Unified Events

Unified Events is a firewall event monitoring feature in Firewall Management Center that:

  • Provides a single-screen view of various firewall event types, including connection, intrusion, file, malware, and security-related connection events.

  • Stacks related events together in the table to provide more context about the security incident.

  • Correlates associated events so that you can better understand and troubleshoot network issues without toggling between multiple event viewers.

The Live View option in the Unified Events table lets you see the firewall events in real time and monitor network activity. For example, if you are a firewall administrator, viewing real-time event updates after making a policy change helps ensure that the changes are correctly enforced on your network.

The Unified Events table is highly customizable. You can create and apply custom filters to fine-tune the information displayed on the event viewer. You can save custom filters for specific needs that you use often, and quickly load these saved filters. You can customize the event table by adding, removing, pinning, or reordering columns.

Requirements for using unified events

Before using Unified Events in the Firewall Management Center, ensure you meet these requirements.

  • You must have Administrator, Security Analyst, or Security Analyst (Read only) privileges to access the Unified Events feature.

  • You must configure the necessary policies and enable logging settings on your devices to generate security events and display them on the Unified Events page.

Work with unified events

View and work with various firewall event types in a single table without needing to switch between multiple event viewers.

Use this view to:

  • Look for relationships between events of different types in the unified view.

  • See the effects of policy changes in real time.

Before you begin

You must have Admin or Security Analyst privileges to perform this task.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Choose the time range (fixed or sliding).

For more information, see Set a time range in unified events.

Step 3

If you are storing events remotely on a Secure Network Analytics appliance and you have good reason to change the data source, choose a data source.

See important information at Work in the Secure Firewall Management Center with Connection Events Stored on a Secure Network Analytics Appliance.

Step 4

Filter the long list of firewall events that the unified events table initially displays to get a more granular, contextual picture of the events in your network.

For more information, see Filters in unified events.

Step 5

Choose any of the following options:

Customize columns

  • Add or remove columns:

    Click the column picker icon and choose columns. Values in some fields depend on the event type. An icon next to each field indicates which event types the field applies to:

    • Connection event

    • Security-related connection event

    • Intrusion event

    • File event

    • Malware event

    • Troubleshoot event

    Click the event icon next to the column set filtering options to filter the list of event fields according to the selected event type.

    Note

    Including many columns may degrade performance. You can view data for hidden columns by expanding an event row to view event details.

  • Reorder columns:

    Drag and drop the column heading.

  • Pin (freeze) columns to the left or right side of the table so they do not scroll:

    • Drag a column all the way to either the left or the right side of the table, or drag and drop a column heading into the pinned area.

    • To unpin a column, drag the column out of the pinned area.

  • Resize columns.

  • Revert columns to the default setting.

  • Save column sets to quickly reload your customized view later. For more information, see Save a column set.

Data is always sorted by time, with the most recent events on top.

Quickly filter by event type

Event type filter buttons, located in the upper left, allow you to quickly apply the event type filters. Each event type button displays the number of events available for the selected time range. Click the event type button to include or exclude that event type.

Figure 1. Event type filter buttons

Note

The Troubleshoot Event button appears under the Troubleshooting tab. To view troubleshooting events, you must enable logging of all troubleshooting syslogs in the threat defense device platform settings policy. For more information, see View Troubleshooting Syslogs in the Secure Firewall Management Center.

Identify related events

Click a row to highlight other events that are related to this event.

If needed, filter the events to display a small enough set of events.

Note

The initiator of a connection is not necessarily the same as the sender of a malware file. Search for the file or malware event associated with a connection event by filtering the unified events table with the Source or Destination IP filter.

View event details

Click the > (Expand) icon at the left end of the row. Event details omit any field that has no data to display.

Tip

Alternatively, double-click an event row to open the Event Details pane. While the Event Details pane is open, click any event row in the table to load the details of that event.

Troubleshoot events using Packet Tracer

  1. Click the ellipsis icon adjacent to the row for which you want to run the packet trace.

  2. Choose Open in Packet Tracer to simulate a packet in the Packet Tracer tool based on the source and destination addresses and protocol characteristics of the event. Trace the simulated packet and use the trace result to troubleshoot the security event. For more information on how to use the packet tracer tool, see Run a packet trace.

View events in real time

Click Go Live. For more information, see Enable live event monitoring in unified events.

If events stream too quickly, enter filter criteria.

Cross-launch to external resources

Click the ellipsis icon in a table cell to see the options available for that cell value, if any.

For more information, see Event Investigation Using Web-Based Resources.

Open multiple unified events windows

  • You can display different views of the unified events table using multiple browser tabs or windows.

  • Each new tab or window has the characteristics of the most recently modified tab/window.

  • To make any open tab or window the template, make a minor change to it.

  • The system processes queries on multiple tabs sequentially.

  • Depending on the view (complex queries, or viewing in live view mode when the incoming event rate is high, for example), you may experience slower performance if more than 4 tabs are open simultaneously.

Save searches

Save custom searches as your favorites and quickly load them later. For more information, see Save a search in unified events.

Bookmark or share query results

Bookmark or copy-paste the URL in the browser window.

  • The URL retrieves different events later if it uses the sliding time range.

  • The URL does not capture column visibility, size, or order, nor real-time streaming settings.


Set a time range in unified events

Set a time range in unified events to view firewall events for a specific period and control which events are displayed in the table.

When you change the time range, the unified events table automatically refreshes to reflect your changes. The time range that you select does not apply to other tables in the event viewer. For example, a time range that you select when viewing connection events does not apply to the unified events table and vice versa.


Note

If your time window extends back beyond the retention period for connection events, look for Security-Related Connection events in the tables under Events & Logs > + Show more > Connection > Security-Related Events.


Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

By default, the unified events table displays events from the past hour.

Step 2

Click the current time range.

Step 3

Choose one of the following:

  • If you want to see events for a fixed time range, click Fixed Time Range and choose the Start time and End time.

    To set the current time as the End time, click Now.

  • If you want a sliding default time window (such as last one hour), select Sliding Time Range and specify the desired length.

    The table displays all events generated from a specific start time relative to the present, for example the past hour. Refreshing the view ensures that the window always shows events from the most recent hour of activity.

Step 4

Click Apply.


Enable live event monitoring in unified events

Configure Unified Events to display firewall events in real time, eliminating the need for manual refreshes.

When live view mode is active, the event logs appear in real time as the security event occurs in your network. This enables you to identify and resolve security incidents quickly.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

By default, the Unified Events table displays historical events from the past hour.

Step 2

Click Go Live to start real-time viewing of new events.

New events are displayed at the top of the events table. The time range section includes a timer that indicates the length of time live view has been active.

Note

When using the Go Live feature, this limitation applies to UDP traffic:

  • By default, the Go Live feature in Firewall Management Center considers traffic data from the last 30 seconds, which is shorter than the 120 seconds that UDP connections need before they are processed and included in the Unified Events table. As a result, UDP events may appear incomplete in the Unified Events table.

  • To improve visibility, configure logging at the beginning of the connection for UDP traffic.


What to do next

To exit the live view mode, click Live.

Filters in unified events

The Unified Events table displays firewall events from the past hour. Use these steps to filter and narrow the view for more granular analysis of your network traffic.

Filters help you quickly access critical information. For example, if you want to monitor application access for specific users, you can apply search criteria to isolate relevant firewall logs. The event viewer displays only the entries that match your criteria.

You can use both inclusion and exclusion criteria to refine your search results effectively.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Enter the filter criteria:

  • To manually enter the filter criteria:

    1. Enter filter criteria in the search field, or select a filter from the drop-down list.

    2. Enter the value for the selected filter criteria. Suggestions will appear in the drop-down list as you type.

  • To pick the filter criteria from the table, click the dots in a cell and choose an option to include or exclude that value from your filter criteria.

    Tip

    • Ctrl+click (Windows) or Command-click (Mac) a cell value to quickly add an inclusion filter criterion.

    • Alt+click (Windows) or Option-click (Mac) a cell value to quickly add an exclusion filter criterion.

  • Refine your filter criteria. For information about wildcards and search behavior, see Event Searches.

  • Include operators (such as <, >, !) in the value field, preceding the value. For example, enter !Allow in the Action field to find all events with an action other than Allow.
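The inclusion/exclusion semantics and the leading value operators described above, modelled as an added example. This is not Firewall Management Center's own search implementation, and the event records and their values are constructed for the example; it only shows how a filter set combining inclusion criteria, exclusion criteria, and values such as !Allow or <100 narrows a list of events.

```python
"""Simplified model of inclusion/exclusion filtering with value operators.

Added example: it models the filter semantics described on this page
(inclusion and exclusion criteria, plus a leading operator such as "!",
"<" or ">" in the value field, e.g. "!Allow" in the Action field) over a
few constructed event records. It is not Firewall Management Center's
own search implementation; record values are invented for the example.
"""
from dataclasses import dataclass

# Constructed sample events (invented values). Keys follow the unified
# events table's column names.
EVENTS = [
    {"Event Type": "Connection", "Action": "Allow", "Source IP": "10.1.1.5",
     "Destination Port/ICMP Type": 443, "Device": "ftd-edge-1"},
    {"Event Type": "Connection", "Action": "Block", "Source IP": "10.1.1.5",
     "Destination Port/ICMP Type": 23, "Device": "ftd-edge-1"},
    {"Event Type": "Intrusion", "Action": "Dropped", "Source IP": "192.0.2.9",
     "Destination Port/ICMP Type": 80, "Device": "ftd-edge-2"},
    {"Event Type": "Malware", "Action": "Malware Cloud Lookup",
     "Source IP": "10.1.1.5", "Destination Port/ICMP Type": 443,
     "Device": "ftd-edge-1"},
]


@dataclass
class Criterion:
    """One filter entry: a column, a raw value (operator allowed), and
    whether it is an exclusion criterion (Alt+click / Option-click in the
    UI) rather than an inclusion criterion (Ctrl+click / Command-click)."""
    column: str
    value: str
    exclude: bool = False


def parse_value(raw):
    """Split a leading operator off the value: '!Allow' -> ('!', 'Allow').

    Returns ('=', value) when no operator is present.
    """
    raw = raw.strip()
    for op in ("!", "<", ">"):
        if raw.startswith(op):
            return op, raw[len(op):].strip()
    return "=", raw


def _cell_matches(cell, op, value):
    """True when one cell satisfies 'op value'. Missing cells never match."""
    if cell is None:
        return False
    if op in ("<", ">"):
        try:
            cell_num, val_num = float(cell), float(value)
        except (TypeError, ValueError):
            return False          # range operators only make sense on numbers
        return cell_num < val_num if op == "<" else cell_num > val_num
    equal = str(cell).lower() == value.lower()
    return (not equal) if op == "!" else equal


def apply_filters(events, criteria):
    """Keep events that satisfy every inclusion criterion and no exclusion
    criterion (the page's 'both inclusion and exclusion criteria')."""
    kept = []
    for event in events:
        keep = True
        for crit in criteria:
            op, value = parse_value(crit.value)
            hit = _cell_matches(event.get(crit.column), op, value)
            # inclusion must hit, exclusion must not: a mismatch drops the event
            if hit == crit.exclude:
                keep = False
                break
        if keep:
            kept.append(event)
    return kept


if __name__ == "__main__":
    # Everything whose Action is not Allow, as in the page's '!Allow' example.
    for ev in apply_filters(EVENTS, [Criterion("Action", "!Allow")]):
        print(ev["Event Type"], ev["Action"])
```

Note the difference between an exclusion criterion and an inclusion criterion with a "!" value: Criterion("Action", "!Allow") keeps every event other than Allow, whereas Criterion("Action", "!Allow", exclude=True) removes those and keeps only the Allow events.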

Step 3

Perform the search.

Tip

You can use the Ctrl+Enter (Windows) or Command-Enter (Mac) key command to initiate a search.

Events in the unified events table are not aggregated, even when all displayed columns hold identical values. Every event matching your filter criteria is listed individually.


The unified events table displays filtered results based on your criteria, showing only the events that match your inclusion and exclusion filters for more targeted analysis.

What to do next

To save a custom filter, see Save a search in unified events.

Save a search in unified events

Save custom searches as your favorites to quickly load them later for efficient firewall event analysis.

Note that this option is not available for the Troubleshooting table.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Click the Events tab.

Step 3

Enter search criteria as described in Filters in unified events.

Step 4

Click the Favorite Searches icon on the search text box.

Step 5

Do one of the following:

  • To save a new search, specify a search name and click Save as new.

  • To overwrite a saved search, click Edit next to the saved search that you want to overwrite, and click Overwrite.


What to do next

To load a saved search, see Load a saved search in unified events.

Load a saved search in unified events

If you have previously saved search criteria in Unified Events, you can quickly load the criteria and focus on particular firewall events without entering your criteria again.

Before you begin

Ensure you have already saved your preferred search criteria. For more information on saving search criteria, see Save a search in unified events.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Click the Favorite Searches icon on the search text box.

Step 3

Click the saved search that you want to load.


Save a column set

Save custom column sets as your favorites to load them later or quickly toggle between custom tables.

This option allows you to create personalized table layouts for more efficient firewall event review. Note that this option is not available for the Troubleshooting table.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Click the column picker icon and choose the set of columns that you want to save.

Step 3

Click the Favorite column sets icon.

Step 4

Do one of the following:

  • To save a new column set, specify a column set name and click Save as new.

  • To overwrite a favorite column set, click Edit on the column set that you want to overwrite, and click Overwrite.


The custom column set is saved and can be loaded later for quick access to your preferred table layout.

What to do next

To load a saved column set, see Load a saved column set.

Load a saved column set

Apply preferred table layouts and streamline firewall event analysis by loading a previously saved column set in the Unified Events page.

Before you begin

Ensure you have already saved a column set. For more information on saving a column set, see Save a column set.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Click the column picker icon.

Step 3

Click the Favorite column sets icon.

Step 4

Click the column set that you want to load.


View troubleshooting syslogs from threat defense devices in unified events

Configure the threat defense devices to log all troubleshooting syslogs to the Firewall Management Center and view them as Troubleshoot Events in the Unified Events table. Use this option to view device syslogs in real time. You can filter and analyze them alongside other event types in the same table to troubleshoot your Firewall Threat Defense devices.

For more information, see View Troubleshooting Syslogs in the Secure Firewall Management Center.

Before you begin

Ensure that you enable the managed Firewall Threat Defense devices to send all logs to the Firewall Management Center by configuring the Logging to Secure Firewall Management Center option in the device's platform settings. For more information, see Enable Logging and Configure Basic Settings in the Cisco Secure Firewall Management Center Device Configuration Guide.

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

Click the Troubleshooting tab.

Step 3

In the troubleshooting events table, you can do the following:

  • View and analyze the troubleshoot events alongside the corresponding connection events to gain additional insights for troubleshooting.

  • Click Go Live to view the troubleshoot events in real time. This helps you to correlate the device logs with the recent device configuration changes.


Unified events column details

Values in some fields on the Unified Events page depend on the event type. See this table for the values by event type for the default fields.

To see all event fields and the event types they correspond to, use the column picker icon.

Unified events field        Connection event field *   Intrusion event field   File event field   Malware event field
Time                        First Packet               Time                    Time               Time
Event Type                  --                         --                      --                 --
Action                      Action                     Inline Result           Action             Action
Reason                      Reason                     Reason                  (Not applicable)   (Not applicable)
Source IP                   Initiator IP               Source IP               Sending IP         Sending IP
Destination IP              Responder IP               Destination IP          Receiving IP       Receiving IP
Source Port/ICMP Type       Source Port                Source Port             Sending Port       Sending Port
Destination Port/ICMP Type  Destination Port           Destination Port        Receiving Port     Receiving Port
Web Application             Web Application            Web Application         Web Application    Web Application
Rule                        Access Control Rule        Access Control Rule     (Not applicable)   (Not applicable)
Policy                      Access Control Policy      Intrusion Policy        File Policy        File Policy
Device                      Device                     Device                  Device             Device

* Also applies to security-related connection events.

For more information about the event fields, see also: A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.


Note

Even if logging is not enabled at the beginning of a connection, the system still records the first-packet time and uses it as the Time field in the unified events table. To check whether a connection event was logged at both the beginning and the end of the connection, expand the event row for details; if both ends were logged, a Last Packet field is shown.
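The per-event-type field mapping from the table above and the First Packet / Last Packet behaviour from the note, carried through as an added example. It is not Firewall Management Center's own code: the mapping is transcribed from the table, the sample records use invented values and native field names, and related_by_address is an assumed heuristic (matching on either address, because the page notes that a connection's initiator need not be the sender of a malware file), not a documented FMC behaviour.

```python
"""Normalize per-type event records into the unified events column names.

Added example: it encodes the default-field mapping from the table above
(unified field -> native field, per event type) and shows how a connection
record's First Packet becomes the unified Time field, with Last Packet
surfacing only when the end of the connection was also logged. The sample
records are constructed with invented values; this is not Firewall
Management Center's own code, and related_by_address is an assumed
heuristic, not a documented FMC behaviour.
"""

# Unified field -> native field name for each event type, taken from the
# table above. None stands for a "(Not applicable)" cell.
FIELD_MAP = {
    "Connection": {
        "Time": "First Packet", "Action": "Action", "Reason": "Reason",
        "Source IP": "Initiator IP", "Destination IP": "Responder IP",
        "Source Port/ICMP Type": "Source Port",
        "Destination Port/ICMP Type": "Destination Port",
        "Web Application": "Web Application", "Rule": "Access Control Rule",
        "Policy": "Access Control Policy", "Device": "Device",
    },
    "Intrusion": {
        "Time": "Time", "Action": "Inline Result", "Reason": "Reason",
        "Source IP": "Source IP", "Destination IP": "Destination IP",
        "Source Port/ICMP Type": "Source Port",
        "Destination Port/ICMP Type": "Destination Port",
        "Web Application": "Web Application", "Rule": "Access Control Rule",
        "Policy": "Intrusion Policy", "Device": "Device",
    },
    "File": {
        "Time": "Time", "Action": "Action", "Reason": None,
        "Source IP": "Sending IP", "Destination IP": "Receiving IP",
        "Source Port/ICMP Type": "Sending Port",
        "Destination Port/ICMP Type": "Receiving Port",
        "Web Application": "Web Application", "Rule": None,
        "Policy": "File Policy", "Device": "Device",
    },
}
# Security-related connection events share the connection mapping, and
# malware events share the file mapping (same columns in the table).
FIELD_MAP["Security-related connection"] = FIELD_MAP["Connection"]
FIELD_MAP["Malware"] = FIELD_MAP["File"]


def to_unified(event_type, record):
    """Rename a native record's fields to the unified column names.

    Not-applicable fields are skipped, as are fields the record has no data
    for (the UI's expanded event details omit those as well).
    """
    unified = {"Event Type": event_type}
    for unified_name, native_name in FIELD_MAP[event_type].items():
        if native_name is None:
            continue
        value = record.get(native_name)
        if value is not None:
            unified[unified_name] = value
    # Time always comes from First Packet; Last Packet is present only when
    # the end of the connection was logged as well.
    if event_type in ("Connection", "Security-related connection"):
        if record.get("Last Packet") is not None:
            unified["Last Packet"] = record["Last Packet"]
    return unified


def related_by_address(events, anchor):
    """Other events sharing an address with the anchor in either direction.

    Assumed heuristic for this example: because a connection's initiator is
    not necessarily the sender of a malware file, match on Source IP or
    Destination IP individually rather than on the ordered pair.
    """
    addrs = {anchor.get("Source IP"), anchor.get("Destination IP")} - {None}
    return [e for e in events if e is not anchor
            and addrs & {e.get("Source IP"), e.get("Destination IP")}]


# Constructed sample records (invented values), keyed by native field names.
SAMPLE = [
    ("Connection", {
        "First Packet": "2024-01-01 10:00:00", "Last Packet": "2024-01-01 10:00:07",
        "Action": "Allow", "Initiator IP": "10.1.1.5", "Responder IP": "198.51.100.7",
        "Source Port": 51234, "Destination Port": 443,
        "Access Control Rule": "web-out", "Access Control Policy": "corp-acp",
        "Device": "ftd-edge-1"}),
    ("Connection", {              # only begin-of-connection logged: no Last Packet
        "First Packet": "2024-01-01 10:00:09", "Action": "Allow",
        "Initiator IP": "10.1.1.6", "Responder IP": "203.0.113.4",
        "Source Port": 41000, "Destination Port": 53, "Device": "ftd-edge-1"}),
    ("Malware", {                 # the first connection's responder is the sender here
        "Time": "2024-01-01 10:00:05", "Action": "Malware Cloud Lookup",
        "Sending IP": "198.51.100.7", "Receiving IP": "10.1.1.5",
        "Sending Port": 443, "Receiving Port": 51234,
        "File Policy": "corp-file", "Device": "ftd-edge-1"}),
]
UNIFIED = [to_unified(event_type, record) for event_type, record in SAMPLE]

if __name__ == "__main__":
    for row in UNIFIED:
        print(row)
    print("related to first connection:", related_by_address(UNIFIED, UNIFIED[0]))
```

In the sample, the malware event's Sending IP is the connection's Responder IP, so a lookup keyed on the ordered initiator/responder pair would miss it; matching on either address, as the note above recommends with the Source or Destination IP filter, finds it.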


History for unified events

This table provides a chronological history of Unified Events feature updates and improvements, enabling you to track feature availability and requirements across different Firewall Management Center versions.

Feature: View diagnostic syslog messages in the Unified Events table.

  • Minimum Firewall Management Center: 7.6.0

  • Minimum Firewall Threat Defense: Any

  • Details: You can now view the device syslogs as a new event type called Troubleshoot Events in the Unified Events page. The unified events table allows you to view the troubleshoot events in real time and correlate them with other event types within the same event table, providing deeper insights to help you troubleshoot the threat defense device configurations.

    New/modified screens: Analysis > Unified Events > Troubleshooting.

Feature: Quickly apply event type filters to the Unified Events table.

  • Minimum Firewall Management Center: 7.6.0

  • Minimum Firewall Threat Defense: Any

  • Details: Introduced event type filter buttons, which allow you to quickly apply Event Type filters to the unified events table. Additionally, each button shows the count of events that correspond to the chosen time period.

    New/modified screens: Analysis > Unified Events.

Feature: Packet tracer for unified events

  • Minimum Firewall Management Center: 7.4.1, 7.2.6

  • Minimum Firewall Threat Defense: Any

  • Details: You can now open the packet tracer from the Unified Events page to troubleshoot your security events.

    Click the ellipsis icon next to an event for which you want to run a packet trace, and click the Open in Packet Tracer link.

    Version restrictions: Not supported with Version 7.3.x or 7.4.0.

Feature: Unified events improvements

  • Minimum Firewall Management Center: 7.4

  • Minimum Firewall Threat Defense: Any

  • Details: Improvements to the save favorite column sets and searches functions.

Feature: Save your favorite searches

  • Minimum Firewall Management Center: 7.3

  • Minimum Firewall Threat Defense: Any

  • Details: Save column sets and searches as your favorites and later launch them quickly.

Feature: Unified events table

  • Minimum Firewall Management Center: 7.0

  • Minimum Firewall Threat Defense: Any

  • Details: View and work in a single table with multiple event types: Connection (including Security Intelligence), intrusion, file, and malware.

    New/modified screens: New page under Analysis > Unified Events.

    Supported platforms: Firewall Management Center