File and malware events, which you can view and search using
workflows, contain the fields listed in this section. Keep in mind that the
information available for any individual event can vary depending on how and
why it was generated.
Note: Files identified as malware by malware defense generate both a file event and a malware event. Malware events generated by Secure Endpoint do not have corresponding file events, and file events do not have Secure Endpoint-related fields.
Syslog messages are populated with initial values and do not update, even if the equivalent field in the management center web interface is updated, for example with a retrospective verdict.
Action (Syslog: FileAction)
The action associated with the file policy rule that detected the file, and any associated file rule action options.
AMP Cloud
The name of the AMP cloud where the AMP for Endpoints event originated.
Application File Name
The client application accessing the malware file when AMP for Endpoints detection occurred. These applications are not tied to network discovery or application control.
Application File SHA256
The SHA-256 hash value of the parent file accessing the AMP for Endpoints-detected or quarantined file when detection occurred.
In the unified event viewer, this field appears as Application File SHA-256.
Application Protocol (Syslog: ApplicationProtocol)
The application protocol used by the traffic in which a managed device detected the file.
Application Protocol Category or Tag
The criteria that characterize the application to help you understand the application's function.
Application Risk
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each
type of application detected in the connection has an associated risk; this field displays the highest of those.
Archive Depth (Syslog: ArchiveDepth)
The level (if any) at which the file was nested in an archive file.
Archive Name (Syslog: ArchiveFileName)
The name of the archive file (if any) which contained the malware file.
To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on the archive file’s table row to open the context menu, then click View Archive Contents.
Archive SHA256 (Syslog: ArchiveSHA256)
The SHA-256 hash value of the archive file (if any) which contains the malware file.
To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on
that archive file’s table row to open the context menu, then click View Archive Contents.
ArchiveFileStatus (Syslog Only)
The status of an archive being inspected. Can have the following values:
- Pending — Archive is being inspected
- Extracted — Successfully inspected without any problems
- Failed — Failed to inspect, insufficient system resources
- Depth Exceeded — Successful, but archive exceeded the nested inspection depth
- Encrypted — Partially successful, archive was or contains an archive that is encrypted
- Not Inspectable — Partially successful, file is possibly malformed or corrupt
Business Relevance
The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or
Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the
lowest (least relevant) of those.
Category / File Type Category
The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded,
Graphics, or System Files.
Client (Syslog: Client)
The client application that runs on one host and relies on a server to send a file.
Client Category or Tag
The criteria that characterize the application to help you understand the application's function.
Connection Counter (Syslog Only)
A counter that distinguishes one connection from another simultaneous connection. This field has no significance on its own.
The following fields collectively uniquely identify the connection event associated with a particular file or malware event:
DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
Connection Instance ID (Syslog Only)
The Snort instance that processed the connection event. This field has no significance on its own.
The following fields collectively uniquely identify the connection event associated with a particular file or malware event:
DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
Count
After you apply a constraint that creates two or more identical rows, the number of events that match the information in each
row.
Detection Name
The name of the detected malware.
Detector
The AMP for Endpoints detector that identified the malware, such as ClamAV, Spero, or SHA.
Device
For file events and for malware events generated by firewall devices, the name of the device that detected the file.
For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the name
of the management center.
DeviceUUID (Syslog Only)
The unique identifier of the firewall device that generated an event.
The following fields collectively uniquely identify the connection event associated with a particular file or malware event:
DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
Disposition / File Disposition (Syslog: SHA_Disposition)
The file’s disposition:
- Malware
  Indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.
- Clean
  Indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. Clean files appear in the malware table only if they were changed to clean.
- Unknown
  Indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.
- Custom Detection
  Indicates that a user added the file to the custom detection list.
- Unavailable
  Indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.
- N/A
  Indicates a Detect Files or Block Files rule handled the file and the Secure Firewall Management Center did not query the AMP cloud.
File dispositions appear only for files for which the system queried the AMP cloud.
Syslog fields reflect only the initial disposition; they do not update to reflect retrospective verdicts.
Domain
For file events and for malware events generated by firewall devices, the domain of the device that detected the file. For malware events generated by AMP for Endpoints and for retrospective
malware events generated by the AMP cloud, the domain associated with the AMP cloud connection that reported the event.
This field is only present if you have ever configured the management center for multitenancy.
DstIP (Syslog Only)
The IP address of the host that responded to the connection. This may be the IP address of the sender or the recipient of
the file, depending on the value in the FileDirection field:
If FileDirection is Upload, then this is the IP address of the file recipient.
If FileDirection is Download, then this is the IP address of the file sender.
See also SrcIP.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
DstPort (Syslog Only)
The port used in the connection described under DstIP.
Egress Virtual Router
In networks using virtual routing, the name of the virtual router through which traffic exited the network.
Event Subtype
The AMP for Endpoints action that led to malware detection, for example, Create, Execute, Move, or Scan.
Event Type
The sub-type of malware event.
File Name (Syslog: FileName)
The name of the file.
File Path
The file path of the malware file detected by AMP for Endpoints, not including the file name.
File Policy (Syslog: FilePolicy)
The file policy that detected the file.
File Storage / Stored (Syslog: FileStorageStatus)
The storage status of the file associated with the event:
- Stored
  Returns all events where the associated file is currently stored.
- Stored in connection
  Returns all events where the system captured and stored the associated file, regardless of whether the associated file is currently stored.
- Failed
  Returns all events where the system failed to store the associated file.
Syslog fields contain only the initial status; they do not update to reflect changed status.
File Timestamp
The date and time at which, according to AMP for Endpoints, the malware file was created.
FileDirection (Syslog Only)
Whether the file was downloaded or uploaded during the connection. Possible values are Upload and Download.
FileSandboxStatus (Syslog Only)
Indicates whether the file was sent for dynamic analysis and if so, the status.
First Packet Time (Syslog Only)
The time the system encountered the first packet.
The following fields collectively uniquely identify the connection event associated with a particular file or malware event:
DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
FirstPacketSecond (Syslog Only)
The time at which the file download or upload flow started.
The time the event occurred is captured in the message header timestamp.
HTTP Response Code
The HTTP status code sent in response to a client's HTTP request when a file is transferred.
Ingress Virtual Router
In networks using virtual routing, the name of the virtual router through which traffic entered the network.
IOC
Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When AMP
for Endpoints data triggers an IOC rule, a full malware event is generated, with the type AMP IOC.
Message
Additional information associated with a malware event. For file events and for malware events generated by firewall devices, this field is populated only for files whose disposition has changed, that is, that have an associated retrospective
event.
MITRE
A count of techniques that you can click to bring up a modal, which shows the full list of MITRE tactics and techniques within
that hierarchy.
Protocol (Syslog Only)
The protocol used for the connection, for example TCP or UDP.
Receiving Continent
The continent of the host receiving the file.
Receiving Country
The country of the host receiving the file.
Receiving IP
In the management center web interface, for file events and for malware events generated by firewall devices, the IP address of the host receiving the file. See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
For malware events generated by AMP for Endpoints, the IP address of the endpoint whose connector reported the event.
For syslog equivalents (events generated by firewall devices only), see DstIP and SrcIP.
Receiving Port
In the management center web interface, the destination port used by the traffic where the file was detected.
For syslog equivalents, see DstIP and SrcIP and DstPort and SrcPort.
Sending Continent
The continent of the host sending the file.
Sending Country
The country of the host sending the file.
Sending Port
In the management center web interface, the source port used by the traffic where the file was detected.
For syslog equivalents, see DstIP and SrcIP and DstPort and SrcPort.
SHA256 / File SHA256 (Syslog: FileSHA256)
The SHA-256 hash value of the file.
To have a SHA256 value, the file must have been handled by one of:
- a Detect Files file rule with Store files enabled
- a Block Files file rule with Store files enabled
- a Malware Cloud Lookup file rule
- a Block Malware file rule
- AMP for Endpoints
This column also displays a network file trajectory icon that represents the most recently detected file event and file disposition,
and that links to the network file trajectory.
Size (KB) / File Size (KB) (Syslog: FileSize)
In the management center web interface, the size of the file, in kilobytes.
In syslog messages, the size of the file, in bytes.
Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated. In this case, this field is blank.
SperoDisposition (Syslog Only)
Indicates whether the SPERO signature was used in file analysis. Possible values:
SrcIP (Syslog Only)
The IP address of the host that initiated the connection. This may be the IP address of the sender or the recipient of the
file, depending on the value in the FileDirection field:
If FileDirection is Upload, this is the IP address of the file sender.
If FileDirection is Download, this is the IP address of the file recipient.
See also DstIP.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
SrcPort (Syslog Only)
The port used in the connection described under SrcIP.
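The following Python script is an added example, not part of the Cisco documentation or product, showing how a log pipeline would apply the rules above: it resolves SrcIP/DstIP into file sender and recipient from FileDirection, builds the four-part connection key, and converts the syslog FileSize (bytes) to the kilobytes shown in the web interface. The sample lines are constructed; the comma-separated "Key: value" layout and the key spellings ConnectionInstanceID and ConnectionCounter (for the page's Connection Instance ID and Connection Counter) are assumptions, not Cisco's actual syslog format.

```python
"""Parse constructed file event syslog lines and map them onto the field semantics."""
import re
from typing import Dict, List, Tuple

# Constructed sample messages. Key names follow the Syslog names listed on the
# page; the layout and the two Connection* spellings are assumptions.
SAMPLE_LOGS = [
    "FileAction: Malware Cloud Lookup, FileDirection: Download, SrcIP: 10.1.2.3, "
    "DstIP: 203.0.113.9, SrcPort: 51234, DstPort: 443, FileName: invoice.exe, "
    "FileSHA256: 0000000000000000000000000000000000000000000000000000000000000001, "
    "SHA_Disposition: Unknown, FileSize: 20480, "
    "DeviceUUID: aaaaaaaa-0000-0000-0000-000000000001, "
    "FirstPacketSecond: 2024-01-01T00:00:01Z, ConnectionInstanceID: 2, ConnectionCounter: 77",
    "FileAction: Block Malware, FileDirection: Upload, SrcIP: 10.1.2.3, "
    "DstIP: 198.51.100.7, SrcPort: 51240, DstPort: 80, FileName: data.zip, "
    "FileSHA256: 0000000000000000000000000000000000000000000000000000000000000002, "
    "SHA_Disposition: Malware, FileSize: 2048, "
    "DeviceUUID: aaaaaaaa-0000-0000-0000-000000000001, "
    "FirstPacketSecond: 2024-01-01T00:00:05Z, ConnectionInstanceID: 2, ConnectionCounter: 78",
]

# One "Key: value" pair; values run up to the next comma.
PAIR_RE = re.compile(r"(\w+): ([^,]*)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a message into a field dictionary."""
    return {key: value.strip() for key, value in PAIR_RE.findall(line)}


def connection_key(f: Dict[str, str]) -> Tuple[str, str, str, str]:
    """The four fields that together identify the related connection event."""
    return (f["DeviceUUID"], f["FirstPacketSecond"],
            f["ConnectionInstanceID"], f["ConnectionCounter"])


def sender_and_recipient(f: Dict[str, str]) -> Tuple[str, str]:
    """Map initiator/responder (SrcIP/DstIP) onto file sender/recipient."""
    if f["FileDirection"] == "Upload":      # initiator sends the file
        return f["SrcIP"], f["DstIP"]
    if f["FileDirection"] == "Download":    # responder sends the file
        return f["DstIP"], f["SrcIP"]
    raise ValueError(f"unexpected FileDirection {f['FileDirection']!r}")


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Normalize each message into the view an analyst expects."""
    out = []
    for line in lines:
        f = parse_line(line)
        sender, recipient = sender_and_recipient(f)
        out.append({
            "key": connection_key(f),
            "sender": sender, "recipient": recipient,
            "sha256": f["FileSHA256"], "disposition": f["SHA_Disposition"],
            "size_kb": int(f["FileSize"]) / 1024,   # syslog is bytes, UI is KB
            # Syslog carries only the initial verdict; these may change later.
            "needs_retro_check": f["SHA_Disposition"] in ("Unknown", "Unavailable"),
        })
    return out
```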
SSL Actual Action (Syslog: SSLActualAction)
The action the system applied to encrypted traffic:
- Block or Block with reset
  Represents blocked encrypted connections.
- Decrypt (Resign)
  Represents an outgoing connection decrypted using a re-signed server certificate.
- Decrypt (Replace Key)
  Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
- Decrypt (Known Key)
  Represents an incoming connection decrypted using a known private key.
- Default Action
  Indicates the connection was handled by the default action.
- Do not Decrypt
  Represents a connection the system did not decrypt.
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Certificate Information
The information stored on the public key certificate used to encrypt traffic, including:
- Subject/Issuer Common Name
- Subject/Issuer Organization
- Subject/Issuer Organization Unit
- Not Valid Before/After
- Serial Number, Certificate Fingerprint
- Public Key Fingerprint
For syslog, see SSLCertificate.
SSL Failure Reason (Syslog: SSLFlowStatus)
The reason the system failed to decrypt encrypted traffic:
- Unknown
- No Match
- Success
- Uncached Session
- Unknown Cipher Suite
- Unsupported Cipher Suite
- Unsupported SSL Version
- SSL Compression Used
- Session Undecryptable in Passive Mode
- Handshake Error
- Decryption Error
- Pending Server Name Category Lookup
- Pending Common Name Category Lookup
- Internal Error
- Network Parameters Unavailable
- Invalid Server Certificate Handle
- Server Certificate Fingerprint Unavailable
- Cannot Cache Subject DN
- Cannot Cache Issuer DN
- Unknown SSL Version
- External Certificate List Unavailable
- External Certificate Fingerprint Unavailable
- Internal Certificate List Invalid
- Internal Certificate List Unavailable
- Internal Certificate Unavailable
- Internal Certificate Fingerprint Unavailable
- Server Certificate Validation Unavailable
- Server Certificate Validation Failure
- Invalid Action
Field values are displayed in the SSL Status field on the search workflow pages.
SSL Status
The action associated with the SSL Actual Action (Decryption rule, default action, or undecryptable traffic action) that
logged the encrypted connection. The Lock icon links to TLS/SSL certificate details. If the certificate is unavailable (for example, for
connections blocked due to TLS/SSL handshake error), the lock icon is grayed out.
If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action (undecryptable traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection,
this field displays Do Not Decrypt (Unknown Cipher Suite).
When searching this field, type one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.
SSL Subject/Issuer Country
The two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.
SSLCertificate (Syslog Only)
The certificate fingerprint of the TLS/SSL server.
Threat Name (Syslog: ThreatName)
The name of the detected malware.
Threat Score (Syslog: ThreatScore)
The threat score most recently associated with this file. This is a value from 0 to 100 based on the potentially malicious
behaviors observed during dynamic analysis.
The threat score icon links to the Dynamic Analysis Summary report.
Time
The date and time the event was generated. This field is not searchable.
In syslog messages, see FirstPacketSecond.
Type / File Type (Syslog: FileType)
The type of file, for example, HTML or MSEXE.
URI / File URI (Syslog: URI)
The URI of the connection associated with the file transaction, for example, the URL from which a user downloaded the file.
User (Syslog: User)
The username associated with the IP address that initiated the connection. If this IP address is external to your network,
the associated username is typically unknown.
If applicable, the username is preceded by <realm>\.
For file events and for malware events generated by firewall devices, this field displays the username that was determined by an identity policy or authoritative logins. In absence of
an identity policy, it displays No Authentication Required.
For malware events generated by AMP for Endpoints, AMP for Endpoints determines user
names. These users cannot be tied to user discovery or control. They do not
appear in the Users table, nor can you view details for these users.
Web Application (Syslog: WebApplication)
The application that represents the content or requested URL for HTTP traffic detected in the connection.
Web Application Category or Tag
Criteria that characterize the application to help you understand the application's function.