Cisco FirePOWER Appliance 7125
34-33
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Network File Trajectory
in the map and highlight a path that traces back to the first instance the host transferred that file; this path
also intersects with every occurrence involving the host as either sender or receiver of the file. The
following screenshot shows an example trajectory map:
The map’s y-axis contains a list of all host IP addresses that have interacted with the file. The IP
addresses are listed in descending order based on when the system first detected the file on that host.
Each row contains all events associated with that IP address, whether a single file event, file transfer, or
retrospective event. The x-axis contains the date and time the system detected each event. The
timestamps are listed in chronological order. If multiple events occurred within a minute, all are listed
within the same column. You can scroll the map horizontally and vertically to view additional events and
IP addresses.
The map displays up to 250 events associated with the file SHA-256 hash. If there are more than 250
events, the map displays the first 10, then truncates extra events with an arrow icon. The map then
displays the remaining 240 events. The following screenshot shows events truncated with the arrow icon:
You can view all events not displayed in the File Summary event view by clicking the arrow icon.
The first page of the File Events default workflow appears in a new window with all the extra events
constrained based on the file type. If endpoint-based malware events are not displayed, you must switch
to the Malware Events table to view these.
Each data point represents an event plus the file disposition, as described in the legend below the map.
For example, a Malware Block event icon combines the Malicious Disposition icon and the Block Event
icon.
Endpoint-based malware events include one icon. A retrospective event displays an icon in the column
for each host on which the file is detected. File transfer events always include two icons, one file send
icon and one file receive icon, connected by a vertical line. Arrows indicate the file transfer direction
from sender to receiver.
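The layout rules above (row order by first detection, one column per minute, the highlighted path for a host, the 250-event limit with the first 10 and remaining 240 kept, and the icon count per event type) as an added Python example; this is not FireSIGHT code, the event records and IP addresses are constructed, and "remaining 240" is assumed to mean the last 240 events in time order.

```python
MAX_EVENTS, HEAD = 250, 10  # limits stated in the guide

# Constructed sample events for one file SHA-256 (hosts and times are made up).
EVENTS = [
    {"ts": "2014-06-02T10:15:05", "type": "transfer", "sender": "10.0.0.5", "receiver": "10.0.0.9"},
    {"ts": "2014-06-02T10:15:40", "type": "file", "host": "10.0.0.9"},
    {"ts": "2014-06-02T10:17:00", "type": "transfer", "sender": "10.0.0.9", "receiver": "10.0.0.20"},
    {"ts": "2014-06-02T11:00:00", "type": "retrospective", "hosts": ["10.0.0.5", "10.0.0.9", "10.0.0.20"]},
]


def event_hosts(ev):
    """Hosts that get an icon for this event: two for a transfer (send + receive),
    one per affected host for a retrospective event, one for a file or malware event."""
    if ev["type"] == "transfer":
        return [ev["sender"], ev["receiver"]]
    if ev["type"] == "retrospective":
        return list(ev["hosts"])
    return [ev["host"]]


def y_axis(events):
    """Row order: host IPs by the time the file was first detected on them (descending, as the guide states)."""
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for host in event_hosts(ev):
            first_seen.setdefault(host, ev["ts"])
    return sorted(first_seen, key=first_seen.get, reverse=True)


def x_axis(events):
    """Column order: one column per minute in chronological order; events within the same minute share a column."""
    return sorted({ev["ts"][:16] for ev in events})


def host_path(events, host):
    """Highlighted path: every transfer involving the host as sender or receiver, back to its first transfer."""
    return sorted((ev for ev in events if ev["type"] == "transfer"
                   and host in (ev["sender"], ev["receiver"])), key=lambda e: e["ts"])


def truncate(events):
    """Above 250 events the map keeps the first 10 and the last 240 (assumed reading of
    'remaining 240'); the events in between are hidden behind the arrow icon."""
    events = sorted(events, key=lambda e: e["ts"])
    if len(events) <= MAX_EVENTS:
        return events, []
    tail = MAX_EVENTS - HEAD
    return events[:HEAD] + events[-tail:], events[HEAD:-tail]
```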