Analyzing Malware and File Activity

The Defense Center logs records of the system’s file inspection and handling as captured files, file events, and malware events:

  • Captured files represent files that the system captured.
  • File events represent files that the system detected, and optionally blocked, in network traffic.
  • Malware events represent malware files detected, and optionally blocked, in network traffic by the system.
  • Retrospective malware events represent files whose malware file dispositions have changed.

When the system generates a malware event based on detection or blocking of malware in network traffic, it also generates a file event, because to detect malware in a file, the system must first detect the file itself. Note that endpoint-based malware events generated by FireAMP Connectors (see Integrating FireAMP with the FireSIGHT System) do not have corresponding file events. Similarly, when the system captures a file in network traffic, it also generates a file event because the system first detected the file.

You can use the Defense Center to view, manipulate, and analyze captured files, file events, and malware events, then communicate your analysis to others. The Context Explorer, dashboards, event viewer, context menu, network file trajectory map, and reporting features can give you a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or alert you via email, SMTP, or syslog.

Because you cannot use a Malware license with a DC500 or enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to generate or analyze captured files, file events, and malware events associated with malware cloud lookups or with the contents of archive files.

For more information, see:

For information on configuring your system to perform the malware protection and file control actions that produce the data discussed in this chapter, see Blocking Malware and Prohibited Files.

Working with File Storage

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

Based on your file policy configuration, you can use the file control feature to detect and block files. However, files originating from a suspicious host or network, or an excess of files sent to a monitored host on your network, may require further analysis. The file storage feature allows you to capture selected files detected in traffic, and automatically store them to a device’s hard drive or, if installed, the malware storage pack.

When a device detects a file in traffic, it can capture that file. This creates a copy the system can either store or submit for dynamic analysis. After your device captures the files, you have several options:

Note that once a device stores a file, it will not re-capture it if the file is detected in the future and the device still has that file stored.


Note A file detected for the first time ever is assigned a disposition after the Defense Center completes a cloud lookup. The system generates a file event, but cannot store a file unless the file is immediately assigned a disposition.

If a previously undetected file matches a file rule with a Block Malware action, the subsequent cloud lookup immediately returns a disposition, allowing the system to store the file and generate events.

If a previously undetected file matches a file rule with a Malware Cloud Lookup action, the system generates file events but requires additional time to perform a cloud lookup and return a disposition. Due to this delay, the system cannot store files matching a file rule with a Malware Cloud Lookup action until the second time they are seen on your network.


Whether the system captures or stores a file, you can:

  • Review information about the captured file from the event viewer, including whether the file was stored or submitted for dynamic analysis, file disposition, and threat score, allowing you to quickly review possible malware threats detected on your network. See Working with Captured Files for more information.
  • View the file’s trajectory to determine how it traversed your network and which hosts have a copy. See Analyzing Network File Trajectory for more information.
  • Add the file to the clean list or custom detection list to always treat the file as if it had a clean or malware disposition on future detection. See Working with File Lists for more information.

You configure file rules in a file policy to capture and store files of a specific type, or with a particular file disposition, if available. After you associate the file policy with an access control policy and apply it to your devices, matching files in traffic are captured and stored. You can also limit the minimum and maximum file sizes to store. See Tuning File and Malware Inspection Performance and Storage and Working with File Rules for more information.

File storage requires sufficient disk space on the device. If the device’s primary hard drive does not have enough space, and you do not have a malware storage pack installed, you cannot store files on the device.


Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the FireSIGHT System Malware Storage Pack Guide for more information.

Note that because you cannot use a Malware license with a DC500 or enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to capture or store files.

For more information, see:

Understanding Captured File Storage

License: Malware

Supported Devices: 8000 Series

Based on your file policy configuration, your device may store a substantial amount of file data to the hard drive. You can install a malware storage pack in the device; the system stores files to the malware storage pack, allowing more room on the primary hard drive to store events and configuration files. The system periodically deletes older files.


Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the FireSIGHT System Malware Storage Pack Guide for more information.

Without a malware storage pack installed, when you configure a device to store files, it allocates a set portion of the primary hard drive’s space solely to captured file storage. When you install a malware storage pack in a device and configure the device to store files, the device instead allocates the entire malware storage pack for storing captured files. The device cannot store any other information on the malware storage pack.

When the allocated space for captured file storage fills to capacity, the system deletes the oldest stored files until the allocated space reaches a system-defined threshold. Based on the number of files stored, you may see a substantial drop in disk usage after the system deletes files.

If a device has already stored files when you install a malware storage pack, the next time you restart the device, any captured files stored on the primary hard drive are moved to the malware storage pack. Any future files the device stores are stored to the malware storage pack. If the device’s primary hard drive does not have enough available space nor an installed malware storage pack, you cannot store files.

Note that you cannot include stored files in system backup files. For more information, see Creating Backup Files.

Downloading Stored Files to Another Location

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

Once a device stores a file, as long as the Defense Center can communicate with that device and it has not deleted the file, you can download the file. You can manually analyze the file, or download it to a local host for long-term storage and analysis. You can download a file from any associated file event, malware event, captured file view, or the file’s trajectory. For more information, see Using the Context Menu and Summary Information.

Because malware is harmful, by default, you must confirm every file download. However, you can disable the confirmation in the file download prompt. To re-enable the confirmation, see File Preferences.


Caution Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

Because files with a disposition of Unknown may contain malware, when you download a file, the system first archives the file in a .zip package. The .zip file name contains the file disposition and file type, if available, and SHA-256 value. You can password-protect the .zip file to prevent accidental unpacking. To edit or remove the default .zip file password, see File Preferences.
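One defensive habit this packaging supports is checking, before any analysis, that what arrived is the file the event refers to. The following added example (not Cisco code and not part of this guide) reads a downloaded .zip entirely in memory, hashes each member with SHA-256, and compares the result with the SHA-256 embedded in the archive's file name. Nothing is extracted to disk or executed. The page states only that the name contains the disposition, the file type (if available) and the SHA-256 value, so the hash is located by pattern rather than by position; the "<disposition>_<type>_<sha256>.zip" layout used by the sample builder is an assumption for this example, and the sample archive is constructed here from harmless text. A password, when the archive is protected, is passed as bytes in `pwd`; the constructed sample is unencrypted, in which case `zipfile` ignores it.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# A SHA-256 value is 64 hex digits. The archive name is searched by pattern because the
# page gives only its contents (disposition, type, SHA-256), not their exact layout.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def expected_sha256_from_name(archive_name: str) -> Optional[str]:
    """Pull the SHA-256 embedded in the downloaded .zip's file name, if present."""
    match = SHA256_RE.search(archive_name)
    return match.group(0).lower() if match else None


def verify_download_archive(archive_name: str, zip_bytes: bytes,
                            pwd: Optional[bytes] = None) -> Dict[str, object]:
    """Hash every member of the .zip in memory and compare each against the SHA-256
    carried in the archive name. Nothing is written to disk or executed; pwd is only
    consulted by zipfile when a member is actually encrypted."""
    expected = expected_sha256_from_name(archive_name)
    members: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info, pwd=pwd) as member:
                # Stream in chunks so large captured files do not need to fit in memory twice.
                for chunk in iter(lambda: member.read(64 * 1024), b""):
                    digest.update(chunk)
            sha256 = digest.hexdigest()
            members.append({"name": info.filename, "size": info.file_size,
                            "sha256": sha256, "matches_name": sha256 == expected})
    verified = expected is not None and bool(members) and all(m["matches_name"] for m in members)
    return {"archive": archive_name, "expected_sha256": expected,
            "members": members, "verified": verified}


def build_sample_archive(payload: bytes, disposition: str = "Unknown",
                         file_type: str = "TXT") -> Tuple[str, bytes]:
    """Construct a stand-in for a downloaded archive (sample data, not a real download).
    The "<disposition>_<type>_<sha256>.zip" name layout is an assumption of this example."""
    sha256 = hashlib.sha256(payload).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(sha256, payload)  # member named by its hash, as a neutral choice
    return f"{disposition}_{file_type}_{sha256}.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample_archive(b"constructed sample content\n")
    print(verify_download_archive(name, data)["verified"])  # True for the untampered sample
```

A `verified` value of False means either the name carries no SHA-256 or at least one member's hash differs from it, which is the point at which the file should be treated as not the one the event described.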

Working with Dynamic Analysis

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

To increase the accuracy of the cloud, and to provide additional malware analysis and threat identification, you can submit eligible captured files to the Cisco cloud for dynamic analysis. The cloud runs the file in a test environment and, based on the results, returns a threat score and dynamic analysis summary report to the Defense Center. You can also submit eligible files to the cloud for Spero analysis, which examines the file’s structure to supplement the malware identification.

Submitting a file to the cloud for dynamic analysis depends on the type of file captured, as well as the allowable minimum and maximum file sizes configured in the access control policy. You can submit:

  • a file automatically for dynamic analysis if a file rule performs a malware cloud lookup on an executable file and the file disposition is Unknown
  • up to twenty-five files at once manually for dynamic analysis if stored and a supported file type, such as PDFs, Microsoft Office documents, and others

Once submitted, the files are queued for analysis in the cloud. You can view captured files and a file’s trajectory to determine whether a file has been submitted for dynamic analysis. Note that each time a file is submitted for dynamic analysis, the cloud analyzes the file, even if the first analysis generated results.

For more information, see Working with File Rules and Submitting Files for Dynamic Analysis.


Note The system checks the cloud, no more than once a day, for updates to the list of file types eligible for dynamic analysis and to the minimum and maximum file sizes you can submit.


The cloud performs dynamic analysis by running the file in a sandbox environment. It returns:

  • a threat score, which details the likelihood a file contains malware.
  • a dynamic analysis summary report, which details why the cloud assigned the threat score.

Based on the file policy configuration, you can automatically block files whose threat score falls above a defined threshold. You can also review the dynamic analysis summary report to better identify malware and fine-tune your detection capabilities.

To supplement dynamic analysis, if a file rule performs a malware cloud lookup on an executable file, you can automatically submit the file for Spero analysis. The cloud examines the executable file’s structure, including metadata and header information, and can identify files as malware. See Understanding Malware Protection and File Control for more information.

Note that because you cannot use a Malware license with a DC500 or enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to submit files for dynamic analysis or Spero analysis.


Note You can configure your managed devices to submit files to the Cisco cloud via HTTP proxy. To configure physical appliances, see Configuring Management Interfaces for more information. To configure virtual appliances, see http-proxy. Cisco NGIPS for Blue Coat X-Series does not support proxy settings.


For more information, see:

Understanding Spero Analysis

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

Spero analysis supplements analysis of SHA-256 hashes, allowing for more complete identification of malware in executable files. Spero analysis involves the device examining file structural characteristics such as metadata and header information. After generating a Spero signature based on this information, the device submits it to the Spero heuristic engine in the Cisco cloud. Based on the Spero signature, the Spero engine returns whether the file is malware. If so, and the file currently has an unknown file disposition, the system assigns a Malware file disposition. For more information on file dispositions, see Understanding Malware Protection and File Control.

Note that you can only submit executable files for Spero analysis upon detection; you cannot manually submit them later. You can submit the file for Spero analysis without also submitting it for dynamic analysis. For more information, see Working with File Rules.

Submitting Files for Dynamic Analysis

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

From the event viewer context menu or network file trajectory, you can manually submit a file for dynamic analysis. In addition to executable files, you can also submit file types not eligible for automatic submission, such as PDFs, Microsoft Office documents, and others. See Using the Context Menu and Summary Information for more information.

To analyze multiple files after an incident, regardless of file disposition, you can manually submit up to 25 files (of specific types) at a time from the captured file view. This allows you to more quickly analyze a broad range of files and pinpoint the exact causes of the incident. For more information, see Working with Captured Files and Selecting Rows on a Workflow Page.

Reviewing the Threat Score and Dynamic Analysis Summary

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

After you submit a file for dynamic analysis, the Cisco cloud analyzes the file’s signatures and returns both a threat score and a dynamic analysis summary. These can help you more closely analyze potential malware threats and fine-tune your detection strategy.

Threat Scores

Files fall into one of four threat score ratings that correspond with the likelihood the file is malicious:

 

Table 40-1 Threat Score Ratings

Threat Score    Icon    Rating
Low             ( )     1-25
Medium          ( )     26-50
High            ( )     51-75
Very High       ( )     76-100

The Defense Center caches a file’s threat score locally for the same amount of time as the file’s disposition. If the system later detects these files, it displays the cached threat scores to the user instead of again querying the Cisco cloud. Based on your file policy configuration, you can automatically assign a malware file disposition to any file with a threat score that exceeds the defined malware threshold threat score. For more information, see Creating a File Policy.

Dynamic Analysis Summary

If a dynamic analysis summary is available, you can click the threat score icon to view it. The dynamic analysis summary describes the various component ratings that comprise the overall threat score assigned by the Vulnerability Research Team (VRT) file analysis, as well as other processes started when the cloud attempted to run the file.

If multiple reports exist, this summary is based on the most recent report matching the exact threat score. If none match the exact threat score, then the report with the highest threat score is displayed. If more than one report exists, you can select a threat score to view each separate report.

The summary lists each component threat comprising the threat score. Each component threat is expandable to list the VRT’s findings, as well as any processes related to this component threat.

The process tree shows the processes that started when the cloud attempted to run the file. This can help identify whether a file that contains malware is attempting to access processes and system resources beyond what is expected (for example, running a Word document opens Microsoft Word, then starts Explorer, then starts Java).

Each listed process contains a process identifier and MD5 checksum you can use to verify the actual process. The process tree displays processes started as a result of parent processes as child nodes.

From the dynamic analysis summary, you can click View Full Report to view the VRT’s Analysis report, detailing the VRT’s full analysis, including general file information, a more in-depth review of all detected processes, a breakdown of the file analysis, and other relevant information.

Working with File Events

License: Protection

The system logs the file events generated when a managed device detects or blocks a file in network traffic, according to the rules in currently applied file policies. Note that when the system generates a file event, the system also logs the end of the associated connection to the Defense Center database, regardless of the logging configuration of the invoking access control rule. For more information, see Understanding and Creating File Policies.


Note Files detected in network traffic and identified as malware by the FireSIGHT System generate both a file event and a malware event. This is because to detect malware in a file, the system must first detect the file itself. Endpoint-based malware events do not have corresponding file events. For more information, see Working with Malware Events and Working with Captured Files.


You can use the Defense Center’s event viewer to view, search, and delete file events. Additionally, the Files Dashboard provides an at-a-glance view of detailed information about the files (including malware files) detected on your network, using charts and graphs. Network file trajectory offers a more in-depth view of individual files, providing summary information about the file and how it has moved through the network over time. Using file identification data, you can trigger correlation rules and create reports, the latter using either the predefined Files Report template or a custom report template.

For more information, see:

Viewing File Events

License: Protection

The FireSIGHT System’s event viewer allows you to view file events in a table, as well as manipulate the event view depending on the information relevant to your analysis. Note that the information available for any individual file event depends on several factors, including licenses. For more information, see Service Subscriptions.

The page you see when you access file events differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. The system is delivered with the following predefined workflows for file events:

  • File Summary, the default, provides a quick breakdown of the different file event categories and types, along with any associated malware file dispositions.
  • Hosts Receiving Files and Hosts Sending Files provide a list of hosts that have received or sent files, grouped by the associated malware dispositions for those files.

Note File dispositions appear only for files for which the system performed a malware cloud lookup; see File Rule Actions and Evaluation Order.


You can also create a custom workflow that displays only the information that matches your specific needs. For information on specifying a different default workflow, including a custom workflow, see Configuring Event View Settings.

The FireSIGHT System supports the display and input of file names that use Unicode (UTF-8) characters in all areas of the web interface, including the event viewer, event search, dashboard, Context Explorer, and so on. Note, however, that reports you generate in PDF format do not support Unicode; Unicode file names appear in the PDF report in transliterated form. For more information, see Generating and Viewing Reports. Note also that the SMB protocol converts Unicode file names to printable characters; files you detect over SMB that have Unicode file names appear with periods ( . ) in place of any unprintable characters.

Using the event viewer, you can:

  • search for, sort, and constrain events, as well as change the time range for displayed events
  • specify the columns that appear (table view only)
  • view the host profile associated with an IP address, or the user details and host history associated with a user identity
  • view the connections where specific files were detected
  • view events using different workflow pages within the same workflow
  • view events using a different workflow altogether
  • drill down page-to-page within a workflow, constraining on specific values
  • bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
  • view the sending and receiving countries and continents for routable IP addresses associated with a file
  • view a file’s trajectory
  • add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
  • view a file’s Dynamic Analysis Summary report, if available
  • view nested files inside an archive file
  • create a report template using the current constraints
  • delete events from the database
  • use the IP address context menu to whitelist, blacklist, or obtain additional available information about a host or IP address associated with a file event

For detailed information on using the event viewer, including creating custom workflows, see Understanding and Using Workflows.

To quickly view the connections where specific files were detected, select the files using the check boxes in the event viewer, then select Connections Events from the Jump to drop-down list. For more information, see Navigating Between Workflows.

To view file events:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Files > File Events.

The first page of your default file events workflow appears. For information on the columns that appear, see Understanding the File Events Table.


 

Understanding the File Events Table

License: Protection

The Defense Center logs a file event when a managed device detects or blocks a file being transmitted in monitored network traffic, according to the settings in an applied file policy.

The table view of file events, which is the final page in predefined file event workflows, and which you can add to custom workflows, includes a column for each field in the files table. Some fields in the table view of file events are disabled by default. To enable a field for the duration of your session, click the expand arrow ( ) to expand the search constraints, then click the column name under Disabled Columns.

Keep in mind that the information available for any individual file event depends on several factors, including licenses. For example, although you can perform file control with only a Protection license, a Malware license allows you to perform advanced malware protection for certain file types and track files transferred on your network.

The following table describes the file event fields.

 

Table 40-2 File Event Fields

Field
Description

Time

The date and time the event was generated.

Action

The action associated with the file policy rule that detected the file, and any associated file action options.

Sending IP

The IP address of the host sending the detected file.

Sending Country

The country of the host sending the detected file.

Note that the DC500 Defense Center does not support this feature.

Receiving IP

The IP address of the host receiving the detected file.

Receiving Country

The country of the host receiving the detected file.

Note that the DC500 Defense Center does not support this feature.

Sending Port

The source port used by the traffic where the file was detected.

Receiving Port

The destination port used by the traffic where the file was detected.

SSL Status

The action associated with the SSL rule, default action, or undecryptable traffic action that logged the encrypted connection:

  • Block and Block with reset represent blocked encrypted connections.
  • Decrypt (Resign) represents an outgoing connection decrypted using a re-signed server certificate.
  • Decrypt (Replace Key) represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
  • Decrypt (Known Key) represents an incoming connection decrypted using a known private key.
  • Default Action indicates the connection was handled by the default action.
  • Do not Decrypt represents a connection the system did not decrypt.

If the system fails to decrypt an encrypted connection, it displays the undecryptable traffic action taken, as well as the failure reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allowed it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

Click the lock icon ( ) to view certificate details. For more information, see Viewing the Certificate Associated with an Encrypted Connection.

User

The user logged into the host (Receiving IP) where the file was destined.

Note that because the user is associated with the destination host, users are not associated with file events where the user uploaded a file.

File Name

The name of the file.

Disposition

One of the following file dispositions:

  • Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
  • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
  • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
  • Custom Detection indicates that a user added the file to the custom detection list.
  • Unavailable indicates that the Defense Center could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.
  • N/A indicates a Detect Files or Block Files rule handled the file and the Defense Center did not perform a malware cloud lookup.

SHA256

The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition, if this file was detected as the result of:

  • a Detect Files file rule with Store Files enabled
  • a Block Files file rule with Store Files enabled
  • a Malware Cloud Lookup file rule
  • a Block Malware file rule

To view the network file trajectory, click the trajectory icon. For more information, see Analyzing Network File Trajectory.

Threat Score

The threat score most recently associated with this file:

  • Low ( )
  • Medium ( )
  • High ( )
  • Very High ( )

To view the Dynamic Analysis Summary report, click the threat score icon.

Type

The type of file, for example, HTML or MSEXE.

Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Size (KB)

The size of the file, in kilobytes. Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated and this field is blank.

URI

The originating URI of the file, for example, the URL where a user downloaded it.

Archive Name

Name of the archive file (if any) with which the file is associated, for example, archive.zip. To view the contents of an archive file, right-click on the archive file’s event viewer row to open the context menu, then click View Archive Contents. For more information, see Viewing the Contents of Archived Files.

Archive SHA256

The SHA-256 hash value of the archive file (if any) with which the file is associated.

Archive Depth

The level (if any) at which the file was nested in an archive file, for example, 1 or 3.

Application Protocol

The application protocol used by the traffic in which a managed device detected the file.

Application Protocol, Client, or Web Application Category or Tag

Criteria that characterize the application to help you understand the application's function; see Table 45-2.

Client

The client application used in the connection to transmit a file.

Web Application

For files transmitted using HTTP, the web application (content or requested URL) detected in the connection and used to transmit the file.

Application Risk

The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those. For more information, see Table 45-2.

Business Relevance

The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see Table 45-2.

Message

For files where a malware disposition has changed, that is, for files associated with retrospective malware events, information about when and how the disposition changed.

File Policy

The file policy that detected the file.

Device

The name of the device that detected the file.

Security Context

The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.

Count

The number of events that match the information in each row. This field appears after you apply a constraint that creates two or more identical rows.

Searching for File Events

License: Protection

Using the Defense Center’s Search page, you can search for specific file events, display the results in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.

Keep in mind that your search results depend on the available data in the events you are searching. In other words, depending on the available data, your search constraints may not apply. For example, the Disposition and SHA256 fields are populated only for files for which the Defense Center performed a malware cloud lookup.

General Search Syntax

The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:

  • All fields accept negation ( ! ).
  • All fields accept comma-separated lists of search values. Records that contain any of the listed values in the specified field match that search criteria.
  • All fields accept comma-separated lists enclosed in quotation marks as search values.

– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for A, B, "C, D, E" will match records where the specified field contains "A" or "B" or "C, D, E". This permits matching on fields that include the comma in possible values.

– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.

– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for A, B, "C, D, E" on a field that may contain one of more of these letters matches records where the specified field contains A or B , or all of C , D , and E .

  • Searches return only records that match the search criteria specified for all fields.
  • Many fields accept one or more asterisks ( * ) as wild cards.
  • Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
  • Use the device field to search for specific devices as well as devices in groups, stacks, or clusters. For more information on how the FireSIGHT System treats the device field in searches, see Specifying Devices in Searches.
  • Click the add object icon that appears next to a search field to use an object as a search criterion.

For detailed information on search syntax, including using objects in searches, see Searching for Events.

Special Search Syntax for File Events

To supplement the general search syntax listed above, the following list describes some special search syntax for file events.

Sending/Receiving Continent

The system returns all events where either the Sending Continent or the Receiving Continent matches the continent you specify.

Sending/Receiving Country

The system returns all events where either the Sending Country or the Receiving Country matches the country you specify.

Sending/Receiving IP

The system returns all events where either the Sending IP or the Receiving IP matches the IP address you specify.

URI or Message

The system performs a partial match, that is, you can search for all or part of the field contents without using asterisks.

File Storage

Type one or more of the following:

Stored returns all events where the associated file is currently stored.

Stored in connection returns all events where the system captured and stored the associated file, regardless of whether the associated file is currently stored.

Failed returns all events where the system failed to store the associated file.

The SSL Actual Action taken

Type any of the following keywords to view file events for encrypted traffic to which the system applied the action specified:

Do Not Decrypt represents connections the system did not decrypt.

Block and Block with Reset represent blocked encrypted connections.

Decrypt (Known Key) represents incoming connections decrypted using a known private key.

Decrypt (Replace Key) represents outgoing connections decrypted using a self-signed server certificate with a substituted public key.

Decrypt (Resign) represents outgoing connections decrypted using a re-signed server certificate.

This column does not appear in the file events table view.

The SSL Failure Reason

Type any of the following keywords to view file events for encrypted traffic that the system failed to decrypt for the reason specified:

Unknown

No Match

Success

Uncached Session

Unknown Cipher Suite

Unsupported Cipher Suite

Unsupported SSL Version

SSL Compression Used

Session Undecryptable in Passive Mode

Handshake Error

Decryption Error

Pending Server Name Category Lookup

Pending Common Name Category Lookup

Internal Error

Network Parameters Unavailable

Invalid Server Certificate Handle

Server Certificate Fingerprint Unavailable

Cannot Cache Subject DN

Cannot Cache Issuer DN

Unknown SSL Version

External Certificate List Unavailable

External Certificate Fingerprint Unavailable

Internal Certificate List Invalid

Internal Certificate List Unavailable

Internal Certificate Unavailable

Internal Certificate Fingerprint Unavailable

Server Certificate Validation Unavailable

Server Certificate Validation Failure

Invalid Action

This column does not appear in the file events table view.

The SSL Subject Country

Type a two-character ISO 3166-1 alpha-2 country code to view file events for encrypted traffic associated with the country of a certificate subject.

This column does not appear in the file events table view.

The SSL Issuer Country

Type a two-character ISO 3166-1 alpha-2 country code to view file events for encrypted traffic associated with the country of a certificate issuer.

This column does not appear in the file events table view.

SSL Certificate Fingerprint

Type or paste the SHA hash value used to authenticate a certificate to view file events for traffic associated with that certificate.

This column does not appear in the file events table view.

SSL Public Key Fingerprint

Type or paste the SHA hash value used to authenticate the public key contained within a certificate to view file events for traffic associated with that certificate.

This column does not appear in the file events table view.

To search for file events:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Search.

The Search page appears.

Step 2 Select File Events from the table drop-down list.

The page updates with the appropriate constraints.

Step 3 Enter your search criteria in the appropriate fields, as described in General Search Syntax and Special Search Syntax for File Events above.

Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.


Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.


Step 5 Optionally, you can save the search to be used again in the future. You have the following options:

    • Click Save to save the search criteria.

For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

    • Click Save as New to save a new search or assign a name to a search you created by altering a previously-saved search.

A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

Step 6 Click Search to start the search.

Your search results appear in your default file events workflow, constrained by the current time range.


 

Working with Malware Events

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The system logs malware events to the Defense Center database when:

  • a managed device detects a file in network traffic that is then identified as malware by a malware cloud lookup
  • a managed device detects a file on the custom detection list in network traffic
  • the system learns that a file’s malware disposition has changed; these are called retrospective malware events
  • a FireAMP Connector installed on an endpoint in your organization detects a threat and communicates that threat to the Cisco cloud

Because FireAMP malware detection is performed at the endpoint at download or execution time, while managed devices detect files in network traffic, the information in these malware events is different. Retrospective malware events also contain slightly different data than other network-based malware events, or endpoint-based malware events.

The following sections briefly describe the different kinds of malware events. For information on the overall malware detection process, see Understanding Malware Protection and File Control.

Endpoint-Based (FireAMP) Malware Events

If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their computers and mobile devices. These lightweight agents communicate with the Cisco cloud, which in turn communicates with your Defense Center; see Working with Cloud Connections for FireAMP. The cloud can send notification of threats, as well other kinds of information including data on scans, quarantines, blocked executions, and cloud recalls. The Defense Center logs this information to its database as malware events.


Note The IP addresses reported in endpoint-based malware events may not be in your network map—and may not even be in your monitored network at all. Depending on your deployment, level of compliance, and other factors, endpoints in your organization where FireAMP Connectors are installed may not be the same hosts as those monitored by your managed devices.


Malware Events Based on Network Traffic

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

With a Malware license, your managed devices can detect malware in network traffic as part of your overall access control configuration; see Understanding and Creating File Policies.

The following scenarios can lead to generating malware events:

  • If a managed device detects one of a set of specific file types, the Defense Center performs a malware cloud lookup, which returns a file disposition to the Defense Center of Malware, Clean, or Unknown.
  • If the Defense Center cannot establish a connection with the cloud, or the cloud is otherwise unavailable, the file disposition is Unavailable. You may see a small percentage of events with this disposition; this is expected behavior.
  • If the threat score associated with a file exceeds the malware threshold threat score defined in the file policy that detected the file, the Defense Center assigns a file disposition of Malware to the file.
  • If the managed device detects a file whose SHA-256 value is stored on the custom detection list, the Defense Center assigns a file disposition of Custom Detection to the file.
  • If the managed device detects a file on the clean list, the Defense Center assigns a file disposition of Clean to the file.

The Defense Center logs records of files’ detection and dispositions, along with other contextual data, as malware events.


Note Files detected in network traffic and identified as malware by the FireSIGHT System generate both a file event and a malware event. This occurs because to detect malware in a file, the system must first detect the file itself. For more information, see Working with File Events and Working with Captured Files.


Retrospective Malware Events

Supported Devices: Series 3, virtual

Supported Defense Centers: Any except DC500

For malware files detected in network traffic, file dispositions can change. For example, the Cisco cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse — that a malware-identified file is actually clean.

The cloud notifies the Defense Center if the file disposition changes for a file for which you performed a malware lookup in the last week. Then, two things happen:

  • The Defense Center generates a new retrospective malware event.

This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Defense Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.

  • The Defense Center changes the file disposition for previously detected files with the retrospective event’s associated SHA-256 hash value.

If a file’s disposition changes to Malware, the Defense Center logs a new malware event to its database. Except for the new disposition, the information in this new malware event is identical to that in the file event generated when the file was initially detected.

If a file’s disposition changes to Clean, the Defense Center does not remove the malware event from the malware table. Instead, the event simply reflects the change in disposition. This means that files with clean dispositions can appear in the malware table, but only if they were originally thought to be malware. Files that were never identified as malware appear only in the files table.

In either case, the malware event’s Message indicates how and when the disposition changed, for example:

Retrospective Event, Mon Oct 1 20:44:00 2012 (UTC), Old Disp: Unknown, New Disp: Malware
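The propagation described above, as an added example that is not code from this guide or from the FireSIGHT System: a Python model that generates and parses the Message text, creates the limited-information retrospective event for a SHA-256, adds a new per-file malware event only when the disposition becomes Malware, and keeps but relabels the existing rows when it becomes Clean. The field subsets, the seven-day window taken from "in the last week", and the hashes, IP addresses and threat name are constructed placeholders.

```python
"""Constructed model of how a retrospective disposition change propagates.
Not FireSIGHT code: it follows the behaviour described in the guide (one
retrospective event per SHA-256, a new per-file malware event only when the
new disposition is Malware, existing rows retained and relabelled for Clean)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

LOOKUP_WINDOW = timedelta(days=7)   # assumed reading of "lookup in the last week"
MESSAGE_RE = re.compile(r"^Retrospective Event, (?P<when>.+?) \(UTC\), "
                        r"Old Disp: (?P<old>[^,]+), New Disp: (?P<new>.+)$")


@dataclass
class FileEvent:                 # constructed subset of file-event fields
    sha256: str
    detected_at: datetime
    sending_ip: str
    receiving_ip: str
    disposition: str


@dataclass
class MalwareEvent:              # constructed subset of malware-event fields
    sha256: str
    time: datetime
    disposition: str
    threat_name: str
    retrospective: bool = False  # True for the limited-information cloud event
    sending_ip: Optional[str] = None
    receiving_ip: Optional[str] = None
    message: str = ""


def format_message(when: datetime, old: str, new: str) -> str:
    """Message text in the layout shown in the guide (day of month unpadded)."""
    w = when.astimezone(timezone.utc)
    return (f"Retrospective Event, {w:%a %b} {w.day} {w:%H:%M:%S %Y} (UTC), "
            f"Old Disp: {old}, New Disp: {new}")


def parse_message(message: str) -> Tuple[datetime, str, str]:
    """Inverse of format_message; raises ValueError for any other text."""
    m = MESSAGE_RE.match(message)
    if not m:
        raise ValueError(f"not a retrospective message: {message!r}")
    when = datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return when, m["old"].strip(), m["new"].strip()


def apply_disposition_change(file_events: List[FileEvent], malware_events: List[MalwareEvent],
                             sha256: str, new_disposition: str, threat_name: str,
                             notified_at: datetime) -> Tuple[Optional[MalwareEvent], List[MalwareEvent]]:
    """Apply one cloud notification. Returns (retrospective event, per-file events added)."""
    affected = [f for f in file_events
                if f.sha256 == sha256 and notified_at - f.detected_at <= LOOKUP_WINDOW]
    if not affected:                      # nothing looked up in the last week: no change
        return None, []
    message = format_message(notified_at, affected[0].disposition, new_disposition)
    retro = MalwareEvent(sha256, notified_at, new_disposition, threat_name,
                         retrospective=True, message=message)   # no IPs or other context
    malware_events.append(retro)
    added: List[MalwareEvent] = []
    for f in affected:
        f.disposition = new_disposition
        if new_disposition == "Malware":  # new row identical to the file event except disposition
            ev = MalwareEvent(sha256, f.detected_at, "Malware", threat_name,
                              sending_ip=f.sending_ip, receiving_ip=f.receiving_ip, message=message)
            malware_events.append(ev)
            added.append(ev)
    if new_disposition == "Clean":        # rows stay in the malware table, only relabelled
        for ev in malware_events:
            if ev.sha256 == sha256 and not ev.retrospective:
                ev.disposition, ev.message = "Clean", message
    return retro, added


def run_scenario() -> dict:
    """Constructed walk-through: two recent detections of one hash are reclassified
    as Malware, then the cloud reverses itself. Hashes, IPs and threat name are placeholders."""
    now = datetime(2012, 10, 1, 20, 44, tzinfo=timezone.utc)
    sha = "a" * 64
    files = [FileEvent(sha, now - timedelta(days=2), "10.0.0.5", "10.0.0.20", "Unknown"),
             FileEvent(sha, now - timedelta(days=3), "10.0.0.6", "10.0.0.21", "Unknown"),
             FileEvent(sha, now - timedelta(days=10), "10.0.0.7", "10.0.0.22", "Unknown"),  # too old
             FileEvent("b" * 64, now - timedelta(days=1), "10.0.0.8", "10.0.0.23", "Unknown")]
    table: List[MalwareEvent] = []
    retro1, added1 = apply_disposition_change(files, table, sha, "Malware", "Example.Threat", now)
    retro2, added2 = apply_disposition_change(files, table, sha, "Clean", "Example.Threat",
                                              now + timedelta(hours=1))
    return {"added_on_malware": len(added1), "added_on_clean": len(added2),
            "malware_table_rows": len(table),
            "clean_rows_kept": sum(1 for e in table if e.disposition == "Clean" and not e.retrospective),
            "old_file_untouched": files[2].disposition == "Unknown",
            "first_message": retro1.message, "second_message": retro2.message}
```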

Using Malware Events

You can use the Defense Center’s event viewer to view, search, and delete malware events. Additionally, the Files Dashboard and Context Explorer provide an at-a-glance view of detailed information about the files (including malware files) detected on your network, using charts and graphs. Network file trajectory offers a more in-depth view of individual malware files, providing summary information about the file and how it has moved through the network over time. Using malware detection data, you can trigger correlation rules and create reports, the latter using either the predefined Malware Report template or a custom report template.

For more information, see:

Viewing Malware Events

License: Malware or Any

The FireSIGHT System’s event viewer allows you to view malware events in a table, as well as manipulate the event view depending on the information relevant to your analysis. Note that the information available for any individual malware event depends on several factors, including licenses. For more information, see Service Subscriptions.

The page you see when you access malware events differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. The system is delivered with the following predefined workflows for malware events:

  • Malware Summary, the default, provides a list of detected malware, grouped by individual threat.
  • Malware Event Summary provides a quick breakdown of the different malware event types and subtypes.
  • Hosts Receiving Malware and Hosts Sending Malware provide a list of hosts that have received or sent malware, grouped by the associated malware dispositions for those files. Note that dispositions appear only for files detected as the result of Malware Cloud Lookup or Block Malware file rules.
  • Applications Introducing Malware provides a list of the client applications that accessed or executed the malware detected on endpoints in your organization. From this list, you can drill down into the individual malware files accessed by each parent client.

You can also create a custom workflow that displays only the information that matches your specific needs. For information on specifying a different default workflow, including a custom workflow, see Configuring Event View Settings.

The FireSIGHT System supports the display and input of Unicode (UTF-8) file names in all areas of the web interface, including the event viewer, event search, dashboard, Context Explorer, and so on. Note, however, that reports you generate in PDF format do not support Unicode; Unicode file names appear in the PDF report in transliterated form. For more information, see Generating and Viewing Reports.

Using the event viewer, you can:

  • search for, sort, and constrain events, as well as change the time range for displayed events
  • specify the columns that appear (table view only)
  • view the host profile associated with an IP address, or the user details and host history associated with a user identity
  • view the connections where specific malware was detected (for network-based malware events only)
  • view events using different workflow pages within the same workflow
  • view events using a different workflow altogether
  • drill down page-to-page within a workflow, constraining on specific values
  • bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
  • view geolocation information for routable IP addresses associated with a file
  • view a file’s trajectory
  • view nested files inside an archive file
  • create a report template using the current constraints
  • delete events from the database
  • add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
  • view a file’s Dynamic Analysis Summary report, if available
  • use the IP address context menu to whitelist, blacklist, or obtain additional available information about a host or IP address associated with a malware event

Note that Series 2 devices, Cisco NGIPS for Blue Coat X-Series, and the DC500 Defense Center do not support network-based malware protection or archive file inspection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events.

For detailed information on using the event viewer, including creating custom workflows, see Understanding and Using Workflows.

To view malware events:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Files > Malware Events.

The first page of your default malware events workflow appears. For information on the columns that appear, see Understanding the Malware Events Table.


 

Understanding the Malware Events Table

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The system logs malware events to the Defense Center database when a FireAMP Connector installed on an endpoint in your organization detects a threat, or a managed device detects a file in network traffic that is then identified as malware by a malware cloud lookup. The system also logs retrospective malware events when it learns that a file’s malware disposition has changed. Note that Series 2 devices, Cisco NGIPS for Blue Coat X-Series, and the DC500 Defense Center do not support network-based malware protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events. For more information, see Understanding Malware Protection and File Control and Working with Malware Events.

The table view of malware events, which is the final page in predefined malware event workflows, and which you can add to custom workflows, includes a column for each field in the files table. Some fields in the table view of malware events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.

Keep in mind that not every field is populated for every event; the different types of malware event can contain different information. For example, because FireAMP malware detection is performed at the endpoint at download or execution time, endpoint-based malware events contain information on file path, invoking client application, and so on. In contrast, because managed devices detect malware files in network traffic, their associated malware events contain port, application protocol, and originating IP address information about the connection used to transmit the file.

The following table lists each malware event field, and indicates whether the system displays information in that field, depending on the malware event type. Note that the DC500 Defense Center does not support sending or receiving continent or country geolocation information.

Table 40-3 Malware Event Fields

Each entry gives the field, its description, and whether the field is populated for network-based (Network), endpoint-based (Endpoint), and retrospective-from-cloud (Retrospective from Cloud) malware events.

Time

The date and time the event was generated.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Action

The file rule action for the rule the file matched, and any associated file rule action options.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Sending IP

The IP address of the host sending detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Sending Continent

The continent of the host sending detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Sending Country

The country of the host sending detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Receiving IP

For network-based malware events, the IP address of the host receiving detected malware.

For endpoint-based malware events, the IP address of the endpoint where the FireAMP Connector is installed and where the malware event occurred.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

Receiving Continent

The continent of the host receiving detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Receiving Country

The country of the host receiving detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Sending Port

The source port used by the traffic in which a managed device detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Receiving Port

The destination port used by the traffic in which a managed device detected malware.

Network: yes | Endpoint: no | Retrospective from Cloud: no

SSL Status

The action associated with the SSL rule, default action, or undecryptable traffic action that logged the encrypted connection:

  • Block and Block with reset represent blocked encrypted connections.
  • Decrypt (Resign) represents an outgoing connection decrypted using a re-signed server certificate.
  • Decrypt (Replace Key) represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
  • Decrypt (Known Key) represents an incoming connection decrypted using a known private key.
  • Do not Decrypt represents a connection the system did not decrypt.

If the system fails to decrypt an encrypted connection, it displays the undecryptable traffic action taken, as well as the failure reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allowed it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

Click the lock icon to view certificate details. For more information, see Viewing the Certificate Associated with an Encrypted Connection.

Network: yes | Endpoint: no | Retrospective from Cloud: no

User

The user of the host (Receiving IP) where the malware event occurred.

For network-based malware events, this user is determined by network discovery. Because the user is associated with the destination host, users are not associated with malware events where the user uploaded a malware file.

For endpoint-based malware events, FireAMP Connectors determine user names. FireAMP users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

Event Type

The type of malware event. For a full list of event types, see Malware Event Types.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Event Subtype

The FireAMP action that led to malware detection, for example, Create, Execute, Move, or Scan.

Network: no | Endpoint: yes | Retrospective from Cloud: no

Threat Name

The name of the detected malware.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

File Name

The name of the malware file.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

File Disposition

One of the following file dispositions:

  • Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
  • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
  • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
  • Custom Detection indicates that a user added the file to the custom detection list.
  • Unavailable indicates that the Defense Center could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.

Note that clean files appear in the malware table only if they were changed to clean; see Retrospective Malware Events.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

File SHA256

The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition.

To view the network file trajectory, click the trajectory icon. For more information, see Analyzing Network File Trajectory.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Threat Score

The threat score most recently associated with this file:

  • Low
  • Medium
  • High
  • Very High

To view the Dynamic Analysis Summary report, click the threat score icon.

Network: yes | Endpoint: no | Retrospective from Cloud: no

File Path

The file path of the malware file, not including the file name.

Network: no | Endpoint: yes | Retrospective from Cloud: no

File Type

The file type of the malware file, for example, HTML or MSEXE.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

File Type Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

File Timestamp

The time and date the malware file was created.

Network: no | Endpoint: yes | Retrospective from Cloud: no

File Size (KB)

The size of the malware file, in kilobytes.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

File URI

The originating URI of the malware file, for example, the URL where a user downloaded it.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Archive Name

Name of the archive file (if any) with which the malware file is associated, for example, archive.zip.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

Archive SHA256

The SHA-256 hash value of the archive file (if any) with which the malware file is associated. To view the contents of an archive file, right-click on that archive file’s event viewer row to open the context menu, then click View Archive Contents. For more information, see Viewing the Contents of Archived Files.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

Archive Depth

The level (if any) at which the file was nested in an archive file, for example, 1 or 3.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

Application File Name

The client application accessing the malware file when detection occurred. These applications are not tied to network discovery or application control.

Network: no | Endpoint: yes | Retrospective from Cloud: no

Application File SHA256

The SHA-256 hash value of the parent file accessing the FireAMP-detected or quarantined file when detection occurred.

Network: no | Endpoint: yes | Retrospective from Cloud: no

Application Protocol

The application protocol used by the traffic in which a managed device detected a malware file.

Network: yes | Endpoint: no | Retrospective from Cloud: no

Application Protocol, Client, or Web Application Category or Tag

Criteria that characterize the application to help you understand the application's function; see Table 45-2.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Client

The client application that runs on one host and relies on a server to send a file.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Web Application

The application that represents the content or requested URL for HTTP traffic detected in the connection.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

IOC

Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When endpoint-based malware detection triggers an IOC rule, a full malware event is generated, with the type FireAMP IOC. For more information on IOC, see Understanding Indications of Compromise.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Application Risk

The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those. For more information, see Table 45-2.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Business Relevance

The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see Table 45-2.

Network: yes | Endpoint: no | Retrospective from Cloud: yes

Detector

The FireAMP detector that identified the malware, such as ClamAV, Spero, or SHA.

Network: no | Endpoint: yes | Retrospective from Cloud: no

Message

Any additional information associated with the malware event.

For network-based malware events, this field is populated only for files whose disposition has changed; see Retrospective Malware Events.

Network: yes | Endpoint: yes | Retrospective from Cloud: no

FireAMP Cloud

The name of the FireAMP cloud where the event originated.

Network: no | Endpoint: yes | Retrospective from Cloud: no

Device

For network-based malware events, the name of the device that detected the malware file.

For endpoint-based malware events and retrospective malware events generated by the cloud, the name of the Defense Center.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Security Context

The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.

Network: yes | Endpoint: yes | Retrospective from Cloud: yes

Count

The number of events that match the information in each row. This field appears after you apply a constraint that creates two or more identical rows.

Network: n/a | Endpoint: n/a | Retrospective from Cloud: n/a

Malware Event Types

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

For network-based malware events, the event type can be one of:

  • Threat Detected in Network File Transfer
  • Threat Detected in Network File Transfer (retrospective)

An endpoint-based malware event can have any of the following types:

  • Blocked Execution
  • Cloud Recall Quarantine
  • Cloud Recall Quarantine Attempt Failed
  • Cloud Recall Quarantine Started
  • Cloud Recall Restore from Quarantine
  • Cloud Recall Restore from Quarantine Failed
  • Cloud Recall Restore from Quarantine Started
  • FireAMP IOC
  • Quarantine Failure
  • Quarantined Item Restored
  • Quarantine Restore Failed
  • Quarantine Restore Started
  • Scan Completed, No Detections
  • Scan Completed With Detections
  • Scan Failed
  • Scan Started
  • Threat Detected
  • Threat Detected in Exclusion
  • Threat Quarantined

If a file’s trajectory map contains malware events, the events are one of the following types: Threat Detected in Network File Transfer, Threat Detected in Network File Transfer (retrospective), Threat Detected, Threat Detected in Exclusion, and Threat Quarantined. See Working with Network File Trajectory for more information.

Note that Series 2 devices, Cisco NGIPS for Blue Coat X-Series, and the DC500 Defense Center do not support network-based malware protection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices can display only endpoint-based malware events.

Searching for Malware Events

License: Malware or Any

Using the Defense Center’s Search page, you can search for specific malware events, display the results in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.

Searches delivered with the system, labeled with (Cisco) in the Saved Searches list, serve as examples.

Keep in mind that your search results depend on the available data in the events you are searching. In other words, depending on the available data, your search constraints may not apply. For example, because endpoint-based malware events are not generated as a result of managed devices inspecting network traffic, they do not contain connection information (port, application protocol, and so on).

General Search Syntax

The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:

  • All fields accept negation ( ! ).
  • All fields accept comma-separated lists of search values. Records that contain any of the listed values in the specified field match that search criteria.
  • All fields accept comma-separated lists enclosed in quotation marks as search values.

– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for A, B, "C, D, E" will match records where the specified field contains "A" or "B" or "C, D, E" . This permits matching on fields that include the comma in possible values.

– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.

– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for A, B, "C, D, E" on a field that may contain one or more of these letters matches records where the specified field contains A or B, or all of C, D, and E.

  • Searches return only records that match the search criteria specified for all fields.
  • Many fields accept one or more asterisks (*) as wild cards.
  • Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
  • Use the device field to search for specific devices as well as devices in groups, stacks, or clusters. For more information on how the FireSIGHT System treats the device field in searches, see Specifying Devices in Searches.
  • Click the add object icon that appears next to a search field to use an object as a search criterion.

For detailed information on search syntax, including using objects in searches, see Searching for Events.

Special Search Syntax for Malware Events

To supplement the general search syntax listed above, the following list describes some special search syntax for malware events.

Sending/Receiving IP

The system returns all events where either the Sending IP or the Receiving IP matches the IP address you specify.

Event Type

When searching for events with a specific malware event type (see Malware Event Types), enclose the event type in quotation marks, for example, "Scan Completed With Detection". Otherwise, the system performs a partial match. That is, if you search using the same string but do not use quotation marks, the system returns events with the following types:

Scan Completed, No Detections

Scan Completed With Detection

Initiator/Responder Continent

The system returns all events where either the Initiator Continent or the Responder Continent matches the continent you specify.

Initiator/Responder Country

The system returns all events where either the Initiator Country or the Responder Country matches the country you specify.

URI or Message

The system performs a partial match, that is, you can search for all or part of the field contents without using asterisks.

The SSL Actual Action taken

Type any of the following keywords to view malware events for encrypted traffic to which the system applied the action specified:

Do Not Decrypt represents connections the system did not decrypt.

Block and Block with Reset represent blocked encrypted connections.

Decrypt (Known Key) represents incoming connections decrypted using a known private key.

Decrypt (Replace Key) represents outgoing connections decrypted using a self-signed server certificate with a substituted public key.

Decrypt (Resign) represents outgoing connections decrypted using a re-signed server certificate.

This column does not appear in the malware events table view.

The SSL Failure Reason

Type any of the following keywords to view malware events for encrypted traffic that the system failed to decrypt for the reason specified:

  • Unknown
  • No Match
  • Success
  • Uncached Session
  • Unknown Cipher Suite
  • Unsupported Cipher Suite
  • Unsupported SSL Version
  • SSL Compression Used
  • Session Undecryptable in Passive Mode
  • Handshake Error
  • Decryption Error
  • Pending Server Name Category Lookup
  • Pending Common Name Category Lookup
  • Internal Error
  • Network Parameters Unavailable
  • Invalid Server Certificate Handle
  • Server Certificate Fingerprint Unavailable
  • Cannot Cache Subject DN
  • Cannot Cache Issuer DN
  • Unknown SSL Version
  • External Certificate List Unavailable
  • External Certificate Fingerprint Unavailable
  • Internal Certificate List Invalid
  • Internal Certificate List Unavailable
  • Internal Certificate Unavailable
  • Internal Certificate Fingerprint Unavailable
  • Server Certificate Validation Unavailable
  • Server Certificate Validation Failure
  • Invalid Action

This column does not appear in the malware events table view.

The SSL Subject Country

Type a two-character ISO 3166-1 alpha-2 country code to view malware events for encrypted traffic associated with the country of a certificate subject.

This column does not appear in the malware events table view.

The SSL Issuer Country

Type a two-character ISO 3166-1 alpha-2 country code to view encrypted traffic associated with the country of a certificate issuer.

This column does not appear in the malware events table view.

SSL Certificate Fingerprint

Type or paste the SHA hash value used to authenticate a certificate to view traffic associated with that certificate.

This column does not appear in the malware events table view.

SSL Public Key Fingerprint

Type or paste the SHA hash value used to authenticate the public key contained within a certificate to view traffic associated with that certificate.

This column does not appear in the malware events table view.

To search for malware events:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Search.

The Search page appears.

Step 2 Select Malware Events from the table drop-down list.

The page updates with the appropriate constraints.

Step 3 Enter your search criteria in the appropriate fields, as described in General Search Syntax and Special Search Syntax for Malware Events above.

Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.


Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.


Step 5 Optionally, you can save the search to be used again in the future. You have the following options:

    • Click Save to save the search criteria.

For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

    • Click Save as New to save a new search or assign a name to a search you created by altering a previously saved search.

A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

Step 6 Click Search to start the search.

Your search results appear in your default malware events workflow, constrained by the current time range.



Working with Captured Files

License: Malware

Supported Devices: Any except Series 2 or X-Series

Supported Defense Centers: Any except DC500

The system logs when a managed device captures a file detected in network traffic according to the rules in currently applied file policies. From the event viewer, you can view information associated with the captured file, such as the most recent file name associated with the SHA-256 value, the file disposition and threat score, the file storage status, the archive inspection status, and whether the file was manually submitted for dynamic analysis.


Note Files containing malware that a device captures generate both a file event and a malware event, because the malware must be detected before the file is captured. For more information, see Working with File Events and Working with Malware Events.


You can use the Defense Center’s event viewer to view and search captured files, as well as submit captured files for dynamic analysis. Additionally, the Files Dashboard provides an at-a-glance view of detailed information about the files (including malware files) detected on your network, using charts and graphs.

For more information, see:

Viewing Captured Files

License: Malware

The FireSIGHT System’s event viewer allows you to view captured files in a table, as well as manipulate the event view depending on the information relevant to your analysis.

The page you see when you access captured files differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. The system is delivered with the following predefined workflows for captured files:

  • Captured File Summary , the default, provides a breakdown of captured files based on type, category, and threat score.
  • Dynamic Analysis Status provides a count of captured files based on whether they have been submitted for dynamic analysis.

You can also create a custom workflow that displays only the information that matches your specific needs. For information on specifying a different default workflow, including a custom workflow, see Configuring Event View Settings.

The FireSIGHT System supports the display and input of Unicode (UTF-8) file names in all areas of the web interface, including the event viewer, event search, dashboard, Context Explorer, and so on. Note, however, that reports you generate in PDF format do not support Unicode; Unicode file names appear in the PDF report in transliterated form. For more information, see Generating and Viewing Reports.

Using the event viewer, you can:

  • search for, sort, and constrain events, as well as change the time range for displayed events
  • specify the columns that appear (table view only)
  • view events using different workflow pages within the same workflow
  • view events using a different workflow altogether
  • drill down page-to-page within a workflow, constraining on specific values
  • bookmark the current page and constraints so you can return to the same data (assuming the data still exists) at a later time
  • view a file’s trajectory
  • view the contents and inspection status of an archive file
  • add a file to a file list, download a file, submit a file for dynamic analysis, or view the full text of a file’s SHA-256 value
  • view a file’s Dynamic Analysis Summary report, if available
  • submit up to 25 files at a time for dynamic analysis
  • create a report template using the current constraints

Note that Series 2 devices, Cisco NGIPS for Blue Coat X-Series, and the DC500 Defense Center do not support network-based malware protection or archive file inspection, which can affect the data displayed. For example, a Series 3 Defense Center managing only Series 2 devices cannot display captured files.

For detailed information on using the event viewer, including creating custom workflows, see Understanding and Using Workflows.

To view captured files:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Files > Captured Files.

The first page of your default captured files workflow appears. For information on the columns that appear, see Understanding the Captured Files Table.



Understanding the Captured Files Table

License: Malware

The Defense Center logs when a managed device captures a file being transmitted in monitored network traffic, according to the settings in an applied file policy.

The table view of captured files, which is the final page in predefined captured file workflows, and which you can add to custom workflows, includes a column for each field in the captured files table. Some fields in the table view of captured files are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns. The following table describes the captured file fields.


Table 40-4 Captured File Fields

Field
Description

Last Changed

The last time the information associated with this file was updated.

File Name

The most recently detected file name associated with the file’s SHA-256 hash value.

Disposition

One of the following file dispositions:

  • Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
  • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
  • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
  • Custom Detection indicates that a user added the file to the custom detection list.
  • Unavailable indicates that the Defense Center could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.
  • N/A indicates a Detect Files or Block Files rule handled the file and the Defense Center did not perform a malware cloud lookup.

SHA256

The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition.

To view the network file trajectory, click the trajectory icon. For more information, see Analyzing Network File Trajectory.

Threat Score

The threat score most recently associated with this file:

  • Low
  • Medium
  • High
  • Very High

To view the Dynamic Analysis Summary report, click the threat score icon.

Type

The type of file, for example, HTML or MSEXE.

Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Storage Status

Whether the file is stored on a managed device.

Archive Inspection Status

For archive files, the status of archive inspection:

  • Pending indicates that the system is still inspecting the archive file and its contents. If the file passes through your system again, complete information becomes available.
  • Extracted indicates that the system was able to extract and inspect the archive’s contents.
  • Failed may, in rare cases, occur if the system is unable to process an extraction.
  • Depth Exceeded indicates that the archive contains further nested archive files beyond the maximum allowed depth.
  • Encrypted indicates that the archive file’s contents are encrypted and could not be inspected.
  • Not Inspectable indicates that the system did not extract and inspect the archive’s contents. Policy rule actions, policy configuration, and corrupted files are three major reasons for this status.

To view the contents of an archive file, right-click on its event viewer row to bring up the context menu, then select View Archive Contents. For more information, see Configuring Archive File Inspection Options.

Analysis Status

Whether the file was submitted for dynamic analysis.

Last Sent

The time the file was most recently submitted to the cloud for dynamic analysis.

Searching for Captured Files

License: Malware

Using the Defense Center’s Search page, you can search for specific captured files, display the results in the event viewer, and save your search criteria to reuse later. Custom Analysis dashboard widgets, report templates, and custom user roles can also use saved searches.

Keep in mind that your search results depend on the available data in the events you are searching. In other words, depending on the available data, your search constraints may not apply. For example, if a file has never been submitted for dynamic analysis, it may not have an associated threat score.

General Search Syntax

The system displays examples of valid syntax next to each search field. When entering search criteria, keep the following points in mind:

  • All fields accept negation (!).
  • All fields accept comma-separated lists of search values. Records that contain any of the listed values in the specified field match that search criteria.
  • All fields accept comma-separated lists enclosed in quotation marks as search values.

– For fields that may contain only a single value, records with the specified field containing the exact string specified within the quotation marks match the search criteria. For instance, a search for A, B, "C, D, E" will match records where the specified field contains "A" or "B" or "C, D, E". This permits matching on fields that include the comma in possible values.

– For fields that may contain multiple values at the same time, records with the specified fields containing all of the values in the quote-enclosed comma-separated list match that search criteria.

– For fields that may contain multiple values at the same time, search criteria may include single values as well as quote-enclosed comma-separated lists. For instance, a search for A, B, "C, D, E" on a field that may contain one or more of these letters matches records where the specified field contains A or B, or all of C, D, and E.

  • Searches return only records that match the search criteria specified for all fields.
  • Many fields accept one or more asterisks (*) as wild cards.
  • Specify n/a in any field to identify events where information is not available for that field; use !n/a to identify the events where that field is populated.
  • Click the add object icon that appears next to a search field to use an object as a search criterion.

For detailed information on search syntax, including using objects in searches, see Searching for Events.
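The general search syntax, stated above for malware events and repeated here for captured files, defines a small matching language: a leading ! negates, unquoted comma-separated terms are alternatives, a quoted list is an exact string on a single-valued field but an all-of requirement on a multi-valued field, * is a wildcard, n/a selects records with no data, and the criteria for different fields are ANDed. The Special Search Syntax for Malware Events section adds that an unquoted Event Type (and URI or Message) is matched partially and that Sending/Receiving IP matches either side of the connection. The following Python is an added example written for this page to show those rules working together; it is not FireSIGHT System code and does not reproduce the product's implementation. The record layout, the set of partial-match fields, and the sample event records are constructed for the example.

```python
"""Offline matcher for the FireSIGHT search-field syntax described on this page.

Added example for this page only; it is not FireSIGHT System code and does
not claim to reproduce the product's own matching. Field names, the choice
of partial-match fields, and the sample event records are constructed.
"""
import re

NA = object()  # sentinel: the record has no data for the field (shown as n/a)

# Single-valued fields the page says are matched partially when the search
# term is not quoted (Event Type, URI or Message). Assumed set for this example.
PARTIAL_MATCH_FIELDS = {"Event Type", "URI", "Message"}


def split_terms(expr):
    """Split a search expression on commas, honouring double quotes.

    'A, B, "C, D, E"' -> [("A", False), ("B", False), ("C, D, E", True)]
    The boolean records whether the term was quoted.
    """
    terms, buf = [], []
    in_quotes = was_quoted = False
    for ch in expr:
        if ch == '"':
            in_quotes = not in_quotes
            was_quoted = True
        elif ch == "," and not in_quotes:
            terms.append(("".join(buf).strip(), was_quoted))
            buf, was_quoted = [], False
        else:
            buf.append(ch)
    terms.append(("".join(buf).strip(), was_quoted))
    return [(t, q) for t, q in terms if t]


def term_matches(term, value, partial):
    """Compare one term with one string value; '*' matches any run of characters."""
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    matcher = re.search if partial else re.fullmatch
    return matcher(pattern, value, re.IGNORECASE) is not None


def alternative_hits(term, quoted, value, partial):
    """One comma-separated alternative against a single- or multi-valued field."""
    if isinstance(value, str):
        # Single-valued field: quoted or not, the term must match the whole value;
        # quoting also switches off partial matching (the page's Event Type example).
        return term_matches(term, value, partial and not quoted)
    if quoted:
        # Multi-valued field: every value in the quoted list must be present.
        required = [t.strip() for t in term.split(",")]
        return all(any(term_matches(r, v, False) for v in value) for r in required)
    return any(term_matches(term, v, False) for v in value)


def field_matches(field, expr, value):
    """Apply one search field's expression to one record value.

    value is a str (single-valued field), a set of str (multi-valued field)
    or NA. A leading '!' negates the whole expression; 'n/a' selects records
    with no data for the field; other terms never match a missing value.
    """
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:].strip()
    if expr.lower() == "n/a":
        hit = value is NA
    elif value is NA:
        hit = False
    else:
        partial = field in PARTIAL_MATCH_FIELDS
        hit = any(alternative_hits(t, q, value, partial) for t, q in split_terms(expr))
    return hit != negate


def search(records, criteria):
    """Return the records matching every criterion (fields are ANDed together).

    'Sending/Receiving IP' matches when either IP field matches, as the page
    describes for malware events.
    """
    def ok(rec):
        for field, expr in criteria.items():
            if field == "Sending/Receiving IP":
                if not any(field_matches(f, expr, rec.get(f, NA))
                           for f in ("Sending IP", "Receiving IP")):
                    return False
            elif not field_matches(field, expr, rec.get(field, NA)):
                return False
        return True
    return [r for r in records if ok(r)]


# Constructed sample malware-event records; the third is endpoint-based, so it
# carries no connection information (the page's reason such fields show n/a).
EVENTS = [
    {"Event Type": "Scan Completed, No Detections", "Sending IP": "10.0.0.5",
     "Receiving IP": "10.0.0.9", "Disposition": "Clean", "File Names": {"report.pdf"}},
    {"Event Type": "Scan Completed With Detection", "Sending IP": "10.0.0.7",
     "Receiving IP": "10.0.0.9", "Disposition": "Malware",
     "File Names": {"setup.exe", "installer.exe"}},
    {"Event Type": "Threat Detected", "Sending IP": NA, "Receiving IP": NA,
     "Disposition": "Malware", "File Names": {"setup.exe"}},
]

if __name__ == "__main__":
    for crit in ({"Event Type": "Scan Completed"},                  # partial: 2 records
                 {"Event Type": '"Scan Completed With Detection"'},  # exact: 1 record
                 {"File Names": '"setup.exe, installer.exe"'},       # all-of: 1 record
                 {"Disposition": "Malware", "Sending IP": "!n/a"}):   # ANDed: 1 record
        print(crit, "->", len(search(EVENTS, crit)))
```

The design point worth noticing is that quoting means two different things depending on the field: on a single-valued field it protects commas inside the value (and, for Event Type, turns a partial match into an exact one), while on a multi-valued field it changes the combination from any-of to all-of. Keeping `NA` as a distinct sentinel rather than an empty string is what makes `n/a` and `!n/a` behave correctly for endpoint-based events that simply have no connection data.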

Special Search Syntax for Captured Files

To supplement the general search syntax listed above, the following table describes some special search syntax for captured files.


Table 40-5 Captured Files Special Search Syntax

Search Criterion
Special Syntax

Storage Status

Specify one or more of the following:

  • File Stored - returns all captured files stored on the device
  • Unable to Store File - returns all captured files not stored on the device

Dynamic Analysis Status

Specify one or more of the following:

  • Sent for Analysis - returns all captured files queued for dynamic analysis
  • Not Sent for Analysis - returns all captured files not submitted for dynamic analysis
  • Analysis Complete - returns all captured files submitted for dynamic analysis that received a threat score and dynamic analysis summary report
  • Previously Analyzed - returns all files with a cached threat score that a user tried to submit for dynamic analysis again
  • Failure (Analysis Timeout) - returns all captured files submitted for dynamic analysis for which the cloud has yet to return a result
  • Failure (Network Issue) - returns all files that did not get submitted for dynamic analysis due to a network connectivity failure
  • Failure (Cannot Run File) - returns all files submitted for dynamic analysis that the cloud could not run in the test environment

To search for captured files:

Access: Admin/Any Security Analyst


Step 1 Select Analysis > Search.

The Search page appears.

Step 2 Select Captured Files from the table drop-down list.

The page updates with the appropriate constraints.

Step 3 Enter your search criteria in the appropriate fields.

See the Captured File Fields table for information on the fields in the captured files table.

Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.


Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.


Step 5 Optionally, you can save the search to be used again in the future. You have the following options:

    • Click Save to save the search criteria.

For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

    • Click Save as New to save a new search or assign a name to a search you created by altering a previously saved search.

A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.

Step 6 Click Search to start the search.

Your search results appear in your default captured file workflow, constrained by the current time range.



Working with Network File Trajectory

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The network file trajectory feature maps how hosts transferred files, including malware files, across your network. You can use the map to determine which hosts may have transferred malware, which hosts are at risk, and observe file transfer trends.

The trajectory map charts file transfer data, the disposition of the file, and if a file transfer was blocked or the file was quarantined. The data used to build the map can come from network-based malware events (any file event for which the system performed a malware cloud lookup and returned a malware disposition) and certain endpoint-based malware events related to detecting and blocking malware (any Threat Detected or Threat Quarantined event type). Vertical lines between data points represent file transfers between hosts. Horizontal lines connecting the data points show a host’s file activity over time.

You can track the transmission of any file type for which the system can perform a malware cloud lookup. To directly access a file’s trajectory, you can use the Network File Trajectory List page (Analysis > Files > Network File Trajectory) and locate specific files. Additionally, if you are analyzing an intrusion and want to review the trajectory for a related file, you can access the file’s trajectory from the Context Explorer, dashboard, or event views of connection, file, or malware events.

The data a single trajectory map displays depends on the licenses applied to your appliance. The following table lists the licenses necessary to track different types of file trajectory.


Table 40-6 License Requirements for Network File Trajectory

To view...
You need the following license...

network-based file and malware trajectories

Malware

endpoint-based threat and quarantine tracking

Any (you must have a FireAMP subscription)

See Understanding Malware Protection and File Control for more information.

Note that because you cannot use a Malware license with a DC500 nor enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to capture, store or block individual files, submit files for dynamic analysis, view the contents of archive files, or view file trajectories for files for which you conduct a malware cloud lookup. You can, however, still view file trajectories for endpoint-based threat and quarantine tracking.

For more information, see the following sections:

Reviewing Network File Trajectory

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

As you review captured files, file events, and malware events, you can view a file’s trajectory map from the Context Explorer, properly configured dashboard widgets, and various event views. You can also review the most recently viewed network file trajectories and the most recently detected malware from the Network File Trajectory List page.

For more information, see the following sections:

Accessing Network File Trajectory

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The Network File Trajectory List page allows you to locate files that have a SHA-256 hash value, whether to analyze the most recently detected malware, or to track a specific threat.

The page displays the malware most recently detected on your network, as well as the files whose trajectory maps you have most recently viewed. From these lists, you can view when the file was most recently seen on the network, the file’s SHA-256 hash value, name, type, current file disposition, contents (for archive files), and the number of events associated with the file. For more information on the fields, see Understanding the File Events Table.

The page also contains a search box that lets you locate files, either based on SHA-256 hash value or file name, or by the IP address of the host that transferred or received a file. After you locate a file, you can click the File SHA256 value to view the detailed trajectory map. See Analyzing Network File Trajectory for more information.

The FireSIGHT System supports the display and input of Unicode (UTF-8) file names in all areas of the web interface, including the event viewer, event search, dashboard, Context Explorer, and so on. Note, however, that reports you generate in PDF format do not support Unicode; Unicode file names appear in the PDF report in transliterated form. For more information, see Generating and Viewing Reports.

Note that because you cannot use a Malware license with a DC500, nor can you enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to view file trajectories for files for which you conduct a malware cloud lookup.

To locate a file from the Network File Trajectory List page:

Access: Any


Step 1 Select Analysis > Files > Network File Trajectory.

The Network File Trajectory List page appears, displaying the lists of recently viewed files and recent malware.

Step 2 Optionally, you can type a complete SHA-256 hash value, host IP address, or file name of a file you want to track into the search field and press Enter.

The Query Results page appears listing all files that match the search. If only one result matches, the Network File Trajectory page for that file appears.



Analyzing Network File Trajectory

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

You can trace a file through the network by viewing the detailed network file trajectory. The file’s trajectory presents summary information about a file, displays the map charting data points over time, and also lists the event data tied to the data points in a table. Using the table and the map, you can pinpoint specific file events, hosts on the network that transferred or received this file, related events in the map, and other related events in a table constrained on selected values.

Note that because you cannot use a Malware license with a DC500, nor can you enable a Malware license on a Series 2 device or Cisco NGIPS for Blue Coat X-Series, you cannot use those appliances to view file trajectories for files for which you conduct a malware cloud lookup.

For more information, see the following sections:

Summary Information

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

A file’s trajectory page displays basic information about the file, including file identification information, when the file was first seen and most recently seen on the network, the number of related events and hosts associated with the file, and the file’s current disposition. From this section, if the managed device stored the file, you can download it locally, submit the file for dynamic analysis, or add the file to a file list.


Tip To view related file events, click a field value link. The first page in the File Events default workflow opens in a new window, displaying all file events that also contain the selected value.


The following table describes the summary information fields.


Table 40-7 Network File Trajectory Summary Information Fields

Name
Description

File SHA256

The SHA-256 hash value of the file.

The hash is displayed by default in a condensed format. To view the full hash value, hover your pointer over it. If multiple SHA-256 hash values are associated with a file name, hover your pointer over the link to view all of the hash values.

Click the download file icon to download the file to your local computer. If prompted, confirm you want to download the file. Follow your browser’s prompts to save the file. If the file is unavailable for download, this icon is grayed out.


Caution Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

File Names

The names of the file associated with the event, as seen on the network.

If multiple file names are associated with a SHA-256 hash value, the most recently detected file name is listed. To view the remaining file names, click more.

File Type

The file type of the file, for example, HTML or MSEXE.

File Category

The general categories of file type, for example, Office Documents or System Files.

Parent Application

The client application accessing the malware file when detection occurred. These applications are not tied to network discovery or application control.

This field only appears for endpoint-based malware events.

First Seen

The first time a managed device or FireAMP Connector detected the file, and the IP address of the host that first uploaded the file.

Last Seen

The most recent time a managed device or FireAMP Connector detected the file, and the IP address of the host that last downloaded the file.

Event Count

The number of events seen on the network associated with the file, and the number of events displayed in the map if there are more than 250 detected events.

Seen On

The number of hosts that either sent or received the file. Because one host can upload and download a file at different times, the total number of hosts may not match the total number of senders plus the total number of receivers in the Seen On Breakdown field.

Seen On Breakdown

The number of hosts that sent the file, followed by the number of hosts that received the file.

Current Disposition

One of the following file dispositions:

  • Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
  • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
  • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
  • Custom Detection indicates that a user added the file to the custom detection list.
  • Unavailable indicates that the Defense Center could not perform a malware cloud lookup. You may see a small percentage of events with this disposition; this is expected behavior.
  • N/A indicates a Detect Files or Block Files rule handled the file and the Defense Center did not perform a malware cloud lookup.

Click the edit icon to add the file to or remove the file from the clean list or custom detection list.

This field only appears for network-based malware events.

Archive Contents

For inspected archive files, the number of files the archive contains. Click the view icon to view information about content files in the Archive Contents window.

For more information about archive file inspection, see Configuring Archive File Inspection Options.

Threat Name

Name of the malware threat associated with the file.

This field only appears for endpoint-based malware events.

Threat Score

The file’s threat score:

  • Low
  • Medium
  • High
  • Very High

To view the Dynamic Analysis Summary report, click the threat score icon.

Click the threat score link to view all captured files with that threat score.

Click the cloud icon to submit the file to the cloud for dynamic analysis. If the file is unavailable for submission or you cannot connect to the cloud, this icon is grayed out.

Trajectory Map

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

A file’s trajectory map visually tracks a file from the first detection on your network to the most recent. The map shows when hosts transferred or received the file, how often they transferred the file, and when the file was blocked or quarantined. The map also shows how often file events occurred for the file and when the system assigned the file a disposition or retrospective disposition. You can select a data point in the map and highlight a path that traces back to the first instance the host transferred that file; this path also intersects with every occurrence involving the host as either sender or receiver of the file. The following graphic shows an example trajectory map:

[Graphic: example trajectory map]

The map’s y-axis contains a list of all host IP addresses that have interacted with the file. The IP addresses are listed in descending order based on when the system first detected the file on that host. Each row contains all events associated with that IP address, whether a single file event, file transfer, or retrospective event. The x-axis contains the date and time the system detected each event. The timestamps are listed in chronological order. If multiple events occurred within a minute, all are listed within the same column. You can scroll the map horizontally and vertically to view additional events and IP addresses.

The map displays up to 250 events associated with the file SHA-256 hash. If there are more than 250 events, the map displays the first 10, then truncates extra events with an arrow icon. The map then displays the remaining 240 events. The following graphic shows events truncated with the arrow icon:

[Graphic: events truncated with the arrow icon]

You can view all events not displayed in the map by clicking the arrow icon. The first page of the File Events default workflow appears in a new window with all the extra events constrained based on the file type. If endpoint-based malware events are not displayed, you must switch to the Malware Events table to view them.

Each data point represents an event plus the file disposition, as described in the legend below the map. For example, a Malware Block event icon combines the Malicious Disposition icon and the Block Event icon.

Endpoint-based malware events include one icon. A retrospective event displays an icon in the column for each host on which the file is detected. File transfer events always include two icons, one file send icon and one file receive icon, connected by a vertical line. Arrows indicate the file transfer direction from sender to receiver.

You can view summary information for an event by hovering your pointer over the event icon. The displayed summary information matches the information displayed in the Events table. The following graphic shows an event icon’s summary information:

[Graphic: event icon summary information]

If you click any link in the event summary information, the first page of the File Events default workflow opens in a new window, displaying all file events that match the criteria value you clicked.

To locate the first time a file event occurred involving an IP address, click the address. This highlights a path to that data point, as well as any intervening file events and IP addresses related to the first file event. The corresponding event in the Events table is also highlighted. The map scrolls to that data point if not currently visible. The following graphic shows the path highlighted after clicking an IP address:

[Graphic: path highlighted after clicking an IP address]

To track a file’s progress through the network, you can click any data point to highlight a path that includes all data points related to the selected data point. This includes data points associated with the following types of events:

  • any file transfers in which the associated IP address was either sender or receiver
  • any endpoint-based malware events involving the associated IP address
  • if another IP address was involved, all file transfers in which that associated IP address was either sender or receiver
  • if another IP address was involved, any endpoint-based malware events involving the other IP address

The following graphic shows the path highlighted after clicking an event icon:

[Graphic: path highlighted after clicking an event icon]

All IP addresses and timestamps associated with any highlighted data point are also highlighted. The corresponding event in the Events table is also highlighted. If a path includes truncated events, the path itself is highlighted with a dotted line. Truncated events might intersect the path, but are not displayed in the map.
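As an added illustration (not the product's own code or data), the Python below models the map behaviour described above: hosts ordered by when the file was first detected on them, one column per minute, the 250-event truncation, and the set of data points highlighted when an event is clicked. The event structure, the earliest-first host order and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample structure: one file event for a single SHA-256 (not product data).
@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    kind: str                       # "transfer" or "endpoint"
    sender: Optional[str] = None    # transfer events: sending host
    receiver: Optional[str] = None  # transfer events: receiving host
    host: Optional[str] = None      # endpoint-based malware events: the host

def hosts_of(ev: FileEvent) -> frozenset:
    return frozenset(h for h in (ev.sender, ev.receiver, ev.host) if h)

def y_axis_hosts(events):
    """Hosts ordered by first detection of the file on each host (assumed earliest first)."""
    first_seen = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for h in hosts_of(ev):
            first_seen.setdefault(h, ev.ts)
    return sorted(first_seen, key=lambda h: (first_seen[h], h))

def x_axis_columns(events):
    """One column per minute; events within the same minute share a column."""
    return sorted({ev.ts.replace(second=0, microsecond=0) for ev in events})

def truncate(events, limit=250, head=10):
    """Above `limit` events the map keeps the first `head` and the last
    `limit - head`; the middle events are hidden behind the arrow icon."""
    events = sorted(events, key=lambda e: e.ts)
    if len(events) <= limit:
        return events, []
    tail = limit - head
    return events[:head] + events[-tail:], events[head:-tail]

def highlight_path(events, selected):
    """Data points lit when `selected` is clicked: every event involving its
    IP address and, for a transfer, every event involving the other IP too."""
    ips = hosts_of(selected)
    return [ev for ev in events if hosts_of(ev) & ips]

# Constructed sample events for one file.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    FileEvent(T0, "transfer", sender="10.0.0.1", receiver="10.0.0.2"),
    FileEvent(T0 + timedelta(seconds=30), "endpoint", host="10.0.0.2"),
    FileEvent(T0 + timedelta(minutes=5), "transfer", sender="10.0.0.2", receiver="10.0.0.3"),
    FileEvent(T0 + timedelta(minutes=9), "transfer", sender="10.0.0.4", receiver="10.0.0.5"),
]
```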

Events Table

License: Malware or Any

Supported Devices: feature dependent

Supported Defense Centers: feature dependent

The Events table lists event information for each data point in the map. You can sort events in ascending or descending order by clicking the column headers. You can highlight a data point in the map by selecting the table row. The map scrolls to display the selected file event if not currently visible. For more information on the fields, see Understanding the File Events Table.