein the severity ranking comprises a severity level within a defined range. 19. The system of claim 18 further comprising a process creating notification rules comprising associating a severity ranking with each asset type and operation, and wherein the defined range comprises critical, urgent, and info, and specifying one or more users to send the notification based on the severity level.