Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Captured Files
To search for captured files:

Access: Admin/Any Security Analyst

Step 1  Select Analysis > Search.
The Search page appears.

Step 2  From the Table drop-down list, select Captured Files.
The page reloads with the appropriate constraints.

Step 3  Optionally, if you want to save the search, enter a name for the search in the Name field.
If you do not enter a name, one is created automatically when you save the search.

Step 4  Enter your search criteria in the appropriate fields.
See the table for information on the fields in the captured files table.

Step 5  If you want to save the search so that other users can access it, clear the Save As Private check box.
Otherwise, leave the check box selected to save the search as private.
If you want to use the search as a data restriction for a custom user role, you must save it as a private search.

Step 6  You have the following options:
• Click Search to start the search.
  Your search results appear in your default captured file workflow, constrained by the current time range.
• Click Save if you are modifying an existing search and want to save your changes.
Table 34-7  Captured Files Special Search Syntax

Search Criterion: Storage Status
Special Syntax: Specify one or more of the following:
• File Stored - returns all captured files stored on the device
• Unable to Store File - returns all captured files not stored on the device

Search Criterion: Dynamic Analysis Status
Special Syntax: Specify one or more of the following:
• Sent for Analysis - returns all captured files queued for dynamic analysis
• Not Sent for Analysis - returns all captured files not submitted for dynamic analysis
• Analysis Complete - returns all captured files submitted for dynamic analysis that received a threat score and dynamic analysis summary report
• Previously Analyzed - returns all files with a cached threat score that a user tried to submit for dynamic analysis again
• Failure (Analysis Timeout) - returns all captured files submitted for dynamic analysis for which the cloud has yet to return a result
• Failure (Network Issue) - returns all files that did not get submitted for dynamic analysis due to a network connectivity failure
• Failure (Cannot Run File) - returns all files submitted for dynamic analysis that the cloud could not run in the test environment
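The following is an added example, not code or an API from the FireSIGHT System, that models the search constraints in Table 34-7 offline so an analyst can see how the criteria combine before typing them into the Search page. The record shape, the file names and timestamps, and the combination rule are assumptions made for the example: values ticked under one criterion are ORed ("specify one or more"), different criteria are ANDed, and the time range is applied on top of both. The `retry_candidates` triage rule (stored files whose analysis failed on a timeout or a network issue) is likewise chosen here, not prescribed by the guide.

```python
"""Offline model of the Captured Files search constraints in Table 34-7.

Added example, not FireSIGHT code. Records, file names and timestamps are
constructed; the way constraints combine (OR within a criterion, AND across
criteria, time range on top) is an assumption about the Search page.
"""
from datetime import datetime

# Legal values for each criterion, taken from Table 34-7.
STORAGE_STATUS = {"File Stored", "Unable to Store File"}
DYNAMIC_ANALYSIS_STATUS = {
    "Sent for Analysis", "Not Sent for Analysis", "Analysis Complete",
    "Previously Analyzed", "Failure (Analysis Timeout)",
    "Failure (Network Issue)", "Failure (Cannot Run File)",
}
CRITERIA = {"storage_status": STORAGE_STATUS,
            "dynamic_analysis_status": DYNAMIC_ANALYSIS_STATUS}

# Constructed sample records (hypothetical names and timestamps).
CAPTURED_FILES = [
    {"name": "invoice.pdf", "storage_status": "File Stored",
     "dynamic_analysis_status": "Analysis Complete", "seen": datetime(2015, 3, 1, 10, 0)},
    {"name": "setup.exe", "storage_status": "File Stored",
     "dynamic_analysis_status": "Failure (Analysis Timeout)", "seen": datetime(2015, 3, 2, 11, 0)},
    {"name": "report.docx", "storage_status": "Unable to Store File",
     "dynamic_analysis_status": "Failure (Network Issue)", "seen": datetime(2015, 3, 2, 12, 0)},
    {"name": "tool.elf", "storage_status": "File Stored",
     "dynamic_analysis_status": "Failure (Cannot Run File)", "seen": datetime(2015, 3, 3, 8, 0)},
    {"name": "notes.txt", "storage_status": "File Stored",
     "dynamic_analysis_status": "Not Sent for Analysis", "seen": datetime(2015, 3, 4, 9, 0)},
    {"name": "macro.xls", "storage_status": "File Stored",
     "dynamic_analysis_status": "Previously Analyzed", "seen": datetime(2015, 3, 4, 10, 0)},
    {"name": "old.zip", "storage_status": "File Stored",
     "dynamic_analysis_status": "Failure (Network Issue)", "seen": datetime(2015, 2, 1, 9, 0)},
]

# Example time range (assumed), standing in for the workflow's current time range.
EXAMPLE_WINDOW = (datetime(2015, 3, 1), datetime(2015, 3, 5))


def validate(criteria):
    """Reject criterion names or values that Table 34-7 does not define."""
    for field, values in criteria.items():
        if field not in CRITERIA:
            raise ValueError(f"unknown search criterion: {field}")
        bad = set(values) - CRITERIA[field]
        if bad:
            raise ValueError(f"invalid {field} value(s): {sorted(bad)}")


def search_captured_files(records, criteria, time_range=None):
    """Return records that match every criterion (values within one criterion are
    ORed, an empty value set means 'any') and, if given, fall inside the
    (start, end) time range."""
    validate(criteria)
    start, end = time_range if time_range else (None, None)
    hits = []
    for rec in records:
        if start is not None and rec["seen"] < start:
            continue
        if end is not None and rec["seen"] > end:
            continue
        if all(not values or rec[field] in values for field, values in criteria.items()):
            hits.append(rec)
    return hits


# Failures that a resubmission can plausibly clear (triage rule chosen for this example).
RETRYABLE_FAILURES = {"Failure (Analysis Timeout)", "Failure (Network Issue)"}


def retry_candidates(records, time_range=None):
    """Names of stored files whose dynamic analysis failed on a timeout or a
    network issue. 'Failure (Cannot Run File)' is excluded because the cloud
    could not execute the sample, so resubmitting would fail the same way; files
    that were not stored on the device cannot be resubmitted at all."""
    hits = search_captured_files(
        records,
        {"storage_status": {"File Stored"},
         "dynamic_analysis_status": RETRYABLE_FAILURES},
        time_range)
    return [rec["name"] for rec in hits]


if __name__ == "__main__":
    print("retry candidates in window:", retry_candidates(CAPTURED_FILES, EXAMPLE_WINDOW))
    print("retry candidates, all time:", retry_candidates(CAPTURED_FILES))
```

Running the block lists `setup.exe` for the example window and adds `old.zip` once the time range is dropped, which mirrors the guide's note that results are constrained by the current time range: a file that failed on a network issue last month will not show up until the range is widened.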