About Associated Samples in Investigate

When you search for an IP, a domain, or a URL, Umbrella Investigate lists any checksum samples associated with the destination. A sample is a file, or a file-like object created by a process running in memory. Cisco Secure Malware Analytics receives and analyzes submitted file samples and integrates their checksums with Umbrella Investigate. Associated samples are additional file samples known to be related to the main sample.

Cisco Secure Malware Analytics retains checksum samples for one year. You may therefore find that Umbrella Investigate previously listed a sample for a destination but no longer does: once Cisco Secure Malware Analytics no longer contains a sample related to the destination, Investigate does not display that sample in the list of associated samples.

Note: Part of the functionality described for the Associated Samples feature of Investigate is only available with both Cisco Secure Malware Analytics and Umbrella Investigate subscriptions. For more information, contact [email protected]. If you would like to add Cisco Secure Malware Analytics to your existing license, contact your account representative.

Click the link to the SHA-256 signature to display the Investigate Sample View. The Sample View shows information about the individual malware sample, including the behavior of the sample on the network.

Note: Some normal, safe domains may have malicious samples associated with them. Malware may use a domain or IP to check internet connectivity, or use a domain or IP as a source to learn more about the host on which it resides, such as the public IP of the infected host or network.

The Associated Sample tab lists up to 10 results per page and includes the following information:

  • Threat Score—The score given to a particular sample based on the analysis performed by Cisco Secure Malware Analytics. A Threat Score is a measure of the amount of system weakening, obfuscation, persistence, modification, data exfiltration, and other behaviors which may be a threat to the host system’s integrity. It is intended as an overall threat indicator that can be used as a guide to the likelihood that a submission is malicious. The Threat Score is not an authoritative classification of good and bad software.
  • SHA-256 Signature—The SHA-256 checksum of the associated sample. Use the checksum to pivot to the information about the sample.
  • AV Result—Antivirus results according to ClamAV. A sample can have more than one signature if it is detected under more than one family of malware. A sample may also have no signatures at all.
  • File Type—The type of file associated with the checksum.
  • First Seen—The date when the sample was first seen by Umbrella.
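The columns above are what an analyst typically exports and triages by hand. The following is an added example, not Cisco's code or an Umbrella Investigate API: it takes constructed records shaped like the tab's columns (Threat Score, SHA-256 Signature, AV Result, File Type, First Seen), checks that each checksum has the shape of a SHA-256 digest before it is used to pivot, splits the AV Result into its individual ClamAV signature names (handling the multiple-signature and no-signature cases the page describes), flags samples whose First Seen date is older than the one-year retention window, ranks by Threat Score, and pages the result 10 at a time. The record format, the separator used between signature names, the sample values and the `today` date are assumptions.

```python
"""Triage helper for an Associated Samples listing (added example, not Cisco code).

Field names mirror the columns described in the Associated Samples tab; the
record layout, the ';'/',' separator between AV signatures, the sample values
and the reference date are constructed assumptions.
"""
import re
from datetime import date, timedelta

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
PAGE_SIZE = 10                    # the tab lists up to 10 results per page
RETENTION = timedelta(days=365)   # Secure Malware Analytics retains samples for one year

# Constructed records; the checksums are placeholders, not real indicators.
SAMPLES = [
    {"threat_score": 95, "sha256": "a" * 64,
     "av_result": "Win.Trojan.Agent-1; Win.Malware.Generic-2",
     "file_type": "PE32 executable", "first_seen": "2024-03-01"},
    {"threat_score": 10, "sha256": "b" * 64,
     "av_result": "",                       # no ClamAV signature at all
     "file_type": "PDF document", "first_seen": "2024-06-15"},
    {"threat_score": 70, "sha256": "not-a-checksum",   # malformed export row
     "av_result": "Doc.Dropper.Agent-3",
     "file_type": "Microsoft Word", "first_seen": "2022-01-10"},
]


def parse_av_result(text):
    """Split the AV Result column into individual ClamAV signature names.

    A sample may carry several signatures (one per malware family it is
    detected under) or none; an empty or missing value yields an empty list.
    """
    if not text:
        return []
    return [s.strip() for s in re.split(r"[;,]", text) if s.strip()]


def is_valid_sha256(value):
    """True when the value has the shape of a SHA-256 hex digest (64 hex chars).

    Pivoting on a malformed checksum wastes a lookup, so validate it first.
    """
    return bool(SHA256_RE.match(value or ""))


def triage(samples, today, min_score=0):
    """Annotate each record and rank by Threat Score, highest first.

    `today` is an ISO date string used as the reference for the retention
    check; records whose First Seen is more than one year old are marked
    stale because they may already have aged out of the underlying data set.
    """
    ref = date.fromisoformat(today)
    out = []
    for s in samples:
        if s["threat_score"] < min_score:
            continue
        first_seen = date.fromisoformat(s["first_seen"])
        out.append({
            "sha256": s["sha256"],
            "threat_score": s["threat_score"],
            "file_type": s["file_type"],
            "families": parse_av_result(s["av_result"]),
            "valid_checksum": is_valid_sha256(s["sha256"]),
            "stale": ref - first_seen > RETENTION,
        })
    return sorted(out, key=lambda r: r["threat_score"], reverse=True)


def paginate(records, page, page_size=PAGE_SIZE):
    """Return the 1-based page of a ranked list, mirroring the tab's 10-per-page view."""
    start = (page - 1) * page_size
    return records[start:start + page_size]


if __name__ == "__main__":
    ranked = triage(SAMPLES, today="2024-09-01", min_score=50)
    for rec in paginate(ranked, 1):
        print(rec)
```

The Threat Score is used here only for ordering, in line with the page's caveat that it is a likelihood guide rather than an authoritative good/bad classification; the `families` list is what an analyst would compare against the domain's own reputation before concluding anything about the destination.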
