FireSIGHT System User Guide
Chapter 34  Analyzing Malware and File Activity
Working with File Events
Searching for File Events
License: Protection
Using the Defense Center's Search page, you can search for specific file events, display the results in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.

Keep in mind that your search results depend on the data available in the events you are searching. In other words, depending on the available data, some of your search constraints may not apply. For example, the Disposition and SHA256 fields are populated only for files for which the Defense Center performed a malware cloud lookup; a constraint on either field cannot match a file event that never received a cloud lookup.

Note that because the DC500 does not support geolocation, searches using the geolocation fields from a DC500 return no results, regardless of whether geolocation information was detected.
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:
  • All fields accept negation (!).
  • All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
  • Many fields accept one or more asterisks (*) as wild cards.
  • Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
  • Click the add object icon that appears next to a search field to use an object as a search criterion.
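The following Python snippet is an added example, not part of the user guide or Cisco's own code: it models the search syntax above (negation with !, comma-separated lists, * wild cards, and n/a / !n/a for missing or populated fields) against a few constructed file events, so you can check how a saved search will behave on events that never received a malware cloud lookup and therefore carry no Disposition or SHA256. It assumes that the comma-separated values within one field are alternatives and that different fields are combined with AND.

```python
import re

# Constructed sample file events (not real data). The second event had no
# malware cloud lookup, so its Disposition and SHA256 are absent (n/a).
SAMPLE_EVENTS = [
    {"File Name": "invoice.pdf", "Disposition": "Malware", "SHA256": "aa" * 32,
     "Device": "fw-edge-1", "Application Risk": "High"},
    {"File Name": "readme.txt",
     "Device": "fw-edge-2", "Application Risk": "Low"},
    {"File Name": "setup.exe", "Disposition": "Clean", "SHA256": "bb" * 32,
     "Device": "fw-edge-1", "Application Risk": "Very High"},
]


def term_matches(term, value):
    """Match one search term against a field value (None = not available).

    Handles leading '!' negation, the literal n/a keyword, and '*' wild cards;
    everything else in the term is matched literally, case-insensitively.
    """
    term = term.strip()
    negate = term.startswith("!")
    if negate:
        term = term[1:].strip()
    if term.lower() == "n/a":
        hit = value is None
    elif value is None:
        # A literal or wild-card term can never match a field that is not populated.
        hit = False
    else:
        pattern = ".*".join(re.escape(part) for part in term.split("*"))
        hit = re.fullmatch(pattern, value, re.IGNORECASE) is not None
    return hit != negate


def field_matches(criteria, value):
    """Assumption: comma-separated terms in one field are alternatives (OR)."""
    return any(term_matches(t, value) for t in criteria.split(","))


def search_file_events(events, constraints):
    """Return the events satisfying every field constraint (fields are ANDed)."""
    return [e for e in events
            if all(field_matches(c, e.get(f)) for f, c in constraints.items())]


if __name__ == "__main__":
    for hit in search_file_events(SAMPLE_EVENTS, {"Disposition": "!n/a", "Device": "fw-edge-1"}):
        print(hit["File Name"], hit["Disposition"])
```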
Table 34-2  File Event Fields (continued)

Field: Application Risk
Description: The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those. For more information, see the table.

Field: Business Relevance
Description: The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see the

Field: Message
Description: For files where a malware disposition has changed, that is, for files associated with retrospective malware events, information about when and how the disposition changed.

Field: File Policy
Description: The file policy that detected the file.

Field: Device
Description: The name of the device that detected the file.

Field: Security Context
Description: The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.

Field: Count
Description: The number of events that match the information in each row. This field appears after you apply a constraint that creates two or more identical rows.