Cisco Firepower Management Center 4000
34-34
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Network File Trajectory
You can view summary information from the event icon by hovering your pointer over the event icon. The displayed summary information matches the information displayed in the Events table. The following screenshot shows an event icon's summary information:
If you click any event summary information link, the first page of the File Events default workflow opens in a new window, displaying all file events that match the criteria value you clicked.
To locate the first time a file event occurred involving an IP address, click the address. This highlights a path to that data point, as well as any intervening file events and IP addresses related to the first file event. The corresponding event in the Events table is also highlighted. The map scrolls to that data point if it is not currently visible. The following screenshot shows the path highlighted after clicking an IP address:
To track a file's progress through the network, you can click any data point to highlight a path that includes all data points related to the selected data point. This includes data points associated with the following types of events:
• any file transfers in which the associated IP address was either sender or receiver
• any endpoint-based malware events involving the associated IP address
• if another IP address was involved, all file transfers in which that associated IP address was either sender or receiver
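The two behaviours described above (locating the first file event for an address, and highlighting every data point related to a clicked address) amount to a small graph rule over file and malware events. The following Python is an added illustration of that rule written for this page; it is not Cisco code and does not use any FireSIGHT API. The event records, field names, IP addresses and timestamps are constructed sample data, and the exact set of points the real trajectory map highlights may differ from this reading of the three bullets.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileEvent:
    """One file transfer seen by the system (constructed model, hypothetical fields)."""
    event_id: int
    timestamp: str  # ISO 8601, so lexical order is chronological
    sender: str
    receiver: str


@dataclass(frozen=True)
class MalwareEvent:
    """One endpoint-based malware event on a host (constructed model)."""
    event_id: int
    timestamp: str
    host: str


@dataclass(frozen=True)
class Highlight:
    file_event_ids: frozenset
    malware_event_ids: frozenset
    ip_addresses: frozenset


def first_event_for(file_events: Iterable[FileEvent], ip: str) -> Optional[FileEvent]:
    """Earliest file event in which `ip` was sender or receiver, or None."""
    involving = [e for e in file_events if ip in (e.sender, e.receiver)]
    return min(involving, key=lambda e: e.timestamp) if involving else None


def highlight_path(file_events: Iterable[FileEvent],
                   malware_events: Iterable[MalwareEvent],
                   selected_ip: str) -> Highlight:
    """Data points related to a clicked address, following the three bullets:
    1. transfers where the address was sender or receiver,
    2. endpoint malware events on that address,
    3. for every other address involved in (1), transfers where that address
       was sender or receiver."""
    file_events = list(file_events)
    first_hop = {e for e in file_events if selected_ip in (e.sender, e.receiver)}
    endpoint = {m for m in malware_events if m.host == selected_ip}

    # The "other" address on each first-hop transfer.
    peers = {e.sender if e.receiver == selected_ip else e.receiver for e in first_hop}
    peers.discard(selected_ip)
    second_hop = {e for e in file_events if e.sender in peers or e.receiver in peers}

    highlighted = first_hop | second_hop
    ips = {selected_ip}
    for e in highlighted:
        ips.update((e.sender, e.receiver))
    return Highlight(
        file_event_ids=frozenset(e.event_id for e in highlighted),
        malware_event_ids=frozenset(m.event_id for m in endpoint),
        ip_addresses=frozenset(ips),
    )


# Constructed sample trajectory: one file enters from outside, hops across
# three internal hosts, and an unrelated transfer lands on a fourth host.
SAMPLE_FILE_EVENTS = [
    FileEvent(1, "2014-01-01T10:00:00", "203.0.113.5", "192.0.2.10"),
    FileEvent(2, "2014-01-01T10:05:00", "192.0.2.10", "192.0.2.20"),
    FileEvent(3, "2014-01-01T10:07:00", "192.0.2.20", "192.0.2.30"),
    FileEvent(4, "2014-01-01T11:00:00", "198.51.100.7", "192.0.2.40"),
]
SAMPLE_MALWARE_EVENTS = [
    MalwareEvent(101, "2014-01-01T10:06:00", "192.0.2.20"),
]


if __name__ == "__main__":
    first = first_event_for(SAMPLE_FILE_EVENTS, "192.0.2.20")
    print("first event involving 192.0.2.20:", first)
    print("clicked 192.0.2.20:", highlight_path(SAMPLE_FILE_EVENTS, SAMPLE_MALWARE_EVENTS, "192.0.2.20"))
```

Clicking 192.0.2.20 in the sample highlights transfers 2 and 3 directly, the malware event on that host, and then transfer 1 through the peer 192.0.2.10, which is why the highlighted path reaches back to the external sender. Clicking 192.0.2.40 highlights only transfer 4, because its peer 198.51.100.7 appears in no other transfer.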