Investigation: Examine Scan Files and Events in List Form

Document created by RSA Information Design and Development on Jul 22, 2016
Version 1Show Document
  • View in full screen mode
 

This topic provides instructions for viewing files associated with an event in the Security Analytics Malware Analysis Files List.

When viewing the Summary of Events in a Security Analytics Malware Analysis scan, you can click a file count or an event count to view the Files List or the Events List for the scan (see Begin a Malware Analysis Investigation). In the Files List and Events List, you can search for a file by filename or MD5 file hash, sort the list using two criteria and ascending or descending order, and download files. When you find an event or file of interest in the Events List or Files List, you can view many details about the event in the Event Details view.

104MwEventsList.png

For each event in the Events List, Security Analytics provides the following information:

  • Flagged as a High Confidence event, which is considered likely to contain Indicators of Compromise.
  • The numeric score for each scoring module: Static, Network, Community, and Sandbox.
  • Antivirus vendor scores.
  • The Influenced by customized rule flag.
  • The date the event was archived.
  • The session time.
  • The MD5 hash filter.
  • The number of files in the event.
  • The source IP address of the event.
  • The Identity.
  • The destination IP address.
  • The destination country.
  • The name of the alias host.
  • The event type, for example, Network.
  • The service used by the event.
  • The destination organization

104FilesList.png

For each file in the Files List, Security Analytics provides the following information:

  • Flagged as a High Confidence event, which is considered likely to contain Indicators of Compromise.
  • The numeric score for each scoring module: Static, Network, Community, and Sandbox.
  • Antivirus vendor scores.
  • The filename.
  • The file type.
  • The MD5 hash filter.
  • The source IP address of the event that contained the file.
  • The destination IP address.
  • The date the event that contained the file was archived.
  • The file size.

Sort the Files List or Events List

You can sort the Files List and Events List by column name in ascending and descending order. You can choose one or two columns.

To sort the list:

  1. In the first Sort By drop-down list, choose a column name and sort direction: SortDes.png for descending order or 104SrtAsc.png for ascending order.
  2. (Optional) In the second Sort By drop-down list, choose a column name, and sort direction, SortDes.png for descending order or 104SrtAsc.png for ascending order.
    The column titles reflect the selected sort order. In the following example, the Hash column is sorted in ascending order and the Size column is sorted in descending order.
    104FilesLstSorted.png

Filter the List by Filename or MD5 File Hash

You can filter the Files List and Events List by filename or file hash. With this feature, you can specify a limited subset of the original data based on the search criteria.

Note: When you perform a search, you search the scan that you are currently displaying, not all scans.

  1. Click ic-filtbutton.png.
    The Filter dialog is displayed.
  2. Enter a value in File Name or MD5 Hash and click Filter. The File Name and Hash field are not case sensitive. Wild card or regular expressions are not supported. The filter is based on exact matches. You can drag across a filename or hash to select from the Files list or Events list, then copy and paste it in the dialog.
    104MWHashPaste.png
  3. Click Filter.
    Malware Analysis filters the list to display only files or events with the selected hash
  4. To revert to the unfiltered list, click 104FilterIcon.png. When the Filter dialog is displayed, click Reset.

Download Files from the Files List

Security Analytics lets you select and download files from the Files List or the Events List.

Caution: Use caution when downloading files from Malware Analysis; some files may contain harmful code. File Download is a specific permission that can be configured, refer to "Define Roles and Permissions for Malware Analysts" in the Malware Analysis Configuration Guide for more details.

To download files from the Files List or Events List:

  1. In the Files List or Events List, select the checkbox next to one or more rows.
  2. In the toolbar, select 104DnLdFilesIcon.png.
    The Malware File Download dialog is displayed.
  3. Do one of the following:
    1. If you decide not to download the file, click Cancel.
    2. If you want to download the file, select click the Download button.
      The file or files selected are downloaded in a zip archive with the name Malware_Files.zip.

Delete Events from the Scan

In the Events List, you select one or more events and delete them from the scan. This is useful for removing events that are not of interest.

To remove an event from the scan being viewed:

  1. In the Events List, select one or more events.
  2. In the toolbar, click ic-dltevnts.png.
    Security Analytics asks for confirmation that you want to delete the events.
  3. In the confirmation dialog, click Yes.
    The selected events are deleted.

Return to the Summary of Events

To leave the Files List or Events List and return to the Summary of Events, click Back to Summary.

Open the Detailed Analysis for an Event

While you examine events or files in the Files List or Events List, you can double-click any event or file to open a detailed analysis of the event in the Events List or the event with which the file in the Files List is associated (see View Detailed Malware Analysis of an Event).

You are here: Conduct Malware Analysis > Examine Scan Files and Events in List Form

Attachments

    Outcomes