Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.
Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs. This article explains how to remediate Suspicious Activity or close the incident as benign.
View and sort suspicious activity
The main area of the Suspicious Activity screen shows the list of all suspicious threat data. Each column can be filtered to narrow the results. You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Use the filters in the column headers to view specific data.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Remediate or close incident
- Log in to the Malwarebytes Nebula platform as an Administrator or Super Admin.
- In the left navigation pane, click Suspicious Activity.
- In the Suspicious Activity table, you can review suspicious activity details, including machines with detections, severity of the threats, and date/time of the detections. You can take action on an item or drill down into the cause of the detection in the Actions column. In the Status column, new items display as Suspicious Activity Found.
- In the Location column, click the detected item to view additional details. A process graph displays associated activity, rules triggered by the detection, and additional context. The additional context includes paths, hashes, specific registry modifications, file reads/writes, and process IDs. To learn more, see Suspicious Activity Details in Malwarebytes Endpoint Detection and Response.
- In the Actions column, click the ellipsis icon to choose one of the following actions:
  - Isolate Endpoint: Block network connections, processes, and/or user activity on the endpoint until the isolation is removed.
  - Remediate: Remediate the suspicious activity found on the endpoint.
  - Close Incident: When closing an incident, you have the option to create an exclusion for it. Exclusions prevent this item from triggering future Suspicious Activity events. If you want to reopen the incident, click the ellipsis icon and choose Open Incident. You can choose one of the following exclusion options:
    - Command Line: Exclude the script and parameters run through the Windows Command Line.
    - MD5 Hash: Exclude files using their MD5 Hash value. If an MD5 Hash is not available, a File by Path exclusion is created instead through Nebula.
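As an added illustration of the exclusion options above, and in particular of the File by Path fallback used when no MD5 is available, here is a small Python model of how an exclusion created at incident close would be matched against later detections. It is constructed for this article and is not Nebula code; the class and function names and the sample detections are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Detection:
    """Constructed model of one Suspicious Activity item (not the Nebula schema)."""
    path: str
    command_line: str
    md5: Optional[str]  # None when the platform could not hash the file


@dataclass
class Exclusion:
    kind: str   # "command_line", "md5" or "file_path"
    value: str  # normalized comparison value


def md5_of(data: bytes) -> str:
    """Hex MD5 of file content, as an MD5 Hash exclusion would store it."""
    return hashlib.md5(data).hexdigest()


def normalize_path(path: str) -> str:
    # Windows paths are case-insensitive; compare a canonical form.
    return path.replace("/", "\\").lower()


def exclusion_from_closed_incident(d: Detection, by_command_line: bool = False) -> Exclusion:
    """Build the exclusion created when an incident is closed with an exclusion."""
    if by_command_line:
        return Exclusion("command_line", " ".join(d.command_line.split()).lower())
    if d.md5:
        return Exclusion("md5", d.md5.lower())
    # Fallback described in the article: no MD5 available -> File by Path exclusion.
    return Exclusion("file_path", normalize_path(d.path))


def is_excluded(d: Detection, exclusions: List[Exclusion]) -> bool:
    """True when a later detection would be suppressed by any stored exclusion."""
    for e in exclusions:
        if e.kind == "md5" and d.md5 and d.md5.lower() == e.value:
            return True
        if e.kind == "file_path" and normalize_path(d.path) == e.value:
            return True
        if e.kind == "command_line" and " ".join(d.command_line.split()).lower() == e.value:
            return True
    return False
```

The point the model makes explicit: an MD5 exclusion only suppresses the exact file content that was reviewed, whereas the File by Path fallback suppresses whatever file later occupies that path, so path-based exclusions deserve a closer look before they are created.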