Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide, page 34-20
Chapter 34: Analyzing Malware and File Activity
Working with Malware Events
Malware Event Types

License: Malware or Any
Supported Devices: feature dependent
Supported Defense Centers: feature dependent

For network-based malware events, the event type can be one of:
• Threat Detected in Network File Transfer
• Threat Detected in Network File Transfer (retrospective)
Table 34-4 Malware Event Fields (continued)

Columns: Field, Description, and whether the field applies to network-based events (Network), endpoint-based events (Endpoint), and retrospective events generated by the cloud (Retrospective from Cloud).

Field: Application Risk
Description: The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those. For more information, see the table.
Network: yes | Endpoint: no | Retrospective from Cloud: yes

Field: Business Relevance
Description: The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see the
Network: yes | Endpoint: no | Retrospective from Cloud: yes

Field: Detector
Description: The FireAMP detector that identified the malware, such as ClamAV, Spero, or SHA.
Network: no | Endpoint: yes | Retrospective from Cloud: no

Field: Message
Description: Any additional information associated with the malware event. For network-based malware events, this field is populated only for files whose disposition has changed; see
Network: yes | Endpoint: yes | Retrospective from Cloud: no

Field: FireAMP Cloud
Description: The name of the FireAMP cloud where the event originated.
Network: no | Endpoint: yes | Retrospective from Cloud: no

Field: Device
Description: For network-based malware events, the name of the device that detected the malware file. For endpoint-based malware events and retrospective malware events generated by the cloud, the name of the Defense Center.
Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Field: Security Context
Description: The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode.
Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Field: Count
Description: The number of events that match the information in each row. This field appears after you apply a constraint that creates two or more identical rows.
Network: n/a | Endpoint: n/a | Retrospective from Cloud: n/a