Cisco Firepower Management Center 4000
34-18    FireSIGHT System User Guide
Chapter 34    Analyzing Malware and File Activity
    Working with Malware Events
Table 34-4    Malware Event Fields (continued)

Columns: Field | Description | Network | Endpoint | Retrospective from Cloud

User
    The user of the host (Receiving IP) where the malware event occurred.
    For network-based malware events, this user is determined by network discovery. Because the user is associated with the destination host, users are not associated with malware events where the user uploaded a malware file.
    For endpoint-based malware events, FireAMP Connectors determine user names. FireAMP users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.
    Network: yes | Endpoint: yes | Retrospective from Cloud: no

Event Type
    The type of malware event. For a full list of event types, see
    Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Event Subtype
    The FireAMP action that led to malware detection, for example, Create, Execute, Move, or Scan.
    Network: no | Endpoint: yes | Retrospective from Cloud: no

Threat Name
    The name of the detected malware.
    Network: yes | Endpoint: yes | Retrospective from Cloud: yes

File Name
    The name of the malware file.
    Network: yes | Endpoint: yes | Retrospective from Cloud: no

File Disposition
    One of the following file dispositions:
      • Malware indicates that the cloud categorized the file as malware, or that the file's threat score exceeded the malware threshold defined in the file policy.
      • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
      • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
      • Custom Detection indicates that a user added the file to the custom detection list.
      • Unavailable indicates that the Defense Center could not perform a malware cloud lookup.
    Note that clean files appear in the malware table only if they were changed to clean; see
    Network: yes | Endpoint: no | Retrospective from Cloud: yes

File SHA256
    The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition.
    To view the network file trajectory, click the trajectory icon. For more information, see
    Network: yes | Endpoint: yes | Retrospective from Cloud: yes
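The disposition rules in the File Disposition entry, and the note that a clean file shows up in the malware table only when it was changed to clean, are easier to reason about as code. The following is an added example, not Cisco's or the FireSIGHT System's own code: it models the five dispositions from the table over constructed lookup results and a constructed file policy. The record layout (Lookup, FilePolicy), the precedence of the user-maintained lists over the cloud result, the threshold value of 76, and the placeholder hashes are all assumptions made for the illustration.

```python
"""Model of FireSIGHT malware-event file dispositions (added illustration, not Cisco code).

Dispositions per the Malware Event Fields table:
  Malware          - cloud said malware, or threat score exceeded the file policy threshold
  Clean            - cloud said clean, or a user added the hash to the clean list
  Unknown          - lookup occurred but the cloud had not yet assigned a disposition
  Custom Detection - a user added the hash to the custom detection list
  Unavailable      - the Defense Center could not perform the cloud lookup
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Lookup:
    """Outcome of one malware cloud lookup (assumed structure for this example)."""
    performed: bool                        # False: Defense Center could not reach the cloud
    cloud_category: Optional[str] = None   # "malware", "clean", or None if not yet assigned
    threat_score: Optional[int] = None     # score returned by the cloud, if any


@dataclass
class FilePolicy:
    """The parts of a file policy this example needs (assumed structure)."""
    malware_threshold: int                 # threat score above which a file counts as malware
    clean_list: Set[str] = field(default_factory=set)             # SHA-256 hex digests
    custom_detection_list: Set[str] = field(default_factory=set)  # SHA-256 hex digests


def disposition(sha256: str, lookup: Lookup, policy: FilePolicy) -> str:
    """Return the File Disposition string for one file.

    Assumed precedence: user-maintained lists are consulted before the cloud
    result, so an analyst's own listing overrides whatever the cloud returned.
    """
    if sha256 in policy.custom_detection_list:
        return "Custom Detection"
    if sha256 in policy.clean_list:
        return "Clean"
    if not lookup.performed:
        return "Unavailable"
    if lookup.cloud_category == "malware":
        return "Malware"
    if lookup.threat_score is not None and lookup.threat_score > policy.malware_threshold:
        return "Malware"
    if lookup.cloud_category == "clean":
        return "Clean"
    # A lookup happened but the cloud has not categorized the file yet.
    return "Unknown"


def appears_in_malware_table(current: str, previous: Optional[str]) -> bool:
    """A clean file is listed only if its disposition was changed to Clean
    (a retrospective event); every non-Clean disposition is listed."""
    if current != "Clean":
        return True
    return previous is not None and previous != "Clean"


# Constructed sample data: obviously fake 64-hex-digit hashes and an assumed threshold.
CUSTOM_HASH = "c" * 64
CLEAN_HASH = "1" * 64
OTHER_HASH = "f" * 64
POLICY = FilePolicy(
    malware_threshold=76,
    clean_list={CLEAN_HASH},
    custom_detection_list={CUSTOM_HASH},
)

if __name__ == "__main__":
    samples = [
        (CUSTOM_HASH, Lookup(performed=True, cloud_category="clean")),
        (CLEAN_HASH, Lookup(performed=True, cloud_category="malware")),
        (OTHER_HASH, Lookup(performed=False)),
        (OTHER_HASH, Lookup(performed=True, threat_score=80)),
        (OTHER_HASH, Lookup(performed=True, threat_score=10)),
        (OTHER_HASH, Lookup(performed=True, cloud_category="clean", threat_score=10)),
    ]
    for sha, lk in samples:
        print(sha[:8], disposition(sha, lk, POLICY))
```

The second function reflects the table's note: when a retrospective event flips a file from Malware to Clean, the record stays visible in the malware table, whereas a file that was Clean from the first lookup never appears there.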