Suspicious Activity Monitoring is a feature included in Endpoint Detection and Response (EDR). It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint. Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs.
Detections are highlighted for your review in the menu pane under Suspicious Activity. Not all detected activity is guaranteed to be malicious; some detections are triggered by benign operations on the system.
The Suspicious Activity screen gives context for each detection to help determine whether the activity is truly malicious. Once an administrator understands what triggered the detection, they can choose to remediate the threat or close the incident as an expected behavior.
Feature requirements
- Subscription to EDR.
- For optimal performance, reserve 1.1 Mbps of network bandwidth for every 100 endpoints that use Suspicious Activity Monitoring.
To enable Suspicious Activity Monitoring and manage related events, see:
- Endpoint Detection and Response policy settings in Nebula
- Perform actions to Suspicious Activity events in Nebula
If you use Google Chronicle SIEM, check out our integration between EDR and Google Chronicle. For more information, see Introduction to Nebula integration with Google Chronicle SIEM.