File/Malware Events and Network File Trajectory

The following topics provide an overview of file and malware events, local malware analysis, dynamic analysis, captured files, and network file trajectories.

About File/Malware Events and Network File Trajectory

File policies automatically generate file and malware events for matched traffic, and log captured file information. When a file policy generates a file or malware event, or captures a file, the system also automatically logs the end of the associated connection to the Firepower Management Center database. You can analyze this data to address any negative impacts and block future attacks.

Based on the file analysis results, you can review captured files and generated malware and file events using tables on pages available under the Analysis > Files menu. When available, you can examine a file's composition, disposition, threat score, and dynamic analysis summary report for further insight into the malware analysis.

To further target your analysis, you can use a malware file’s network file trajectory (a map of how the file traversed your network, passing among hosts, as well as various file properties) to track the spread of an individual threat across hosts over time, allowing you to concentrate outbreak control and prevention efforts where most useful.

If you configure local malware analysis or dynamic analysis in a file rule, the system preclassifies files matching the rule and generates a file composition report.

If your organization has deployed AMP for Endpoints and integrated that deployment with your Firepower Management Center, you can also import records of scans, malware detections, and quarantines, as well as indications of compromise (IOC) identified by that product. This data is displayed alongside event data gathered by Firepower for a more complete picture of malware on your network.

The Context Explorer, dashboards, and reporting features can also aid a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or alert you via email, SMTP, or syslog.


Note


To configure your system to detect malware and generate file and malware events, see File Policies and Malware Protection.


File and Malware Events

The Firepower Management Center can log various types of file and malware events. The information available for any individual event can vary depending on how and why it was generated:

  • File events represent files, including malware, detected by the Firepower system (AMP for Networks.) File events do not contain AMP for Endpoints-related fields.

  • Malware events represent malware detected by either AMP for Networks or AMP for Endpoints; malware events can also record data other than threats from your AMP for Endpoints deployment, such as scans and quarantines.

  • Retrospective malware events represent files detected by AMP for Networks whose dispositions (whether the files are malware) have changed.


Note


  • Files identified as malware by AMP for Networks generate both a file event and a malware event. Malware events generated by AMP for Endpoints do not have corresponding file events.

  • File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session.

  • The Firepower System supports the display and input of file names that use Unicode (UTF-8) characters. However, Unicode file names appear in PDF reports in transliterated form. Additionally, the SMB protocol replaces unprintable characters in file names with periods.


File and Malware Event Types

File Events

The system logs the file events generated when a managed device detects or blocks a file in network traffic, according to the rules in currently deployed file policies.

When the system generates a file event, the system also logs the end of the associated connection to the Firepower Management Center database, regardless of the logging configuration of the invoking access control rule.

Malware Events

The Firepower system (specifically the AMP for Networks feature) generates malware events when it detects malware in network traffic as part of your overall access control configuration. Malware events contain the disposition of the resulting event and contextual data about how, where, and when the malware was detected.

Table 1. Malware Event Generation Scenarios

When the system detects a file and...

Disposition

successfully queries the AMP cloud (performs a malware cloud lookup) for the file’s disposition

Malware, Clean, or Unknown

queries the AMP cloud but cannot establish a connection or the cloud is otherwise unavailable

Unavailable

You may see a small percentage of events with this disposition; this is expected behavior.

the threat score associated with a file exceeds the malware threshold threat score defined in the file policy that detected the file, or local malware analysis identifies malware

Malware

it is on the custom detection list (manually marked as malware)

Custom Detection

it is on the on the clean list (manually marked as clean),

Clean

File Disposition and File Action in Malware Events

Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. If you select Block Malware or Malware Cloud Lookup as file rule action, the system queries the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats. Cloud lookup allows you to obtain and log the file's disposition based on its SHA-256 hash value.

The following table describes the file action that associates with the file disposition returned by the AMP cloud:

Table 2. File Disposition and File Action in Malware Events

File Rule Action Selected

File Disposition

File Action in the Malware Event

  • Block Malware

  • Malware Cloud Lookup

Malware

Block

  • Clean

  • Unknown

  • Unavailable

  • NA

Cloud Lookup

Note

 

Under the file policy editor Advanced Settings, you can set a threshold threat score for If AMP Cloud disposition is Unknown, override disposition based upon threat score option. If you set a threshold threat score, files with an AMP cloud verdict of Unknown are considered malware if their dynamic analysis score is equal to or worse than the threshold.

Retrospective Malware Events

For malware detected in network traffic, dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system. Then, two things happen:

  • The Firepower Management Center generates a new retrospective malware event.

    This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Firepower Management Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.

  • The Firepower Management Center changes the file disposition for previously detected files with the retrospective event’s associated SHA-256 hash value.

    If a file’s disposition changes to Malware, the Firepower Management Center logs a new malware event to its database. Except for the new disposition, the information in this new malware event is identical to that in the file event generated when the file was initially detected.

    If a file’s disposition changes to Clean, the Firepower Management Center does not delete the malware event. Instead, the event reflects the change in disposition. This means that files with clean dispositions can appear in the malware table, but only if they were originally thought to be malware. Files that were never identified as malware appear only in the files table.

Malware Events Generated by AMP for Endpoints

If your organization uses AMP for Endpoints, individual users install lightweight connectors on endpoints: computers and mobile devices. Connectors can inspect files upon upload, download, execution, open, copy, move, and so on. These connectors communicate with the AMP cloud to determine if inspected files contain malware.

When a file is positively identified as malware, the AMP cloud sends the threat identification to the Firepower Management Center. The AMP cloud can also send other kinds of information to the Firepower Management Center, including data on scans, quarantines, blocked executions, and cloud recalls. The Firepower Management Center logs this information as malware events.


Note


The IP addresses reported in malware events generated by AMP for Endpoints may not be in your network map—and may not even be in your monitored network at all. Depending on your deployment, level of compliance, and other factors, endpoints in your organization monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks.


Malware Event Analysis with AMP for Endpoints

If your organization has deployed Cisco AMP for Endpoints:

  • You can configure the system to display malware events detected by AMP for Endpoints on Firepower Management Center event pages, alongside events detected by AMP for Networks.

  • If you are using the AMP public cloud, you can view file trajectory and other information about a particular SHA in AMP for Endpoints.

To configure the above functionality, see Integrate Firepower and AMP for Endpoints.

Event Data from AMP for Endpoints

If your organization has deployed AMP for Endpoints for malware protection, you can configure the system to let you work in FMC with file and malware data from AMP for Endpoints.

However, you should be aware of the differences between file and malware data from AMP for Endpoints and file and malware data from AMP for Networks (malware protection using the Firepower system.)

Because AMP for Endpoints malware detection is performed at the endpoint at download or execution time, while managed devices detect malware in network traffic, the information in the two types of malware events is different. For example, malware events detected by AMP for Endpoints ("endpoint-based malware") contain information on file path, invoking client application, and so on, while malware detections in network traffic contain port, application protocol, and originating IP address information about the connection used to transmit the file.

As another example, for malware events detected by AMP for Networks ("network-based malware events"), user information represents the user most recently logged into the host where the malware was destined, as determined by network discovery. But AMP for Endpoints-reported users represent the user currently logged into the endpoint where the malware was detected.


Note


Depending on your deployment, endpoints monitored by AMP for Endpoints may not be the same hosts as those monitored by AMP for Networks. For this reason, malware events generated by AMP for Endpoints do not add hosts to the network map. However, the system uses IP and MAC address data to tag monitored hosts with indications of compromise obtained from your AMP for Endpoints deployment. If two different hosts monitored by different AMP solutions have the same IP and MAC address, the system can incorrectly tag monitored hosts with AMP for Endpoints IOCs.


The following table summarizes the differences between the event data generated by Firepower when using a Malware license, and event data generated by AMP for Endpoints.

Table 3. Summary of Data Differences Between AMP Products

Feature

AMP for Networks

AMP for Endpoints

Events generated

File events, captured files, malware events, and retrospective malware events

Malware events

Information in malware events

Basic malware event information, plus connection data (IP address, port, and application protocol)

In-depth malware event information; no connection data

Network file trajectory

FMC-based

FMC and the AMP for Endpoints management console each have a network file trajectory. Both are useful.

Related Topics

Integrate Firepower and AMP for Endpoints

Using File and Malware Event Workflows

Use this procedure to view file and malware events in a table and to manipulate the event view depending on the information relevant to your analysis. The page you see when you access events differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. You can also create a custom workflow that displays only the information that matches your specific needs.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

You must be an Admin or Security Analyst user to perform this task.

Procedure


Choose one of the following:

  • Analysis > Files > File Events
  • Analysis > Files > Malware Events

Tip

 

In the table view of events, several fields are hidden by default. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.

Tip

 

To quickly view the connections where specific files were detected, choose the files using the check boxes in the table, then choose Connections Events from the Jump to drop-down list.

Tip

 

Right-click an item in the table to see options. (Not every column offers options.)


File and Malware Event Fields

File and malware events, which you can view and search using workflows, contain the fields listed in this section. Keep in mind that the information available for any individual event can vary depending on how and why it was generated.


Note


Files identified as malware by AMP for Networks generate both a file event and a malware event. Malware events generated by AMP for Endpoints do not have corresponding file events, and file events do not have AMP for Endpoints-related fields.


Action

The action associated with file policy rule that detected the file, and any associated file rule action options.

AMP Cloud

The name of the AMP cloud where the AMP for Endpoints event originated.

Application File Name

The client application accessing the malware file when AMP for Endpoints detection occurred. These applications are not tied to network discovery or application control.

Application File SHA256

The SHA-256 hash value of the parent file accessing the AMP for Endpoints-detected or quarantined file when detection occurred.

Application Protocol

The application protocol used by the traffic in which a managed device detected the file.

Application Protocol Category or Tag

The criteria that characterize the application to help you understand the application's function.

Application Risk

The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those.

Archive Depth

The level (if any) at which the file was nested in an archive file.

Archive Name

The name of the archive file (if any) which contained the malware file.

To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on the archive file’s table row to open the context menu, then click View Archive Contents.

Archive SHA256

The SHA-256 hash value of the archive file (if any) which contains the malware file.

To view the contents of an archive file, go to any table under Analysis > Files that lists the archive file, right-click on that archive file’s table row to open the context menu, then click View Archive Contents.

Business Relevance

The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.

Category / File Type Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Client

The client application that runs on one host and relies on a server to send a file.

Client Category or Tag

The criteria that characterize the application to help you understand the application's function.

Count

After you apply a constraint that creates two or more identical rows, the number of events that match the information in each row.

Detection Name

The name of the detected malware.

Detector

The AMP for Endpoints detector that identified the malware, such as ClamAV, Spero, or SHA.

Device

For file events and for malware events generated by Firepower devices, the name of the device that detected the file.

For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the name of the Firepower Management Center.

Disposition / File Disposition

The file’s disposition:

Malware

Indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.

Clean

Indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list. Clean files appear in the malware table only if they were changed to clean.

Unknown

Indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.

Custom Detection

Indicates that a user added the file to the custom detection list.

Unavailable

Indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.

N/A

Indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.

File dispositions appear only for files for which the system queried the AMP cloud.

Domain

For file events and for malware events generated by Firepower devices, the domain of the device that detected the file. For malware events generated by AMP for Endpoints and for retrospective malware events generated by the AMP cloud, the domain associated with the AMP cloud connection that reported the event.

This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Event Subtype

The AMP for Endpoints action that led to malware detection, for example, Create, Execute, Move, or Scan.

Event Type

The sub-type of malware event.

File Name

The name of the file.

File Path

The file path of the malware file detected by AMP for Endpoints, not including the file name.

File Policy

The file policy that detected the file.

File Storage / Stored (Search Only)

The storage status of the file associated with the event:

Stored

Returns all events where the associated file is currently stored.

Stored in connection

Returns all events where the system captured and stored the associated file, regardless of whether the associated file is currently stored.

Failed

Returns all events where the system failed to store the associated file.

File Timestamp

The time and date that AMP for Endpoints detected the malware file was created.

HTTP Response Code

The HTTP status code sent in response to a client's HTTP request when a file is transferred.

IOC

Whether the malware event triggered an indication of compromise (IOC) against a host involved in the connection. When AMP for Endpoints data triggers an IOC rule, a full malware event is generated, with the type AMP IOC.

Message

Additional information associated with a malware event. For file events and for malware events generated by Firepower devices, this field is populated only for files whose disposition has changed, that is, that have an associated retrospective event.

Receiving Continent

The continent of the host receiving the file.

Receiving Country

The country of the host receiving the file.

Receiving IP

For file events and for malware events generated by Firepower devices, the IP address of the host receiving the file.

See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.

For malware events generated by AMP for Endpoints, the IP address of the endpoint whose connector reported the event.

Receiving Port

The destination port used by the traffic where the file was detected.

Security Context

The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only displays this field when managing at least one ASA FirePOWER device that is running in multiple context mode.

Sending Continent

The continent of the host sending the file.

Sending Country

The country of the host sending the file.

Sending IP

The IP address of the host sending the file.

See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.

Sending Port

The source port used by the traffic where the file was detected.

SHA256 / File SHA256

The SHA-256 hash value of the file.

To have a SHA256 value, the file must have been handled by one of:

  • a Detect Files file rule with Store files enabled

  • a Block Files file rule with Store files enabled

  • a Malware Cloud Lookup file rule

  • a Block Malware file rule

  • AMP for Endpoints

This column also displays a network file trajectory icon that represents the most recently detected file event and file disposition, and that links to the network file trajectory.

Size (KB) / File Size (KB)

The size of the file, in kilobytes.

Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated. In this case, this field is blank.

SSL Actual Action (Search Only)

The action the system applied to encrypted traffic:

Block or Block with reset

Represents blocked encrypted connections.

Decrypt (Resign)

Represents an outgoing connection decrypted using a re-signed server certificate.

Decrypt (Replace Key)

Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.

Decrypt (Known Key)

Represents an incoming connection decrypted using a known private key.

Default Action

Indicates the connection was handled by the default action.

Do not Decrypt

Represents a connection the system did not decrypt.

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Certificate Information (Search Only)

The information stored on the public key certificate used to encrypt traffic, including:

  • Subject/Issuer Common Name

  • Subject/Issuer Organization

  • Subject/Issuer Organization Unit

  • Not Valid Before/After

  • Serial Number, Certificate Fingerprint

  • Public Key Fingerprint

SSL Failure Reason (Search Only)

The reason the system failed to decrypt encrypted traffic:

  • Unknown

  • No Match

  • Success

  • Uncached Session

  • Unknown Cipher Suite

  • Unsupported Cipher Suite

  • Unsupported SSL Version

  • SSL Compression Used

  • Session Undecryptable in Passive Mode

  • Handshake Error

  • Decryption Error

  • Pending Server Name Category Lookup

  • Pending Common Name Category Lookup

  • Internal Error

  • Network Parameters Unavailable

  • Invalid Server Certificate Handle

  • Server Certificate Fingerprint Unavailable

  • Cannot Cache Subject DN

  • Cannot Cache Issuer DN

  • Unknown SSL Version

  • External Certificate List Unavailable

  • External Certificate Fingerprint Unavailable

  • Internal Certificate List Invalid

  • Internal Certificate List Unavailable

  • Internal Certificate Unavailable

  • Internal Certificate Fingerprint Unavailable

  • Server Certificate Validation Unavailable

  • Server Certificate Validation Failure

  • Invalid Action

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Status

The action associated with the SSL Actual Action (SSL rule, default action, or undecryptable traffic action) that logged the encrypted connection. The Lock icon links to TLS/SSL certificate details. If the certificate is unavailable (for example, for connections blocked due to TLS/SSL handshake error), the lock icon is grayed out.

If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action (undecryptable traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

When searching this field, type one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.

SSL Subject/Issuer Country (Search Only)

The two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.

Threat Name

The name of the detected malware.

Threat Score

The threat score most recently associated with this file. This is a value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

The threat score icon links to the Dynamic Analysis Summary report.

Time

The date and time the event was generated. This field is not searchable.

Type / File Type

The type of file, for example, HTML or MSEXE.

URI / File URI

The URI of the connection associated with the file transaction, for example, the URL from which a user downloaded the file.

User

The username associated with the IP address that initiated the connection. If this IP address is external to your network, the associated username is typically unknown.

For file events and for malware events generated by Firepower devices, this field displays the username that was determined by an identity policy or authoritative logins. In absence of an identity policy, it displays No Authentication Required.

For malware events generated by AMP for Endpoints, AMP for Endpoints determines user names. These users cannot be tied to user discovery or control. They do not appear in the Users table, nor can you view details for these users.

Web Application

The application that represents the content or requested URL for HTTP traffic detected in the connection.

Web Application Category or Tag

Criteria that characterize the application to help you understand the application's function.

Malware Event Sub-Types

The following table lists the malware event subtypes, whether a malware event generated by AMP for Networks (a "network-based malware event") or AMP for Endpoints (an "endpoint-based malware event") can have that subtype, and whether the system uses that subtype to build network file trajectories.

Table 4. Malware Event Types

Malware Event Subtype/Search Value

AMP for Networks

AMP for Endpoints

File Trajectory

Threat Detected in Network File Transfer

yes

no

yes

Threat Detected in Network File Transfer (retrospective)

yes

no

yes

Threat Detected

no

yes

yes

Threat Detected in Exclusion

no

yes

yes

Threat Quarantined

no

yes

yes

AMP IOC (Indications of compromise)

no

yes

no

Blocked Execution

no

yes

no

Cloud Recall Quarantine

no

yes

no

Cloud Recall Quarantine Attempt Failed

no

yes

no

Cloud Recall Quarantine Started

no

yes

no

Cloud Recall Restore from Quarantine

no

yes

no

Cloud Recall Restore from Quarantine Failed

no

yes

no

Cloud Recall Restore from Quarantine Started

no

yes

no

Quarantine Failure

no

yes

no

Quarantined Item Restored

no

yes

no

Quarantine Restore Failed

no

yes

no

Quarantine Restore Started

no

yes

no

Scan Completed, No Detections

no

yes

no

Scan Completed With Detections

no

yes

no

Scan Failed

no

yes

no

Scan Started

no

yes

no

Information Available in File and Malware Event Fields

The following table lists whether the system displays information for each file and malware event field.

If your organization has deployed AMP for Endpoints and integrated that product with your Firepower deployment:

  • Malware events and indications of compromise (IOCs) imported from your AMP for Endpoints deployment do not contain contextual connection information, but they do include information obtained at download or execution time, such as file path, invoking client application, and so on.

  • File event table views do not display AMP for Endpoints-related fields.

Table 5. Information Available in File and Malware Event Fields

Field

File Event

Malware Events Detected by the Firepower System

Retrospective Events Detected by the Firepower System

Malware Events Detected by AMP for Endpoints

Action

yes

yes

yes

no

AMP Cloud

no

no

no

yes

Application File Name

no

no

no

yes

Application File SHA256

no

no

no

yes

Application Protocol

yes

yes

no

no

Application Protocol Category or Tag

yes

yes

yes

no

Application Risk

yes

yes

yes

no

Archive Depth

yes

yes

no

yes

Archive Name

yes

yes

no

yes

Archive SHA256

yes

yes

no

yes

Business Relevance

yes

yes

yes

no

Category / File Type Category

yes

yes

no

yes

Client

yes

yes

yes

no

Client Category or Tag

yes

yes

yes

no

Count

yes

yes

yes

yes

Detection Name

no

yes

no

no

Detector

no

no

no

yes

Device

yes

yes

yes

yes

Disposition / File Disposition

yes

yes

yes

no

Domain

yes

yes

yes

yes

Event Subtype

no

no

no

yes

Event Type

no

yes

yes

yes

File Name

yes

yes

no

yes

File Path

no

no

no

yes

File Policy

yes

no

no

no

File Timestamp

no

no

no

yes

HTTP Response Code

yes

yes

no

no

IOC (Indication of Compromise)

no

yes

yes

yes

Message

yes

yes

no

yes

Receiving Continent

yes

yes

yes

no

Receiving Country

yes

yes

no

no

Receiving IP

yes

yes

no

yes

Receiving Port

yes

yes

no

no

Security Context

yes

yes

yes

yes

Sending Continent

yes

yes

yes

no

Sending Country

yes

yes

no

no

Sending IP

yes

yes

no

no

Sending Port

yes

yes

no

no

SHA256 / File SHA256

yes

yes

yes

yes

Size (KB) / File Size (KB)

yes

yes

no

yes

SSL Actual Action (search only)

yes

yes

no

no

SSL Certificate Information (search only)

yes

yes

no

no

SSL Failure Reason (search only)

yes

yes

no

no

SSL Status

yes

yes

no

no

SSL Subject/Issuer Country (search only)

yes

yes

no

no

File Storage / Stored (search only)

yes

yes

no

no

Threat Name

no

yes

yes

yes

Threat Score

yes

yes

no

no

Time

yes

yes

yes

yes

Type / File Type

yes

yes

no

yes

URI / File URI

yes

yes

no

no

User

yes

yes

no

yes

Web Application

yes

yes

yes

no

Web Application Category or Tag

yes

yes

yes

no

View Details About Analyzed Files


Tip


To see additional options, right-click a file SHA in a table on an event page. For information, see Event Investigation Using Web-Based Resources.


File Composition Report

If you configure local malware analysis or dynamic analysis, the system generates a file composition report after analyzing a file. This report allows you to further analyze files and determine whether they may carry embedded malware.

The file composition report lists file properties, any objects embedded in the file, and any detected viruses. The file composition report may also list additional information specific to that file type. When the system prunes stored files, it also prunes the associated file composition report.

To view file composition information, see Using a Network File Trajectory.

View File Details in AMP Private Cloud

If you have deployed an AMP private cloud, you can view additional details about analyzed files in your private cloud.

For more information, see the documentation for your private cloud.

Procedure


Sign in directly to your AMP private cloud console.


Threat Scores and Dynamic Analysis Summary Reports

Threat Scores

Table 6. Threat Score Ratings

Threat Score

Numeric Score

Icon

Low

0-24

Low

Medium

25-69

Medium

High

70-94

High

Very High

95-100

Very High

The Firepower Management Center caches a file’s threat score for the same amount of time as the file’s disposition. If the system later detects these files, it displays the cached threat scores instead of re-querying the Cisco Threat Grid cloud or an Cisco Threat Grid on-premises appliance. You can automatically assign a malware file disposition to any file with a threat score that exceeds the defined malware threshold threat score.

Dynamic Analysis Summary

If a dynamic analysis summary is available, you can click the threat score icon to view it. If multiple reports exist, this summary is based on the most recent report matching the exact threat score. If none match the exact threat score, the report with the highest threat score is displayed. If more than one report exists, you can select a threat score to view each separate report.

The summary lists each component threat comprising the threat score. Each component threat is expandable to list the AMP cloud findings, as well as any processes related to this component threat.

The process tree shows the processes that started when the Cisco Threat Grid cloud attempted to run the file. This can help identify whether a file that contains malware is attempting to access processes and system resources beyond what is expected (for example, running a Word document opens Microsoft Word, then starts Internet Explorer, then runs the Java Runtime Environment).

Each listed process contains a process identifier you can use to verify the actual process. Child nodes in the process tree represent processes started as a result of parent processes.

From the dynamic analysis summary, you can click View Full Report to view the full Analysis Report, detailing the AMP cloud’s full analysis, including general file information, a more in-depth review of all detected processes, a breakdown of the file analysis, and other relevant information.

Viewing Dynamic Analysis Results in the Cisco Threat Grid Public Cloud

Cisco Threat Grid offers more detailed reporting on analyzed files than is available in the Firepower Management Center. If your organization has an account in the Cisco Threat Grid public cloud, you can access the Cisco Threat Grid portal directly to view additional details about files sent for analysis from your managed devices.

Before you begin

  • Associate your Firepower Management Center with your Cisco Threat Grid public cloud account. See Enabling Access to Dynamic Analysis Results in the Public Cloud.

  • License requirement: Malware

  • You must be in the global domain for this task.

  • You must have one of the following user roles: Admin, Access Admin, Network Admin

Procedure


Step 1

Access the Cisco Threat Grid public cloud portal at the address provided in your Threat Grid documentation.

Step 2

Sign in with the account credentials that you used to create the association in the prerequisites to this task.

Step 3

View files submitted by your organization, or search for a particular file using its SHA.

If you have questions, see the Threat Grid documentation.


Using Captured File Workflows

When a managed device captures a file detected in network traffic, it logs an event.


Note


If a device captures a file containing malware, the device generates two events: a file event when it detects the file, and a malware event when it identifies malware.


Use this procedure to view a list of captured files in a table and manipulate the event view depending on the information relevant to your analysis. The page you see when you access captured files differs depending on the workflow, which is simply a series of pages you can use to evaluate events by moving from a broad to a more focused view. You can also create a custom workflow that displays only the information that matches your specific needs.

If the system recaptures a file after a configuration change, such as an updated file policy, it updates existing information for that file.

For example, if you configure a file policy to capture files with a Malware Cloud Lookup action, the system stores the file disposition and threat score along with the file. Then, if you update your file policy, and the system recaptures the same file due to a new Detect Files action, the system updates the file's Last Changed value. However, the system does not remove the existing disposition and threat score, even though you did not perform another malware cloud lookup.

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Before you begin

You must be an Admin or Security Analyst user to perform this task.

Procedure


Choose Analysis > Files > Captured Files.

Tip

 

In the table view of events, several fields are hidden by default. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.


Captured File Fields

The table view of captured files, which is the final page in predefined captured file workflows, and which you can add to custom workflows, includes a column for each field in the captured files table.

When searching this table keep in mind that your search results depend on the available data in the events you are searching; depending on the available data, your search constraints may not apply. For example, if a file has never been submitted for dynamic analysis, it may not have an associated threat score.

Table 7. Captured File Fields

Field

Description

Archive Inspection Status

For archive files, the status of archive inspection:

  • Pending indicates that the system is still inspecting the archive file and its contents. If the file passes through your system again, complete information becomes available.

  • Extracted indicates that the system was able to extract and inspect the archive’s contents.

  • Failed may, in rare cases, occur if the system is unable to process an extraction.

  • Depth Exceeded indicates that the archive contains further nested archive files beyond the maximum allowed depth.

  • Encrypted indicates that the archive file’s contents are encrypted and could not be inspected.

  • Not Inspectable indicates that the system did not extract and inspect the archive’s contents. Policy rule actions, policy configuration, and corrupted files are three major reasons for this status.

To view the contents of an archive file, right-click on its row in the table to bring up the context menu, then choose View Archive Contents.

Category

The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.

Detection Name

The name of the detected malware.

Disposition

The file’s AMP for Networks disposition:

  • Malware indicates that local malware analysis identified malware, the AMP cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.

  • Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.

  • Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.

  • Custom Detection indicates that a user added the file to the custom detection list.

  • Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.

  • N/A indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.

Domain

The domain where the captured file was detected. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Dynamic Analysis Status

One or more of the following values indicating whether the file was submitted for dynamic analysis:

  • Analysis Complete — file submitted for dynamic analysis that received a threat score and dynamic analysis summary report

  • Capacity Handled — file stored because it could not be submitted currently

  • Capacity Handled (Network Issue) — file stored because it could not be submitted due to a network connectivity issue

  • Capacity Handled (Rate Limit) — file stored because it could not be submitted due to the maximum number of submissions reached

  • Device Not Activated — file not submitted because the device is not activated on the on-premises Cisco Threat Grid appliance. If you see this status, contact Support.

  • Failure (Analysis Timeout) — file submitted for which the AMP cloud has yet to return a result

  • Failure (Cannot Run File) — file submitted that the AMP cloud could not run in the test environment

  • Failure (Network Issue) — file that did not get submitted due to a network connectivity failure

  • Not Sent for Analysis — file not submitted

  • Not Suspicious (Not Sent For Analysis) — file pre-classified as non-malware

  • Previously Analyzed — file with a cached threat score, indicating that it has been previously sent

  • Sent for Analysis — file pre-classified as malware and queued for dynamic analysis

Dynamic Analysis Status Changed

The last time the file's dynamic analysis status changed.

File Name

The most recently detected file name associated with the file’s SHA-256 hash value.

Last Changed

The last time the information associated with this file was updated.

Last Sent

The time the file was most recently submitted to the AMP cloud for dynamic analysis.

Local Malware Analysis Status

One of the following values indicating whether the system performed local malware analysis on a file:

  • Analysis Complete — the system inspected the file using local malware analysis and pre-classified the file

  • Analysis Failed — the system attempted to inspect the file using local malware analysis and failed

  • Manual Request Submitted — a user submitted a file for local malware analysis

  • Not Analyzed — the system did not inspect the file with local malware analysis

SHA256

The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition. To view the network file trajectory, click the trajectory icon.

Storage Status

Indicates whether the file is stored on a managed device:

  • File Stored

  • Not Stored (Disposition Was Pending)

Threat Score

The threat score most recently associated with this file.

To view the Dynamic Analysis Summary report, click the threat score icon.

Type

The type of file; for example, HTML or MSEXE.

Stored Files Download

Once a device stores a file, as long as the Firepower Management Center can communicate with that device and it has not deleted the file, you can download the file to a local host for long-term storage and analysis, and manually analyze the file. You can download a file from any associated file event, malware event, captured file view, or the file’s trajectory.

Because malware is harmful, by default, you must confirm every file download. However, you can disable the confirmation in your User Preferences.

Because files with a disposition of Unknown may contain malware, when you download a file, the system first archives the file in a .zip package. The .zip file name contains the file disposition and file type, if available, and SHA-256 hash value. You can password-protect the .zip file to prevent accidental unpacking. You can edit or remove the default .zip file password in your User Preferences.


Caution


Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.


Manually Submit Files for Analysis

When you manually submit files for analysis, the system runs local analysis, then submits these files to the cloud for dynamic analysis. However, if local analysis is not enabled in a file policy, and you manually submit a file for analysis, the file will only be sent for dynamic analysis.

In addition to executable files, you can also submit file types not eligible for automatic submission, such as .swf, .jar, and others. This allows you to more quickly analyze a broad range of files, regardless of disposition, and pinpoint the exact causes of an incident.


Note


The system checks the AMP cloud for updates (no more than once a day) to the list of file types eligible for dynamic analysis and the minimum and maximum file sizes you can submit.


Depending on the situation, there are two ways to submit files for analysis:

Before you begin

In order to manually submit captured files for analysis, one or more file rules must be configured to store files. For information, see File Policies and Malware Protection.

Procedure


Step 1

To submit a single file for analysis:

  1. Select one of the following:

    • Analysis > Files > File Events

    • Analysis > Files > Malware Events

    • Analysis > Files > Captured Files

  2. Click Table View of <Event type or files>.

  3. Right-click a file in the table and select Analyze File.

Step 2

To submit multiple captured files for analysis (up to 25 at a time):

  1. Select Analysis > Files > Captured Files

  2. Select the checkbox beside each file to analyze.

  3. Click Analyze.


Network File Trajectory

The network file trajectory feature maps how hosts transferred files, including malware files, across your network. A trajectory charts file transfer data, the disposition of the file, and if a file transfer was blocked or the file was quarantined. You can determine which hosts and users may have transferred malware, which hosts are at risk, and observe file transfer trends.

You can track the transmission of any file with a AMP cloud-assigned disposition. The system can use information related to detecting and blocking malware from both AMP for Networks and AMP for Endpoints to build the a trajectory.

Recently Detected Malware and Analyzed Trajectories

The Network File Trajectory List page displays the malware most recently detected on your network, as well as the files whose trajectory maps you have most recently viewed. From these lists, you can view when each file was most recently seen on the network, the file’s SHA-256 hash value, name, type, current file disposition, contents (for archive files), and the number of events associated with the file.

The page also contains a search box that lets you locate files, either based on SHA-256 hash value or file name, or by the IP address of the host that transferred or received a file. After you locate a file, you can click the File SHA256 value to view the detailed trajectory map.

Network File Trajectory Detailed View

You can trace a file through the network by viewing the detailed network file trajectory. Search for a file's SHA 256 value or click a File SHA 256 link in the Network File Trajectory list to view details about that file.

The network file trajectory details page has three parts:

  • Summary Information — A file’s trajectory page displays summary information about the file, including file identification information; when the file was first seen and most recently seen on the network, and by what user; the number of related events and hosts associated with the file; and the file’s current disposition. From this section, if the managed device stored the file, you can download it locally, submit the file for dynamic analysis, or add the file to a file list.

  • Trajectory Map — A file’s trajectory map visually tracks a file from the first detection on your network to the most recent. The map shows when hosts transferred or received the file, how often they transferred the file, and when the file was blocked or quarantined. Vertical lines between data points represent file transfers between hosts. Horizontal lines connecting the data points show a host’s file activity over time.

    The map also shows how often file events occurred for the file and when the system assigned the file a disposition or retrospective disposition. You can select a data point in the map and highlight a path that traces back to the first instance the host transferred that file; this path also intersects with every occurrence involving the host as either sender or receiver of the file, and identifies the user involved.

  • Related Events — The Events table lists event information for each data point in the map. Using the table and the map, you can pinpoint specific file events, hosts and users on the network that transferred or received this file, related events in the map, and other related events in a table constrained on selected values.

Network File Trajectory Summary Information

The following summary information appears at the top of the details page for a file that appears in the Network File Trajectory list.


Tip


To view related file events, click a field value link. The first page in the File Events default workflow opens in a new window, displaying all file events that also contain the selected value.


Table 8. Network File Trajectory Summary Information Fields

Name

Description

Archive Contents

For inspected archive files, the number of files the archive contains.

Current Disposition

One of the following AMP for Networks file dispositions:

  • Malware indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file’s threat score exceeded the malware threshold defined in the file policy.

  • Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.

  • Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.

  • Custom Detection indicates that a user added the file to the custom detection list.

  • Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.

  • N/A indicates a Detect Files or Block Files rule handled the file and the Firepower Management Center did not query the AMP cloud.

Detection Name

Name of the malware detected by local malware analysis.

Event Count

The number of events seen on the network associated with the file, and the number of events displayed in the map if there are more than 250 detected events.

File Category

The general categories of file type, for example, Office Documents or System Files.

File Names

The names of the file associated with the event, as seen on the network.

If multiple file names are associated with a SHA-256 hash value, the most recent detected file name is listed. You can expand this to view the remaining file names by clicking more.

File SHA256

The SHA-256 hash value of the file.

The hash is displayed by default in a condensed format. To view the full hash value, hover your pointer over it. If multiple SHA-256 hash values are associated with a file name, hover your pointer over the link to view all of the hash values.

File Size (KB)

The size of the file, in kilobytes.

File Type

The file type of the file, for example, HTML or MSEXE.

First Seen

The first time AMP for Networks or AMP for Endpoints detected the file, as well as the IP address of the host that first uploaded the file and identifying information for the user involved.

Last Seen

The most recent time AMP for Networks or AMP for Endpoints detected the file, as well as the IP address of the host that last downloaded the file and identifying information for the user involved.

Parent Application

The client application accessing the malware file when detection occurred by AMP for Endpoints. These applications are not tied to network discovery or application control.

Seen On

The number of hosts that either sent or received the file. Because one host can upload and download a file at different times, the total number of hosts may not match the total number of senders plus the total number of receivers in the Seen On Breakdown field.

Seen On Breakdown

The number of hosts that sent the file, followed by the number of hosts that received the file.

Threat Name

Name of the threat associated with the detected malware by AMP for Endpoints.

Threat Score

The file’s threat score.

Network File Trajectory Map and Related Events List

The file trajectory map’s y-axis contains a list of all host IP addresses that have interacted with the file. The IP addresses are listed in descending order based on when the system first detected the file on that host. Each row contains all events associated with that IP address, whether a single file event, file transfer, or retrospective event. The x-axis contains the date and time the system detected each event. The timestamps are listed in chronological order. If multiple events occurred within a minute, all are listed within the same column. You can scroll the map horizontally and vertically to view additional events and IP addresses.

The map displays up to 250 events associated with the file SHA-256 hash. If there are more than 250 events, the map displays the first 10, then truncates extra events with an Arrow. The map then displays the remaining 240 events.

The first page of the File Events default workflow appears in a new window with all the extra events constrained based on the file type. If malware events generated by AMP for Endpoints are not displayed, you must switch to the Malware Events table to view these.

Each data point represents an event plus the file disposition, as described in the legend below the map. For example, a Malware Block event icon combines the Malicious Disposition icon and the Block Event icon.

Malware events generated by AMP for Endpoints ("endpoint-based malware events") include one icon. A retrospective event displays an icon in the column for each host on which the file is detected. File transfer events always include two icons, one file send icon and one file receive icon, connected by a vertical line. Arrows indicate the file transfer direction from sender to receiver.

To track a file’s progress through the network, you can click any data point to highlight a path that includes all data points related to the selected data point. This includes data points associated with the following types of events:

  • any file transfers in which the associated IP address was either sender or receiver

  • any malware events generated by AMP for Endpoints ("endpoint-based malware events") involving the associated IP address

  • if another IP address was involved, all file transfers in which that associated IP address was either sender or receiver

  • if another IP address was involved, any malware events generated by AMP for Endpoints ("endpoint-based malware events") involving the other IP address

All IP addresses and timestamps associated with any highlighted data point are also highlighted. The corresponding event in the Events table is also highlighted. If a path includes truncated events, the path itself is highlighted with a dotted line. Truncated events might intersect the path, but are not displayed in the map.

Using a Network File Trajectory

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.


Tip


If your organization has deployed AMP for Endpoints, that product also has a network file trajectory feature. To pivot from FMC to AMP for Endpoints, see Work with Event Data in the AMP for Endpoints Console. For details about the file trajectory feature in AMP for Endpoints, see the AMP for Endpoints documentation.


Before you begin

If you are using AMP for Networks, you need the Malware license.

You must be an Admin or Security Analyst user to perform this task.

Procedure

Step 1

Choose Analysis > Files > Network File Trajectory.

Tip

 

You can also access a file’s trajectory from the Context Explorer, dashboard, or event views with file information.

Step 2

Click a File SHA 256 link in the list.

Step 3

Optionally, enter a complete SHA-256 hash value, the host IP address, or the name of a file you want to track into the search field, and press Enter.

Tip

 

If only one result matches, the Network File Trajectory page for that file appears.

Step 4

In the Summary Information section, you can:

  • Add a file to a file list — To add a file or remove a file from the clean list or custom detection list, click Edit (edit icon).

  • Download a file — To download a file, click Download (download icon), and if prompted, confirm you want to download the file. If the file is unavailable for download, this download file is dimmed.

  • Report — Click threat score to view the Dynamic Analysis Summary report.

  • Submit for dynamic analysis — Click AMP Cloud to submit the file for dynamic analysis. If the file is unavailable for submission or you cannot connect to the AMP cloud, this AMP cloud is dimmed.

  • View archive contents — To view information about an archive file’s contents, click View (view button).

  • View file composition — To view a file's composition, click File List. If the system has not generated a file composition report, this file list is dimmed.

  • View captured files with same threat score — Click the threat score link to view all captured files with that threat score.

Note

 

Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.

Step 5

On the trajectory map, you can:

  • Locate the first instance — Click an IP address to locate the first time a file event occurred involving an IP address. This highlights a path to that data point, as well as any intervening file events and IP addresses related to the first file event. The corresponding event in the Events table is also highlighted. The map scrolls to that data point if not currently visible.

  • Track — Click any data point to highlight a path that includes all data points related to the selected data point, tracking a file’s progress through the network.

  • View hidden events — Click arrow to view all events not displayed in the File Summary event view.

  • View matching file events — Hover your pointer over the Matching File Event to view summary information for the event. If you click any event summary information link, the first page of the File Events default workflow appears in a new window with all the extra events constrained based on the file type. The File Summary event view opens in a new window, displaying all file events that match on the criteria value you clicked.

Step 6

In the Events table, you can:

  • Highlight — Choose a table row to highlight a data point in the map. The map scrolls to display the selected file event if not currently visible.

  • Sort — Click the column headers to sort events in ascending or descending order.


Work with Event Data in the AMP for Endpoints Console

If your organization has deployed AMP for Endpoints, you can view malware event data in the AMP for Endpoints console, and use that application's global network file trajectory tool.


Tip


For information about using AMP for Endpoints and its console, see the online help in the console or other documentation available from https://www.cisco.com/c/en/us/support/security/fireamp-endpoints/tsd-products-support-series-home.html


To access the AMP for Endpoints console from the Firepower Management Center, do one of the following:

Before you begin

  • The connection to AMP for Endpoints must be configured (see Integrate Firepower and AMP for Endpoints) and Firepower Management Center must be able to connect to the AMP cloud.

  • You will need your AMP for Endpoints credentials.

  • You must be an Admin user to perform this task.

  • If you want to pivot from a malware event in FMC, ensure that the AMP for Endpoints contextual cross-launch options are properly enabled. See topics under Event Investigation Using Web-Based Resources.

Procedure


Step 1

Method 1:

  1. Choose AMP > AMP Management.

  2. Click the cloud name in the table.

Step 2

Method 2:

  1. Navigate to a malware event in a table under Analysis > Files.

  2. Right-click a file SHA and choose an AMP for Endpoints option.