Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
• view events using different workflow pages within the same workflow
• view events using a different workflow altogether
• drill down page-to-page within a workflow, constraining on specific values
• bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
• view geolocation information for routable IP addresses associated with a file
• view a file’s trajectory
• create a report template using the current constraints
• delete events from the database
• add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
• view a file’s Dynamic Analysis Summary report, if available
• use the IP address context menu to whitelist, blacklist, or obtain additional available information about a host or IP address associated with a malware event
Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events.
For detailed information on using the event viewer, including creating custom workflows, see
To view malware events:
Access: Admin/Any Security Analyst
License: Malware or Any
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
Step 1 Select Analysis > Files > Malware Events.
The first page of your default malware events workflow appears. For information on the columns that appear, see Understanding the Malware Events Table.
The system logs malware events to the Defense Center database when a FireAMP Connector installed on an endpoint in your organization detects a threat, or a managed device detects a file in network traffic that is then identified as malware by a malware cloud lookup. The system also logs retrospective malware events when it learns that a file’s malware disposition has changed. Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events. For more information, see
and