Suspicious Activity monitoring is a function of Endpoint Detection and Response (EDR). It observes process, registry, file system, and network activity on the endpoint and applies a heuristic algorithm to look for deviations from normal behavior.
View, sort, and perform actions on suspicious activity events directly from the OneView console. This article explains how to manage suspicious activity events across your sites and managed endpoints.
View and sort suspicious activities
The main area of the Suspicious Activity page lists all suspicious activity events with information such as the site, location, severity, and status. This data is stored for 45 days. Filter each column to narrow the page results. Customize your data and results in the following ways:
- Click Add / Remove Columns above the results list to choose which suspicious activity information to display.
- Drag and drop specific column headers to the results bar to group data by those parameters.
- In the upper-right corner of the page, click Reset filters to go back to the default filter settings.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Perform actions
Performing actions on suspicious activity events in OneView allows you to manage multiple sites and monitor threats from one console. To perform actions on suspicious activity events, go to the Suspicious Activity page in OneView.
In the Location column, click a detected item to view the status and additional information. This information includes detected file paths, triggered rules, and a mapped layout of MITRE Tactics. To learn more, see Suspicious Activity Details in OneView.
To perform bulk actions across multiple endpoints from different sites, select multiple incidents with the same Status.
On the top right, click the Actions button and choose one of the actions described in the table below.
| Action | Description |
| --- | --- |
| Isolate Endpoint | Block network connections, processes, and/or user activity on the endpoint until the isolation is removed. |
| Remove Isolation | Remove isolation on an endpoint. The endpoint will automatically reboot. |
| Remediate Endpoint(s) | Delete the suspicious activity found on the endpoint. |
| Close Incident | Use this to ignore the incident and mark it as closed. When closing an incident, you have the option to create an exclusion. Exclusions prevent this item from triggering future Suspicious Activity events. Choose one of the following exclusion options: |
| Open Incident | Open a closed incident if further investigation is required. |