Suspicious Activity Monitoring provides a pre-emptive analysis of a potentially malicious threat on your site's managed endpoints. A suspicious activity is an abnormal behavior observed and analyzed using MITRE's adversary Tactics & Techniques. The severity of suspicious activities is automatically determined based on the affected security elements of the endpoint. This article provides an overview of the suspicious activity status screen.
The suspicious activity workflow includes the following steps:
- Suspicious activity is detected and automatically classified by Severity and summarized for review.
- Response and action are taken on the detected threat. For more information, see Manage Suspicious Activity events in OneView.
From the Suspicious Activity screen, click the detected path under the Location column. This screen displays an analysis of the suspicious activity to help you understand what the file or process is doing and what actions to take.
Suspicious activity summary
The summary on the Suspicious Activity Details screen provides a simple overview of adversary behaviors and tactical goals aligned with the MITRE ATT&CK framework. Review the summary to understand when and where the activity occurred and what triggered it.
Incident timeline
The timeline of events is displayed chronologically to aid in understanding suspicious activity before further investigation. Each event is labeled with a severity to help you understand when the most severe actions occurred.
Rules Triggered
The Rules Triggered tile at the top of the suspicious activity status screen shows a list of suspicious files and processes found by OneView. Click the Show Summary button to expand details. Here, you can see all detection rules triggered by the suspicious activity and their mapping in MITRE ATT&CK. Click MITRE ATT&CK Framework at the top for more information.
MITRE Tactics Mapping categorizes suspicious activity detections based on the exhibited behaviors of the file or process. Color-coded detection rules are provided to show which rules triggered the suspicious activity detection.
The detection rules are color-coded by severity:
- Red: High Severity
- Orange: Medium Severity
- Yellow: Low Severity
Click on a triggered rule to display the context of the detection, a description, threat tactics, and techniques detected during analysis. Use this option to view important hash keys and process information for exclusion purposes.
To access a detailed overview of the suspicious activity events across all sites, click the site name on the Suspicious Activity page. The suspicious activity page in the site's Nebula console opens and provides additional monitored information and tools to analyze each potential threat.
Process Graph
The Process Graph tile in the Suspicious Activity Details screen shows a visual representation of nodes indicating the relationships between the files or processes touched by a suspicious activity.
The process graph helps determine if suspicious activities are legitimate or a possible false positive. To investigate suspicious activity, review the detected nodes and analyze the rules triggered, severity, tactics, and techniques used.
The graph below represents a legitimate detection.
To investigate suspicious activity, review the following:
- The number of files and processes connected to the initial suspicious activity detection.
- The number of rules triggered within each node.
- The severity of the rules triggered.
Click the nodes that triggered a detection rule to display the Details panel. Use the Details panel to investigate individual files in the process graph, analyzing the following key components:
- MD5 Hash
- Activities
- Sandbox Analysis
Node icons
Within each process bubble, there are two rows of icons that summarize each activity. Hover over an icon in the node for a description.
Top row
The top row of icons indicates the type of node, severity, number of triggered rules, and the sandbox analysis results.
- Process: shows that the node is a process.
- Document: shows that the node is a document, such as an Office or PDF document.
- Triggered rules: colored by severity. The number in the middle is the count of all rules triggered. Severity is a combination of the type of actions, the number of actions, and the impact on the security posture of the endpoint.
- Sandbox analysis results: indicated by the color of the icon.
Bottom row
The bottom row of icons identifies the type of activities that took place for the node. Grayed-out icons indicate no activity of that type occurred.
- Network: shows whether the process performed outbound network activities.
- Filesystem: shows whether the process performed filesystem activities.
- Registry: shows whether the process performed registry activities.
- AMSI: shows whether activities were detected via the Windows Antimalware Scan Interface (AMSI), which includes User Account Control (UAC), security elevation, and scripting activities. For more information, see Antimalware Scan Interface.
- Windows activity: shows whether the process performed suspicious Windows activities, for example calling Windows Management Instrumentation (WMI) privileged functions. This is determined by whether there is code execution inside the process.
Node details
Click on the node to view additional Details.
The following options are available:
- Flight Recorder: search for the node in Flight Recorder Search.
- Sandbox analysis results: click to create a File Upload task or see the analysis report.
- VirusTotal: check the sample in VirusTotal.
Node Details show the following information:
- User Account: click to go to Flight Recorder Search.
- Path
- Process ID: click to go to Flight Recorder Search.
- MD5 Hash: click to go to Flight Recorder Search.
- Activities: see additional information below.
- Command line parameters
- Sandbox Analysis
Activities
Some nodes contain raw activities performed by the file or process. Next to each activity type, such as File Write, File Read or Reg Set Value, there is a count. Click this number to reveal a comprehensive list of the raw activities executed by the file or process.
Raw activities can be:
- Antimalware scan: When scripted activities have been detected by Microsoft AMSI.
- File Writes: When the file or process attempted to write to the file system, including renaming of files. Common during a ransomware attack.
- Net Connect Outbound: When the endpoint has initiated outbound network communication with another host or device.
- Read Files: When the file or process attempts to read other files within the file system.
- Rename Files: When a file or process renames files.
- Reg Set Values: When the file or process attempts to make changes to the Windows Registry.
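The three review points for the process graph (connected nodes, rules per node, severity) and the raw activity counts above can be applied mechanically to an exported graph. The following is an added triage example, not OneView code: the node/rule/activity field names, the sample graph, and the rename threshold are all assumptions constructed for illustration.

```python
from collections import Counter

# Weights mirror the colour coding on the Rules Triggered tile (Red/Orange/Yellow).
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
RANK_NAME = {3: "High", 2: "Medium", 1: "Low", 0: "None"}

# Constructed sample graph: a document node spawns a process that writes and
# renames files in bulk, connects outbound and sets a registry value, then
# a quiet child process. Field names are assumed, not OneView's export format.
SAMPLE_NODES = [
    {"id": 1, "type": "document", "parent": None, "activities": {},
     "rules": [{"name": "Office app spawned shell", "severity": "Medium", "tactic": "Execution"}]},
    {"id": 2, "type": "process", "parent": 1,
     "activities": {"File Writes": 412, "Rename Files": 398,
                    "Net Connect Outbound": 1, "Reg Set Values": 1},
     "rules": [{"name": "Bulk file rename", "severity": "High", "tactic": "Impact"},
               {"name": "Run key written", "severity": "Low", "tactic": "Persistence"}]},
    {"id": 3, "type": "process", "parent": 2, "activities": {"Read Files": 5}, "rules": []},
]

RENAME_THRESHOLD = 100  # assumed cut-off for "mass write/rename"; tune per environment

def node_severity(node):
    """Numeric severity of a node: the highest severity among its triggered rules."""
    return max((SEVERITY_RANK[r["severity"]] for r in node["rules"]), default=0)

def triage(nodes):
    """Apply the page's review points to a graph: how many nodes hang off the
    initial detection, rules per node, worst severity, MITRE tactics seen, and
    nodes whose raw File Writes + Rename Files counts show the ransomware-like
    pattern the page calls out under File Writes."""
    root = next(n for n in nodes if n["parent"] is None)
    rules_per_node = {n["id"]: len(n["rules"]) for n in nodes}
    tactics = Counter(r["tactic"] for n in nodes for r in n["rules"])
    worst = max(node_severity(n) for n in nodes)
    ransomware_like = [
        n["id"] for n in nodes
        if n["activities"].get("File Writes", 0) >= RENAME_THRESHOLD
        and n["activities"].get("Rename Files", 0) >= RENAME_THRESHOLD
    ]
    return {
        "root": root["id"],
        "connected_nodes": len(nodes) - 1,
        "rules_per_node": rules_per_node,
        "rules_triggered": sum(rules_per_node.values()),
        "worst_severity": RANK_NAME[worst],
        "tactics": dict(tactics),
        "ransomware_like_nodes": ransomware_like,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_NODES))
```

A graph with a single low-severity node and no write/rename pattern would come back with an empty review list, which is the false-positive shape the page describes.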