Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 34-9
Chapter 34  Analyzing Malware and File Activity
Working with File Events
Step 1  Select Analysis > Files > File Events.

The first page of your default file events workflow appears. For information on the columns that appear, see Understanding the File Events Table.

Tip: To quickly view the connections where specific files were detected, select the files using the check boxes in the event viewer, then select Connection Events from the Jump to drop-down list. For more information, see

Understanding the File Events Table

License: Protection
The Defense Center logs a file event when a managed device detects or blocks a file being transmitted 
in monitored network traffic, according to the settings in an applied file policy.
The table view of file events, which is the final page in predefined file event workflows, and which you can add to custom workflows, includes a column for each field in the files table. Some fields in the table view of file events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
Keep in mind that although you can perform file control with only a Protection license, a Malware 
license allows you to perform advanced malware protection for certain file types and track files 
transferred on your network.
The following table describes the file event fields.

Table 34-2  File Event Fields

Time
    The date and time the event was generated.

Action
    The action associated with the file policy rule that detected the file, and any associated file action options.

Sending IP
    The IP address of the host sending the detected file.

Sending Country
    The country of the host sending the detected file. Note that the DC500 Defense Center does not support this feature.

Receiving IP
    The IP address of the host receiving the detected file.

Receiving Country
    The country of the host receiving the detected file. Note that the DC500 Defense Center does not support this feature.

Sending Port
    The source port used by the traffic where the file was detected.

Receiving Port
    The destination port used by the traffic where the file was detected.

User
    The user logged into the host (Receiving IP) where the file was destined. Note that because the user is associated with the destination host, users are not associated with file events where the user uploaded a file.

File Name
    The name of the file.
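Two of the behaviours above routinely confuse analysts working with exported file events: the Jump to > Connection Events pivot (for a download the file's Sending IP is the server, i.e. the connection's responder rather than its initiator) and the User column being tied to the receiving host, so an upload from a known internal user shows no user. The following Python is an added example, not code or an export format from the FireSIGHT System; the record layouts, the initiator/responder naming of connection fields, the host-to-user map and the sample events are all constructed for illustration.

```python
"""Added illustration of two Table 34-2 behaviours on constructed data.
Nothing here is a Defense Center export format or API; record layouts,
connection field names and sample values are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    """Subset of the Table 34-2 columns (constructed layout)."""
    time: datetime
    action: str
    sending_ip: str
    sending_port: int
    receiving_ip: str
    receiving_port: int
    file_name: str


@dataclass(frozen=True)
class ConnectionEvent:
    """Assumed shape of a connection event; the connection table is not
    described on this page, so initiator/responder naming is an assumption."""
    start: datetime
    initiator_ip: str
    initiator_port: int
    responder_ip: str
    responder_port: int


def attribute_user(ev: FileEvent, host_users: Dict[str, str]) -> Optional[str]:
    """Table 34-2 rule for the User column: the user logged into the host at
    Receiving IP.  An upload from an internal host therefore gets no user,
    even though the Defense Center knows who is logged into the sender."""
    return host_users.get(ev.receiving_ip)


def connections_for(ev: FileEvent, conns: List[ConnectionEvent],
                    window: timedelta = timedelta(seconds=60)) -> List[ConnectionEvent]:
    """The Jump to > Connection Events pivot.  A file event's Sending IP is
    whichever side transmitted the file, so for a download it is the
    connection responder; match the 4-tuple in both orientations and keep
    only connections that started within `window` of the file event."""
    ev_tuple = (ev.sending_ip, ev.sending_port, ev.receiving_ip, ev.receiving_port)
    matches = []
    for c in conns:
        forward = (c.initiator_ip, c.initiator_port, c.responder_ip, c.responder_port)
        reverse = (c.responder_ip, c.responder_port, c.initiator_ip, c.initiator_port)
        if ev_tuple in (forward, reverse) and abs(c.start - ev.time) <= window:
            matches.append(c)
    return matches


# --- constructed sample data (not a Defense Center export) -----------------
T0 = datetime(2014, 6, 1, 12, 0, 0)

# Host -> logged-in user, as the Defense Center would learn it (constructed).
HOST_USERS: Dict[str, str] = {"10.1.1.20": "alice", "10.1.1.31": "bob"}

FILE_EVENTS = [
    # Download: web server 203.0.113.5:80 sends payroll.pdf to alice's host.
    FileEvent(T0, "Detect", "203.0.113.5", 80, "10.1.1.20", 51234, "payroll.pdf"),
    # Upload: bob's host 10.1.1.31:52000 sends report.docx to an outside host.
    FileEvent(T0 + timedelta(seconds=5), "Block", "10.1.1.31", 52000,
              "198.51.100.9", 443, "report.docx"),
]

CONNECTIONS = [
    ConnectionEvent(T0 - timedelta(seconds=2), "10.1.1.20", 51234, "203.0.113.5", 80),
    ConnectionEvent(T0 + timedelta(seconds=3), "10.1.1.31", 52000, "198.51.100.9", 443),
    # Same 4-tuple reused an hour later: outside the window, must not match.
    ConnectionEvent(T0 + timedelta(hours=1), "10.1.1.20", 51234, "203.0.113.5", 80),
]


if __name__ == "__main__":
    for ev in FILE_EVENTS:
        user = attribute_user(ev, HOST_USERS)
        conns = connections_for(ev, CONNECTIONS)
        print(f"{ev.file_name}: action={ev.action} user={user!r} "
              f"connections={len(conns)}")
```

Run as a script it attributes payroll.pdf to alice and matches it to the first connection even though alice's host is the initiator, while report.docx matches its connection but carries no user because bob's host is the sender; the later reuse of the same port pair is excluded by the time window.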