Working with Unified Events

View and work with various firewall event types in a single table without needing to switch between multiple event viewers.

Use this view to:

Look for relationships between events of different types in the unified view.
See the effects of policy changes in real time.

Procedure

Step 1

Choose Analysis > Unified Events.

Step 2

Choose the time range (fixed or sliding). For more information, see Set a Time Range in Unified Events.

Step 3

You can filter the vast list of firewall events that the unified events table initially displays for a more granular contextual picture of events in your network. For more information, see Filters in Unified Events.

Step 4

Choose more options:

To Do This ...

Do This

Customize columns

Add or remove columns:

Click the column picker ( column picker icon ) and choose columns. Values in some fields depend on the event type. The following icons that appear next to each field indicates the event type correspondence:

Connection event ()
Security-related connection event ()
Intrusion event ()
File event ()
Malware event ()

Click the event icon next to the column set filtering options to filter the list of event fields according to the selected event type.

Note	Including many columns may degrade performance. You can view data for hidden columns by expanding an event row to view event details.

Reorder columns:

Drag and drop the column heading.
Pin (freeze) columns to the left or right side of the table so they do not scroll:

Drag a column all the way to either left or right side of the table.

Or, drag and drop a column heading into the pinned area.

To unpin a column, drag the column out of the pinned area.
Resize columns.
Revert columns to the default setting.
Save column sets to quickly reload your customized view later. For more information, see Save a Column Set topic.

Data is always sorted by time, with the most recent events on top.

Identify related events

Click a row to highlight other events that are related to this event.

If needed, filter the events to display a small enough set of events.

Note	The initiator of a connection is not necessarily the same as the sender of a malware file. Search for the file or malware event associated with a connection event by filtering the unified events table with the Source or Destination IP filter.

View event details

Click the > (Expand) icon at the left end of the row. Event details do not include the field which has no data to display.

Tip	Alternatively, double-click on an event row to view the Event Details pane. When the Event Details pane is open, click on any event row in the table to load the details of that event.

Cross-launch to external resources

Click the ellipsis ( contextual_menu_icon ) in a table cell to see the options available for that cell value, if any.

For more information, see Event Investigation Using Web-Based Resources.

Open multiple unified events windows

You can display different views of the unified events table using multiple browser tabs or windows.
Each new tab or window has the characteristics of the most recently modified tab/window.
To make any open tab/window as the template, make a minor change to it.
The system processes queries on multiple tabs sequentially.
Depending on the view (complex queries, or viewing in live view mode when the incoming event rate is high, for example), you may experience slower performance if more than 4 tabs are open simultaneously.

Save searches

Save custom searches as your favorites and quickly load them later. For more information, see Save a Search in Unified Events.

Bookmark or share query results

Bookmark or copy-paste the URL in the browser window.

The URL retrieves different events later if it used the sliding time range.
The URL does not capture column visibility, size and order, and real-time streaming settings.