Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring process, registry, file system, and network activity on the endpoint.
Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect questionable activity as it occurs. This article explains how to remediate Suspicious Activity or close the incident as benign.
- Log into the Malwarebytes Nebula platform as a Super Administrator.
- In the left navigation pane, click Suspicious Activity.
- In the Suspicious Activity table, review the details of each item, including the machines with detections, the severity of the threats, and the date and time of each detection. In the Status column, new items display as Suspicious Activity Found. You can take action on an item, or drill down into the cause of the detection, from the Actions column.
- In the Rules Triggered column, click an icon to drill down on a suspicious activity item and learn the cause of the detection. A process graph displays associated activity, the rules triggered by the detection, and additional context: paths, hashes, specific registry modifications, file reads and writes, and process IDs. To learn more, see Suspicious Activity Details in Malwarebytes Endpoint Detection and Response.
- In the Actions column, click the ellipsis icon and choose one of the following actions:
- Remediate. Remediate the suspicious activity found on the endpoint.
- Close Incident. When closing an incident, you have the option to create an exclusion for it. Exclusions prevent this item from triggering future Suspicious Activity events, so create one only after you have confirmed from the Rules Triggered details that the activity is benign. If you want to reopen the incident, click the ellipsis icon and choose Open Incident.