Cisco Secure Firewall Management Center Administration Guide, 7.6
Unified Events is a firewall event monitoring feature in Firewall Management Center that:
Provides a single-screen view of various firewall event types, including connection, intrusion, file, malware, and security-related connection events.
Stacks related events together in the table to provide more context about the security incident.
Correlates associated events so that you can better understand and troubleshoot network issues without toggling between multiple event viewers.
The Unified Events table is highly customizable. You can create and apply custom filters to fine-tune the information displayed on the event viewer. You can save custom filters for specific needs that you use often, and quickly load these saved filters. You can customize the event table by adding, removing, pinning, or reordering columns.
Requirements for using unified events
Before using Unified Events in the Firewall Management Center, ensure you meet these requirements.
You must configure the necessary policies and enable logging settings on your devices to generate security events and display them on the Unified Events page.
Work with unified events
View and work with various firewall event types in a single table without needing to switch between multiple event viewers.
Use this view to:
Look for relationships between events of different types in the unified view.
See the effects of policy changes in real time.
Before you begin
You must have Admin or Security Analyst privileges to perform this task.
You can filter the vast list of firewall events that the unified events table initially displays for a more granular contextual picture of events in your network.
Click the column picker icon and choose columns. Values in some fields depend on the event type. An icon next to each field indicates the event type it corresponds to:
Connection event
Security-related connection event
Intrusion event
File event
Malware event
Troubleshoot event
Click the event icon next to the column set filtering options to filter the list of event fields according to the selected event type.
Note
Including many columns may degrade performance. You can view data for hidden columns by expanding an event row to view event details.
Reorder columns:
Drag and drop the column heading.
Pin (freeze) columns to the left or right side of the table so they do not scroll:
Drag a column all the way to either the left or right side of the table, or drag and drop a column heading into the pinned area.
To unpin a column, drag the column out of the pinned area.
Resize columns.
Revert columns to the default setting.
Save column sets to quickly reload your customized view later. For more information, see Save a column set.
Data is always sorted by time, with the most recent events on top.
Quickly filter by event type
Event type filter buttons, located in the upper left, allow you to quickly apply the event type filters. Each event type button displays the number of events available for the selected time range. Click the event type button to include or exclude that event type.
Figure 1. Event type filter buttons
Note
The Troubleshoot Event button appears under the Troubleshooting tab. To view the troubleshooting events, you must enable the logging of all troubleshooting syslogs in the threat defense device platform settings policy. For more information, see View Troubleshooting Syslogs in the Secure Firewall Management Center.
Identify related events
Click a row to highlight other events that are related to this event.
If needed, filter the events to display a small enough set of events.
Note
The initiator of a connection is not necessarily the same as the sender of a malware file. Search for the file or malware event associated with a connection event by filtering the unified events table with the Source or Destination IP filter.
View event details
Click the > (Expand) icon at the left end of the row. Event details do not include fields that have no data to display.
Tip
Alternatively, double-click on an event row to view the Event Details pane. When the Event Details pane is open, click on any event row in the table to load the details of that event.
Troubleshoot events using Packet Tracer
Click the ellipsis icon adjacent to the row for which you want to run the packet trace.
Choose Open in Packet Tracer to simulate a packet in the Packet Tracer tool based on the source and destination addresses and protocol characteristics of the event. Trace the simulated packet and use the trace result to troubleshoot the security event. For more information on how to use the packet tracer tool, see Run a packet trace.
You can display different views of the unified events table using multiple browser tabs or windows.
Each new tab or window has the characteristics of the most recently modified tab or window.
To make any open tab or window the template, make a minor change to it.
The system processes queries on multiple tabs sequentially.
Depending on the view (complex queries, or viewing in live view mode when the incoming event rate is high, for example), you may experience slower performance if more than 4 tabs are open simultaneously.
Save searches
Save custom searches as your favorites and quickly load them later. For more information, see Save a search in unified events.
Bookmark or share query results
Bookmark or copy-paste the URL in the browser window.
The URL retrieves different events later if it uses the sliding time range.
The URL does not capture column visibility, size and order, and real-time streaming settings.
Set a time range in unified events
Set a time range in unified events to view firewall events for a specific period and control which events are displayed in the table.
When you change the time range, the unified events table automatically refreshes to reflect your changes. The time range that you select does not apply to other tables in the event viewer. For example, a time range that you select when viewing connection events does not apply to the unified events table and vice versa.
Note
If your time window extends back beyond the retention period for connection events, look for Security-Related Connection events in the tables under Analysis > Connections > Security-Related Events.
Procedure
Step 1
Choose Analysis > Unified Events.
By default, the unified events table displays events from the past hour.
Step 2
Click the current time range.
Step 3
Choose one of the following:
If you want to see events for a fixed time range, click Fixed Time Range and choose the Start time and End time.
To set the current time as the End time, click Now.
If you want a sliding default time window (such as the last hour), select Sliding Time Range and specify the desired length.
The table displays all the events generated from a specific start time—for example, the past hour—relative to the present.
Refreshing the view ensures the window always displays events from the most recent hour of activity.
Step 4
Click Apply.
Enable live event monitoring in unified events
Configure Unified Events to display firewall events in real time, eliminating the need for manual refreshes.
When live view mode is active, the event logs appear in real time as the security event occurs in your network. This enables you to identify and resolve security incidents quickly.
Procedure
Step 1
Choose Analysis > Unified Events.
By default, the Unified Events table displays historical events from the past hour.
Step 2
Click Go Live to start real-time viewing of new events.
New events are displayed at the top of the events table. The time range section includes a timer that indicates the length of time live view has been active.
Note
When using the Go Live feature, this limitation applies to UDP traffic:
By default, the Go Live feature considers traffic data from the last 30 seconds, which is shorter than the 120 seconds required for UDP connections to be processed and included in the Unified Events table. This may cause UDP events to appear incomplete in the Unified Events table.
Configure logging at the beginning of the connection for UDP traffic to improve visibility.
What to do next
To exit the live view mode, click Live.
Filters in unified events
The Unified Events table displays firewall events from the past hour. Use these steps to filter and narrow the view for more granular analysis of your network traffic.
Filters help you quickly access critical information. For example, if you want to monitor application access for specific users, you can apply search criteria to isolate relevant firewall logs. The event viewer displays only the entries that match your criteria.
You can use both inclusion and exclusion criteria to refine your search results effectively.
Procedure
Step 1
Choose Analysis > Unified Events.
Step 2
Enter the filter criteria:
To manually enter the filter criteria:
Enter filter criteria in the search field, or select a filter from the drop-down list.
Enter the value for the selected filter criteria. Suggestions will appear in the drop-down list as you type.
To pick the filter criteria from the table, click the dots in a cell and choose an option to include or exclude that value from your filter criteria.
Tip
Use Ctrl+click (Windows) or Command-click (Mac) to quickly add an inclusion filter criterion.
Use Alt+click (Windows) or Option-click (Mac) to quickly add an exclusion filter criterion.
Refine your filter criteria. For information about wildcards and search behavior, see Event Searches.
Include operators (such as <, >, !) in the value field, preceding the value. For example, enter !Allow in the Action field to find all events with an action other than Allow.
Step 3
Perform the search.
Tip
You can use the Ctrl+Enter (Windows) or Command-Enter (Mac) key command to initiate a search.
Events in the unified events table are not aggregated when the displayed columns all hold identical values. Every event matching your filter criteria is listed individually.
The unified events table displays filtered results based on your criteria, showing only the events that match your inclusion and exclusion filters for more targeted analysis.
Load a saved search
If you have previously saved search criteria in Unified Events, you can quickly load the criteria and focus on particular firewall events without entering your criteria again.
Before you begin
Ensure you have already saved your preferred search criteria. For more information on saving search criteria, see Save a search in unified events.
Procedure
Step 1
Choose Analysis > Unified Events.
Step 2
Click the Favorite Searches icon on the search text box.
Step 3
Click the saved search that you want to load.
Save a column set
Save custom column sets as your favorites to load them later or quickly toggle between custom tables.
This option allows you to create personalized table layouts for more efficient firewall event review. Note that this option is not available for the Troubleshooting table.
Procedure
Step 1
Choose Analysis > Unified Events.
Step 2
Click the column picker icon and choose the set of columns that you want to save.
Step 3
Click the Favorite column sets icon.
Step 4
Do one of the following:
To save a new column set, specify a column set name and click Save as new.
To overwrite a favorite column set, click Edit on the column set that you want to overwrite, and click Overwrite.
The custom column set is saved and can be loaded later for quick access to your preferred table layout.
Load a saved column set
Apply preferred table layouts and streamline firewall event analysis by loading a previously saved column set in the Unified Events page.
Before you begin
Ensure you have already saved a column set. For more information on saving a column set, see Save a column set.
Procedure
Step 1
Choose Analysis > Unified Events.
Step 2
Click the column picker icon.
Step 3
Click the Favorite column sets icon.
Step 4
Click the column set that you want to load.
View troubleshooting syslogs from threat defense devices in unified events
Configure the threat defense devices to log all troubleshooting syslogs to the Firewall Management Center and view them as Troubleshoot Events in the Unified Events table. Use this option to view device syslogs in real time. You can filter and analyze them with other event types in the same table to troubleshoot your Firewall Threat Defense devices.
Ensure that you enable the managed Firewall Threat Defense devices to send all logs to the Firewall Management Center by configuring the option in the device's platform settings. For more information, see Enable Logging and Configure Basic Settings in the Cisco Secure Firewall Management Center Device Configuration Guide.
Procedure
Step 1
Choose Analysis > Unified Events.
Step 2
Click the Troubleshooting tab.
Step 3
In the troubleshooting events table, you can do the following:
View and analyze the troubleshoot events alongside the corresponding connection events to gain additional insights for troubleshooting.
Click Go Live to view the troubleshoot events in real time. This helps you to correlate the device logs with the recent device configuration changes.
Unified events column details
Values in some fields on the Unified Events page depend on the event type. See this table for values by event type for the default fields.
To see all event fields and their correspondences, use the column picker icon.
Unified events field         | Connection or security-related connection event field | Intrusion event field | File event field  | Malware event field
Time                         | First Packet                                          | Time                  | Time             | Time
Event Type                   | --                                                    | --                    | --               | --
Action                       | Action                                                | Inline Result         | Action           | Action
Reason                       | Reason                                                | Reason                | (Not applicable) | (Not applicable)
Source IP                    | Initiator IP                                          | Source IP             | Sending IP       | Sending IP
Destination IP               | Responder IP                                          | Destination IP        | Receiving IP     | Receiving IP
Source Port/ICMP Type        | Source Port                                           | Source Port           | Sending Port     | Sending Port
Destination Port/ICMP Type   | Destination Port                                      | Destination Port      | Receiving Port   | Receiving Port
Web Application              | Web Application                                       | Web Application       | Web Application  | Web Application
Rule                         | Access Control Rule                                   | Access Control Rule   | (Not applicable) | (Not applicable)
Policy                       | Access Control Policy                                 | Intrusion Policy      | File Policy      | File Policy
Device                       | Device                                                | Device                | Device           | Device
For more information about the event fields, refer to:
Note on the First Packet field: even if logging is not enabled at the beginning of a connection, the system has this value and uses it as the Time field in the unified events table. To check whether a connection event was logged at the beginning and end of the connection, expand the event row for details. If both ends of the connection were logged, you will see a Last Packet field.
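As an added example (not Cisco code and not part of this guide), the following Python maps raw records of several event types onto the unified columns from the table above and applies the inclusion, exclusion and operator filter syntax described under Filters in unified events. The field names follow the table; the event records, device name, policy names and addresses are constructed.

```python
# Added example (not Cisco code): map raw records of different event types onto the
# Unified Events columns from the table above, then apply inclusion/exclusion filters
# using the "!", "<" and ">" operator syntax the filter field accepts ("!Allow").
# Raw source field per event type for each unified column, taken from the table;
# all records, names and values further down are constructed.
FIELD_MAP = {
    "connection": {"Time": "First Packet", "Action": "Action", "Source IP": "Initiator IP",
                   "Destination IP": "Responder IP", "Destination Port": "Destination Port",
                   "Policy": "Access Control Policy"},
    "intrusion": {"Time": "Time", "Action": "Inline Result", "Source IP": "Source IP",
                  "Destination IP": "Destination IP", "Destination Port": "Destination Port",
                  "Policy": "Intrusion Policy"},
    "malware": {"Time": "Time", "Action": "Action", "Source IP": "Sending IP",
                "Destination IP": "Receiving IP", "Destination Port": "Receiving Port",
                "Policy": "File Policy"},
}
FIELD_MAP["file"] = FIELD_MAP["malware"]   # file events use the same field names

def unify(event_type, record):
    """Map one raw record onto the unified columns; absent fields become None."""
    row = {"Event Type": event_type, "Device": record.get("Device")}
    for column, source in FIELD_MAP[event_type].items():
        row[column] = record.get(source)
    return row

def match(row, field, expr):
    """One filter value: a leading !, < or > is an operator, otherwise exact match."""
    value, op, rest = row.get(field), expr[:1], expr[1:]
    if op == "!":                       # exclusion: anything except this value
        return value != rest
    if op in ("<", ">"):                # numeric comparison, e.g. on ports
        if not isinstance(value, int):
            return False
        return value < int(rest) if op == "<" else value > int(rest)
    return value == expr                # plain inclusion

def search(rows, criteria):
    """Keep rows that satisfy every (field, expr) pair; criteria are ANDed."""
    return [r for r in rows if all(match(r, f, e) for f, e in criteria)]

# Constructed sample records, one connection event and one malware event.
RAW = [
    ("connection", {"First Packet": "10:00:01", "Action": "Allow", "Initiator IP": "10.0.0.5",
                    "Responder IP": "198.51.100.7", "Destination Port": 443,
                    "Access Control Policy": "Corp-ACP", "Device": "ftd-1"}),
    ("malware", {"Time": "10:00:03", "Action": "Malware Block", "Sending IP": "198.51.100.7",
                 "Receiving IP": "10.0.0.5", "Receiving Port": 52100,
                 "File Policy": "FP-1", "Device": "ftd-1"}),
]
ROWS = [unify(t, r) for t, r in RAW]   # the rows the unified table would show
```

Running search(ROWS, [("Action", "!Allow")]) keeps only the malware row, the same result the table gives for !Allow in the Action filter.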