Malware Analysis Events List and Files List
The Malware Analysis Events List and Files List provide a detailed view of events or files. You can double-click on an event or file in either of the lists to display the Analysis Results view in a new browser tab.
To access this view, go to Investigate > Malware Analysis > Select a Malware Analysis Service dialog. Select a service from the left panel, then select a job from the right panel, and click View Scan. In the Summary of Events view do one of the following:
- In either the Total panel or the High Confidence panel, click the number in the Events Created section.
- If you want to view the Files List, click the number in the Files Processed section.
Workflow
What do you want to do?
| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter |
browse event metadata |
NetWitness Investigate User Guide |
| Threat Hunter |
browse raw events |
NetWitness Investigate User Guide |
| Threat Hunter |
analyze raw events and metadata |
NetWitness Investigate User Guide |
| Threat Hunter |
investigate endpoints (Version 11.1) |
NetWitness Endpoint User Guide |
|
Threat Hunter |
find suspicious endpoint files (Version 11.1) |
NetWitness Endpoint User Guide |
| Threat Hunter | scan files and events for malware* | Conducting Malware Analysis |
|
Incident Responder |
triage an incident in Investigate |
NetWitness Respond User Guide |
| Threat Hunter | export events and Files* | Examine Scan Files and Events in List Form |
| Threat Hunter | perform external lookups* | View Detailed Malware Analysis of an Event |
*You can perform this task in the current view.
Related Topics
- "How NetWitness Investigate Works" in the NetWitness Investigate User Guide
Quick Look
This is an example of the Events List view.
This is an example of the Files List view.
These are the features in the Events List toolbar, and the Files List toolbar is the same, except it has no option to delete events.
| Feature | Description |
|---|---|
|
Back to Summary |
Returns to the Summary of Events view. |
|
Delete Events |
Removes the selected events from the current events list. |
|
Download Files |
Displays the Malware File Download dialog, which allows you to download available files. |
 |
Displays a drop-down menu from which you can decide how to sort the list. These are the options for sorting:
The button directly to the right of this drop-down indicates whether the list will be sorted by ascending or descending values. |
|
Displays a drop-down menu from which you can select a secondary sorting order. This menu includes an option forNetWitnessNone, so selecting a secondary sorting order is not necessary. |
 |
Displays a drop-down window in which you can filter the list by filename or MD5 Hash. |
These are the features in the Events List.
| Feature | Description |
|---|---|
 |
Indicates whether the event is influenced by the high confidence flag. |
| Static, Network, Community, Sandbox | Displays the scores for each scoring module. |
| AV | Indicates whether the AV flagged this event as suspicious. |
 |
Indicates whether the event is influenced by a customized rule. |
| Date Archived | Displays the date and time the event was archived. |
| Session Time | Displays the time of the event's session. |
 |
Indicates whether the hash value is marked as trusted. |
| # Files | Displays the number of files included in the event. |
| Source Address | Displays the address of the event source. |
| Identity | Displays the identity of the event source. |
| Destination Address | Displays the address of the event destination. |
| Destination Country | Displays the country of the event destination. |
| Alias Host | Displays the hostname of the alias. |
| Event Type | Displays the type of event. For example, Manual Upload. |
| Service | Displays the service on which the event occurred. |
| Destination Organization | Displays the organization of the destination. |
These are the features in the Files List grid.
| Feature | Description |
|---|---|
|
Indicates whether the event is influenced by high confidence flag. |
| Static, Network, Community, Sandbox | Displays the scores for each scoring module. |
| AV | Indicates whether the AV flagged this event as suspicious. |
| File Name | Displays the name of the file. |
| File Type | Displays the type of the file (for example, PDF or x86 PE) |
| MD5 Hash | Displays the MD5 hash. |
| Source Address | Displays the address of the file source. |
| Destination Address | Displays the address of the file destination. |
| Date Archived | Displays the date and time the file was archived. |
| Size | Indicates the size of the file. |
