Files views of Baseline Drift Reports provide more detail than the Computers views because the key elements of drift are based on the files themselves.

There are three primary File views available for drift reports:

  • All Top-level Files – This is the main Files View of the drift report. It shows the drift, risk, and other data for each top-level file in the report.
  • Files Associated with One Top-Level File – This is a drift report for the files associated with one top-level file. You can view an associated files report by clicking on a highlighted name in the Top-Level Files report.
  • Files on One Computer – This is a drift report for all the files on one computer that contribute to drift. You can view a computer-specific files report by clicking on the name of a computer in the Computer view.

In addition to the primary views, there are pre-configured Saved Views that give you a different perspective on the information in drift-by-files tables:

  • Drift Contributing to Risk – This shows the standard report on drift by (top-level) files, except that files with drift risk of 0 are filtered out.
  • Drift by Category – This view is the equivalent of selecting Category in the Group by menu or Filters list. It shows a list of file categories, as reported by Carbon Black File Reputation, in the left column of the table. Clicking on the plus sign next to a category expands the view to include all files in that category and the Drift and Risk levels for each file.
  • Drift by Publisher/Company – This view is the equivalent of selecting Publisher or Company in the Group by menu or Filters list. It shows a list of the identifiable Publisher or Company names for the files in the left column of the table. Clicking on the plus sign next to a Publisher or Company name expands the view to include all files with that Publisher or Company, and the Drift and Risk levels for each file.
  • Drift by Installed Program – This view is the equivalent of selecting Installed Program in the Group by menu. It shows total drift of all files associated with an installer program.

    Note: This view is useful for Windows agents only.

The following table shows the controls and default fields on the Files view of a drift report.

Table 1. Drift Report Results Elements

Item

Description

The View Report Results button View Report Results button

In Computer View mode, drills down to the Baseline Drift report for the computer in its row.

The View Details button View Details button

In Files views, opens the File Instance Details page for the file in its row.

The Find Files button Find Files button

(In Files views only) Goes to the Find Files page and shows all file instances matching the hash of the file in its row, on all computers.

File Name

Shows the name of a file in the target that is contributing to drift. If the file is highlighted in blue, it is a link, indicating that it is a top-level file with associated files. Clicking on the link drills down to a Baseline Drift report for the files associated with the named top-level file.

Publisher or Company

Shows the publisher (if available) or company (if available and there is no publisher information).

Drift

In Computer View mode, the sum of drift for all drifted files on the computer in this row.

In File views, the sum of drift for this file (if it has no associated files) or for files associated with this file (if it is a top-level file).

For views with grouped information, the sum of the drift for each instance of the group parameter. Expanding the group shows drift for each member of the group.

Risk

The sum of the risk for all drifted files on the item in this row. See How Drift and Risk are Measured for more details.

Threat

A threat level for the file in this row based on a weighted analysis of malware threats known to Carbon Black File Reputation. Threat levels are Malicious (red ! icon), Potentially Malicious (yellow ! icon), Unknown (no icon), or Clean (green Ö icon).

Trust

On a scale of 0-10, the level of trust for the file in this row. Zero is the lowest level of trust and 10 is the highest. Trust is computed from a variety of factors, including file source, publisher, and identification in Carbon Black File Reputation (for example, is it malware or some other undesirable category of file).

Computer

Shows which computer the file in this row is on. Clicking on the name opens the Computer Details page for that computer.

User Name

User logged into the computer when the installation was started or top-level file was created.

View Mode

Clicking on Files in the View Mode dialog box changes the view from drift by computers to drift by files, and lists the top-level files in the report. Clicking on Computers in the View Mode dialog box changes the view from drift by file to drift by computers, and lists all of the computers in the drift report.

Note: Clicking on Show individual files in the lower right of the table causes the Files view to show both top-level files and any files associated with them.

Saved Views

Files View mode has three saved views. To return to a full list of files in the report, click none on the Saved Views menu.

Action menu

Allows you to take action on checked files in the drift report. See Responding to Drift Report Results for details.