File and malware events, which you can view and search using
workflows, contain the fields listed in this section. Keep in mind that the
information available for any individual event can vary depending on how and
why it was generated.
Note
Files identified as malware by AMP for Networks generate both a file event and a malware event. Malware events generated by AMP for Endpoints do not have corresponding file events, and file events do not have AMP for Endpoints-related fields.
Action
The action associated with the file policy rule that detected the file, and any associated file rule action options.
AMP Cloud
The name of the AMP cloud where the AMP for Endpoints event originated.
Application File Name
The client application accessing the malware file when AMP for Endpoints detection occurred. These applications are not tied to network discovery or application control.
Application File SHA256
The SHA-256 hash value of the parent file accessing the AMP for Endpoints-detected or quarantined file when detection occurred.
Application Protocol
The application protocol used by the traffic in which a managed device detected the file.
Application Protocol Category or Tag
The criteria that characterize the application to help you understand the application's function.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each
type of application detected in the connection has an associated risk; this field displays the highest of those.
Archive Depth
The level (if any) at which the file was nested in an archive file.
Archive Name
The name of the archive file (if any) which contained the malware file.
To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on the archive file’s table row to open the context menu, then click View Archive Contents.
Archive SHA256
The SHA-256 hash value of the archive file (if any) which contains the malware file.
To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on
that archive file’s table row to open the context menu, then click View Archive Contents.
Business Relevance
The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or
Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the
lowest (least relevant) of those.
Category / File Type Category
The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded,
Graphics, or System Files.
Client
The client application that runs on one host and relies on a server to send a file.
Client Category or Tag
The criteria that characterize the application to help you understand the application's function.
Count
After you apply a constraint that creates two or more identical rows, the number of events that match the information in each
row.
Detection Name
The name of the detected malware.
Detector
The AMP for Endpoints detector that identified the malware, such as ClamAV, Spero, or SHA.
Device
For file events and for malware events generated by Firepower devices, the name of the device that detected the file.
For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the name
of the Firepower Management Center.
Disposition / File Disposition
The file’s disposition:
- Malware: Indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
- Clean: Indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. Clean files appear in the malware table only if they were changed to clean.
- Unknown: Indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.
- Custom Detection: Indicates that a user added the file to the custom detection list.
- Unavailable: Indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.
- N/A: Indicates that a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.
File dispositions appear only for files for which the system queried the AMP cloud.
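The disposition values above carry different operational meanings: two of them are verdicts, one means the cloud has not answered yet, one means the lookup itself failed, and N/A means no lookup was attempted. The following is an added example, not part of this reference or of the Firepower product, that triages a CSV export of file events by disposition, separates "lookup failed" from "not looked up", validates the SHA256 column, and warns when the Unavailable share grows beyond the small percentage the page describes as normal. The column names follow the field names in this reference; the sample rows, the dummy hashes, the Message text and the 5% warning threshold are constructed assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Dispositions that mean the system queried the AMP cloud (every value except N/A).
CLOUD_QUERIED = {"Malware", "Clean", "Unknown", "Custom Detection", "Unavailable"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
# Assumption for this example: the page only says a small share of Unavailable
# lookups is expected, so the 5% warning threshold is ours, not the product's.
UNAVAILABLE_WARN_RATIO = 0.05

# Constructed sample export (not a real FMC export). Column names follow the field
# names in this reference; hashes are dummy values and the Message text is made up.
_HASH = "ab" * 32
SAMPLE_CSV = f"""\
Time,Disposition,Action,File Name,SHA256,Threat Score,Message
2024-01-01 10:00:00,Malware,Malware Cloud Lookup,invoice.exe,{_HASH},87,
2024-01-01 10:01:00,Clean,Malware Cloud Lookup,setup.msi,{_HASH},,Disposition changed from Unknown to Clean
2024-01-01 10:02:00,Unknown,Malware Cloud Lookup,notes.pdf,{_HASH},,
2024-01-01 10:03:00,N/A,Detect Files,readme.txt,,,
2024-01-01 10:04:00,Unavailable,Block Malware,tool.zip,{_HASH},,
2024-01-01 10:05:00,Custom Detection,Block Malware,dropper.dll,{_HASH},,
2024-01-01 10:06:00,Unknown,Malware Cloud Lookup,bad.bin,deadbeef,,
"""


def triage_event(row):
    """Map one exported event row to a triage category using the disposition
    semantics from this reference. Returns (category, note)."""
    disp = row.get("Disposition", "").strip()
    if disp in ("Malware", "Custom Detection"):
        return "investigate", f"{disp}: cloud/local verdict or custom detection list"
    if disp == "Clean":
        # Clean files appear in the malware table only if their disposition changed,
        # and Message is populated only for such retrospective changes.
        if row.get("Message", "").strip():
            return "review", "retrospective change to Clean"
        return "ignore", "clean"
    if disp == "Unknown":
        return "recheck", "cloud has not categorized the file yet"
    if disp == "Unavailable":
        return "retry", "AMP cloud could not be queried"
    if disp == "N/A":
        return "no-verdict", "Detect/Block Files rule; cloud not queried"
    return "unexpected", f"unrecognized disposition {disp!r}"


def triage_export(csv_text):
    """Triage every row of an export and compute the share of failed cloud lookups
    among the rows for which a lookup was attempted."""
    results = []
    counts = Counter()
    queried = unavailable = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        category, note = triage_event(row)
        sha = row.get("SHA256", "").strip()
        # A SHA256 is only present for rules that hashed the file (see the SHA256
        # field); a value that is present but malformed is flagged, not silently used.
        sha_ok = bool(SHA256_RE.match(sha)) if sha else None
        results.append({"file": row.get("File Name", ""), "category": category,
                        "note": note, "sha256_valid": sha_ok})
        counts[category] += 1
        disp = row.get("Disposition", "").strip()
        if disp in CLOUD_QUERIED:
            queried += 1
            if disp == "Unavailable":
                unavailable += 1
    ratio = unavailable / queried if queried else 0.0
    return {"results": results, "counts": counts, "unavailable_ratio": ratio,
            "unavailable_warning": ratio > UNAVAILABLE_WARN_RATIO}


if __name__ == "__main__":
    report = triage_export(SAMPLE_CSV)
    for item in report["results"]:
        print(f"{item['file']:<14} {item['category']:<11} sha_ok={item['sha256_valid']}  {item['note']}")
    print(f"unavailable share of cloud lookups: {report['unavailable_ratio']:.1%}"
          f" (warning={report['unavailable_warning']})")
```

The N/A row deliberately has no SHA256 (a Detect Files rule without Store files does not produce one), so `sha256_valid` is `None` rather than `False` for it; only a hash that is present but not 64 hex characters is reported as invalid.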
Domain
For file events and for malware events generated by Firepower devices, the domain of the device that detected the file. For
malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the domain
associated with the AMP cloud connection that reported the event.
This field is only present if you have ever configured the Firepower Management Center for multitenancy.
Event Subtype
The AMP for Endpoints action that led to malware detection, for example, Create, Execute, Move, or Scan.
Event Type
The sub-type of malware event.
File Name
The name of the file.
File Path
The file path of the malware file detected by AMP for Endpoints, not including the file name.
File Policy
The file policy that detected the file.
File Storage / Stored (Search Only)
The storage status of the file associated with the event:
- Stored: Returns all events where the associated file is currently stored.
- Stored in connection: Returns all events where the system captured and stored the associated file, regardless of whether the associated file is currently stored.
- Failed: Returns all events where the system failed to store the associated file.
File Timestamp
The time and date at which, as detected by AMP for Endpoints, the malware file was created.
HTTP Response Code
The HTTP status code sent in response to a client's HTTP request when a file is transferred.
IOC
Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When AMP
for Endpoints data triggers an IOC rule, a full malware event is generated, with the type AMP IOC.
Message
Additional information associated with a malware event. For file events and for malware events generated by Firepower devices,
this field is populated only for files whose disposition has changed, that is, that have an associated retrospective event.
Receiving Continent
The continent of the host receiving the file.
Receiving Country
The country of the host receiving the file.
Receiving Port
The destination port used by the traffic where the file was detected.
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only displays this
field when managing at least one ASA FirePOWER device that is running in multiple context mode.
Sending Continent
The continent of the host sending the file.
Sending Country
The country of the host sending the file.
Sending Port
The source port used by the traffic where the file was detected.
SHA256 / File SHA256
The SHA-256 hash value of the file.
To have a SHA256 value, the file must have been handled by one of:
- a Detect Files file rule with Store files enabled
- a Block Files file rule with Store files enabled
- a Malware Cloud Lookup file rule
- a Block Malware file rule
- AMP for Endpoints
This column also displays a network file trajectory icon that represents the most recently detected file event and file disposition,
and that links to the network file trajectory.
Size (KB) / File Size (KB)
The size of the file, in kilobytes.
Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated. In this case, this field is blank.
SSL Actual Action (Search Only)
The action the system applied to encrypted traffic:
- Block or Block with reset: Represents blocked encrypted connections.
- Decrypt (Resign): Represents an outgoing connection decrypted using a re-signed server certificate.
- Decrypt (Replace Key): Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
- Decrypt (Known Key): Represents an incoming connection decrypted using a known private key.
- Default Action: Indicates the connection was handled by the default action.
- Do not Decrypt: Represents a connection the system did not decrypt.
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Certificate Information (Search Only)
The information stored on the public key certificate used to encrypt traffic, including:
- Subject/Issuer Common Name
- Subject/Issuer Organization
- Subject/Issuer Organization Unit
- Not Valid Before/After
- Serial Number, Certificate Fingerprint
- Public Key Fingerprint
SSL Failure Reason (Search Only)
The reason the system failed to decrypt encrypted traffic:
- Unknown
- No Match
- Success
- Uncached Session
- Unknown Cipher Suite
- Unsupported Cipher Suite
- Unsupported SSL Version
- SSL Compression Used
- Session Undecryptable in Passive Mode
- Handshake Error
- Decryption Error
- Pending Server Name Category Lookup
- Pending Common Name Category Lookup
- Internal Error
- Network Parameters Unavailable
- Invalid Server Certificate Handle
- Server Certificate Fingerprint Unavailable
- Cannot Cache Subject DN
- Cannot Cache Issuer DN
- Unknown SSL Version
- External Certificate List Unavailable
- External Certificate Fingerprint Unavailable
- Internal Certificate List Invalid
- Internal Certificate List Unavailable
- Internal Certificate Unavailable
- Internal Certificate Fingerprint Unavailable
- Server Certificate Validation Unavailable
- Server Certificate Validation Failure
- Invalid Action
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Status
The action associated with the SSL Actual Action (SSL rule, default action, or undecryptable traffic action) that logged the encrypted connection. The Lock icon links to TLS/SSL certificate details. If the certificate is unavailable (for example, for connections blocked due to TLS/SSL handshake error), the lock icon is grayed out.
If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action (undecryptable traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection,
this field displays Do Not Decrypt (Unknown Cipher Suite).
When searching this field, type one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.
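Because SSL Status concatenates the SSL Actual Action with an optional parenthesized SSL Failure Reason, and some action names ("Decrypt (Resign)", "Decrypt (Replace Key)") themselves contain parentheses, a naive split on "(" misreads a successful resign decryption as a failure. The following is an added example, not part of this reference or of the Firepower product, that parses SSL Status values back into their two components by matching the longest known action name first and then validating the remainder against the failure-reason list above. The value lists are copied from the fields on this page; the sample status strings are constructed for the example.

```python
import re

# Canonical values from the SSL Actual Action field above.
SSL_ACTUAL_ACTIONS = [
    "Block", "Block with reset", "Decrypt (Resign)", "Decrypt (Replace Key)",
    "Decrypt (Known Key)", "Default Action", "Do not Decrypt",
]
# Values from the SSL Failure Reason field above. "Success" is listed there too,
# so it is accepted as a reason but not treated as a decryption failure.
SSL_FAILURE_REASONS = {
    "Unknown", "No Match", "Success", "Uncached Session", "Unknown Cipher Suite",
    "Unsupported Cipher Suite", "Unsupported SSL Version", "SSL Compression Used",
    "Session Undecryptable in Passive Mode", "Handshake Error", "Decryption Error",
    "Pending Server Name Category Lookup", "Pending Common Name Category Lookup",
    "Internal Error", "Network Parameters Unavailable",
    "Invalid Server Certificate Handle", "Server Certificate Fingerprint Unavailable",
    "Cannot Cache Subject DN", "Cannot Cache Issuer DN", "Unknown SSL Version",
    "External Certificate List Unavailable",
    "External Certificate Fingerprint Unavailable", "Internal Certificate List Invalid",
    "Internal Certificate List Unavailable", "Internal Certificate Unavailable",
    "Internal Certificate Fingerprint Unavailable",
    "Server Certificate Validation Unavailable", "Server Certificate Validation Failure",
    "Invalid Action",
}

# Constructed sample SSL Status values, as they would appear in the events table.
SAMPLE_STATUSES = [
    "Decrypt (Resign)",
    "Do Not Decrypt (Unknown Cipher Suite)",
    "Block with reset (Handshake Error)",
    "Default Action",
]


def parse_ssl_status(status):
    """Split an SSL Status value into its SSL Actual Action and optional SSL Failure
    Reason. The longest action name is tried first so that the parentheses in
    "Decrypt (Resign)" are not mistaken for a failure reason. Matching is
    case-insensitive because the page shows both "Do not Decrypt" and "Do Not Decrypt"."""
    text = status.strip()
    for action in sorted(SSL_ACTUAL_ACTIONS, key=len, reverse=True):
        if text.lower().startswith(action.lower()):
            rest = text[len(action):].strip()
            break
    else:
        raise ValueError(f"no known SSL Actual Action in {status!r}")
    reason = None
    if rest:
        m = re.fullmatch(r"\((.+)\)", rest)
        if m is None:
            raise ValueError(f"unexpected trailing text in {status!r}")
        reason = m.group(1).strip()
        if reason not in SSL_FAILURE_REASONS:
            raise ValueError(f"unknown SSL Failure Reason {reason!r} in {status!r}")
    return {
        "action": action,
        "failure_reason": reason,
        "decrypted": action.startswith("Decrypt"),
        "decryption_failed": reason is not None and reason != "Success",
    }


def undecryptable(statuses):
    """Return (status, reason) pairs for connections the system could not decrypt,
    the subset a search on failure-reason values in this field would return."""
    out = []
    for s in statuses:
        parsed = parse_ssl_status(s)
        if parsed["decryption_failed"]:
            out.append((s, parsed["failure_reason"]))
    return out


if __name__ == "__main__":
    for s in SAMPLE_STATUSES:
        print(f"{s!r:<42} -> {parse_ssl_status(s)}")
    print("undecryptable:", undecryptable(SAMPLE_STATUSES))
```

Strict validation is deliberate: a status that names an action or reason outside the lists on this page raises rather than being silently classified, so a typo in a saved search or a value from a different product version surfaces immediately instead of quietly dropping out of a report.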
SSL Subject/Issuer Country (Search Only)
The two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.
Threat Name
The name of the detected malware.
Threat Score
The threat score most recently associated with this file. This is a value from 0 to 100 based on the potentially malicious
behaviors observed during dynamic analysis.
The threat score icon links to the Dynamic Analysis Summary report.
Time
The date and time the event was generated. This field is not searchable.
Type / File Type
The type of file, for example, HTML or MSEXE.
URI / File URI
The URI of the connection associated with the file transaction, for example, the URL from which a user downloaded the file.
User
The username associated with the IP address that initiated the connection. If this IP address is external to your network,
the associated username is typically unknown.
For file events and for malware events generated by Firepower devices, this field displays the username that was determined
by an identity policy or authoritative logins. In the absence of an identity policy, it displays No Authentication Required.
For malware events generated by AMP for Endpoints, AMP for Endpoints determines user names. These users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.
Web Application
The application that represents the content or requested URL for HTTP traffic detected in the connection.
Web Application Category or Tag
Criteria that characterize the application to help you understand the application's function.