Suspicious Activity Monitoring is a feature included in Endpoint Detection and Response (EDR). It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on endpoints. Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs.
Detections are highlighted for your review on the Suspicious Activity page. Not all activity detected is guaranteed to be malicious; some detections are triggered by benign operations on the system.
The Suspicious Activity page gives context for each detection to help you determine whether the activity is truly malicious. Once an administrator understands what triggered the detection, they can remediate the threat or close the incident as expected behavior.
Feature requirements
- Sites assigned an Endpoint Detection and Response subscription.
- Suspicious Activity Monitoring is enabled in policy settings in the Endpoint Detection and Response section.
- For optimal performance, 1.1 Mbps of network bandwidth for every 100 endpoints that use Suspicious Activity Monitoring.
To enable Suspicious Activity Monitoring and manage monitored events, see: