Suspicious Activity monitoring is a function of Malwarebytes Endpoint Detection and Response (EDR). It observes the behaviors of processes, registry, file system, and network activity on the endpoint using a heuristic algorithm looking for deviations.
View, sort, and perform actions on suspicious activity events directly from the OneView console. This article explains managing suspicious activity events across your sites and managed endpoints.
View and sort suspicious activities
The main area of the Suspicious Activity page shows the list of all suspicious threat information such as the site, location, severity, and status. Filter each column to narrow the page results. Customize your data and results in the following ways:
- Click Add / Remove Columns above the results list to choose which suspicious activity information to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- In the upper-right corner of the page, click Reset filters
to go back to the default filter settings. - Hover your cursor over a column header to reveal a hamburger icon
with options to pin and auto-size columns.
Perform actions
Performing actions on suspicious activity events in OneView allows you to manage multiple sites monitoring threats from one console. To perform actions on suspicious activity events, go to the Suspicious Activity page in OneView.
In the Location column, click a detected item to view the status and additional information. This information includes detected file paths, triggered rules, and a mapped layout of MITRE Tactics. To learn more, see Suspicious Activity Status in Malwarebytes OneView.
To perform bulk actions across multiple endpoints from different sites, select multiple incidents with the same Status.
On the top right, click Actions button 
and choose from the following actions in the table below.
| Action | Description |
| Isolate Endpoint | Block network connections, processes, and/or user activity on the endpoint until the isolation is removed. |
| Remove Isolation | Remove isolation on an endpoint. The endpoint will automatically reboot. |
| Remediate Endpoints(s) | Remediate the suspicious activity found on the endpoint. |
| Close Incident |
Closes the suspicious incident, you have the option when closing an incident to create an exclusion. Exclusions prevent this item from triggering future Suspicious Activity events. Choose one of the following exclusion options:
|
| Open Incident | Open a closed incident if further investigation is required. |
Return to the Malwarebytes OneView User Guide.