A method for detecting an unauthorized activity on a computer system involves obtaining current time stamps for a first type of access event related to the computer system, determining a current count of the first type of access event using the current time stamps, and predicting an expected count of the first type of access event using a current count of time stamps and a predictive model. The method further involves obtaining an actual count of the first type of access event, executing a first comparison of the actual count with the expected count, determining, based on a test comprising the first comparison, that the unauthorized access to the computer system occurred, and issuing an alert indicating the unauthorized activity occurred.