The All tab displays all instances of file downloads that were analyzed in your NSX network.

Downloaded Files Over Time in the All Tab

The Downloaded files widget in the All tab provides an overview of the number of files that were downloaded in the monitored network during the specified time range. The graph is a daily histogram of downloaded files, grouped by the high-level file type.

The widget shows all file downloads that have been analyzed.

See Downloaded Files Over Time for the list of file types.

Use Filters in the Files Downloaded Page

NSX Network Detection and Response provides a filtering mechanism that allows you to focus on specific information about downloaded files that are of interest to you. The use of filters is optional.

Procedure

  1. From the Files Downloaded page, click plus icon to expand the Filters widget.
  2. Click anywhere in the Filter on text box and select an item from the drop-down menu.

    You can select from the following available filters. To further narrow the focus of the displayed information, you can combine multiple filters.

    Filter Name

    Description

    Analysis tags

    Restrict displayed files by their analysis tags. These are labels assigned to a file or URL by the system analysis. They can identify a threat or threat class, or refer to specific malicious behavior that was detected.

    Analyst UUID

    Restrict displayed files to the system analysis UUID for the downloaded file. This is an internal unique identifier for the analysis of a file.

    Application protocol

    Restrict displayed files transferred over one of the specified protocols. Supported values are HTTP/HTTPS, FTP, and SMB.

    Contacted IP

    Restrict displayed files to the IP address from which the file was downloaded. Like the Host IP filter, this supports IP addresses, CIDR blocks or IP address ranges.

    File type filter

    Restrict displayed files to one or more high-level file types. See the list of file types (above).

    Files

    Select Malicious to restrict displayed files to malicious files. These are files that were assigned a score of 70 or more (out of 100) by the system analysis.

    Host IP

    Restrict displayed files to the IP address of the host in the network that downloaded the file. This filter supports selecting one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24) or IP address ranges (for example, 192.168.1.5-192.168.1.9).

    HTTP Host

    Restrict displayed files to the host name(s) from which the file was downloaded.

    Note:

    This value is extracted from the HTTP Host header in the HTTP request that downloaded the file. Therefore, it is under the control of the client and can be spoofed by a malicious software, such as a malware binary already running on an infected host.

    MD5

    Restrict displayed files to the MD5 hash of the downloaded file.

    Minimum score

    Restrict displayed files to those assigned a score greater than your chosen value (from 1-100) by the system analysis.

  3. To apply the selected filters, click Apply.
  4. (Optional) To delete an individual filter, click the REMOVE– button next to its entry. To delete all the selected filters, click the X icon located on the right side of the Filters widget.

    The Filters widget collapses when you delete all the selected filters.

Downloaded Files List in the All Tab

The Downloaded files list displays all of the files that have been downloaded by hosts in the network and processed by the NSX Advanced Threat Prevention service.

The Quick search text box in the upper-left corner of the list provides fast, as-you-enter search capability. It filters the rows in the list and displays only those rows that have text, in any column, that matches the query string that you entered in the search text box.

To customize the columns displayed in the list, click the additional content icon. Described by surrounding text. icon located in the upper-right corner of the list.

You can customize the number of rows to be displayed. The default is 20 entries. Use the left arrowhead and right arrowhead icon icons to navigate through multiple pages.

Each row is a summary of a downloaded file. Click the plus icon icon or anywhere on an entry row to access a detailed view of the downloaded file.

See Downloaded Files Details for additional information on the detailed view of the downloaded fiel.

The list is sorted by the timestamp information and includes the following columns.
Column Name Description
Timestamp The timestamp of the detection of the file download.
Host The host that downloaded the file.
Contacted IP IP address of the contacted host.
Location

For a download, this is the URL of the file in the supported format. For example, \\127.0.0.2\samba_share\1128dedb.exe for an SMB download or http://www.example.com/download/example.zip for an HTTP download.

For an upload, "Upload" is displayed.

MD5 The MD5 hash of the downloaded file.
Type The high-level type of the downloaded file. See the Downloaded Files Over Time for the list of file types.
AV Class A label defining the antivirus class of the downloaded file. If the label has the tag iconicon, you can click that for a pop-up description.
Malware A label defining the malware type of the downloaded file. If the label has the tag icon icon, you can click that for a pop-up description.
Score

The score assigned to the downloaded file by the NSX Intelligence analysis. Click sort list icon to sort the list by score.

If icon for blocked appears, it indicates the artifact has been blocked.