Cisco Firepower Management Center 4000
34-17
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
The table view of malware events, which is the final page in predefined malware event workflows, and which you can add to custom workflows, includes a column for each field in the files table. Some fields in the table view of malware events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
Keep in mind that not every field is populated for every event; the different types of malware event can contain different information. For example, because FireAMP malware detection is performed at the endpoint at download or execution time, endpoint-based malware events contain information on file path, invoking client application, and so on. In contrast, because managed devices detect malware files in network traffic, their associated malware events contain port, application protocol, and originating IP address information about the connection used to transmit the file.
The following table lists each malware event field, and indicates whether the system displays information in that field, depending on the malware event type. Note that the DC500 Defense Center does not support sending or receiving continent or country geolocation information.
Table 34-4 Malware Event Fields

| Field               | Description                                                                                                                                                                                                      | Network | Endpoint | Retrospective from Cloud |
|---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|--------------------------|
| Time                | The date and time the event was generated.                                                                                                                                                                       | yes     | yes      | yes                      |
| Action              | The file rule action for the rule the file matched, and any associated file rule action options.                                                                                                                 | yes     | no       | yes                      |
| Sending IP          | The IP address of the host sending detected malware.                                                                                                                                                             | yes     | no       | no                       |
| Sending Continent   | The continent of the host sending detected malware.                                                                                                                                                              | yes     | no       | yes                      |
| Sending Country     | The country of the host sending detected malware.                                                                                                                                                                | yes     | no       | no                       |
| Receiving IP        | For network-based malware events, the IP address of the host receiving detected malware. For endpoint-based malware events, the IP address of the endpoint where the FireAMP Connector is installed and where the malware event occurred. | yes     | yes      | no                       |
| Receiving Continent | The continent of the host receiving detected malware.                                                                                                                                                            | yes     | no       | yes                      |
| Receiving Country   | The country of the host receiving detected malware.                                                                                                                                                              | yes     | no       | no                       |
| Sending Port        | The source port used by the traffic in which a managed device detected malware.                                                                                                                                  | yes     | no       | no                       |
| Receiving Port      | The destination port used by the traffic in which a managed device detected malware.                                                                                                                             | yes     | no       | no                       |
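Because each malware event type populates a different subset of these columns, ingest or correlation logic that treats every event the same way ends up with empty source hosts, missing ports, or a geolocation field that is never filled on a DC500. The following added example (not Cisco code and not from this guide) normalizes the three event types into one host-centric record and flags fields that Table 34-4 says should, or should not, be present for that type. The event dicts are constructed to mimic the column names above; how events are exported from the Defense Center and mapped to those names is assumed, and only the fields listed on this page are covered.

```python
"""Normalize FireSIGHT malware events of different types into one record.

Added example for this page, not Cisco's code. Event dicts are constructed
with the column names of Table 34-4; the real export format is assumed to
have been mapped to those names already.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields Table 34-4 marks "yes" for each event type (only the fields listed
# on this page, up to Receiving Port).
EXPECTED_FIELDS = {
    "network": {
        "Time", "Action", "Sending IP", "Sending Continent", "Sending Country",
        "Receiving IP", "Receiving Continent", "Receiving Country",
        "Sending Port", "Receiving Port",
    },
    "endpoint": {"Time", "Receiving IP"},
    "retrospective": {"Time", "Action", "Sending Continent", "Receiving Continent"},
}
GEO_FIELDS = {"Sending Continent", "Sending Country",
              "Receiving Continent", "Receiving Country"}


@dataclass
class NormalizedEvent:
    event_type: str
    time: str
    affected_host: Optional[str]   # host that received or holds the file
    source_host: Optional[str]     # only known for network-detected events
    source_port: Optional[int]
    dest_port: Optional[int]
    action: Optional[str]
    geo: Dict[str, Optional[str]] = field(default_factory=dict)
    anomalies: List[str] = field(default_factory=list)


def normalize(event: dict, geolocation_supported: bool = True) -> NormalizedEvent:
    """Map one event to the common record and record schema anomalies.

    geolocation_supported=False models a DC500 Defense Center, which never
    populates continent/country, so missing geolocation is not an anomaly.
    """
    etype = event["type"]
    expected = EXPECTED_FIELDS[etype]
    anomalies: List[str] = []
    for f in sorted(expected):
        if f in GEO_FIELDS and not geolocation_supported:
            continue
        if not event.get(f):
            anomalies.append(f"missing {f}")
    # A populated field the table says this type never carries usually means
    # the exporter or parser mislabelled the event type.
    for f, value in event.items():
        if f != "type" and f not in expected and value:
            anomalies.append(f"unexpected {f}")

    def port(name: str) -> Optional[int]:
        return int(event[name]) if event.get(name) else None

    return NormalizedEvent(
        event_type=etype,
        time=event.get("Time", ""),
        affected_host=event.get("Receiving IP"),
        source_host=event.get("Sending IP"),
        source_port=port("Sending Port"),
        dest_port=port("Receiving Port"),
        action=event.get("Action"),
        geo={g: event.get(g) for g in sorted(GEO_FIELDS)},
        anomalies=anomalies,
    )


# Constructed sample events (documentation addresses, not real hosts).
SAMPLE_EVENTS = [
    {"type": "network", "Time": "2014-03-10 14:02:11", "Action": "Block Malware",
     "Sending IP": "203.0.113.45", "Sending Continent": "North America",
     "Sending Country": "United States", "Receiving IP": "192.0.2.17",
     "Receiving Continent": "North America", "Receiving Country": "United States",
     "Sending Port": 80, "Receiving Port": 51234},
    {"type": "endpoint", "Time": "2014-03-10 14:05:40", "Receiving IP": "192.0.2.23"},
    # Endpoint event that somehow carries a port: flagged as mislabelled.
    {"type": "endpoint", "Time": "2014-03-10 14:06:02", "Receiving IP": "192.0.2.23",
     "Sending Port": 443},
]


def summarize(events: List[dict], geolocation_supported: bool = True) -> List[NormalizedEvent]:
    return [normalize(e, geolocation_supported) for e in events]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_EVENTS):
        print(rec.event_type, rec.affected_host, rec.source_host, rec.anomalies)
```

The anomaly list is the part worth keeping in a pipeline: a network event with no Sending IP, or an endpoint event with ports, is a parsing or labelling defect that would otherwise silently corrupt any "who sent this file to whom" correlation built on top of these events.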