Suspicious Activity monitoring is a function of Endpoint Detection and Response (EDR). It observes the behaviors of processes, registry, file system, and network activity on the endpoint using a heuristic algorithm looking for deviations. A suspicious activity is an abnormal behavior observed and described using MITRE's adversary Tactics & Techniques. The severity of the suspicious activity is automatically determined based on the affected security posture of the endpoint.
The EDR workflow involves the following processes:
- Suspicious activity is detected and automatically classified by Severity and summarized for review.
- Response to a threat includes:
  - Containment using Isolation (Network, Process, or User Isolation).
  - Eradication using the Remediation engine.
  - Restoration of data using Ransomware Rollback.
  - Sample analysis in Cloud Sandbox.
  - Threat Hunting across your enterprise for Indicators of Compromise with Flight Recorder.
From the Suspicious Activity screen, click the detected path under the Location column or the number under the Triggered Rules column to view Suspicious Activity Details.
This screen shows details of the chosen Suspicious Activity to help you better understand the activities of this file or process and take action. This article provides an overview of the Suspicious Activity Details screen.
Suspicious activity summary
The summary on the Suspicious Activity Details screen provides a simple overview of adversary behaviors and tactical goals aligned with the MITRE ATT&CK framework. Review the summary to understand when and where the activity occurred and what triggered it.
Incident timeline
The timeline of events is displayed chronologically to aid in understanding suspicious activity before further investigation. Each event is labeled with a severity to help you understand when the most severe actions occurred.
Suspicious activity records
Below the incident timeline is a list of suspicious files and processes found by Nebula. Here you can see all detection rules triggered in the suspicious activity and their mapping to MITRE ATT&CK.
MITRE Tactics Mapping categorizes suspicious activity detections based on the exhibited behaviors of the file or process. Color-coded detection rules are provided to show which rules triggered the suspicious activity detection.
The detection rules are color-coded by severity:
- Red: High Severity
- Orange: Medium Severity
- Yellow: Low Severity
Hover over a triggered rule to display the context of the detection, a description, and the threat tactics and techniques detected during analysis. Use this option to view the hash values and process information you need when creating exclusions.
Process Graph
The Process Graph tile on the Suspicious Activity page shows a visual representation of the files or processes touched by the suspicious activity.
The Process Graph is made up of nodes representing the relationships between files or processes. These could be executed, spawned, or touched files or processes. The Process Graph has display controls in the upper right that let you zoom in/out or re-position the graph. Click the Print PDF button above the Process Graph to print a copy.
Click a bubble to show its details in the right-hand panel.
Node colors
The nodes are color coded based on the activity:
- Blue: Normal
- Orange: Dropped
- Red: Malicious
Node icons
Within each process bubble, there are two rows of node icons that summarize each activity. Hover over an icon in the node for a description.
Top row
The top row of icons indicates the type of node, the severity and number of triggered rules, and the sandbox analysis results:
- Process icon: shows that the node is a process.
- Document icon: shows that the node is a document such as an Office or PDF document.
- Triggered Rules: colored by severity. The number in the middle represents the count of all the rules triggered. Severity is a combination of the type of actions, the number of actions, and the impact on the security posture of the endpoint.
- Sandbox analysis results: the color of the icon represents the result of the sandbox analysis.
Bottom row
The bottom row of icons identifies the types of activity that took place for the node. Grayed-out icons indicate no activity of that type occurred:
- Shows whether the process performed outbound network activities.
- Shows whether the process performed filesystem activities.
- Shows whether the process performed registry activities.
- Shows whether activities were detected via the Windows Antimalware Scan Interface (AMSI), which include User Account Control (UAC), security elevation, and scripting activities. For more information, see Antimalware Scan Interface.
- Shows whether the process performed suspicious Windows activities, for example calling Windows Management Instrumentation (WMI) privileged functions. This is determined if there is code execution inside the process.
Node Details
Click the node to view more details.
The following options are available:
- Search in Flight Recorder Search.
- Sandbox analysis results. Click to create a File Upload task or see the report of the analysis.
- Check the sample in VirusTotal.
Node details show the following information:
- Last activity Date
- Creation Date
- User Account
  - Click to go to Flight Recorder Search.
- Path
  - Click to copy the path to your clipboard.
  - Click to go to Flight Recorder Search.
- Process ID
  - Click to go to Flight Recorder Search.
- MD5 Hash
  - Click to go to Flight Recorder Search.
- Integrity Level
- Relation to prior process
- Activities
  - See additional information below.
- Command line parameters
  - Click to copy the command line parameters to your clipboard.
  - Click to go to Flight Recorder Search.
- Sandbox Analysis
  - This sample has already been analyzed if No Threat or Malicious is displayed. Click No Threat or Malicious to review the sandbox analysis report. For more information, see Sandbox Analysis in Nebula.
  - This sample has not been analyzed yet if Not analyzed is displayed. Click Upload to create a File Upload task.
Activities
Some nodes contain raw activities performed by the file or process. Next to each activity type under Activities (File Write, File Read, or Reg Set Value) there is a count. Click this number to reveal a comprehensive list of the raw activities executed by the file or process.
Raw activities can be:
- Antimalware scan: When scripted activities have been detected by Microsoft AMSI.
- File Writes: When the file or process attempted to write to the file system, including renaming of files. Common during a ransomware attack.
- Net Connect Outbound: When the endpoint has initiated outbound network communication with another host or device.
- Read Files: When the file or process attempts to read other files within the file system.
- Rename Files: When a file or process renames files.
- Reg Set Values: When the file or process attempts to make changes to the Windows Registry.
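The following is an added example, written for this article and not code from Malwarebytes or Nebula, that shows how the Process Graph section above (node relationships, node colors, bottom-row activity icons) and this Activities section fit together when you replay raw endpoint telemetry yourself. The event layout, field names, PIDs, paths and the write/rename threshold used to flag ransomware-like behavior are all assumptions made for the example; the activity kinds reuse the names from the list above.

```python
"""Added example (not Malwarebytes Nebula code): replay constructed endpoint
telemetry into a process graph and derive what the Suspicious Activity Details
screen displays per node. All event fields and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample telemetry (not real captured data). "kind" uses the raw
# activity names from the article; "process_spawn" is an assumed extra kind that
# carries the parent/child relation the Process Graph draws between nodes.
EVENTS = [
    {"ts": 1, "pid": 100, "kind": "process_spawn", "path": r"C:\Windows\explorer.exe", "parent": None},
    {"ts": 2, "pid": 200, "kind": "process_spawn", "path": r"C:\Users\u\Downloads\invoice.docm", "parent": 100},
    {"ts": 3, "pid": 300, "kind": "process_spawn", "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": 200},
    {"ts": 4, "pid": 300, "kind": "Antimalware scan", "detail": "script buffer scanned by AMSI"},
    {"ts": 5, "pid": 300, "kind": "Net Connect Outbound", "detail": "203.0.113.10:443"},
    {"ts": 6, "pid": 300, "kind": "File Writes", "detail": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    {"ts": 7, "pid": 400, "kind": "process_spawn", "path": r"C:\Users\u\AppData\Local\Temp\x.exe", "parent": 300},
    {"ts": 8, "pid": 400, "kind": "Reg Set Values", "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"},
]
# Bulk document writes followed by bulk renames from the dropped executable
# (the pattern the article calls "common during a ransomware attack").
EVENTS += [{"ts": 10 + i, "pid": 400, "kind": "File Writes",
            "detail": rf"C:\Users\u\Documents\doc{i}.docx"} for i in range(30)]
EVENTS += [{"ts": 50 + i, "pid": 400, "kind": "Rename Files",
            "detail": rf"C:\Users\u\Documents\doc{i}.docx -> doc{i}.locked"} for i in range(30)]

# Raw activity kind -> bottom-row icon category on the node.
ICON_FOR_KIND = {
    "Net Connect Outbound": "network",
    "File Writes": "filesystem",
    "Read Files": "filesystem",
    "Rename Files": "filesystem",
    "Reg Set Values": "registry",
    "Antimalware scan": "amsi",
}


@dataclass
class Node:
    pid: int
    path: str
    parent: Optional[int]
    children: List[int] = field(default_factory=list)
    activities: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    dropped: bool = False  # the file was written by another node before it ran


def build_graph(events) -> Dict[int, Node]:
    """Replay events in time order into a PID-keyed graph with activity counts."""
    nodes: Dict[int, Node] = {}
    written_paths = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "process_spawn":
            node = Node(ev["pid"], ev["path"], ev["parent"])
            node.dropped = ev["path"] in written_paths
            nodes[ev["pid"]] = node
            if ev["parent"] in nodes:
                nodes[ev["parent"]].children.append(ev["pid"])
        else:
            nodes[ev["pid"]].activities[ev["kind"]] += 1
            if ev["kind"] == "File Writes":
                written_paths.add(ev["detail"])
    return nodes


def lineage(nodes: Dict[int, Node], pid: int) -> List[str]:
    """Root-to-node chain of paths, i.e. the 'Relation to prior process'."""
    chain = []
    cur: Optional[int] = pid
    while cur is not None and cur in nodes:
        chain.append(nodes[cur].path)
        cur = nodes[cur].parent
    return list(reversed(chain))


def icon_flags(node: Node) -> Dict[str, bool]:
    """Bottom-row flags: which activity types the node performed at least once."""
    flags = {"network": False, "filesystem": False, "registry": False, "amsi": False}
    for kind, count in node.activities.items():
        category = ICON_FOR_KIND.get(kind)
        if category and count > 0:
            flags[category] = True
    return flags


def ransomware_like(node: Node, min_writes: int = 20, min_renames: int = 20) -> bool:
    """Assumed heuristic: bulk file writes plus bulk renames from one process."""
    return (node.activities.get("File Writes", 0) >= min_writes
            and node.activities.get("Rename Files", 0) >= min_renames)


def node_color(node: Node) -> str:
    """Color per the article's legend: red malicious, orange dropped, blue normal.
    Deciding 'malicious' by the heuristic above is an assumption of this example."""
    if ransomware_like(node):
        return "red"
    if node.dropped:
        return "orange"
    return "blue"


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    for pid, node in graph.items():
        print(pid, node_color(node), icon_flags(node), dict(node.activities))
        print("    " + " -> ".join(lineage(graph, pid)))
```

Replaying the constructed events puts the dropped `x.exe` at the end of a four-process chain, marks it red with filesystem and registry activity lit, and leaves the PowerShell node blue with network, filesystem and AMSI activity; the per-node activity counts are the same numbers the Activities tile shows next to each raw activity type.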