Logs tab
The Logs tab displays all file downloads that were observed in the network. This includes files that were not submitted for full analysis due to pre-filtering or other reasons.
Downloaded files over time
The Downloaded files widget provides an overview of the number of files downloaded in the monitored network. The graph is a daily histogram of downloaded files, grouped by high-level file type.
The widget shows all file downloads including those that have not been analyzed.
See the list of file types.
Filters
An easy-to-use filtering mechanism is provided that allows you to focus on the information that you are interested in. Click the icon to expand the Filters widget.
The use of filters is optional.
Click Filter by and select an item from the pull-down menu. Select from Analysis submission, Application protocol, Contacted Host, Contacted IP, Direction, File type filter, Home network, Host IP, Host Name, MD5, or SHA1 hash.
You can combine multiple filters to narrow the focus. You can also deploy multiple instances of some filters.
Delete an individual filter by clicking the button next to its entry. Delete all the selected filters by clicking the icon; this also collapses the Filters widget. Click the icon to apply the selected filters.
- Analysis submission: Restrict displayed files to Files submitted for analysis or Files not submitted for analysis. The default is All.
- Application protocol: Restrict displayed files to those transferred over one of the specified protocols. Supported values are HTTP/HTTPS, FTP, and SMB.
- Contacted Host: Restrict displayed files to those downloaded from one of the specified hostnames.
- Contacted IP: Restrict displayed files to those downloaded from one of the specified IP addresses. Like the Host IP filter, this accepts IP addresses, CIDR blocks, or IP address ranges.
- Direction: Restrict displayed files to either downloaded or uploaded files.
- File type filter: Restrict displayed files to one or more high-level file types. See the list of file types.
- Home network: Restrict displayed files to those downloaded in the Home network only or in Unidentified networks only.
- Host IP: Restrict displayed files to those downloaded by hosts in the network with the specified IP addresses. This filter accepts one or more IP addresses, CIDR blocks (for example, 192.168.0.0/24), or IP address ranges (for example, 1.1.1.5-1.1.1.9).
- Host Name: Restrict displayed files to those downloaded by the given host name or the label of a host in the network.
- MD5: Restrict displayed files to those whose MD5 hash matches the given value.
- SHA1 hash: Restrict displayed files to those whose SHA1 hash matches the given value.
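The three address forms the Host IP and Contacted IP filters accept (a single address, a CIDR block, a dash-separated range), together with hash matching and the combination of several filters, can be expressed as a small matcher. The Python below is an added example written for this page, not code from VMware NSX Network Detection and Response; the row dictionaries and their field names are constructed, and the rule that several values of one filter are OR-ed while different filters are AND-ed is an assumption.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed sample rows standing in for entries of the File download list.
# Field names are assumptions: the page does not document an export format.
SAMPLE_ROWS = [
    {"timestamp": "2024-01-10T09:12:03Z", "host_ip": "192.168.0.15",
     "contacted_ip": "203.0.113.7", "direction": "download",
     "protocol": "HTTP/HTTPS", "submitted": True,
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "type": "Executable"},
    {"timestamp": "2024-01-10T09:14:41Z", "host_ip": "192.168.0.77",
     "contacted_ip": "198.51.100.20", "direction": "download",
     "protocol": "SMB", "submitted": False,
     "md5": "9e107d9d372bb6826bd81d3542a419d6", "type": "Archive"},
    {"timestamp": "2024-01-10T09:20:00Z", "host_ip": "10.1.1.6",
     "contacted_ip": "203.0.113.9", "direction": "upload",
     "protocol": "FTP", "submitted": True,
     "md5": "0cc175b9c0f1b6a831c399e269772661", "type": "Document"},
    {"timestamp": "2024-01-10T09:25:30Z", "host_ip": "10.1.1.12",
     "contacted_ip": "203.0.113.7", "direction": "download",
     "protocol": "HTTP/HTTPS", "submitted": True,
     "md5": "D41D8CD98F00B204E9800998ECF8427E", "type": "Executable"},
]

IpMatcher = Callable[[str], bool]


def parse_ip_spec(spec: str) -> IpMatcher:
    """Turn one Host IP / Contacted IP filter value into a predicate.

    Accepts the three forms the page lists: a single address, a CIDR block
    (192.168.0.0/24) or a dash-separated range (1.1.1.5-1.1.1.9).
    """
    spec = spec.strip()
    if "-" in spec:
        lo_s, hi_s = (p.strip() for p in spec.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {spec!r}")

        def in_range(ip: str) -> bool:
            addr = ipaddress.ip_address(ip)
            # Mixed IPv4/IPv6 comparisons raise, so check the version first.
            return addr.version == lo.version and lo <= addr <= hi

        return in_range

    # A bare address parses as a /32 (or /128) network, so one code path
    # covers single addresses and CIDR blocks; strict=False tolerates host
    # bits set in the spec (e.g. 192.168.0.15/24).
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def parse_hash_spec(spec: str, hex_len: int) -> str:
    """Normalise an MD5 (32 hex chars) or SHA1 (40 hex chars) filter value."""
    digest = spec.strip().lower()
    if len(digest) != hex_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"expected {hex_len} hex characters, got {spec!r}")
    return digest


def apply_filters(rows: Iterable[dict], *,
                  host_ip: Iterable[str] = (), contacted_ip: Iterable[str] = (),
                  md5: Iterable[str] = (), protocol: Iterable[str] = (),
                  direction: Optional[str] = None,
                  submitted: Optional[bool] = None) -> List[dict]:
    """Apply Logs tab style filters to rows.

    Assumed combination rule: several values of the same filter are OR-ed
    (a row passes if any value matches) and different filters are AND-ed.
    """
    host_matchers = [parse_ip_spec(s) for s in host_ip]
    contacted_matchers = [parse_ip_spec(s) for s in contacted_ip]
    md5_wanted = {parse_hash_spec(s, 32) for s in md5}
    protocols = set(protocol)

    kept = []
    for row in rows:
        if host_matchers and not any(m(row["host_ip"]) for m in host_matchers):
            continue
        if contacted_matchers and not any(m(row["contacted_ip"]) for m in contacted_matchers):
            continue
        if md5_wanted and row["md5"].lower() not in md5_wanted:
            continue
        if protocols and row["protocol"] not in protocols:
            continue
        if direction is not None and row["direction"] != direction:
            continue
        if submitted is not None and row["submitted"] != submitted:
            continue
        kept.append(row)
    return kept


if __name__ == "__main__":
    # Two Host IP instances (a CIDR block and a range) combined with Analysis submission.
    for row in apply_filters(SAMPLE_ROWS, host_ip=["192.168.0.0/24", "10.1.1.5-10.1.1.9"],
                             submitted=True):
        print(row["timestamp"], row["host_ip"], row["md5"])
```

Hash values are compared after lowercasing, so a hash pasted in upper case still matches a row stored in lower case; a descending range or a value of the wrong length is rejected up front rather than silently matching nothing.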
Downloaded files list
The File download list displays all of the files that have been downloaded by hosts in the network.
The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.
The columns to be displayed in the list can be customized by clicking the icon.
Customize the number of rows to be displayed; the default is 15 entries. Use the page navigation icons to move through multiple pages.
Each row is a summary of a downloaded file. Click the icon (or anywhere on an entry row) to access a detailed view of the downloaded file.
The list is sorted by timestamp and includes the following fields:
- Timestamp: The timestamp of the detection of the file download.
- Host: The host that downloaded the file.
- Sensor: The sensor that detected the file download.
- Contacted IP: IP address of the contacted host.
- Location: For a download, this is the URL of the file in the supported format, for example \\127.0.0.2\samba_share\1128dedb.exe for an SMB download or http://www.example.com/download/example.zip for an HTTP download. For an upload, "Upload" is displayed.
- MD5: The MD5 hash of the downloaded file.
- Type: The high-level type of the downloaded file. See the list of file types.
- Score: The score assigned to the downloaded file by the VMware NSX Network Detection and Response analysis. If the icon appears, it indicates the artifact has been blocked.