Cisco Firepower Management Center 4000
34-15
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
In either case, the malware event’s Message indicates how and when the disposition changed, for example:
Retrospective Event, Mon Oct 1 20:44:00 2012 (UTC), Old Disp: Unknown, New Disp: Malware
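A retrospective event's Message follows the fixed shape shown above, so it can be parsed to find files whose disposition moved to Malware after they had already crossed the network, which are the ones that need follow-up. The following parser is an added example for this page, not Cisco's code or a FireSIGHT API; it assumes the Message text matches the format of the example above exactly, and the sample messages it processes are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample Message values in the format shown on the page.
SAMPLE_MESSAGES = [
    "Retrospective Event, Mon Oct 1 20:44:00 2012 (UTC), Old Disp: Unknown, New Disp: Malware",
    "Retrospective Event, Tue Oct 2 08:15:30 2012 (UTC), Old Disp: Malware, New Disp: Clean",
    "Retrospective Event, Tue Oct 2 09:00:00 2012 (UTC), Old Disp: Unknown, New Disp: Clean",
    "Malware Cloud Lookup",  # constructed non-retrospective message; must be ignored
]

# Regex for "Retrospective Event, <timestamp> (UTC), Old Disp: <x>, New Disp: <y>"
# (assumed format, derived from the page's single example).
_PATTERN = re.compile(
    r"^Retrospective Event,\s+(?P<ts>.+?)\s+\(UTC\),\s+"
    r"Old Disp:\s*(?P<old>[^,]+),\s+New Disp:\s*(?P<new>.+?)\s*$"
)


@dataclass(frozen=True)
class DispositionChange:
    changed_at: datetime
    old_disposition: str
    new_disposition: str

    @property
    def escalated(self) -> bool:
        """True when a file not previously known as malware is now rated Malware."""
        return self.new_disposition == "Malware" and self.old_disposition != "Malware"


def parse_retrospective_message(message: str) -> Optional[DispositionChange]:
    """Return the parsed disposition change, or None for any other Message text."""
    m = _PATTERN.match(message.strip())
    if not m:
        return None
    # Collapse padded day numbers ("Oct  1") before applying the timestamp format.
    ts_text = " ".join(m.group("ts").split())
    changed_at = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y").replace(
        tzinfo=timezone.utc
    )
    return DispositionChange(changed_at, m.group("old").strip(), m.group("new").strip())


def find_escalations(messages: List[str]) -> List[DispositionChange]:
    """Keep only changes where the new disposition is Malware (the cases to triage)."""
    changes = (parse_retrospective_message(msg) for msg in messages)
    return [c for c in changes if c is not None and c.escalated]


if __name__ == "__main__":
    for change in find_escalations(SAMPLE_MESSAGES):
        print(f"{change.changed_at.isoformat()}: "
              f"{change.old_disposition} -> {change.new_disposition}")
```

Because the verdict can also move from Malware to Clean, the filter keys on the new disposition rather than on the mere presence of a retrospective event; a Malware-to-Clean change is worth noting but does not call for containment.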
Using Malware Events
You can use the Defense Center’s event viewer to view, search, and delete malware events. Additionally,
the Files Dashboard and Context Explorer provide an at-a-glance view of detailed information about the
files (including malware files) detected on your network, using charts and graphs. Network file trajectory
offers a more in-depth view of individual malware files, providing summary information about the file
and how it has moved through the network over time. Using malware detection data, you can trigger
correlation rules and create reports, the latter using either the predefined Malware Report template or a
custom report template.
For more information, see:
Viewing Malware Events
License: Malware or Any
The FireSIGHT System’s event viewer allows you to view malware events in a table, as well as
manipulate the event view depending on the information relevant to your analysis.
The page you see when you access malware events differs depending on the workflow, which is simply
a series of pages you can use to evaluate events by moving from a broad to a more focused view. The
system is delivered with the following predefined workflows for malware events:
• Malware Summary, the default, provides a list of detected malware, grouped by individual threat.
• Malware Event Summary provides a quick breakdown of the different malware event types and subtypes.
• Hosts Receiving Malware and Hosts Sending Malware provide a list of hosts that have received or sent malware, grouped by the associated malware dispositions for those files. Note that dispositions appear only for files detected as the result of Malware Cloud Lookup or Block Malware file rules.
• Applications Introducing Malware provides a list of the client applications that accessed or executed the malware detected on endpoints in your organization. From this list, you can drill down into the individual malware files accessed by each parent client.
You can also create a custom workflow that displays only the information that matches your specific
needs. For information on specifying a different default workflow, including a custom workflow, see
.
Using the event viewer, you can:
• search for, sort, and constrain events, as well as change the time range for displayed events
• specify the columns that appear (table view only)
• view the host profile associated with an IP address, or the user details and host history associated with a user identity
• view the connections where specific malware was detected (for network-based malware events only)