Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 34: Analyzing Malware and File Activity
The Defense Center logs records of the system's file inspection and handling as captured files, file events, and malware events:
  • Captured files represent files that the system captured.
  • File events represent files that the system detected, and optionally blocked, in network traffic.
  • Malware events represent malware files detected, and optionally blocked, in network traffic by the system.
  • Retrospective malware events represent files whose malware file dispositions have changed.
When the system generates a malware event based on detection or blocking of malware in network traffic, it also generates a file event, because to detect malware in a file, the system must first detect the file itself. Note that endpoint-based malware events generated by FireAMP Connectors (see ) do not have corresponding file events. Similarly, when the system captures a file in network traffic, it also generates a file event, because the system first detected the file.
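The three relationships above (a network malware event always has a file event, an endpoint malware event from a FireAMP Connector has none, and a retrospective event is a change in a file's disposition) are easy to state and easy to get wrong when you export the events and correlate them yourself. The following is an added example, not Cisco's code and not the FireSIGHT or eStreamer record format: it runs over constructed sample records to (1) flag network malware events that reference no file event while exempting endpoint events, (2) derive retrospective events from a sequence of per-hash disposition lookups, and (3) list the hosts that already received a file before its disposition changed, which is the question a trajectory lookup answers. Field names, hash values and addresses are hypothetical.

```python
# Added example (hypothetical record layout, not FireSIGHT/eStreamer output).
# Files are identified by SHA-256; hashes are shortened for readability.

# Constructed network file events. Every file the system detected gets one.
FILE_EVENTS = [
    {"file_event_id": 1, "sha256": "a1b2", "src": "198.51.100.20", "dst": "10.1.1.5", "ts": 100, "disposition": "Clean"},
    {"file_event_id": 2, "sha256": "a1b2", "src": "198.51.100.20", "dst": "10.1.1.9", "ts": 160, "disposition": "Clean"},
    {"file_event_id": 3, "sha256": "c3d4", "src": "203.0.113.7", "dst": "10.1.1.5", "ts": 200, "disposition": "Malware"},
]

# Constructed malware events. "source" says whether the sensor saw it on the
# wire ("network") or a FireAMP Connector reported it from an endpoint.
MALWARE_EVENTS = [
    # network detection: must be paired with file event 3
    {"malware_event_id": 10, "source": "network", "sha256": "c3d4", "file_event_id": 3, "host": "10.1.1.5", "ts": 200},
    # endpoint detection by a FireAMP Connector: no file event exists, by design
    {"malware_event_id": 11, "source": "endpoint", "sha256": "e5f6", "file_event_id": None, "host": "10.1.1.9", "ts": 220},
    # inconsistent record: claims network origin but points at a file event we never saw
    {"malware_event_id": 12, "source": "network", "sha256": "ffff", "file_event_id": 99, "host": "10.1.1.3", "ts": 230},
]

# Constructed cloud disposition lookups as (ts, sha256, disposition).
# The last entry is the cloud reclassifying a1b2 after two hosts already got it.
DISPOSITION_LOG = [
    (100, "a1b2", "Clean"),
    (160, "a1b2", "Clean"),
    (200, "c3d4", "Malware"),
    (300, "a1b2", "Malware"),
]


def unpaired_network_malware_events(malware_events, file_events):
    """Return network malware events whose file_event_id matches no file event.

    A network malware event without a file event violates the invariant that
    the file must be detected before malware in it can be. Endpoint events are
    skipped because FireAMP Connector events legitimately have no file event.
    """
    known = {fe["file_event_id"] for fe in file_events}
    return [me for me in malware_events
            if me["source"] == "network" and me["file_event_id"] not in known]


def retrospective_events(disposition_log):
    """Emit one retrospective event each time a hash's disposition differs from
    the previous disposition recorded for that hash, in timestamp order."""
    last = {}
    out = []
    for ts, sha, disp in sorted(disposition_log):
        prev = last.get(sha)
        if prev is not None and prev != disp:
            out.append({"sha256": sha, "old": prev, "new": disp, "ts": ts})
        last[sha] = disp
    return out


def exposed_hosts(sha256, changed_at, file_events):
    """Hosts that received the file at or before the disposition change: the
    trajectory a responder wants when a Clean file becomes Malware."""
    return sorted({fe["dst"] for fe in file_events
                   if fe["sha256"] == sha256 and fe["ts"] <= changed_at})


def triage(file_events=FILE_EVENTS, malware_events=MALWARE_EVENTS, log=DISPOSITION_LOG):
    """Tie the three checks together into one report."""
    retro = retrospective_events(log)
    return {
        "unpaired_ids": [me["malware_event_id"]
                         for me in unpaired_network_malware_events(malware_events, file_events)],
        "retrospective": retro,
        "exposed": {r["sha256"]: exposed_hosts(r["sha256"], r["ts"], file_events)
                    for r in retro if r["new"] == "Malware"},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the sample data the report flags malware event 12 as unpaired, derives a single retrospective event for a1b2 (Clean to Malware at ts 300), and lists 10.1.1.5 and 10.1.1.9 as hosts that received a1b2 while it was still rated Clean. The disposition check sorts by timestamp first, so lookups that arrive out of order (common when merging several exports) still produce the change events in the right sequence.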
You can use the Defense Center to view, manipulate, and analyze captured files, file events, and malware events, then communicate your analysis to others. The Context Explorer, dashboards, event viewer, context menu, network file trajectory map, and reporting features can give you a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or to alert you via email, SNMP, or syslog.
Because you cannot use a Malware license with a DC500, nor enable a Malware license on a Series 2 device, you cannot use those appliances to generate or analyze captured files, file events, and malware events associated with malware cloud lookups.
For information on configuring your system to perform the malware protection and file control actions that produce the data discussed in this chapter, see