Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
General Search Syntax
The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:
• All fields accept negation (!).
• All fields accept comma-separated lists. If you enter multiple criteria, the search returns only the records that match all the criteria.
• Many fields accept one or more asterisks (*) as wild cards.
• Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
• Click the add object icon ( ) that appears next to a search field to use an object as a search criterion.
For detailed information on search syntax, including using objects in searches, see .
Special Search Syntax for Malware Events
To supplement the general search syntax listed above, the following table describes some special search syntax for malware events.
To search for malware events:
Access: Admin/Any Security Analyst
Step 1 Select Analysis > Search.
The Search page appears.
Step 2 From the Table drop-down list, select Malware Events.
The page reloads with the appropriate constraints.
Step 3 Optionally, if you want to save the search, enter a name for the search in the Name field.
Table 34-5 Malware Event Special Search Syntax

Search Criterion: Special Syntax

Sending/Receiving IP: The system returns all events where either the Sending IP or the Receiving IP matches the IP address you specify.

Event Type: When searching for events with a specific malware event type (see ), enclose the event type in quotation marks, for example, "Scan Completed With Detection". Otherwise, the system performs a partial match. That is, if you search using the same string but do not use quotation marks, the system returns events with the following types:
• Scan Completed, No Detections
• Scan Completed With Detection

Initiator/Responder Continent: The system returns all events where either the Initiator Continent or the Responder Continent matches the continent you specify.

Initiator/Responder Country: The system returns all events where either the Initiator Country or the Responder Country matches the country you specify.

URI or Message: The system performs a partial match, that is, you can search for all or part of the field contents without using asterisks.
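As an added illustration (not Cisco's code), the following Python models the rules from the general search syntax list and Table 34-5 above against a few constructed sample events, so an analyst can see which records a given combination of negation, comma lists, wild cards, n/a and quoted versus unquoted event types returns. The sample events, column names, and the any-of semantics assumed for comma lists and for unquoted partial matches are assumptions, not documented product behaviour.

```python
import re

# Constructed sample malware events (not real data) with a subset of the columns
# on the FireSIGHT search page; None models a field that is "not available".
EVENTS = [
    {"id": 1, "sending_ip": "10.0.0.5", "receiving_ip": "192.0.2.10",
     "event_type": "Scan Completed With Detection", "uri": "http://files.example/a.exe"},
    {"id": 2, "sending_ip": "192.0.2.10", "receiving_ip": "10.0.0.7",
     "event_type": "Scan Completed, No Detections", "uri": None},
    {"id": 3, "sending_ip": "10.0.0.9", "receiving_ip": "10.0.0.5",
     "event_type": "Threat Detected in Network File Transfer", "uri": "http://files.example/b.zip"},
]
# Search fields that match either of two columns, and columns where an unquoted
# term is a partial match (both per Table 34-5).
EITHER = {"sending_receiving_ip": ("sending_ip", "receiving_ip")}
PARTIAL = {"event_type", "uri"}

def term_matches(term, value, column):
    """Apply one search term to one field value using the documented rules."""
    if term == "n/a":                        # information not available
        return value is None
    if value is None:
        return False
    if len(term) > 1 and term[0] == term[-1] == '"':
        return value == term[1:-1]           # quoted: exact match only
    if "*" in term:                          # asterisks are wild cards
        pattern = ".*".join(re.escape(p) for p in term.split("*"))
        return re.fullmatch(pattern, value) is not None
    if column in PARTIAL:                    # partial match without asterisks;
        return any(w in value for w in term.split())  # assumed: any word of the term
    return value == term

def field_matches(criterion, column, value):
    """Handle '!' negation and comma-separated lists (quoted terms may hold commas).
    Assumption, not stated on the page: any term in the list may match."""
    negate = criterion.startswith("!")
    body = criterion[1:] if negate else criterion
    terms = [t.strip() for t in re.findall(r'"[^"]*"|[^,]+', body)]
    return any(term_matches(t, value, column) for t in terms) != negate

def search(criteria, events=EVENTS):
    """Return ids of events matching ALL criteria ({search_field: criterion_string})."""
    results = []
    for ev in events:
        for field, crit in criteria.items():
            if not any(field_matches(crit, c, ev.get(c)) for c in EITHER.get(field, (field,))):
                break
        else:                                # every criterion matched
            results.append(ev["id"])
    return results
```

Run search({"event_type": "Scan Completed With Detection"}) against search({"event_type": '"Scan Completed With Detection"'}) to see the quoted-versus-partial difference the table describes.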