Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 34      Analyzing Malware and File Activity
If multiple reports exist, this summary is based on the most recent report matching the exact threat score. 
If none match the exact threat score, then the report with the highest threat score is displayed. If more 
than one report exists, you can select a threat score to view each separate report.
The summary lists each component threat comprising the threat score. Each component threat is 
expandable to list the VRT’s findings, as well as any processes related to this component threat.
The process tree shows the processes that started when the cloud attempted to run the file. This can help 
identify whether a file that contains malware is attempting to access processes and system resources 
beyond what is expected (for example, running a Word document opens Microsoft Word, then starts 
Explorer, then starts Java). 
Each listed process shows a process identifier and an MD5 checksum that you can use to verify the actual 
process. Processes started by a parent process appear in the tree as child nodes of that parent.
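The report-selection rule and the process tree described above, as an added worked example (illustrative code, not FireSIGHT's own): it picks the report the way the summary does (most recent report with the exact threat score, otherwise the highest-scoring report), rebuilds the parent/child tree from a flat process list, and flags a process either because it is outside an expected baseline or because its MD5 does not match the known binary. The report layout (dict keys), the expected-process baseline for a Word document, and all hashes and sample data are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed "known good" MD5 values, derived from stand-in byte strings so the
# example is reproducible offline. In practice these come from the real binaries.
KNOWN_GOOD_MD5 = {
    "WINWORD.EXE": hashlib.md5(b"constructed stand-in for WINWORD.EXE").hexdigest(),
    "explorer.exe": hashlib.md5(b"constructed stand-in for explorer.exe").hexdigest(),
}
# Assumed baseline: processes a benign .docx is expected to involve.
EXPECTED_PROCESSES = {"WINWORD.EXE", "explorer.exe"}

# Constructed dynamic-analysis reports (hypothetical layout, not the product's).
REPORTS = [
    {"id": "r1", "threat_score": 90, "timestamp": 1, "processes": []},
    {"id": "r2", "threat_score": 90, "timestamp": 2, "processes": [
        {"pid": 100, "ppid": None, "name": "WINWORD.EXE",
         "md5": KNOWN_GOOD_MD5["WINWORD.EXE"]},
        # Named like the real shell but with a hash that does not match it.
        {"pid": 200, "ppid": 100, "name": "explorer.exe", "md5": "f" * 32},
        # Not in the baseline at all.
        {"pid": 300, "ppid": 200, "name": "java.exe", "md5": "0" * 32},
    ]},
    {"id": "r3", "threat_score": 95, "timestamp": 0, "processes": []},
]


@dataclass
class ProcNode:
    pid: int
    ppid: Optional[int]
    name: str
    md5: str
    children: list = field(default_factory=list)


def select_report(reports, threat_score):
    """Most recent report with exactly this score; otherwise the highest-scoring one."""
    exact = [r for r in reports if r["threat_score"] == threat_score]
    if exact:
        return max(exact, key=lambda r: r["timestamp"])
    return max(reports, key=lambda r: r["threat_score"])


def build_process_tree(processes):
    """Link each process to its parent by ppid; processes without a known parent are roots."""
    nodes = {p["pid"]: ProcNode(p["pid"], p["ppid"], p["name"], p["md5"]) for p in processes}
    roots = []
    for node in nodes.values():
        parent = nodes.get(node.ppid)
        if parent is None:
            roots.append(node)
        else:
            parent.children.append(node)
    return roots


def render_tree(roots, depth=0):
    """Indented text rendering of the tree, one line per process."""
    lines = []
    for node in roots:
        lines.append(f"{'  ' * depth}{node.name} (pid {node.pid})")
        lines.extend(render_tree(node.children, depth + 1))
    return lines


def flag_processes(roots, expected=EXPECTED_PROCESSES, known_md5=KNOWN_GOOD_MD5):
    """Walk the tree and flag processes outside the baseline or with a mismatched MD5."""
    findings = []
    stack = list(roots)
    while stack:
        node = stack.pop()
        if node.name not in expected:
            findings.append((node.pid, node.name, "unexpected process"))
        elif node.name in known_md5 and known_md5[node.name] != node.md5.lower():
            findings.append((node.pid, node.name, "md5 mismatch"))
        stack.extend(node.children)
    return sorted(findings)


def verify_md5(data: bytes, expected_md5: str) -> bool:
    """Check an actual binary's bytes against the checksum listed in the report."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


if __name__ == "__main__":
    report = select_report(REPORTS, 90)
    roots = build_process_tree(report["processes"])
    print("\n".join(render_tree(roots)))
    for pid, name, why in flag_processes(roots):
        print(f"{report['id']}: pid {pid} {name}: {why}")
```

The MD5 check is only as strong as the source of the known-good hashes; comparing against a hash you pulled from the same report proves nothing, so the baseline must come from a trusted inventory of the real binaries.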
From the dynamic analysis summary, you can click View Full Report to view the VRT’s Analysis report, 
detailing the VRT’s full analysis, including general file information, a more in-depth review of all 
detected processes, a breakdown of the file analysis, and other relevant information.
Working with File Events
License: Protection
The system logs the file events generated when a managed device detects or blocks a file in network 
traffic, according to the rules in currently applied file policies. Note that when the system generates a 
file event, the system also logs the end of the associated connection to the Defense Center database, 
regardless of the logging configuration of the invoking access control rule. For more information, see 
.
Note: Files detected in network traffic and identified as malware by the FireSIGHT System generate both a file 
event and a malware event. This is because to detect malware in a file, the system must first detect the 
file itself. Endpoint-based malware events do not have corresponding file events. For more information, 
see  and .
You can use the Defense Center’s event viewer to view, search, and delete file events. Additionally, the 
Files Dashboard provides an at-a-glance view of detailed information about the files (including malware 
files) detected on your network, using charts and graphs. Network file trajectory offers a more in-depth 
view of individual files, providing summary information about the file and how it has moved through the 
network over time. Using file identification data, you can trigger correlation rules and create reports, the 
latter using either the predefined Files Report template or a custom report template.
For more information, see:
  •
  •
  •
  •
Viewing File Events
License: Protection