Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 34: Analyzing Malware and File Activity
The Defense Center logs records of the system's file inspection and handling as captured files, file events, and malware events:
• Captured files represent files that the system captured.
• File events represent files that the system detected, and optionally blocked, in network traffic.
• Malware events represent malware files detected, and optionally blocked, in network traffic by the system.
• Retrospective malware events represent files whose malware file dispositions have changed.
When the system generates a malware event based on detection or blocking of malware in network traffic, it also generates a file event, because to detect malware in a file, the system must first detect the file itself. Note that endpoint-based malware events generated by FireAMP Connectors (see ) do not have corresponding file events. Similarly, when the system captures a file in network traffic, it also generates a file event because the system first detected the file.
You can use the Defense Center to view, manipulate, and analyze captured files, file events, and malware events, then communicate your analysis to others. The Context Explorer, dashboards, event viewer, context menu, network file trajectory map, and reporting features can give you a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or alert you via email, SMTP, or syslog.
Because you cannot use a Malware license with a DC500, nor can you enable a Malware license on a Series 2 device, you cannot use those appliances to generate or analyze captured files, file events, and malware events associated with malware cloud lookups.
For more information, see:
For information on configuring your system to perform the malware protection and file control actions that produce the data discussed in this chapter, see