Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 34: Analyzing Malware and File Activity
  • Click Save as New Search to save the search criteria. The search is saved (and associated with your
    user account if you selected Save As Private).
Working with Network File Trajectory
License: Malware or Any
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The network file trajectory feature maps how hosts transferred files, including malware files, across your
network. You can use the map to determine which hosts may have transferred malware and which hosts are
at risk, and to observe file transfer trends.
The trajectory map charts file transfer data, the disposition of the file, and whether a file transfer was
blocked or the file was quarantined. The data used to build the map can come from network-based malware
events (any file event for which the system performed a malware cloud lookup and returned a malware
disposition) and certain endpoint-based malware events related to detecting and blocking malware (any
Threat Detected or Threat Quarantined event type). Vertical lines between data points represent file
transfers between hosts. Horizontal lines connecting the data points show a host’s file activity over time.
You can track the transmission of any file type for which the system can perform a malware cloud
lookup. To directly access a file’s trajectory, you can use the Network File Trajectory List page
(Analysis > Files > Network File Trajectory) and locate specific files. Additionally, if you are analyzing
an intrusion and want to review the trajectory for a related file, you can access the file’s trajectory from
the Context Explorer, dashboard, or event views of connection, file, or malware events.
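The trajectory map described above can be modeled as per-host timelines (the horizontal lines) plus host-to-host transfers (the vertical lines). The following sketch is an added example, not Cisco code and not the FireSIGHT event format: the event fields, file IDs, and addresses are constructed, and the "at risk" rule (received the file and not quarantined afterwards) is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not a FireSIGHT export). "file" is a placeholder ID.
EVENTS = [
    {"t": 100, "file": "FILE-A", "src": "192.0.2.5", "dst": "192.0.2.8",  "action": "transfer"},
    {"t": 160, "file": "FILE-A", "src": "192.0.2.8", "dst": "192.0.2.9",  "action": "transfer"},
    {"t": 200, "file": "FILE-A", "src": "192.0.2.8", "dst": "192.0.2.12", "action": "block"},
    {"t": 240, "file": "FILE-A", "src": None,        "dst": "192.0.2.9",  "action": "quarantine"},
    {"t": 300, "file": "FILE-B", "src": "192.0.2.5", "dst": "192.0.2.20", "action": "transfer"},
]

def build_trajectory(events, file_id):
    """Return (timelines, transfers) for one file.
    timelines: host -> time-ordered data points (the map's horizontal lines).
    transfers: (time, sender, receiver, action) tuples (the vertical lines)."""
    timelines, transfers = defaultdict(list), []
    for ev in sorted((e for e in events if e["file"] == file_id), key=lambda e: e["t"]):
        if ev["action"] == "quarantine":
            # Endpoint-side event: one host, no peer.
            timelines[ev["dst"]].append((ev["t"], "quarantined"))
            continue
        transfers.append((ev["t"], ev["src"], ev["dst"], ev["action"]))
        timelines[ev["src"]].append((ev["t"], "sent"))
        # A blocked transfer never delivered the file to the receiver.
        kind = "blocked" if ev["action"] == "block" else "received"
        timelines[ev["dst"]].append((ev["t"], kind))
    return dict(timelines), transfers

def triage(events, file_id):
    """Return (senders, at_risk): hosts that sent or tried to send the file,
    and hosts that received it and have no later quarantine event."""
    timelines, transfers = build_trajectory(events, file_id)
    senders = {src for _, src, _, _ in transfers}
    at_risk = set()
    for host, points in timelines.items():
        holding = False
        for _, kind in points:  # replay the host's activity in time order
            if kind == "received":
                holding = True
            elif kind == "quarantined":
                holding = False
        if holding:
            at_risk.add(host)
    return senders, at_risk
```
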
The data a single trajectory map displays depends on the licenses applied to your appliance. The 
following table lists the licenses necessary to track different types of file trajectory.
See 
 for more information.
Note that because you cannot use a Malware license with a DC500, nor enable a Malware license on a 
Series 2 device, you cannot use those appliances to capture, store or block individual files, submit files 
for dynamic analysis, or view file trajectories for files for which you conduct a malware cloud lookup. 
You can, however, still view file trajectories for endpoint-based threat and quarantine tracking.
For more information, see the following sections:
  •
  •
Reviewing Network File Trajectory
License: Malware or Any
Table 34-8  License Requirements for Network File Trajectory

To view...                                       You need the following license...
network-based file and malware trajectories      Malware
endpoint-based threat and quarantine tracking    Any (you must have a FireAMP subscription)