Suspicious Activity Monitoring is a feature included in Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.
Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs. This article explains how to remediate Suspicious Activity or close the incident as benign.
View and sort suspicious activity
The main area of the Suspicious Activity screen shows the list of all suspicious threat data. This data is stored for 45 days. Each column can be filtered to narrow the results. You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Use the filters in the column headers to view specific data.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Perform actions on suspicious activity
- On the left navigation pane, click Investigate > Suspicious Activity.
- In the Suspicious Activity table, you can review suspicious activity details, including machines with detections, severity of the threats, and date/time of the detections. You can take action on an item or drill down into the cause of the detection in the Actions column. In the Status column, new items display as Suspicious Activity Found.
- In the Location column, click the detected item to view additional details. A process graph displays associated activity, rules triggered by the detection, and additional context. The additional context includes paths, hashes, specific registry modifications, file reads/writes and process IDs. To learn more, see Suspicious Activity Details in Nebula.
- Click the ellipsis icon in the Actions column, or select multiple incidents with the same Status and click Actions to perform a bulk action.
- Choose one of the following actions:
- Isolate Endpoint: Block network connections, processes, and/or user activity on the endpoint until the isolation is removed.
- Remove isolation: Remove isolation on an endpoint. The endpoint will automatically reboot.
- Remediate: Deletes the suspicious activity found on the endpoint.
- Close Incident: Use this to ignore the incident and mark it as closed. When closing an incident, you have the option to create an exclusion for it. Exclusions prevent this item from triggering future Suspicious Activity events. If you want to reopen the incident, click the ellipsis icon and choose Open Incident. You can choose one of the following exclusion options:
- Command Line: Exclude a script and its parameters run through the Windows command line.
- MD5 Hash: Exclude files using their MD5 Hash value. If an MD5 Hash is not available, a File by Path exclusion is created instead through Nebula.
- Upload File: Uploads the suspicious file to the sandbox analysis section for review. For more information, see Sandbox Analysis in Nebula.
- Launch Active Response Shell: Securely connect to remote workstations and servers (Windows only) to investigate attacks, collect diagnostic data, and remediate breaches. Cannot be performed in bulk.
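The exclusion options above, modelled as an added Python example that is not Nebula's own code: an MD5 Hash exclusion falls back to File by Path when no hash is available, and the example shows why that matters, since a path exclusion suppresses whatever file later sits at that path while a hash exclusion only suppresses the exact file. The Detection and Exclusion classes, sample paths and file contents are constructed assumptions.

```python
from dataclasses import dataclass
import hashlib
from typing import Optional

@dataclass(frozen=True)
class Detection:
    location: str        # detected file path (the page's Location column)
    command_line: str    # command line that launched it
    md5: Optional[str]   # file hash; None when no hash was available

@dataclass(frozen=True)
class Exclusion:
    kind: str            # "command_line", "md5" or "file_by_path"
    value: str

def exclusion_from_closed_incident(det: Detection, option: str) -> Exclusion:
    """Exclusion created on Close Incident; "MD5 Hash" falls back to
    File by Path when no hash exists (modelled from the page, not product code)."""
    if option == "Command Line":
        return Exclusion("command_line", det.command_line)
    if option == "MD5 Hash":
        if det.md5:
            return Exclusion("md5", det.md5.lower())
        return Exclusion("file_by_path", det.location.lower())
    raise ValueError(f"unknown exclusion option: {option}")

def is_excluded(det: Detection, exclusions: list[Exclusion]) -> bool:
    for ex in exclusions:
        if ex.kind == "md5" and det.md5 and det.md5.lower() == ex.value:
            return True
        if ex.kind == "file_by_path" and det.location.lower() == ex.value:
            return True
        if ex.kind == "command_line" and det.command_line == ex.value:
            return True
    return False

# Constructed sample detections: hypothetical paths and contents, not real indicators.
HASHED = Detection(r"C:\Tools\helper.exe", r"C:\Tools\helper.exe --quiet", hashlib.md5(b"helper v1").hexdigest())
UNHASHED = Detection(r"C:\Users\Public\run.ps1", r"powershell.exe -File C:\Users\Public\run.ps1", None)

def demo() -> dict[str, bool]:
    hash_ex = exclusion_from_closed_incident(HASHED, "MD5 Hash")    # md5 exclusion
    path_ex = exclusion_from_closed_incident(UNHASHED, "MD5 Hash")  # File by Path fallback
    new_helper = Detection(HASHED.location, HASHED.command_line, hashlib.md5(b"helper v2").hexdigest())
    new_script = Detection(UNHASHED.location, UNHASHED.command_line, hashlib.md5(b"new script").hexdigest())
    return {
        "path_fallback_used": path_ex.kind == "file_by_path",
        "original_suppressed_by_hash": is_excluded(HASHED, [hash_ex]),
        "changed_file_suppressed_by_hash": is_excluded(new_helper, [hash_ex]),  # False
        "changed_file_suppressed_by_path": is_excluded(new_script, [path_ex]),  # True
    }
```

Because the path fallback keeps suppressing a location whose contents have changed, review File by Path exclusions periodically and prefer hash exclusions whenever a hash is available.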