Solution Briefs

Investigate Use Case: Research file hashes during incident response.

Issue link: https://learn-umbrella.cisco.com/i/750789


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Imagine you get an alert from your SIEM and find a suspicious file hash. Using Investigate, you uncover the following:

1. Query file hashes in Investigate. Analyze the file hash (SHA256, SHA1, or MD5) to quickly learn if it's malicious.
   - Threat Score: with a score of "100", this file is very likely to be malicious.
   - Static Analysis Information: see static file data such as the file size, file type, and the first time seen.

2. View behavioral indicators. See the malware's behavior and pattern of execution on an endpoint.

3. Pivot directly into Threat Grid. Dig deeper into the file analysis data by pivoting into the Threat Grid UI. (Separate Threat Grid license required.)

4. See associated samples and AV results. Build out your scope of investigation and uncover other file hashes found to be making command and control callbacks to the same domain, and any matching antivirus signatures from the Threat Grid AV engine.

5. View network connections. Identify the domains and IPs that the malware file attempted to connect to during execution.

6. Uncover other details about the domain, including associated samples. With one click, pivot into the domain view. See alerts, global request patterns, passive DNS data, and more. Uncover other files that have been calling back to this domain.

Starting from a single piece of data, you're able to build the most complete view of an attacker's infrastructure. Investigate combines domain, IP, and file analysis data in a correlated source to help you speed up incident response and better research threats.
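The hash-to-domain-to-hash pivot described in steps 4 to 6, modelled as an added example that is not Cisco's code and does not use the Investigate API's real response format: the sample records, threat scores and domain names are constructed, and the function assumes that data has already been pulled from Investigate into the `SAMPLES` dictionary.

```python
"""Offline model of the Investigate pivot: seed hash -> callback domains -> other hashes.

The graph is bipartite: file hashes on one side, contacted domains on the other.
Only samples at or above a threat-score threshold are followed, and domains the
analyst marks as shared or noisy infrastructure are never pivoted through.
"""
from collections import deque

# Constructed sample data (not the Investigate API format):
# hash -> threat score (0-100) and the domains the sample contacted at runtime.
SAMPLES = {
    "hash-a": {"threat_score": 100, "connections": ["bad.example", "cdn.example"]},
    "hash-b": {"threat_score": 95,  "connections": ["bad.example"]},
    "hash-c": {"threat_score": 10,  "connections": ["cdn.example"]},
    "hash-d": {"threat_score": 90,  "connections": ["other.example"]},
}

# Constructed allow-list of shared infrastructure that would only add noise to the scope.
NOISY_DOMAINS = {"cdn.example"}


def domains_to_samples(samples):
    """Invert the sample->domain mapping so each domain lists every hash that called it."""
    index = {}
    for h, rec in samples.items():
        for d in rec["connections"]:
            index.setdefault(d, set()).add(h)
    return index


def scope_from_hash(seed, samples, min_score=90, skip_domains=NOISY_DOMAINS, max_hops=2):
    """Breadth-first pivot from one hash.

    Returns (verdict, callback_domains, related_hashes); the seed itself is not in related_hashes.
    """
    if seed not in samples:
        raise KeyError(f"unknown sample {seed}")
    by_domain = domains_to_samples(samples)
    verdict = "likely malicious" if samples[seed]["threat_score"] >= min_score else "undetermined"
    seen_hashes, seen_domains = {seed}, set()
    queue = deque([(seed, 0)])
    while queue:
        h, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for d in samples[h]["connections"]:
            if d in skip_domains or d in seen_domains:
                continue
            seen_domains.add(d)
            for other in by_domain.get(d, ()):
                if other not in seen_hashes and samples[other]["threat_score"] >= min_score:
                    seen_hashes.add(other)
                    queue.append((other, hops + 1))
    return verdict, seen_domains, seen_hashes - {seed}
```

Passing `skip_domains=set()` shows why the allow-list matters: the shared `cdn.example` domain enters the scope but the low-score `hash-c` behind it still does not.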