34-19
FireSIGHT System User Guide
 
Chapter 34      Analyzing Malware and File Activity
  Working with Malware Events
Table 34-4 Malware Event Fields (continued)

| Field | Description | Network | Endpoint | Retrospective from Cloud |
|---|---|---|---|---|
| Threat Score | The threat score most recently associated with this file: Low, Medium, High, or Very High. To view the Dynamic Analysis Summary report, click the threat score icon. | yes | no | no |
| File Path | The file path of the malware file, not including the file name. | no | yes | no |
| File Type | The file type of the malware file, for example, HTML or MSEXE. | yes | yes | no |
| File Type Category | The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files. | yes | yes | no |
| File Timestamp | The time and date the malware file was created. | no | yes | no |
| File Size (KB) | The size of the malware file, in kilobytes. | yes | yes | no |
| File URI | The originating URI of the malware file, for example, the URL where a user downloaded it. | yes | no | no |
| Application File Name | The client application accessing the malware file when detection occurred. These applications are not tied to network discovery or application control. | no | yes | no |
| Application File SHA256 | The SHA-256 hash value of the parent file accessing the FireAMP-detected or quarantined file when detection occurred. | no | yes | no |
| Application Protocol | The application protocol used by the traffic in which a managed device detected a malware file. | yes | no | no |
| Application Protocol, Client, or Web Application Category or Tag | Criteria that characterize the application to help you understand the application's function. For more information, see the | yes | no | yes |
| Client | The client application that runs on one host and relies on a server to send a file. | yes | no | yes |
| Web Application | The application that represents the content or requested URL for HTTP traffic detected in the connection. | yes | no | yes |
| IOC | Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When endpoint-based malware detection triggers an IOC rule, a full malware event is generated, with the type FireAMP IOC. For more information on IOC, see | yes | yes | yes |