Cisco FirePOWER Appliance 8250

FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
An endpoint-based malware event can have any of the following types:
Blocked Execution
Cloud Recall Quarantine
Cloud Recall Quarantine Attempt Failed
Cloud Recall Quarantine Started
Cloud Recall Restore from Quarantine
Cloud Recall Restore from Quarantine Failed
Cloud Recall Restore from Quarantine Started
Quarantine Failure
Quarantined Item Restored
Quarantine Restore Failed
Quarantine Restore Started
Scan Completed, No Detections
Scan Completed With Detections
Scan Failed
Scan Started
Threat Detected
Threat Detected in Exclusion
Threat Quarantined
If a file’s trajectory map contains malware events, the events are one of the following types: Threat Detected in Network File Transfer, Threat Detected in Network File Transfer (retrospective), Threat Detected, Threat Detected in Exclusion, and Threat Quarantined. See  for more information.
Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware 
protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only 
Series 2 devices can display only endpoint-based malware events.
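As an added example (not code from the FireSIGHT guide or from Cisco), the following Python replays endpoint-based malware events of the types listed above, per host and file hash, and reports threats that were seen but are not currently contained: a quarantine that failed, a detection inside an exclusion, or a quarantined item that was later restored. The event records, hostnames and hashes are constructed placeholders, assumed to have already been exported from the Defense Center.

```python
from collections import defaultdict
from dataclasses import dataclass

# Event types from the list above, grouped by what they mean for containment.
THREAT_SEEN = {"Threat Detected", "Threat Detected in Exclusion"}
CONTAINED = {"Threat Quarantined", "Cloud Recall Quarantine"}
RELEASED = {"Quarantined Item Restored", "Cloud Recall Restore from Quarantine"}
FAILED = {"Quarantine Failure", "Cloud Recall Quarantine Attempt Failed",
          "Quarantine Restore Failed", "Scan Failed"}

@dataclass
class MalwareEvent:
    ts: int          # event time (constructed, seconds since epoch)
    host: str        # endpoint that reported the event
    sha256: str      # file hash; placeholder values in the sample below
    event_type: str  # one of the endpoint-based types listed above

def triage(events):
    """Replay each (host, file) stream in time order; return threats seen but not contained."""
    streams = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        streams[(e.host, e.sha256)].append(e.event_type)
    open_threats = {}
    for key, types in streams.items():
        seen, contained, failures = False, False, []
        for t in types:
            if t in THREAT_SEEN:
                seen = True
            elif t in CONTAINED:
                contained = True
            elif t in RELEASED:  # a restore undoes an earlier quarantine
                contained = False
            elif t in FAILED:
                failures.append(t)
        if seen and not contained:
            open_threats[key] = {"failures": failures,
                                 "in_exclusion": "Threat Detected in Exclusion" in types,
                                 "restored": any(t in RELEASED for t in types)}
    return open_threats

# Constructed sample stream; hostnames and hashes are placeholders.
SAMPLE = [
    MalwareEvent(100, "host-a", "sha-a", "Threat Detected"),
    MalwareEvent(101, "host-a", "sha-a", "Threat Quarantined"),
    MalwareEvent(200, "host-b", "sha-b", "Threat Detected"),
    MalwareEvent(201, "host-b", "sha-b", "Quarantine Failure"),
    MalwareEvent(300, "host-c", "sha-c", "Threat Detected in Exclusion"),
    MalwareEvent(402, "host-d", "sha-d", "Quarantined Item Restored"),  # arrives out of order
    MalwareEvent(400, "host-d", "sha-d", "Threat Detected"),
    MalwareEvent(401, "host-d", "sha-d", "Threat Quarantined"),
]
```

Running `triage(SAMPLE)` leaves host-a out (contained) and flags host-b, host-c and host-d with the reason each threat is still open.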
Searching for Malware Events
License: Malware or Any
Using the Defense Center’s Search page, you can search for specific malware events, display the results 
in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, 
report templates, and custom user roles can also use saved searches.
Searches delivered with the system, labeled with  in the Saved Searches list, serve as examples.
Keep in mind that your search results depend on the available data in the events you are searching. In 
other words, depending on the available data, your search constraints may not apply. For example, 
because endpoint-based malware events are not generated as a result of managed devices inspecting 
network traffic, they do not contain connection information (port, application protocol, and so on).
Note that because the DC500 does not support geolocation, searches that use geolocation fields on a DC500 return no results.