Cisco FirePOWER Appliance 8360
34-8
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with File Events
The FireSIGHT System’s event viewer allows you to view file events in a table, as well as manipulate
the event view depending on the information relevant to your analysis.
The page you see when you access file events differs depending on the workflow, which is simply a series
of pages you can use to evaluate events by moving from a broad to a more focused view. The system is
delivered with the following predefined workflows for file events:
• File Summary, the default, provides a quick breakdown of the different file event categories and
types, along with any associated malware file dispositions.
• Hosts Receiving Files and Hosts Sending Files provide a list of hosts that have received or sent files,
grouped by the associated malware dispositions for those files.
Note: File dispositions appear only for files for which the system performed a malware cloud lookup; see
You can also create a custom workflow that displays only the information that matches your specific
needs. For information on specifying a different default workflow, including a custom workflow, see
Using the event viewer, you can:
• search for, sort, and constrain events, as well as change the time range for displayed events
• specify the columns that appear (table view only)
• view the host profile associated with an IP address, or the user details and host history associated
with a user identity
• view the connections where specific files were detected
• view events using different workflow pages within the same workflow
• view events using a different workflow altogether
• drill down page-to-page within a workflow, constraining on specific values
• bookmark the current page and constraints so you can return to the same data (assuming the data
still exists) at a later time
• view the sending and receiving countries and continents for routable IP addresses associated with a
file
• view a file’s trajectory
• add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a
file’s SHA-256 value
• view a file’s Dynamic Analysis Summary report, if available
• create a report template using the current constraints
• delete events from the database
• use the IP address context menu to whitelist, blacklist, or obtain additional available information
about a host or IP address associated with a file event
For detailed information on using the event viewer, including creating custom workflows, see
To view file events:
Access: Admin/Any Security Analyst