Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.
Suspicious Activity Monitoring uses machine learning models and cloud-based analysis to detect when questionable activity occurs. This article explains how to enable Suspicious Activity Monitoring in a policy.
Enable Suspicious Activity Monitoring in the policy
- Go to Settings > Policies.
- Select a policy.
- Select the Windows or Mac tab> Settings tab and scroll to the bottom.
- Switch Suspicious Activity Monitoring to ON. If you also want to monitor servers, switch Server Operating System Monitoring to ON.
- In the upper right, click SAVE.
Group and policy changes take effect the next time the endpoint checks in with the console.
Aggressive Mode (Windows only)
If Aggressive Mode is enabled, Malwarebytes uses a tighter threshold for flagging processes as suspicious and is more aggressive in its detections. Aggressive Mode helps protect your endpoints from additional unknown threats, but could increase False Positives. Enable Aggressive Mode for your most sensitive assets. By default, the toggle is set to OFF.
The Network Events toggle lets you allow or restrict the collection of network events to include in Flight Recorder searches. Toggling this setting ON increases the amount of traffic sent to the cloud. By default, the toggle is set to OFF.
Return to the Malwarebytes Nebula platform Administrator Guide.