34-30
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Network File Trajectory
The Query Results page appears listing all files that match the search. If only one result matches, the
Network File Trajectory page for that file appears.
Analyzing Network File Trajectory
License:
Malware or Any
Supported Devices:
feature dependent
Supported Defense Centers:
feature dependent
You can trace a file through the network by viewing the detailed network file trajectory. The file’s
trajectory presents summary information about a file, displays the map charting data points over time,
and also lists the event data tied to the data points in a table. Using the table and the map, you can
pinpoint specific file events, hosts on the network that transferred or received this file, related events in
the map, and other related events in a table constrained on selected values.
Note that because you cannot use a Malware license with a DC500, nor can you enable a Malware license
on a Series 2 device, you cannot use those appliances to view file trajectories for files for which you
conduct a malware cloud lookup.
For more information, see the following sections:
Summary Information
License:
Malware or Any
Supported Devices:
feature dependent
Supported Defense Centers:
feature dependent
A file’s trajectory page displays basic information about the file, including file identification
information, when the file was first seen and most recently seen on the network, the number of related
events and hosts associated with the file, and the file’s current disposition. From this section, if the
managed device stored the file, you can download it locally, submit the file for dynamic analysis, or add
the file to a file list.
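The summary fields described above (first seen, most recently seen, related events, associated hosts, current disposition) are all derived from the file events the system has recorded for one SHA-256. The following Python is an added illustration of that derivation and is not Cisco's code; it assumes a simplified, constructed event record (sender, receiver, timestamp, disposition) rather than the real FireSIGHT event database, and the hash and addresses are made-up sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in for one file/malware event (hypothetical schema)."""
    sha256: str
    time: datetime
    sender: str        # host that transferred the file
    receiver: str      # host that received the file
    disposition: str   # e.g. "Unknown", "Clean", "Malware"

# Constructed sample data: one file seen three times, plus an unrelated file.
# A retrospective verdict changes the disposition on the third event.
SAMPLE_SHA256 = "ab" * 32   # placeholder hash, not a real sample
OTHER_SHA256 = "cd" * 32
SAMPLE_EVENTS = [
    FileEvent(SAMPLE_SHA256, datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc),
              "10.1.1.5", "10.1.1.20", "Unknown"),
    FileEvent(OTHER_SHA256, datetime(2015, 3, 1, 10, 0, tzinfo=timezone.utc),
              "10.1.1.5", "10.1.1.21", "Clean"),
    FileEvent(SAMPLE_SHA256, datetime(2015, 3, 1, 9, 30, tzinfo=timezone.utc),
              "10.1.1.20", "10.1.2.7", "Unknown"),
    FileEvent(SAMPLE_SHA256, datetime(2015, 3, 2, 14, 15, tzinfo=timezone.utc),
              "10.1.2.7", "10.1.3.9", "Malware"),
]

def _events_for(events: Iterable[FileEvent], sha256: str) -> list:
    """All events for one file, ordered by time (the trajectory's data points)."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.time)

def file_trajectory_summary(events: Iterable[FileEvent], sha256: str) -> Optional[dict]:
    """Build the summary block for a file: first/last seen, event and host
    counts, and the current disposition (the verdict on the newest event)."""
    matching = _events_for(events, sha256)
    if not matching:
        return None
    hosts = set()
    for e in matching:
        hosts.add(e.sender)
        hosts.add(e.receiver)
    return {
        "sha256": sha256,
        "first_seen": matching[0].time,
        "last_seen": matching[-1].time,
        "event_count": len(matching),
        "host_count": len(hosts),
        "hosts": sorted(hosts),
        "current_disposition": matching[-1].disposition,
    }

def trajectory_points(events: Iterable[FileEvent], sha256: str) -> list:
    """Data points for the map: (time, sender, receiver, disposition), in order,
    so each transfer hop between hosts can be pinpointed."""
    return [(e.time, e.sender, e.receiver, e.disposition)
            for e in _events_for(events, sha256)]

if __name__ == "__main__":
    summary = file_trajectory_summary(SAMPLE_EVENTS, SAMPLE_SHA256)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for point in trajectory_points(SAMPLE_EVENTS, SAMPLE_SHA256):
        print(point)
```

The current disposition is taken from the newest event on purpose: a file that was Unknown when first seen can later be reclassified, and the trajectory is where that change becomes visible against every host that handled the file in the meantime.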
Tip
To view related file events, click a field value link. The first page in the File Events default workflow
opens in a new window, displaying all file events that also contain the selected value.
The following table describes the summary information fields.