Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
34-18

Table 34-4 Malware Event Fields (continued)

Columns: Field | Description | Network | Endpoint | Retrospective from Cloud

Field: User
Description: The user of the host (Receiving IP) where the malware event occurred.
For network-based malware events, this user is determined by network discovery. Because the user is associated with the destination host, users are not associated with malware events where the user uploaded a malware file.
For endpoint-based malware events, FireAMP Connectors determine user names. FireAMP users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.
Network: yes | Endpoint: yes | Retrospective from Cloud: no

Field: Event Type
Description: The type of malware event. For a full list of event types, see
Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Field: Event Subtype
Description: The FireAMP action that led to malware detection, for example, Create, Execute, Move, or Scan.
Network: no | Endpoint: yes | Retrospective from Cloud: no

Field: Threat Name
Description: The name of the detected malware.
Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Field: File Name
Description: The name of the malware file.
Network: yes | Endpoint: yes | Retrospective from Cloud: no

Field: File Disposition
Description: One of the following file dispositions:
• Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
• Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
• Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
• Custom Detection indicates that a user added the file to the custom detection list.
• Unavailable indicates that the Defense Center could not perform a malware cloud lookup.
Note that clean files appear in the malware table only if they were changed to clean; see
Network: yes | Endpoint: no | Retrospective from Cloud: yes

Field: File SHA256
Description: The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition.
To view the network file trajectory, click the trajectory icon. For more information, see
Network: yes | Endpoint: yes | Retrospective from Cloud: yes