FireSIGHT System User Guide
Chapter 34      Analyzing Malware and File Activity
  Working with Malware Events
An endpoint-based malware event can have any of the following types:
• Blocked Execution
• Cloud Recall Quarantine
• Cloud Recall Quarantine Attempt Failed
• Cloud Recall Quarantine Started
• Cloud Recall Restore from Quarantine
• Cloud Recall Restore from Quarantine Failed
• Cloud Recall Restore from Quarantine Started
• FireAMP IOC
• Quarantine Failure
• Quarantined Item Restored
• Quarantine Restore Failed
• Quarantine Restore Started
• Scan Completed, No Detections
• Scan Completed With Detections
• Scan Failed
• Scan Started
• Threat Detected
• Threat Detected in Exclusion
• Threat Quarantined
If a file’s trajectory map contains malware events, the events are one of the following types: Threat Detected in Network File Transfer, Threat Detected in Network File Transfer (retrospective), Threat Detected, Threat Detected in Exclusion, and Threat Quarantined. See  for more information.
Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events.
Searching for Malware Events
License: Malware or Any
Using the Defense Center’s Search page, you can search for specific malware events, display the results in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.
Searches delivered with the system, labeled with (Cisco) in the Saved Searches list, serve as examples.
Keep in mind that your search results depend on the data the events you are searching actually contain: a constraint on a field that an event does not carry cannot match that event, so some constraints effectively do not apply to some event types. For example, because endpoint-based malware events are not generated as a result of managed devices inspecting network traffic, they do not contain connection information (port, application protocol, and so on); a search constrained on those fields therefore never returns endpoint-based events.
Note that because the DC500 does not support geolocation, searches using these fields from a DC500 return no results.
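The following added example is not from the FireSIGHT System User Guide or from Cisco; it models the two caveats above (endpoint-based events carry no connection fields, and geolocation fields are never populated on a DC500) so you can tell an empty search result caused by absent fields apart from one caused by non-matching values. The event layout, the field names (initiator_port, responder_port, application_protocol, source_country, disposition) and the sample events are constructed assumptions for illustration; the event type lists are the ones given in this section.

```python
# Added example, not Cisco's code. Event records are modelled as plain dicts;
# the field names and SAMPLE_EVENTS below are constructed assumptions.
from collections import Counter

# Endpoint-based (FireAMP) malware event types listed in this section.
ENDPOINT_EVENT_TYPES = frozenset({
    "Blocked Execution",
    "Cloud Recall Quarantine",
    "Cloud Recall Quarantine Attempt Failed",
    "Cloud Recall Quarantine Started",
    "Cloud Recall Restore from Quarantine",
    "Cloud Recall Restore from Quarantine Failed",
    "Cloud Recall Restore from Quarantine Started",
    "FireAMP IOC",
    "Quarantine Failure",
    "Quarantined Item Restored",
    "Quarantine Restore Failed",
    "Quarantine Restore Started",
    "Scan Completed, No Detections",
    "Scan Completed With Detections",
    "Scan Failed",
    "Scan Started",
    "Threat Detected",
    "Threat Detected in Exclusion",
    "Threat Quarantined",
})

# Event types this section says can appear in a file's trajectory map.
TRAJECTORY_EVENT_TYPES = frozenset({
    "Threat Detected in Network File Transfer",
    "Threat Detected in Network File Transfer (retrospective)",
    "Threat Detected",
    "Threat Detected in Exclusion",
    "Threat Quarantined",
})

# Constructed sample events with assumed field names. Only the network-based
# event carries connection information; none carries a geolocation field,
# as would be the case for events viewed on a DC500.
SAMPLE_EVENTS = [
    {"event_type": "Threat Detected in Network File Transfer",
     "disposition": "Malware", "initiator_port": 49152,
     "responder_port": 80, "application_protocol": "HTTP"},
    {"event_type": "Threat Detected", "disposition": "Malware"},
    {"event_type": "Threat Quarantined", "disposition": "Malware"},
    {"event_type": "Scan Completed, No Detections", "disposition": "Clean"},
]


def is_endpoint_based(event):
    return event["event_type"] in ENDPOINT_EVENT_TYPES


def appears_in_trajectory(event):
    return event["event_type"] in TRAJECTORY_EVENT_TYPES


def search(events, **constraints):
    """Return the events satisfying every constraint.

    An event that does not carry a constrained field cannot satisfy it, so a
    search constrained on a connection field such as application_protocol
    silently drops every endpoint-based event.
    """
    return [ev for ev in events
            if all(name in ev and ev[name] == wanted
                   for name, wanted in constraints.items())]


def diagnose(events, **constraints):
    """Per constraint, count events that match it, that carry the field with
    a different value, and that lack the field entirely.

    A large 'missing' count explains an empty result that is not a data
    problem: endpoint-based events under a port or protocol constraint, or
    any event under a geolocation constraint on an appliance that never
    populates those fields.
    """
    report = {}
    for name, wanted in constraints.items():
        tally = Counter(match=0, mismatch=0, missing=0)
        for ev in events:
            if name not in ev:
                tally["missing"] += 1
            elif ev[name] == wanted:
                tally["match"] += 1
            else:
                tally["mismatch"] += 1
        report[name] = dict(tally)
    return report


if __name__ == "__main__":
    print(search(SAMPLE_EVENTS, application_protocol="HTTP"))
    print(diagnose(SAMPLE_EVENTS, application_protocol="HTTP"))
    print(diagnose(SAMPLE_EVENTS, source_country="US"))  # assumed geolocation field
```

Run `diagnose` with the same constraints as a search that came back empty: a result such as `{"match": 0, "mismatch": 0, "missing": 4}` means no event in the set carries the field at all, which is what a port constraint against endpoint-only data or a geolocation constraint on a DC500 produces, whereas a non-zero `mismatch` count means the field exists and simply holds other values.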