Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
If you do not enter a name, one is created automatically when you save the search.
Step 4
Enter your search criteria in the appropriate fields.
See the table for information on the fields in the malware events table.
Step 5
If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search as private.
If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 6
You have the following options:
• Click Search to start the search. Your search results appear in your default malware events workflow, constrained by the current time range.
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private).
Working with Captured Files
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
The system logs when a managed device captures a file detected in network traffic according to the rules in currently applied file policies. From the event viewer, you can view information associated with the captured file, such as the most recent file name associated with the SHA-256 value, the file disposition and threat score, the file storage status, and whether the file was manually submitted for dynamic analysis.
Note: Files captured by a device containing malware generate both a file event and a malware event, as malware must be detected before it is captured. For more information, see
and
You can use the Defense Center's event viewer to view and search captured files, as well as submit captured files for dynamic analysis. Additionally, the Files Dashboard provides an at-a-glance view of detailed information about the files (including malware files) detected on your network, using charts and graphs.
For more information, see:
•
•
•