Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Working with Malware Protection and File Control
Working with Network File Trajectory
Chapter 31
a new window with all the extra events constrained based on the file type. If 
endpoint-based malware events are not displayed, you must switch to the 
Malware Events table to view these.
Each data point represents an event plus the file disposition, as described in the 
legend below the map. For example, a Malware Block event icon combines the 
Malicious Disposition icon and the Block Event icon. 
Endpoint-based malware events include one icon. A retrospective event displays 
an icon in the column for each host on which the file is detected. File transfer 
events always include two icons, one file send icon and one file receive icon, 
connected by a vertical line. Arrows indicate the file transfer direction from sender 
to receiver. 
You can view summary information from the event icon by hovering your pointer 
over the event icon. The displayed summary information matches the 
information displayed in the Events table. The following screenshot shows an 
event icon’s summary information:
If you click any event summary information link, the first page of the File Events 
default workflow appears in a new window with all the extra events constrained 
based on the file type; the File Summary event view opens in a new window, 
displaying all file events that match on the criteria value you clicked.
To locate the first time a file event occurred involving an IP address, click the 
address. This highlights a path to that data point, as well as any intervening file 
events and IP addresses related to the first file event. The corresponding event in 
the Events table is also highlighted. The map scrolls to that data point if not 
currently visible. The following screenshot shows the path highlighted after 
clicking an IP address: