malware retrospective event but no information on file, file trajectory, first last seen, protocol, etc.

maccagrabun
Level 1

Hi,

I would like to know how to explain a malware retrospective event without any information such as:
file, file trajectory, first/last seen, protocol, etc.

A few questions I hope you guys can help out with. I also added some pictures to make it more clear:

  • What does this exactly mean?
  • How can FMC show this particular event without any knowledge of the hosts that sent or received this file?
  • The detection name doesn't say anything about the file?
  • How to work with this kind of information?

I understand I can go to VirusTotal and enter the hash to get some more info. I can also use Umbrella Investigate. But I would like to know how and in what way FMC found out about this file.

Also, looking at the detection name, it doesn't say anything about the file. I would guess SBX.TG stands for Sandbox ThreatGrid, but ... ?!

Thanks in advance!

-------------------
macca.grabun

2 Replies

maccagrabun
Level 1

Has nobody seen retrospective events without sufficient information before?

Hello Macca,

Based on the Firepower guide, it looks like it has very limited info.

The new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Firepower Management Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.

Regards

Jetsy 
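The quoted guide text says the retrospective event carries only the notification time, the new disposition, the SHA-256 and the threat name, and that it applies to every file with that hash detected in the previous week. The practical way to recover hosts, protocol and first/last seen is therefore to join the event's SHA-256 against the file events FMC already stored for that week. The script below is an added example written for this thread, not Cisco code or part of the original replies: the record layouts, field names and the seven-day window are assumptions mirroring the guide's description, and the events and hashes are constructed sample data, not real detections.

```python
"""Join a retrospective malware event to earlier file events by SHA-256.

Added example for the thread above (not Cisco's code). Record fields are
assumptions modelled on the quoted guide text; all data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    """An earlier file event, carrying the context a retrospective event lacks."""
    time: datetime
    sha256: str
    sending_ip: str
    receiving_ip: str
    protocol: str
    file_name: str


@dataclass(frozen=True)
class RetroEvent:
    """The four fields the guide says a retrospective malware event contains."""
    time: datetime          # when FMC was notified of the disposition change
    sha256: str
    new_disposition: str
    threat_name: str


# Constructed sample data: placeholder hashes, private and documentation-range IPs.
HASH_A = "a" * 64
HASH_B = "b" * 64

FILE_EVENTS: List[FileEvent] = [
    # older than the one-week window the guide describes: must be ignored
    FileEvent(datetime(2020, 2, 20, 8, 0), HASH_A, "10.0.0.5", "203.0.113.7", "HTTP", "invoice.exe"),
    FileEvent(datetime(2020, 3, 4, 9, 0), HASH_A, "10.0.0.5", "203.0.113.7", "HTTP", "invoice.exe"),
    FileEvent(datetime(2020, 3, 8, 15, 30), HASH_A, "203.0.113.7", "10.0.0.9", "SMTP", "invoice.exe"),
    # different hash: unrelated to this disposition change
    FileEvent(datetime(2020, 3, 9, 11, 0), HASH_B, "10.0.0.5", "198.51.100.2", "HTTP", "report.pdf"),
    # seen after the notification: not part of the retrospective change
    FileEvent(datetime(2020, 3, 11, 10, 0), HASH_A, "10.0.0.12", "203.0.113.7", "HTTP", "invoice.exe"),
]

# Constructed retrospective event; the threat name is a placeholder.
RETRO = RetroEvent(datetime(2020, 3, 10, 12, 0), HASH_A, "Malware", "Constructed.ThreatName")

WINDOW = timedelta(days=7)  # "detected in the last week", per the quoted guide text


def matching_file_events(retro: RetroEvent, events: List[FileEvent],
                         window: timedelta = WINDOW) -> List[FileEvent]:
    """Return file events with the same SHA-256 seen in the window before the notification."""
    start = retro.time - window
    hits = [e for e in events if e.sha256 == retro.sha256 and start <= e.time <= retro.time]
    return sorted(hits, key=lambda e: e.time)


def summarize(retro: RetroEvent, events: List[FileEvent],
              window: timedelta = WINDOW) -> Dict[str, object]:
    """Rebuild the hosts, protocols, file names and first/last seen for the hash."""
    matches = matching_file_events(retro, events, window)
    hosts = sorted({ip for e in matches for ip in (e.sending_ip, e.receiving_ip)})
    first: Optional[datetime] = matches[0].time if matches else None
    last: Optional[datetime] = matches[-1].time if matches else None
    return {
        "sha256": retro.sha256,
        "new_disposition": retro.new_disposition,
        "threat_name": retro.threat_name,
        "matched_events": len(matches),
        "hosts": hosts,
        "protocols": sorted({e.protocol for e in matches}),
        "file_names": sorted({e.file_name for e in matches}),
        "first_seen": first,
        "last_seen": last,
    }


if __name__ == "__main__":
    for key, value in summarize(RETRO, FILE_EVENTS).items():
        print(f"{key}: {value}")
```

If the join returns zero matches, the retrospective event is telling you about a hash the sensors saw but whose file events have already aged out or were never logged (for example, a file type not configured for storage); in that case the hash and threat name are all you have, and external lookups such as VirusTotal are the next step.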
