Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Captured Files
Viewing Captured Files
License: Malware
The FireSIGHT System’s event viewer allows you to view captured files in a table, as well as manipulate
the event view depending on the information relevant to your analysis.
The page you see when you access captured files differs depending on the workflow, which is simply a
series of pages you can use to evaluate events by moving from a broad to a more focused view. The
system is delivered with the following predefined workflows for captured files:
• Captured File Summary, the default, provides a breakdown of captured files based on type, category, and threat score.
• Dynamic Analysis Status provides a count of captured files based on whether they have been submitted for dynamic analysis.
You can also create a custom workflow that displays only the information that matches your specific
needs. For information on specifying a different default workflow, including a custom workflow, see
Using the event viewer, you can:
• search for, sort, and constrain events, as well as change the time range for displayed events
• specify the columns that appear (table view only)
• view events using different workflow pages within the same workflow
• view events using a different workflow altogether
• drill down page-to-page within a workflow, constraining on specific values
• bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
• view a file’s trajectory
• add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
• view a file’s Dynamic Analysis Summary report, if available
• submit up to 25 files at a time for dynamic analysis
• create a report template using the current constraints
Note that neither Series 2 devices nor the DC500 Defense Center support network-based malware
protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only
Series 2 devices cannot display captured files.
For detailed information on using the event viewer, including creating custom workflows, see
To view file events:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Files > Captured Files.