Suspicious Activity Monitoring provides a pre-emptive analysis of a potentially malicious threat on your site's managed endpoints. A suspicious activity is an abnormal behavior observed and analyzed using MITRE's adversary Tactics & Techniques. The severity of suspicious activities is automatically determined based on the affected security elements of the endpoint. This article provides an overview of the suspicious activity status screen.
The suspicious activity workflow includes the following steps:
- Suspicious activity is detected and automatically classified by Severity and summarized for review.
- Response and action taken on the detected threat. For more information, see Manage Suspicious Activity events in OneView.
From the Suspicious Activity screen, click the detected path under the Location column. This screen displays an analysis of the suspicious activity to help you understand what the file or process is doing and what actions to take.
Suspicious activity summary
The summary on the Suspicious Activity Details screen provides a simple overview of adversary behaviors and tactical goals aligned with the MITRE ATT&CK framework. Review the summary to understand when and where the activity occurred and what triggered it.
Incident timeline
The timeline of events is displayed chronologically to aid in understanding suspicious activity before further investigation. Each event is labeled with a severity to help you understand when the most severe actions occurred.
Rules Triggered
The Rules Triggered tile at the top of the suspicious activity status screen shows a list of suspicious files and processes found by OneView. Click the Show Summary button to expand details. Here, you can see all detection rules triggered by the suspicious activity and their mapping in MITRE ATT&CK. Click MITRE ATT&CK Framework at the top for more information.
MITRE Tactics Mapping categorizes suspicious activity detections based on the exhibited behaviors of the file or process. Color-coded detection rules are provided to show which rules triggered the suspicious activity detection.
The detection rules are color-coded by severity:
- Red: Critical Severity
- Orange: High Severity
- Yellow: Medium Severity
- Gray: Low Severity
Click on a triggered rule to display the context of the detection, a description, threat tactics, and techniques detected during analysis.
Use this option to view important hash keys and process information for exclusion purposes.
Ransomware activity
Ransomware encrypting files over the network often appears as local Windows kernel activity, masking the true source, usually another compromised machine. The hostname, IPv4 address, remote port, and username can be provided to identify the real origin, aiding faster tracking and response. These details are displayed when hovering over a Ransomware Activity triggered rule.
Process Graph
The Process Graph tile in the Suspicious Activity Details screen shows a visual representation of nodes indicating the relationships between the files or processes touched by a suspicious activity.
The process graph helps determine if suspicious activities are legitimate or a possible false positive. To investigate suspicious activity, review the detected nodes and analyze the rules triggered, severity, tactics, and techniques used.
The graph below represents a legitimate detection.
To investigate suspicious activity, review the following:
- The number of files and processes connected to the initial suspicious activity detection.
- The number of rules triggered within each node.
- The severity of the rules triggered.
Click the nodes that triggered a detection rule to display the Details panel. Use the Details panel to investigate individual files in the process graph, analyzing the following key components:
- MD5 Hash
- Activities
- Sandbox Analysis
Process Graph legend
Hover over the Legend tool-tip, or refer to this legend when viewing the process graph.
Tree view
Click the Tree button to view the process graph as a tree instead. This helps display more detailed information all at once without having to check each process graph node.
Tree legend
Hover over the Legend tool-tip, or refer to this legend when viewing the process tree.
Node details
Click on the node to view additional Details.
The following options are available:
| Search in Flight Recorder Search. | |
| Sandbox analysis results. Click to create a File Upload task or see the analysis report. | |
| Check the sample in VirusTotal. |
Node details can show the following information:
- Last activity Date
- Process ID
- Creation Date
- User Account
- Path
- MD5/SHA1/SHA256 Hash
- Activities
- See additional information below.
- Command line parameters
- Sandbox Analysis
- This sample has already been analyzed if No Threat or Malicious is displayed. Click No Threat or Malicious to review the sandbox analysis report. For more information, see Overview of Sandbox Analysis in OneView.
- This sample has not been analyzed yet if Unanalyzed is displayed. Click Unanalyzed to create a File Upload task.
Activities
Some nodes contain raw activities performed by the file or process. Next to the Activity, there is a number associated with the File Write, File Read or Reg Set Value. Click this number to reveal a comprehensive list of raw activities executed by the file or process.
Raw activities can be:
- Antimalware scan: When scripted activities have been detected by Microsoft AMSI.
- File Writes: When the file or process attempted to write to the file system, including renaming of files. Common during a ransomware attack.
- Net Connect Outbound: When the endpoint has initiated outbound network communication with another host or device.
- Read Files: When the file or process attempts to read other files within the file system.
- Rename Files: When a file or process renames files
- Reg Set Values: When the file or process attempts to make changes to the Windows Registry.