File/Malware Events and Network File Trajectory
About File/Malware Events and Network File Trajectory
File and Malware Events
View Details About Analyzed Files
Using Captured File Workflows
- Captured File Fields
- Stored Files Download
Manually Submit Files for Analysis
Network File Trajectory
History for File and Malware Events and Network File Trajectory

File/Malware Events and Network File Trajectory

The following topics provide an overview of file and malware events, local malware analysis, dynamic analysis, captured files, and network file trajectories.

About File/Malware Events and Network File Trajectory

File policies automatically generate file and malware events for matched traffic, and log captured file information. When a file policy generates a file or malware event, or captures a file, the system also automatically logs the end of the associated connection to the Firepower Management Center database. You can analyze this data to address any negative impacts and block future attacks.

Based on the file analysis results, you can review captured files and generated malware and file events using tables on pages available under the Analysis > Files menu. When available, you can examine a file's composition, disposition, threat score, and dynamic analysis summary report for further insight into the malware analysis.

To further target your analysis, you can use a malware file’s network file trajectory (a map of how the file traversed your network, passing among hosts, as well as various file properties) to track the spread of an individual threat across hosts over time, allowing you to concentrate outbreak control and prevention efforts where most useful.

If you configure local malware analysis or dynamic analysis in a file rule, the system preclassifies files matching the rule and generates a file composition report.

If your organization has deployed AMP for Endpoints and integrated that deployment with your Firepower Management Center, you can also import records of scans, malware detections, and quarantines, as well as indications of compromise (IOC) identified by that product. This data is displayed alongside event data gathered by Firepower for a more complete picture of malware on your network.

The Context Explorer, dashboards, and reporting features can also aid a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or alert you via email, SMTP, or syslog.

Note

To configure your system to detect malware and generate file and malware events, see Network Malware Protection and File Policies in the Firepower Management Center Device Configuration Guide.

File and Malware Events

The Firepower Management Center can log various types of file and malware events. The information available for any individual event can vary depending on how and why it was generated:

File events represent files, including malware, detected by the system (AMP for Networks.) File events do not contain AMP for Endpoints-related fields.
Malware events represent malware detected by either AMP for Networks or AMP for Endpoints; malware events can also record data other than threats from your AMP for Endpoints deployment, such as scans and quarantines.
Retrospective malware events represent files detected by AMP for Networks whose dispositions (whether the files are malware) have changed.

Note

Files identified as malware by AMP for Networks generate both a file event and a malware event. Malware events generated by AMP for Endpoints do not have corresponding file events.
File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.
The system supports the display and input of file names that use Unicode (UTF-8) characters. However, Unicode file names appear in PDF reports in transliterated form. Additionally, the SMB protocol replaces unprintable characters in file names with periods.

File and Malware Event Types

File Events

The system logs the file events generated when a managed device detects or blocks a file in network traffic, according to the rules in currently deployed file policies.

When the system generates a file event, the system also logs the end of the associated connection to the Firepower Management Center database, regardless of the logging configuration of the invoking access control rule.

Malware Events

The system (specifically the AMP for Networks feature) generates malware events when it detects malware in network traffic as part of your overall access control configuration. Malware events contain the disposition of the resulting event and contextual data about how, where, and when the malware was detected.

Table 1. Malware Event Generation Scenarios
When the system detects a file and...	Disposition
successfully queries the AMP cloud (performs a malware cloud lookup) for the file’s disposition	Malware, Clean, or Unknown
queries the AMP cloud but cannot establish a connection or the cloud is otherwise unavailable	Unavailable You may see a small percentage of events with this disposition; this is expected behavior.
the threat score associated with a file exceeds the malware threshold threat score defined in the file policy that detected the file, or local malware analysis identifies malware	Malware
it is on the custom detection list (manually marked as malware)	Custom Detection
it is on the on the clean list (manually marked as clean),	Clean

File Disposition and File Action in Malware Events

Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. If you select Block Malware or Malware Cloud Lookup as file rule action, the system queries the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats. Cloud lookup allows you to obtain and log the file's disposition based on its SHA-256 hash value.

The following table describes the file action that associates with the file disposition returned by the AMP cloud:

Table 2. File Disposition and File Action in Malware Events

File Rule Action Selected

File Disposition

File Action in the Malware Event

Block Malware
Malware Cloud Lookup

Malware

Block

Clean
Unknown
Unavailable
NA

Cloud Lookup

Note

Under the file policy editor Advanced Settings, you can set a threshold threat score for If AMP Cloud disposition is Unknown, override disposition based upon threat score option. If you set a threshold threat score, files with an AMP cloud verdict of Unknown are considered malware if their dynamic analysis score is equal to or worse than the threshold.

Retrospective Malware Events

For malware detected in network traffic, dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system. Then, two things happen:

The Firepower Management Center generates a new retrospective malware event.

This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Firepower Management Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.

The Firepower Management Center changes the file disposition for previously detected files with the retrospective event’s associated SHA-256 hash value.

If a file’s disposition changes to Malware, the Firepower Management Center logs a new malware event to its database. Except for the new disposition, the information in this new malware event is identical to that in the file event generated when the file was initially detected.

If a file’s disposition changes to Clean, the Firepower Management Center does not delete the malware event. Instead, the event reflects the change in disposition. This means that files with clean dispositions can appear in the malware table, but only if they were originally thought to be malware. Files that were never identified as malware appear only in the files table.

Malware Events Generated by AMP for Endpoints

If your organization uses AMP for Endpoints, individual users install lightweight connectors on endpoints: computers and mobile devices. Connectors can inspect files upon upload, download, execution, open, copy, move, and so on. These connectors communicate with the AMP cloud to determine if inspected files contain malware.

When a file is positively identified as malware, the AMP cloud sends the threat identification to the Firepower Management Center. The AMP cloud can also send other kinds of information to the Firepower Management Center, including data on scans, quarantines, blocked executions, and cloud recalls. The Firepower Management Center logs this information as malware events.

Note

The IP addresses reported in malware events generated by AMP for Endpoints may not be in your network map—and may not even be in your monitored network at all. Depending on your deployment, level of compliance, and other factors, endpoints in your organization monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks.

Malware Event Analysis with AMP for Endpoints

If your organization has deployed Cisco AMP for Endpoints:

You can configure the system to display malware events detected by AMP for Endpoints on FMC event pages, alongside events detected by AMP for Networks.
If you are using the AMP public cloud, you can view file trajectory and other information about a particular SHA in AMP for Endpoints.

To configure the above functionality, see Integrate Firepower and AMP for Endpoints in the Firepower Management Center Device Configuration Guide.

Event Data from AMP for Endpoints

If your organization has deployed AMP for Endpoints for malware protection, you can configure the system to let you work in FMC with file and malware data from AMP for Endpoints.

However, you should be aware of the differences between file and malware data from AMP for Endpoints and file and malware data from the system's AMP for Networks feature.

Because AMP for Endpoints malware detection is performed at the endpoint at download or execution time, while managed devices detect malware in network traffic, the information in the two types of malware events is different. For example, malware events detected by AMP for Endpoints ("endpoint-based malware") contain information on file path, invoking client application, and so on, while malware detections in network traffic contain port, application protocol, and originating IP address information about the connection used to transmit the file.

As another example, for malware events detected by AMP for Networks ("network-based malware events"), user information represents the user most recently logged into the host where the malware was destined, as determined by network discovery. But AMP for Endpoints-reported users represent the user currently logged into the endpoint where the malware was detected.

Note

Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, malware events generated by AMP for Endpoints do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different malware solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.

The following table summarizes the differences between the event data generated by Firepower when using a Malware license, and event data generated by AMP for Endpoints.

Table 3. Summary of Data Differences Between AMP Products
Feature	AMP for Networks	AMP for Endpoints
Events generated	File events, captured files, malware events, and retrospective malware events	Malware events
Information in malware events	Basic malware event information, plus connection data (IP address, port, and application protocol)	In-depth malware event information; no connection data
Network file trajectory	FMC-based	FMC and the AMP for Endpoints management console each have a network file trajectory. Both are useful.

Using File and Malware Event Workflows

Use this procedure to view file and malware events in a table and to manipulate the event view depending on the information relevant to your analysis. The page you see when you access events differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. You can also create a custom workflow that displays only the information that matches your specific needs.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

You must be an Admin or Security Analyst user to perform this task.

Procedure

Choose one of the following:

Analysis > Files > File Events
Analysis > Files > Malware Events

Tip

In the table view of events, several fields are hidden by default. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.

Tip

To quickly view the connections where specific files were detected, choose the files using the check boxes in the table, then choose Connections Events from the Jump to drop-down list.

Tip

Right-click an item in the table to see options. (Not every column offers options.)

File and Malware Event Fields

File and malware events, which you can view and search using workflows, contain the fields listed in this section. Keep in mind that the information available for any individual event can vary depending on how and why it was generated.

Note

Files identified as malware by AMP for Networks generate both a file event and a malware event. Malware events generated by AMP for Endpoints do not have corresponding file events, and file events do not have AMP for Endpoints-related fields.

Syslog messages are populated with initial values and do not update, even if the equivalent field in the FMC web interface is updated, for example with a retrospective verdict.

Action (Syslog: FileAction)

The action associated with file policy rule that detected the file, and any associated file rule action options.

AMP Cloud

The name of the AMP cloud where the AMP for Endpoints event originated.

Application File Name

The client application accessing the malware file when AMP for Endpoints detection occurred. These applications are not tied to network discovery or application control.

Application File SHA256

The SHA-256 hash value of the parent file accessing the AMP for Endpoints-detected or quarantined file when detection occurred.

In the unified event viewer, this field appears as Application File SHA-256.

Application Protocol (Syslog: ApplicationProtocol)

The application protocol used by the traffic in which a managed device detected the file.

Application Protocol Category or Tag

The criteria that characterize the application to help you understand the application's function.

Application Risk

The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those.

Archive Depth (Syslog: ArchiveDepth)

The level (if any) at which the file was nested in an archive file.

Archive Name (Syslog: ArchiveFileName)

The name of the archive file (if any) which contained the malware file.

To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on the archive file’s table row to open the context menu, then click View Archive Contents.

Archive SHA256 (Syslog: ArchiveSHA256)

The SHA-256 hash value of the archive file (if any) which contains the malware file.

To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on that archive file’s table row to open the context menu, then click View Archive Contents.

ArchiveFileStatus (Syslog Only)

The status of an archive being inspected. Can have the following values:

Pending — Archive is being inspected
Extracted — Successfully inspected without any problems
Failed — Failed to inspect, insufficient system resources
Depth Exceeded — Successful, but archive exceeded the nested inspection depth
Encrypted — Partially successful, archive was or contains an archive that is encrypted
Not Inspectable — Partially successful, file is possibly malformed or corrupt

Business Relevance

The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.

Category / File Type Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Client (Syslog: Client)

The client application that runs on one host and relies on a server to send a file.

Client Category or Tag

The criteria that characterize the application to help you understand the application's function.

Connection Counter (Syslog Only)

A counter that distinguishes one connection from another simultaneous connection. This field has no significance on its own.

The following fields collectively uniquely identify the connection event associated with a particular file or malware event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.

Connection Instance ID (Syslog Only)

The Snort instance that processed the connection event. This field has no significance on its own.

Count

After you apply a constraint that creates two or more identical rows, the number of events that match the information in each row.

Detection Name

The name of the detected malware.

Detector

The AMP for Endpoints detector that identified the malware, such as ClamAV, Spero, or SHA.

Device

For file events and for malware events generated by Firepower devices, the name of the device that detected the file.

For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the name of the FMC.

DeviceUUID (Syslog Only)

The unique identifier of the Firepower device that generated an event.

Disposition / File Disposition (Syslog: SHA_Disposition)

The file’s disposition:

Malware: Indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
Clean: Indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. Clean files appear in the malware table only if they were changed to clean.
Unknown: Indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.
Custom Detection: Indicates that a user added the file to the custom detection list.
Unavailable: Indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.
N/A: Indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.

File dispositions appear only for files for which the system queried the AMP cloud.

Syslog fields reflect only the initial disposition; they do not update to reflect retrospective verdicts.

Domain

For file events and for malware events generated by Firepower devices, the domain of the device that detected the file. For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the domain associated with the AMP cloud connection that reported the event.

This field is only present if you have ever configured the FMC for multitenancy.

DstIP (Syslog Only)

The IP address of the host that responded to the connection. This may be the IP address of the sender or the recipient of the file, depending on the value in the FileDirection field:

If FileDirection is Upload, then this is the IP address of the file recipient.

If FileDirection is Download, then this is the IP address of the file sender.

DstPort (Syslog Only)

The port used in the connection described under DstIP.

Egress Virtual Router

In networks using virtual routing, the name of the virtual router through which traffic exited the network.

Event Subtype

The AMP for Endpoints action that led to malware detection, for example, Create, Execute, Move, or Scan.

Event Type

The sub-type of malware event.

File Name (Syslog: FileName)

The name of the file.

File Path

The file path of the malware file detected by AMP for Endpoints, not including the file name.

File Policy (Syslog: FilePolicy)

The file policy that detected the file.

File Storage / Stored (Syslog: FileStorageStatus)

The storage status of the file associated with the event:

Stored: Returns all events where the associated file is currently stored.
Stored in connection: Returns all events where the system captured and stored the associated file, regardless of whether the associated file is currently stored.
Failed: Returns all events where the system failed to store the associated file.

Syslog fields contain only the initial status; they do not update to reflect changed status.

File Timestamp

The time and date that AMP for Endpoints detected the malware file was created.

FileDirection (Syslog Only)

Whether the file was downloaded or uploaded during the connection. Possible values are:

Download — the file was transferred from the DstIP to the SrcIP.
Upload — the file was transferred from the SrcIP to the DstIP.

FileSandboxStatus (Syslog Only)

Indicates whether the file was sent for dynamic analysis and if so, the status.

First Packet Time (Syslog Only)

The time the system encountered the first packet.

FirstPacketSecond (Syslog Only)

The time at which the file download or upload flow started.

The time the event occurred is captured in the message header timestamp.

HTTP Response Code

The HTTP status code sent in response to a client's HTTP request when a file is transferred.

Ingress Virtual Router

In networks using virtual routing, the name of the virtual router through which traffic entered the network.

IOC

Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When AMP for Endpoints data triggers an IOC rule, a full malware event is generated, with the type AMP IOC.

Message

Additional information associated with a malware event. For file events and for malware events generated by Firepower devices, this field is populated only for files whose disposition has changed, that is, that have an associated retrospective event.

Protocol (Syslog Only)

The protocol used for the connection, for example TCP or UDP.

Receiving Continent

The continent of the host receiving the file.

Receiving Country

The country of the host receiving the file.

Receiving IP

In the FMC web interface, for file events and for malware events generated by Firepower devices, the IP address of the host receiving the file. See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.

For malware events generated by AMP for Endpoints, the IP address of the endpoint whose connector reported the event.

For syslog equivalents (events generated by Firepower devices only), see DstIP and SrcIP.

Receiving Port

In the FMC web interface, the destination port used by the traffic where the file was detected.

For syslog equivalents, see DstIP and SrcIP and DstPort and SrcPort.

Security Context (Syslog: Context)

The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only displays this field when managing at least one ASA FirePOWER device that is running in multiple context mode.

Sending Continent

The continent of the host sending the file.

Sending Country

The country of the host sending the file.

Sending IP

In the FMC web interface, the IP address of the host sending the file. See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.

For syslog equivalents, see DstIP and SrcIP.

Sending Port

In the FMC web interface, the source port used by the traffic where the file was detected.

For syslog equivalents, see DstIP and SrcIP and DstPort and SrcPort.

SHA256 / File SHA256 (Syslog: FileSHA256)

The SHA-256 hash value of the file.

To have a SHA256 value, the file must have been handled by one of:

a Detect Files file rule with Store files enabled
a Block Files file rule with Store files enabled
a Malware Cloud Lookup file rule
a Block Malware file rule
AMP for Endpoints

This column also displays a network file trajectory icon that represents the most recently detected file event and file disposition, and that links to the network file trajectory.

Size (KB) / File Size (KB) (Syslog: FileSize)

In the FMC web interface, the size of the file, in kilobytes.

In syslog messages: The size of the file, in bytes.

Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated. In this case, this field is blank.

SperoDisposition (Syslog Only)

Indicates whether the SPERO signature was used in file analysis. Possible values:

Spero detection performed on file
Spero detection not performed on file

SrcIP (Syslog Only)

The IP address of the host that initiated the connection. This may be the IP address of the sender or the recipient of the file, depending on the value in the FileDirection field:

If FileDirection is Upload, this is the IP address of the file sender.

If FileDirection is Download, this is the IP address of the file recipient.

SrcPort (Syslog Only)

The port used in the connection described under SrcIP.

SSL Actual Action (Syslog: SSLActualAction)

The action the system applied to encrypted traffic:

Block or Block with reset: Represents blocked encrypted connections.
Decrypt (Resign): Represents an outgoing connection decrypted using a re-signed server certificate.
Decrypt (Replace Key): Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
Decrypt (Known Key): Represents an incoming connection decrypted using a known private key.
Default Action: Indicates the connection was handled by the default action.
Do not Decrypt: Represents a connection the system did not decrypt.

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Certificate Information

The information stored on the public key certificate used to encrypt traffic, including:

Subject/Issuer Common Name
Subject/Issuer Organization
Subject/Issuer Organization Unit
Not Valid Before/After
Serial Number, Certificate Fingerprint
Public Key Fingerprint

For syslog, see SSLCertificate.

SSL Failure Reason (Syslog: SSLFlowStatus)

The reason the system failed to decrypt encrypted traffic:

Unknown
No Match
Success
Uncached Session
Unknown Cipher Suite
Unsupported Cipher Suite
Unsupported SSL Version
SSL Compression Used
Session Undecryptable in Passive Mode
Handshake Error
Decryption Error
Pending Server Name Category Lookup
Pending Common Name Category Lookup
Internal Error
Network Parameters Unavailable
Invalid Server Certificate Handle
Server Certificate Fingerprint Unavailable
Cannot Cache Subject DN
Cannot Cache Issuer DN
Unknown SSL Version
External Certificate List Unavailable
External Certificate Fingerprint Unavailable
Internal Certificate List Invalid
Internal Certificate List Unavailable
Internal Certificate Unavailable
Internal Certificate Fingerprint Unavailable
Server Certificate Validation Unavailable
Server Certificate Validation Failure
Invalid Action

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Status

The action associated with the SSL Actual Action (SSL rule, default action, or undecryptable traffic action) that logged the encrypted connection. The Lock icon links to TLS/SSL certificate details. If the certificate is unavailable (for example, for connections blocked due to TLS/SSL handshake error), the lock icon is grayed out.

If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action (undecryptable traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

When searching this field, type one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.

SSL Subject/Issuer Country

The two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.

SSLCertificate (Syslog Only)

The certificate fingerprint of the TLS/SSL server.

Threat Name (Syslog: ThreatName)

The name of the detected malware.

Threat Score (Syslog: ThreatScore)

The threat score most recently associated with this file. This is a value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

The threat score icon links to the Dynamic Analysis Summary report.

Time

The date and time the event was generated. This field is not searchable.

In syslog messages, see FirstPacketSecond.

Type / File Type (Syslog: FileType)

The type of file, for example, HTML or MSEXE.

URI / File URI (Syslog: URI)

The URI of the connection associated with the file transaction, for example, the URL from which a user downloaded the file.

User (Syslog: User)

The username associated with the IP address that initiated the connection. If this IP address is external to your network, the associated username is typically unknown.

If applicable, the username is preceded by <realm>\.

For file events and for malware events generated by Firepower devices, this field displays the username that was determined by an identity policy or authoritative logins. In absence of an identity policy, it displays No Authentication Required.

For malware events generated by AMP for Endpoints, AMP for Endpoints determines user names. These users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.

Web Application (Syslog: WebApplication)

The application that represents the content or requested URL for HTTP traffic detected in the connection.

Web Application Category or Tag

Criteria that characterize the application to help you understand the application's function.

Malware Event Sub-Types

The following table lists the malware event subtypes, whether a malware event generated by AMP for Networks (a "network-based malware event") or AMP for Endpoints (an "endpoint-based malware event") can have that subtype, and whether the system uses that subtype to build network file trajectories.

Table 4. Malware Event Types
Malware Event Subtype/Search Value	AMP for Networks	AMP for Endpoints	File Trajectory
Threat Detected in Network File Transfer	yes	no	yes
Threat Detected in Network File Transfer (retrospective)	yes	no	yes
Threat Detected	no	yes	yes
Threat Detected in Exclusion	no	yes	yes
Threat Quarantined	no	yes	yes
AMP IOC (Indications of compromise)	no	yes	no
Blocked Execution	no	yes	no
Cloud Recall Quarantine	no	yes	no
Cloud Recall Quarantine Attempt Failed	no	yes	no
Cloud Recall Quarantine Started	no	yes	no
Cloud Recall Restore from Quarantine	no	yes	no
Cloud Recall Restore from Quarantine Failed	no	yes	no
Cloud Recall Restore from Quarantine Started	no	yes	no
Quarantine Failure	no	yes	no
Quarantined Item Restored	no	yes	no
Quarantine Restore Failed	no	yes	no
Quarantine Restore Started	no	yes	no
Scan Completed, No Detections	no	yes	no
Scan Completed With Detections	no	yes	no
Scan Failed	no	yes	no
Scan Started	no	yes	no

Information Available in File and Malware Event Fields

The following table lists whether the system displays information for each file and malware event field.

If your organization has deployed AMP for Endpoints and integrated that product with your Firepower deployment:

Malware events and indications of compromise (IOCs) imported from your AMP for Endpoints deployment do not contain contextual connection information, but they do include information obtained at download or execution time, such as file path, invoking client application, and so on.
File event table views do not display AMP for Endpoints-related fields.

Table 5. Information Available in File and Malware Event Fields
Field	File Event	Malware Events Detected by the System	Retrospective Events Detected by the System	Malware Events Detected by AMP for Endpoints
Action	yes	yes	yes	no
AMP Cloud	no	no	no	yes
Application File Name	no	no	no	yes
Application File SHA256	no	no	no	yes
Application Protocol	yes	yes	no	no
Application Protocol Category or Tag	yes	yes	yes	no
Application Risk	yes	yes	yes	no
Archive Depth	yes	yes	no	yes
Archive Name	yes	yes	no	yes
Archive SHA256	yes	yes	no	yes
Business Relevance	yes	yes	yes	no
Category / File Type Category	yes	yes	no	yes
Client	yes	yes	yes	no
Client Category or Tag	yes	yes	yes	no
Count	yes	yes	yes	yes
Detection Name	no	yes	no	no
Detector	no	no	no	yes
Device	yes	yes	yes	yes
Disposition / File Disposition	yes	yes	yes	no
Domain	yes	yes	yes	yes
Event Subtype	no	no	no	yes
Event Type	no	yes	yes	yes
File Name	yes	yes	no	yes
File Path	no	no	no	yes
File Policy	yes	no	no	no
File Timestamp	no	no	no	yes
HTTP Response Code	yes	yes	no	no
IOC (Indication of Compromise)	no	yes	yes	yes
Message	yes	yes	no	yes
Receiving Continent	yes	yes	yes	no
Receiving Country	yes	yes	no	no
Receiving IP	yes	yes	no	yes
Receiving Port	yes	yes	no	no
Security Context	yes	yes	yes	yes
Sending Continent	yes	yes	yes	no
Sending Country	yes	yes	no	no
Sending IP	yes	yes	no	no
Sending Port	yes	yes	no	no
SHA256 / File SHA256	yes	yes	yes	yes
Size (KB) / File Size (KB)	yes	yes	no	yes
SSL Actual Action (search only)	yes	yes	no	no
SSL Certificate Information (search only)	yes	yes	no	no
SSL Failure Reason (search only)	yes	yes	no	no
SSL Status	yes	yes	no	no
SSL Subject/Issuer Country (search only)	yes	yes	no	no
File Storage / Stored (search only)	yes	yes	no	no
Threat Name	no	yes	yes	yes
Threat Score	yes	yes	no	no
Time	yes	yes	yes	yes
Type / File Type	yes	yes	no	yes
URI / File URI	yes	yes	no	no
User	yes	yes	no	yes
Web Application	yes	yes	yes	no
Web Application Category or Tag	yes	yes	yes	no

View Details About Analyzed Files

Tip

To see additional options, right-click a file SHA in a table on an event page. For information, see Event Investigation Using Web-Based Resources.

File Composition Report

If you configure local malware analysis or dynamic analysis, the system generates a file composition report after analyzing a file. This report allows you to further analyze files and determine whether they may carry embedded malware.

The file composition report lists file properties, any objects embedded in the file, and any detected viruses. The file composition report may also list additional information specific to that file type. When the system prunes stored files, it also prunes the associated file composition report.

To view file composition information, see Using a Network File Trajectory.

View File Details in AMP Private Cloud

If you have deployed an AMP private cloud, you can view additional details about analyzed files in your private cloud.

For more information, see the documentation for your private cloud.

Procedure

Threat Scores and Dynamic Analysis Summary Reports

Threat Scores

Table 6. Threat Score Ratings
Threat Score	Numeric Score	Icon
`Low`	0-24	Low
`Medium`	25-69	Medium
`High`	70-94	High
`Very High`	95-100	Very High

The Firepower Management Center caches a file’s threat score for the same amount of time as the file’s disposition. If the system later detects these files, it displays the cached threat scores instead of re-querying the Secure Malware Analytics Cloud or Secure Malware Analytics Appliance. You can automatically assign a malware file disposition to any file with a threat score that exceeds the defined malware threshold threat score.

Dynamic Analysis Summary

If a dynamic analysis summary is available, you can click the threat score icon to view it. If multiple reports exist, this summary is based on the most recent report matching the exact threat score. If none match the exact threat score, the report with the highest threat score is displayed. If more than one report exists, you can select a threat score to view each separate report.

The summary lists each component threat comprising the threat score. Each component threat is expandable to list the AMP cloud findings, as well as any processes related to this component threat.

The process tree shows the processes that started when the Secure Malware Analytics Cloud attempted to run the file. This can help identify whether a file that contains malware is attempting to access processes and system resources beyond what is expected (for example, running a Word document opens Microsoft Word, then starts Internet Explorer, then runs the Java Runtime Environment).

Each listed process contains a process identifier you can use to verify the actual process. Child nodes in the process tree represent processes started as a result of parent processes.

From the dynamic analysis summary, you can click View Full Report to view the full Analysis Report, detailing the AMP cloud’s full analysis, including general file information, a more in-depth review of all detected processes, a breakdown of the file analysis, and other relevant information.

Viewing Dynamic Analysis Results in the Cisco Secure Malware Analytics Cloud

Secure Malware Analytics offers more detailed reporting on analyzed files than is available in the FMC. If your organization has a Secure Malware Analytics Cloud account, you can access the Secure Malware Analytics portal directly to view additional details about files sent for analysis from your managed devices.

Before you begin

Associate your FMC with your Secure Malware Analytics Cloud account. See Enabling Access to Dynamic Analysis Results in the Public Cloud in the Firepower Management Center Device Configuration Guide.
License requirement: Malware
You must be in the global domain for this task.
You must have one of the following user roles: Admin, Access Admin, Network Admin

Procedure

Step 1

Access the Secure Malware Analytics Cloud portal at the address provided in your Secure Malware Analytics documentation.

Step 2

Step 3

View files submitted by your organization, or search for a particular file using its SHA.

If you have questions, see the Secure Malware Analytics documentation.

Using Captured File Workflows

When a managed device captures a file detected in network traffic, it logs an event.

Note

If a device captures a file containing malware, the device generates two events: a file event when it detects the file, and a malware event when it identifies malware.

Use this procedure to view a list of captured files in a table and manipulate the event view depending on the information relevant to your analysis. The page you see when you access captured files differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. You can also create a custom workflow that displays only the information that matches your specific needs.

If the system recaptures a file after a configuration change, such as an updated file policy, it updates existing information for that file.

For example, if you configure a file policy to capture files with a Malware Cloud Lookup action, the system stores the file disposition and threat score along with the file. Then, if you update your file policy, and the system recaptures the same file due to a new Detect Files action, the system updates the file's Last Changed value. However, the system does not remove the existing disposition and threat score, even though you did not perform another malware cloud lookup.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin or Security Analyst user to perform this task.

Procedure

Choose Analysis > Files > Captured Files.

Tip

In the table view of events, several fields are hidden by default. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.

Captured File Fields

The table view of captured files, which is the final page in predefined captured file workflows, and which you can add to custom workflows, includes a column for each field in the captured files table.

When searching this table keep in mind that your search results depend on the available data in the events you are searching; depending on the available data, your search constraints may not apply. For example, if a file has never been submitted for dynamic analysis, it may not have an associated threat score.

Table 7. Captured File Fields
Field	Description
Archive Inspection Status	For archive files, the status of archive inspection: Pending indicates that the system is still inspecting the archive file and its contents. If the file passes through your system again, complete information becomes available. Extracted indicates that the system was able to extract and inspect the archive’s contents. Failed may, in rare cases, occur if the system is unable to process an extraction. Depth Exceeded indicates that the archive contains further nested archive files beyond the maximum allowed depth. Encrypted indicates that the archive file’s contents are encrypted and could not be inspected. Not Inspectable indicates that the system did not extract and inspect the archive’s contents. Policy rule actions, policy configuration, and corrupted files are three major reasons for this status. To view the contents of an archive file, right-click on its row in the table to bring up the context menu, then choose View Archive Contents.
Category	The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.
Detection Name	The name of the detected malware.
Disposition	The file’s AMP for Networks disposition: Malware indicates that local malware analysis identified malware, the AMP cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy. Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file. Custom Detection indicates that a user added the file to the custom detection list. Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior. N/A indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.
Domain	The domain where the captured file was detected. This field is only present if you have ever configured the FMC for multitenancy.
Dynamic Analysis Status	One or more of the following values indicating whether the file was submitted for dynamic analysis: Analysis Complete — file submitted for dynamic analysis that received a threat score and dynamic analysis summary report Capacity Handled — file stored because it could not be submitted currently Capacity Handled (Network Issue) — file stored because it could not be submitted due to a network connectivity issue Capacity Handled (Rate Limit) — file stored because it could not be submitted due to the maximum number of submissions reached Device Not Activated — file not submitted because the device is not activated on the on-premises Secure Malware Analytics Appliance. If you see this status, contact Support. Failure (Analysis Timeout) — file submitted for which the AMP cloud has yet to return a result Failure (Cannot Run File) — file submitted that the AMP cloud could not run in the test environment Failure (Network Issue) — file that did not get submitted due to a network connectivity failure Not Sent for Analysis — file not submitted Not Suspicious (Not Sent For Analysis) — file pre-classified as non-malware Previously Analyzed — file with a cached threat score, indicating that it has been previously sent Rejected for Analysis — based on static analysis, the file is unlikely to pose a risk, for example because it includes no dynamic elements. Sent for Analysis — file pre-classified as malware and queued for dynamic analysis
Dynamic Analysis Status Changed	The last time the file's dynamic analysis status changed.
File Name	The most recently detected file name associated with the file’s SHA-256 hash value.
Last Changed	The last time the information associated with this file was updated.
Last Sent	The time the file was most recently submitted to the AMP cloud for dynamic analysis.
Local Malware Analysis Status	One of the following values indicating whether the system performed local malware analysis on a file: Analysis Complete — the system inspected the file using local malware analysis and pre-classified the file Analysis Failed — the system attempted to inspect the file using local malware analysis and failed Manual Request Submitted — a user submitted a file for local malware analysis Not Analyzed — the system did not inspect the file with local malware analysis
SHA256	The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition. To view the network file trajectory, click the trajectory icon.
Storage Status	Indicates whether the file is stored on a managed device: File Stored Not Stored (Disposition Was Pending)
Threat Score	The threat score most recently associated with this file. To view the Dynamic Analysis Summary report, click the threat score icon.
Type	The type of file; for example, HTML or MSEXE.

Stored Files Download

Once a device stores a file, as long as the Firepower Management Center can communicate with that device and it has not deleted the file, you can download the file to a local host for long-term storage and analysis, and manually analyze the file. You can download a file from any associated file event, malware event, captured file view, or the file’s trajectory.

Because malware is harmful, by default, you must confirm every file download. However, you can disable the confirmation in your User Preferences.

Because files with a disposition of Unknown may contain malware, when you download a file, the system first archives the file in a .zip package. The .zip file name contains the file disposition and file type, if available, and SHA-256 hash value. You can password-protect the .zip file to prevent accidental unpacking. You can edit or remove the default .zip file password in your User Preferences.

Caution

Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

Manually Submit Files for Analysis

When you manually submit files for analysis, the system runs local analysis, then submits these files to the cloud for dynamic analysis. However, if local analysis is not enabled in a file policy, and you manually submit a file for analysis, the file will only be sent for dynamic analysis.

In addition to executable files, you can also submit file types not eligible for automatic submission, such as .swf, .jar, and others. This allows you to more quickly analyze a broad range of files, regardless of disposition, and pinpoint the exact causes of an incident.

Note

The system checks the AMP cloud for updates (no more than once a day) to the list of file types eligible for dynamic analysis and the minimum and maximum file sizes you can submit.

Depending on the situation, there are two ways to submit files for analysis:

Before you begin

In order to manually submit captured files for analysis, one or more file rules must be configured to store files. For information, see the Network Malware Protection and File Policies chapter in the Firepower Management Center Device Configuration Guide.

Procedure

Step 1

To submit a single file for analysis:

Select one of the following:
- Analysis > Files > File Events
- Analysis > Files > Malware Events
- Analysis > Files > Captured Files
Click Table View of <Event type or files>.
Right-click a file in the table and select Analyze File.

Step 2

To submit multiple captured files for analysis (up to 25 at a time):

Select Analysis > Files > Captured Files
Select the checkbox beside each file to analyze.
Click Analyze.

Network File Trajectory

The network file trajectory feature maps how hosts transferred files, including malware files, across your network. A trajectory charts file transfer data, the disposition of the file, and if a file transfer was blocked or the file was quarantined. You can determine which hosts and users may have transferred malware, which hosts are at risk, and observe file transfer trends.

You can track the transmission of any file with a AMP cloud-assigned disposition. The system can use information related to detecting and blocking malware from both AMP for Networks and AMP for Endpoints to build the a trajectory.

Recently Detected Malware and Analyzed Trajectories

The Network File Trajectory List page displays the malware most recently detected on your network, as well as the files whose trajectory maps you have most recently viewed. From these lists, you can view when each file was most recently seen on the network, the file’s SHA-256 hash value, name, type, current file disposition, contents (for archive files), and the number of events associated with the file.

The page also contains a search box that lets you locate files, either based on SHA-256 hash value or file name, or by the IP address of the host that transferred or received a file. After you locate a file, you can click the File SHA256 value to view the detailed trajectory map.

Network File Trajectory Detailed View

You can trace a file through the network by viewing the detailed network file trajectory. Search for a file's SHA 256 value or click a File SHA 256 link in the Network File Trajectory list to view details about that file.

The network file trajectory details page has three parts:

Summary Information — A file’s trajectory page displays summary information about the file, including file identification information; when the file was first seen and most recently seen on the network, and by what user; the number of related events and hosts associated with the file; and the file’s current disposition. From this section, if the managed device stored the file, you can download it locally, submit the file for dynamic analysis, or add the file to a file list.
Trajectory Map — A file’s trajectory map visually tracks a file from the first detection on your network to the most recent. The map shows when hosts transferred or received the file, how often they transferred the file, and when the file was blocked or quarantined. Vertical lines between data points represent file transfers between hosts. Horizontal lines connecting the data points show a host’s file activity over time.

The map also shows how often file events occurred for the file and when the system assigned the file a disposition or retrospective disposition. You can select a data point in the map and highlight a path that traces back to the first instance the host transferred that file; this path also intersects with every occurrence involving the host as either sender or receiver of the file, and identifies the user involved.
Related Events — The Events table lists event information for each data point in the map. Using the table and the map, you can pinpoint specific file events, hosts and users on the network that transferred or received this file, related events in the map, and other related events in a table constrained on selected values.

Network File Trajectory Summary Information

The following summary information appears at the top of the details page for a file that appears in the Network File Trajectory list.

Tip

To view related file events, click a field value link. The first page in the File Events default workflow opens in a new window, displaying all file events that also contain the selected value.

Table 8. Network File Trajectory Summary Information Fields
Name	Description
Archive Contents	For inspected archive files, the number of files the archive contains.
Current Disposition	One of the following AMP for Networks file dispositions: `Malware` indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy. `Clean` indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. `Unknown` indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file. `Custom Detection`indicates that a user added the file to the custom detection list. `Unavailable` indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior. `N/A` indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.
Detection Name	Name of the malware detected by local malware analysis.
Event Count	The number of events seen on the network associated with the file, and the number of events displayed in the map if there are more than 250 detected events.
File Category	The general categories of file type, for example, `Office Documents` or `System Files`.
File Names	The names of the file associated with the event, as seen on the network. If multiple file names are associated with a SHA-256 hash value, the most recent detected file name is listed. You can expand this to view the remaining file names by clicking `more`.
File SHA256	The SHA-256 hash value of the file. The hash is displayed by default in a condensed format. To view the full hash value, hover your pointer over it. If multiple SHA-256 hash values are associated with a file name, hover your pointer over the link to view all of the hash values.
File Size (KB)	The size of the file, in kilobytes.
File Type	The file type of the file, for example, `HTML` or `MSEXE`.
First Seen	The first time AMP for Networks or AMP for Endpoints detected the file, as well as the IP address of the host that first uploaded the file and identifying information for the user involved.
Last Seen	The most recent time AMP for Networks or AMP for Endpoints detected the file, as well as the IP address of the host that last downloaded the file and identifying information for the user involved.
Parent Application	The client application accessing the malware file when detection occurred by AMP for Endpoints. These applications are not tied to network discovery or application control.
Seen On	The number of hosts that either sent or received the file. Because one host can upload and download a file at different times, the total number of hosts may not match the total number of senders plus the total number of receivers in the `Seen On Breakdown` field.
Seen On Breakdown	The number of hosts that sent the file, followed by the number of hosts that received the file.
Threat Name	Name of the threat associated with the detected malware by AMP for Endpoints.
Threat Score	The file’s threat score.

Network File Trajectory Map and Related Events List

The file trajectory map’s y-axis contains a list of all host IP addresses that have interacted with the file. The IP addresses are listed in descending order based on when the system first detected the file on that host. Each row contains all events associated with that IP address, whether a single file event, file transfer, or retrospective event. The x-axis contains the date and time the system detected each event. The timestamps are listed in chronological order. If multiple events occurred within a minute, all are listed within the same column. You can scroll the map horizontally and vertically to view additional events and IP addresses.

The map displays up to 250 events associated with the file SHA-256 hash. If there are more than 250 events, the map displays the first 10, then truncates extra events with an Arrow. The map then displays the remaining 240 events.

The first page of the File Events default workflow appears in a new window with all the extra events constrained based on the file type. If malware events generated by AMP for Endpoints are not displayed, you must switch to the Malware Events table to view these.

Each data point represents an event plus the file disposition, as described in the legend below the map. For example, a Malware Block event icon combines the Malicious Disposition icon and the Block Event icon.

Malware events generated by AMP for Endpoints ("endpoint-based malware events") include one icon. A retrospective event displays an icon in the column for each host on which the file is detected. File transfer events always include two icons, one file send icon and one file receive icon, connected by a vertical line. Arrows indicate the file transfer direction from sender to receiver.

To track a file’s progress through the network, you can click any data point to highlight a path that includes all data points related to the selected data point. This includes data points associated with the following types of events:

any file transfers in which the associated IP address was either sender or receiver
any malware events generated by AMP for Endpoints ("endpoint-based malware events") involving the associated IP address
if another IP address was involved, all file transfers in which that associated IP address was either sender or receiver
if another IP address was involved, any malware events generated by AMP for Endpoints ("endpoint-based malware events") involving the other IP address

All IP addresses and timestamps associated with any highlighted data point are also highlighted. The corresponding event in the Events table is also highlighted. If a path includes truncated events, the path itself is highlighted with a dotted line. Truncated events might intersect the path, but are not displayed in the map.

Using a Network File Trajectory

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Tip

If your organization has deployed AMP for Endpoints, that product also has a network file trajectory feature. To pivot from FMC to AMP for Endpoints, see Work with Event Data in the AMP for Endpoints Console. For details about the file trajectory feature in AMP for Endpoints, see the AMP for Endpoints documentation.

Before you begin

If you are using AMP for Networks, you need the Malware license.

You must be an Admin or Security Analyst user to perform this task.

Procedure

Step 1

Choose Analysis > Files > Network File Trajectory.

Tip

You can also access a file’s trajectory from the Context Explorer, dashboard, or event views with file information.

Step 2

Click a File SHA 256 link in the list.

Step 3

Optionally, enter a complete SHA-256 hash value, the host IP address, or the name of a file you want to track into the search field, and press Enter.

Tip

If only one result matches, the Network File Trajectory page for that file appears.

Step 4

In the Summary Information section, you can:

Add a file to a file list — To add a file or remove a file from the clean list or custom detection list, click Edit ().
Download a file — To download a file, click Download (), and if prompted, confirm you want to download the file. If the file is unavailable for download, this download file is dimmed.
Report — Click threat score to view the Dynamic Analysis Summary report.
Submit for dynamic analysis — Click AMP Cloud to submit the file for dynamic analysis. If the file is unavailable for submission or you cannot connect to the AMP cloud, this AMP cloud is dimmed.
View archive contents — To view information about an archive file’s contents, click View ().
View file composition — To view a file's composition, click File List. If the system has not generated a file composition report, this file list is dimmed.
View captured files with same threat score — Click the threat score link to view all captured files with that threat score.

Note

Step 5

On the trajectory map, you can:

Locate the first instance — Click an IP address to locate the first time a file event occurred involving an IP address. This highlights a path to that data point, as well as any intervening file events and IP addresses related to the first file event. The corresponding event in the Events table is also highlighted. The map scrolls to that data point if not currently visible.
Track — Click any data point to highlight a path that includes all data points related to the selected data point, tracking a file’s progress through the network.
View hidden events — Click arrow to view all events not displayed in the File Summary event view.
View matching file events — Hover your pointer over the Matching File Event to view summary information for the event. If you click any event summary information link, the first page of the File Events default workflow appears in a new window with all the extra events constrained based on the file type. The File Summary event view opens in a new window, displaying all file events that match on the criteria value you clicked.

Step 6

In the Events table, you can:

Highlight — Choose a table row to highlight a data point in the map. The map scrolls to display the selected file event if not currently visible.
Sort — Click the column headers to sort events in ascending or descending order.

Work with Event Data in the AMP for Endpoints Console

If your organization has deployed AMP for Endpoints, you can view malware event data in the AMP for Endpoints console, and use that application's global network file trajectory tool.

Tip

For information about using AMP for Endpoints and its console, see the online help in the console or other documentation available from https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-series-home.html

To access the AMP for Endpoints console from the Firepower Management Center, do one of the following:

Before you begin

The connection to AMP for Endpoints must be configured (see Integrate Firepower and AMP for Endpoints in the Firepower Management Center Device Configuration Guide) and Firepower Management Center must be able to connect to the AMP cloud.
You will need your AMP for Endpoints credentials.
You must be an Admin user to perform this task.
If you want to pivot from a malware event in FMC, ensure that the AMP for Endpoints contextual cross-launch options are properly enabled. See topics under Event Investigation Using Web-Based Resources.

Procedure

Step 1

Method 1:

Choose AMP > AMP Management.
Click the cloud name in the table.

Step 2

Method 2:

Navigate to a malware event in a table under Analysis > Files.
Right-click a file SHA and choose the AMP for Endpoints option.

History for File and Malware Events and Network File Trajectory


Feature	Minimum FMC	Minimum FTD	Details
Improved preclassification of files for dynamic analysis.	6.7	Any	Additional assessment avoids unnecessary sending of files for dynamic analysis. The new Dynamic Analysis Status for files not sent to the cloud based on this assessment is Rejected for Analysis. New/modified screens: Analysis > Captured Files > Table View of Captured Files
Unique identifier for connection events in syslogs.	6.4.0.4	Any	The following syslog fields collectively uniquely identify a connection event and appear in syslogs for file and malware events: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
Send file and malware events via syslog.	6.4	Any	Field descriptions in this chapter specify the fields included in syslog messages. For configuration information, see Configuration Locations for Syslogs for File and Malware Events.

Firepower Management Center Administration Guide, 7.1

Bias-Free Language

Results

Chapter: File/Malware Events and Network File Trajectory

File/Malware Events and Network File Trajectory

About File/Malware Events and Network File Trajectory

File and Malware Events

File and Malware Event Types

File Events

Malware Events

File Disposition and File Action in Malware Events

Retrospective Malware Events

Malware Events Generated by AMP for Endpoints

Malware Event Analysis with AMP for Endpoints

Event Data from AMP for Endpoints

Related Topics

Using File and Malware Event Workflows

Procedure

File and Malware Event Fields

Action (Syslog: FileAction)

AMP Cloud

Application File Name

Application File SHA256

Application Protocol (Syslog: ApplicationProtocol)

Application Protocol Category or Tag

Application Risk

Archive Depth (Syslog: ArchiveDepth)

Archive Name (Syslog: ArchiveFileName)

Archive SHA256 (Syslog: ArchiveSHA256)

ArchiveFileStatus (Syslog Only)

Business Relevance

Category / File Type Category

Client (Syslog: Client)

Client Category or Tag

Connection Counter (Syslog Only)

Connection Instance ID (Syslog Only)

Count

Detection Name

Detector

Device

DeviceUUID (Syslog Only)

Disposition / File Disposition (Syslog: SHA_Disposition)

Domain

DstIP (Syslog Only)

DstPort (Syslog Only)

Egress Virtual Router

Event Subtype

Event Type

File Name (Syslog: FileName)

File Path

File Policy (Syslog: FilePolicy)

File Storage / Stored (Syslog: FileStorageStatus)

File Timestamp

FileDirection (Syslog Only)

FileSandboxStatus (Syslog Only)

First Packet Time (Syslog Only)

FirstPacketSecond (Syslog Only)

HTTP Response Code

Ingress Virtual Router

IOC

Message

Protocol (Syslog Only)

Receiving Continent

Receiving Country

Receiving IP

Receiving Port

Security Context (Syslog: Context)

Sending Continent

Sending Country

Sending IP

Sending Port

SHA256 / File SHA256 (Syslog: FileSHA256)

Size (KB) / File Size (KB) (Syslog: FileSize)

SperoDisposition (Syslog Only)

SrcIP (Syslog Only)

SrcPort (Syslog Only)

SSL Actual Action (Syslog: SSLActualAction)

SSL Certificate Information

SSL Failure Reason (Syslog: SSLFlowStatus)

SSL Status