Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.
Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs. This article explains how to remediate Suspicious Activity or close the incident as benign.
You can filter the Suspicious Activity table with the three drop-down boxes and the Search endpoints bar at the top right of the table:
- Status:
  - Suspicious Activity Found
  - Pending Remediation
  - Closed Incident
- OS Type
- Device Type
Remediate or close incident
- Log in to the Malwarebytes Nebula platform as an Administrator or Super Admin.
- In the left navigation pane, click Suspicious Activity.
- In the Suspicious Activity table, review the details of each item, including the machines with detections, the severity of the threats, and the date and time of the detections. You can take action on an item, or drill down into the cause of the detection, from the Actions column. In the Status column, new items display as Suspicious Activity Found.
- In the Rules Triggered column, click the Suspicious Activity Rule(s) icon to display the process graph view of the suspicious activity. A process graph shows the associated activity, the rules triggered by the detection, and additional context: paths, hashes, specific registry modifications, file reads/writes, and process IDs. To learn more, see Suspicious Activity Details in Malwarebytes Endpoint Detection and Response.
- In the Actions column, click the ellipsis icon and choose one of the following actions:
  - Isolate Endpoint: Block network connections, processes, and/or user activity on the endpoint until the isolation is removed.
  - Remediate: Remediate the suspicious activity found on the endpoint.
  - Close Incident: When closing an incident, you have the option to create an exclusion for it. Exclusions prevent this item from triggering future Suspicious Activity events. If you want to reopen the incident, click the ellipsis icon and choose Open Incident. You can choose one of the following exclusion options:
    - Command Line: Exclude a script and its parameters run through the Windows Command Line.
    - MD5 Hash: Exclude files using their MD5 hash value. If an MD5 hash is not available, Nebula creates a File by Path exclusion instead.
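As an added illustration (not Malwarebytes code, and not how Nebula stores exclusions), the following Python sketch applies the exclusion rules above to the context a process graph exposes: a command-line detection becomes a Command Line exclusion (script plus parameters), a file detection becomes an MD5 Hash exclusion, and a file whose MD5 cannot be obtained falls back to File by Path. It also shows the check worth doing before excluding by hash: confirming the reported MD5 matches the binary on disk. All paths, hashes and command lines are constructed sample values.

```python
import hashlib
import shlex

# Constructed sample detections, shaped like process-graph context
# (path, hash, command line). Not real Nebula data.
SAMPLE_FILE_DETECTION = {
    "path": r"C:\constructed\tools\updater.exe",
    "md5": "900150983cd24fb0d6963f7d28e17f72",  # constructed value
}
SAMPLE_CMDLINE_DETECTION = {
    "command_line": r"cmd.exe /c C:\constructed\jobs\backup.bat nightly",
}


def md5_on_disk(path):
    """Return the MD5 of the file at path, or None if it cannot be read."""
    digest = hashlib.md5()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def build_exclusion(detection):
    """Pick the exclusion type the article describes for this detection."""
    if "command_line" in detection:
        # Windows-style command line: keep backslashes, split on whitespace.
        parts = shlex.split(detection["command_line"], posix=False)
        return {"type": "Command Line", "script": parts[0],
                "parameters": parts[1:]}
    path = detection["path"]
    md5 = detection.get("md5") or md5_on_disk(path)
    if md5 is None:
        # No MD5 available: the article says a File by Path exclusion is made.
        return {"type": "File by Path", "path": path}
    return {"type": "MD5 Hash", "md5": md5.lower(), "path": path}


def hash_matches_disk(detection):
    """Before excluding by hash: does the reported MD5 match the file on disk?
    Returns None when the file is unreadable or no MD5 was reported."""
    on_disk = md5_on_disk(detection["path"])
    if on_disk is None or "md5" not in detection:
        return None
    return on_disk == detection["md5"].lower()
```

An MD5 Hash exclusion only matches that exact file content, so a rebuilt or updated binary will be detected again; a File by Path exclusion matches whatever sits at that path, which is broader and worth reviewing periodically.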