Investigate: Malware Analysis Events List and Files List

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by RSA Information Design and Development on Oct 24, 2017
Version 8Show Document
  • View in full screen mode
 

The Malware Analysis Events List and Files List provide a detailed view of events or files. You can double-click on an event or file in either of the lists to display the Analysis Results view in a new browser tab.

To access this view, go to INVESTIGATE > Malware Analysis > Select a Malware Analysis Service dialog. Select a service from the left panel, then select a job from the right panel, and click View Scan. In the Summary of Events view do one of the following:

  • In either the Total panel or the High Confidence panel, click the number in the Events Created section.
  • If you want to view the Files List, click the number in the Files Processed section.

Workflow

the Investigate workflow, with View Query Results highlighted

What do you want to do?

                                                
User RoleI want to ...Documentation

Threat Hunter

view detailed malware analysis data for files or events*

Examine Scan Files and Events in List Form

Threat Hunter

submit queryBeginning an Investigation of a Service or Collection
Threat Hunterview query results Conducting an Investigation

Threat Hunter

reconstruct an event

Reconstruct an Event

Threat Hunteranalyze an event Analyze Events in the Event Analysis View
Threat Hunterconduct malware analysis* Conducting Malware Analysis

Incident Responder

investigate an incident

NetWitness Respond User Guide

*You can perform this task in the current view.

Related Topics

Quick Look

This is an example of the Events List view.

This is the Events List

This is an example of the Files List view.
This is the Files List.

These are the features in the Events List toolbar, and the Files List toolbar is the same, except it has no option to delete events.

This is the Events List toolbar

                                   
FeatureDescription
Back to SummaryReturns to the Summary of Events view.
Delete EventsRemoves the selected events from the current events list.
Download FilesDisplays the Malware File Download dialog, which allows you to download available files.
Sort Menu Displays a drop-down menu from which you can decide how to sort the list. These are the options for sorting:
  • High Confidence
  • Static
  • Network
  • Community
  • Sandbox
  • AV
  • File Name
  • File Type
  • Hash
  • Date Archived
  • Size
The button directly to the right of this drop-down indicates whether the list will be sorted by ascending or descending values.
Sort Menu Displays a drop-down menu from which you can select a secondary sorting order. This menu includes an option forNetWitness SuiteNone, so selecting a secondary sorting order is not necessary.
Filter button Displays a drop-down window in which you can filter the list by filename or MD5 Hash.

These are the features in the Events List.

                                                                           
FeatureDescription
The High Confidence icon Indicates whether the event is influenced by the high confidence flag.
Static, Network, Community, SandboxDisplays the scores for each scoring module.
AVIndicates whether the AV flagged this event as suspicious.
The customized rule icon Indicates whether the event is influenced by a customized rule.
Date ArchivedDisplays the date and time the event was archived.
Session TimeDisplays the time of the event's session.
Trusted icon Indicates whether the hash value is marked as trusted.
# FilesDisplays the number of files included in the event.
Source AddressDisplays the address of the event source.
IdentityDisplays the identity of the event source.
Destination AddressDisplays the address of the event destination.
Destination CountryDisplays the country of the event destination.
Alias HostDisplays the hostname of the alias.
Event TypeDisplays the type of event. For example, Manual Upload.
ServiceDisplays the service on which the event occurred.
Destination OrganizationDisplays the organization of the destination.

These are the features in the Files List grid.

                                                    
FeatureDescription
The high confidence icon Indicates whether the event is influenced by high confidence flag.
Static, Network, Community, SandboxDisplays the scores for each scoring module.
AVIndicates whether the AV flagged this event as suspicious.
File NameDisplays the name of the file.
File TypeDisplays the type of the file (for example, PDF or x86 PE)
MD5 HashDisplays the MD5 hash.
Source AddressDisplays the address of the file source.
Destination AddressDisplays the address of the file destination.
Date ArchivedDisplays the date and time the file was archived.
SizeIndicates the size of the file.
You are here
Table of Contents > Investigation Reference Materials > Malware Analysis Events List and Files List

Attachments

    Outcomes