Suspicious Activity monitoring is a function of Endpoint Detection and Response (EDR). It observes process, registry, file system, and network activity on the endpoint and uses a heuristic algorithm to look for deviations from expected behavior.
View, sort, and perform actions on suspicious activity events directly from the OneView console. This article explains how to manage suspicious activity events across your sites and managed endpoints.
View and sort suspicious activities
The main area of the Suspicious Activity page lists all suspicious activity events with information such as the site, location, severity, and status. This data is stored for 45 days. Filter each column to narrow the page results. Customize your data and results in the following ways:
- Click Add / Remove Columns above the results list to choose which suspicious activity information to display.
- Drag and drop specific column headers to the results bar to group data by those parameters.
- In the upper-right corner of the page, click Reset filters to go back to the default filter settings.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Performing actions on suspicious activity events in OneView allows you to manage multiple sites and monitor threats from one console. To perform actions on suspicious activity events, go to the Suspicious Activity page in OneView.
In the Location column, click a detected item to view the status and additional information. This information includes detected file paths, triggered rules, and a mapped layout of MITRE Tactics. To learn more, see Suspicious Activity Details in OneView.
To perform bulk actions across multiple endpoints from different sites, select multiple incidents with the same Status.
On the top right, click the Actions button and choose one of the following actions:
- Isolate the endpoint: block network connections, processes, and/or user activity on the endpoint until the isolation is removed.
- Remove isolation from an endpoint. The endpoint will automatically reboot.
- Remediate the suspicious activity found on the endpoint.
- Close the suspicious incident. When closing an incident, you have the option to create an exclusion. Exclusions prevent this item from triggering future Suspicious Activity events. Choose one of the following exclusion options:
- Reopen a closed incident if further investigation is required.