34-24
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Captured Files
Viewing Captured Files
License: Malware
The FireSIGHT System’s event viewer allows you to view captured files in a table, as well as manipulate 
the event view depending on the information relevant to your analysis.
The page you see when you access captured files differs depending on the workflow, which is simply a 
series of pages you can use to evaluate events by moving from a broad to a more focused view. The 
system is delivered with the following predefined workflows for captured files:
• Captured File Summary, the default, provides a breakdown of captured files based on type, category, and threat score.
• Dynamic Analysis Status provides a count of captured files based on whether they have been submitted for dynamic analysis.
You can also create a custom workflow that displays only the information that matches your specific 
needs. For information on specifying a different default workflow, including a custom workflow, see 
Using the event viewer, you can:
• search for, sort, and constrain events, as well as change the time range for displayed events
• specify the columns that appear (table view only)
• view events using different workflow pages within the same workflow
• view events using a different workflow altogether
• drill down page-to-page within a workflow, constraining on specific values
• bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
• view a file’s trajectory
• add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
• view a file’s Dynamic Analysis Summary report, if available
• submit up to 25 files at a time for dynamic analysis
• create a report template using the current constraints
Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware 
protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only 
Series 2 devices cannot display captured files.
For detailed information on using the event viewer, including creating custom workflows, see 
To view file events:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Files > Captured Files.
The first page of your default file events workflow appears. For information on the columns that appear, 
see