Cisco Cisco FirePOWER Appliance 7020
34-31
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Network File Trajectory
Table 34-9 Network File Trajectory Summary Information Fields

File SHA256
The SHA-256 hash value of the file.
The hash is displayed by default in a condensed format. To view the full hash value, hover your pointer over it. If multiple SHA-256 hash values are associated with a file name, hover your pointer over the link to view all of the hash values.
Click the download file icon to download the file to your local computer. If prompted, confirm you want to download the file. Follow your browser's prompts to save the file. If the file is unavailable for download, this icon is grayed out.
Caution: Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

File Names
The names of the file associated with the event, as seen on the network.
If multiple file names are associated with a SHA-256 hash value, the most recently detected file name is listed. You can expand this to view the remaining file names by clicking "more".

File Type
The file type of the file, for example, HTML or MSEXE.

File Category
The general category of the file type, for example, Office Documents or System Files.

Parent Application
The client application accessing the malware file when detection occurred. These applications are not tied to network discovery or application control.
This field only appears for endpoint-based malware events.

First Seen
The first time a managed device or FireAMP Connector detected the file, and the IP address of the host that first uploaded the file.

Last Seen
The most recent time a managed device or FireAMP Connector detected the file, and the IP address of the host that last downloaded the file.

Event Count
The number of events seen on the network associated with the file, and the number of events displayed in the map if there are more than 250 detected events.

Seen On
The number of hosts that either sent or received the file. Because one host can upload and download a file at different times, the total number of hosts may not match the total number of senders plus the total number of receivers in the Seen On Breakdown field.

Seen On Breakdown
The number of hosts that sent the file, followed by the number of hosts that received the file.
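The following added example (not Cisco's code and not taken from the FireSIGHT product) derives the summary fields above from a constructed list of file events for one SHA-256, and shows why Seen On is a count of distinct hosts rather than the sum of the Seen On Breakdown values; the event tuples, host addresses and the 250-event map limit are assumptions built from the table's descriptions.

```python
# Constructed sample file events for a single SHA-256 (hypothetical data).
# Each tuple: detection time (ISO 8601), sending host, receiving host, file name.
SAMPLE_EVENTS = [
    ("2014-05-01T09:00:00", "10.1.1.5", "10.1.1.20", "invoice.exe"),
    ("2014-05-01T09:30:00", "10.1.1.20", "10.1.1.30", "invoice.exe"),
    ("2014-05-02T11:15:00", "10.1.1.30", "10.1.1.40", "inv0ice.exe"),
]

# The trajectory map displays at most this many events (per the Event Count field).
MAP_EVENT_LIMIT = 250


def summarize_trajectory(events):
    """Compute the Table 34-9 summary fields for one file hash's events."""
    ordered = sorted(events, key=lambda e: e[0])  # ISO timestamps sort lexically
    senders = {sender for _, sender, _, _ in ordered}
    receivers = {receiver for _, _, receiver, _ in ordered}

    # The most recently detected name is listed first; the rest sit behind "more".
    names = []
    for _, _, _, name in reversed(ordered):
        if name not in names:
            names.append(name)

    return {
        "file_names": names,
        # First Seen: earliest detection time plus the host that first uploaded (sent) it.
        "first_seen": (ordered[0][0], ordered[0][1]),
        # Last Seen: latest detection time plus the host that last downloaded (received) it.
        "last_seen": (ordered[-1][0], ordered[-1][2]),
        "event_count": len(ordered),
        "events_in_map": min(len(ordered), MAP_EVENT_LIMIT),
        # Seen On: distinct hosts that sent OR received; a host that did both counts once.
        "seen_on": len(senders | receivers),
        # Seen On Breakdown: senders, then receivers (their sum can exceed Seen On).
        "seen_on_breakdown": (len(senders), len(receivers)),
    }


if __name__ == "__main__":
    for field, value in summarize_trajectory(SAMPLE_EVENTS).items():
        print(f"{field}: {value}")
```

In the sample, 10.1.1.20 and 10.1.1.30 each download the file and later upload it, so the breakdown reads 3 senders and 3 receivers while Seen On is 4 hosts.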