There are two different types of union tables: proprietary and common.
Proprietary union tables are union tables created by a user for specific purposes and can be used only inside their domain of creation. Learn more about union table creation here.
Common union tables are union tables that are available in all domains and collect information for monitoring purposes. For several technologies, the log events contain very similar or identical fields regardless of brand. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources. Union tables are indicated in the finder by the union icon. Hover over the icon to see a full list of the tables that the union table will collect if available in the deployment.
In this article, we will focus on the common union tables you may find in your finder. The table below lists all the available custom tables in Devo and the source tables they draw data from.
Union table | Source tables |
---|---|
auth.all | adn.f5.bigip.apm
adn.f5.bigip.audit
app.lastpass.events
auth.cisco.ise
auth.duo.administrator.login
auth.duo.authentication.events
auth.jumpcloud.all.events
auth.okta.events
auth.okta.system
auth.onelogin.events
auth.ping.federate.audit
auth.ping.federate.security_audit
auth.ping.id.mfa
auth.rsa.secureid.runtime
auth.securenvoy
auth.thycotic.secretserver
auth.unix
box.all.win
cef0.microsoft.microsoftWindows
cloud.aws.cloudtrail.events
cloud.aws.cloudtrail.signin
cloud.azure.ad.signin
cloud.azure.sql.audit
cloud.gsuite.reports.login
cloud.office365.management
crm.salesforceobjects.loginhistory
db.mssql.events
db.oracle.audit_trail
ddi.infoblox.audit
firewall.all.vpn.auth
firewall.fortinet.event.system
firewall.juniper.srx.system
firewall.paloalto.globalprotect
firewall.paloalto.system
helpdesk.zendesk.audit.logs
network.cisco.switch
network.citrix.adc.sslvpn
siem.logtrust.web.connection
vpn.aws.client
vpn.cisco.asa.anyconnect
|
auth.jumpcloud.all.events | auth.jumpcloud.directory.events
auth.jumpcloud.ldap.events
auth.jumpcloud.mdm.events
auth.jumpcloud.radius.events
auth.jumpcloud.software.events
auth.jumpcloud.sso.events
auth.jumpcloud.systems.events
|
auth.unix | box.audit.unix
box.devo_ea.events_linux
box.unix
box.unix_cloudwatch
box.vmware.esx
cloud.azure.vm.unix
|
av.all.threats | av.mcafee.epo.threat
av.sophos.threats
av.symantec.sepc.events
|
box.all.win | box.devo_ea.events_windows
box.devo_ua.events_windows
box.win
box.win_classic
box.win_cloudwatch
box.win_hf
box.win_kinesis
box.win_nxlog
box.win_quest.change_auditor.leef
box.win_snare
box.win_solarwinds
box.win_winlogbeat
box.winNxlog
cloud.azure.vm.applicationevent
cloud.azure.vm.securityevent
cloud.azure.vm.systemevent
|
box.audit.unix | box.audit.unix.audispd
box.audit.unix.auditd
|
cdn.all.access | cdn.akamai.access
cdn.triton.access
|
cef0.fortinet.fortigateAll | cef0.fortinet.fortigate
cef0.fortinet.fortigate200e
cef0.fortinet.fortigate300d
cef0.fortinet.fortigate400e
cef0.fortinet.fortigate600e
cef0.fortinet.fortigate60e
|
cloud.office365.management | cloud.office365.management.aip
cloud.office365.management.airinvestigation
cloud.office365.management.azureactivedirectory
cloud.office365.management.cca
cloud.office365.management.compliance
cloud.office365.management.compliancemanager
cloud.office365.management.corereporting
cloud.office365.management.crm
cloud.office365.management.dlpsensitiveinformationtype
cloud.office365.management.endpoint
cloud.office365.management.exchange
cloud.office365.management.mcas
cloud.office365.management.microsoftflow
cloud.office365.management.microsoftforms
cloud.office365.management.microsoftstream
cloud.office365.management.microsoftteams
cloud.office365.management.mip
cloud.office365.management.myanalytics
cloud.office365.management.officeapps
cloud.office365.management.onedrive
cloud.office365.management.onedriveforbusiness
cloud.office365.management.powerapps
cloud.office365.management.powerbi
cloud.office365.management.powerplatformadmin
cloud.office365.management.project
cloud.office365.management.publicendpoint
cloud.office365.management.quarantine
cloud.office365.management.rdl
cloud.office365.management.securitycompliancecenter
cloud.office365.management.sharepoint
cloud.office365.management.skypeforbusiness
cloud.office365.management.threatintelligence
cloud.office365.management.workplaceanalytics
cloud.office365.management.yammer
cloud.office365.oldmanagement
|
ddi.infoblox.dns.queries_responses | |
dhcp.all | ddi.infoblox.dhcp.dhcpd
dhcp.bluecat.dhcpd
dhcp.infoblox.stdout
dhcp.microsoft.ip4
dhcp.microsoft.ip6
dhcp.unix.stdout
firewall.paloalto.system
|
domains.all | ddi.infoblox.dns.queries
dns.bind.query
dns.bluecat.named
dns.bluecat.stats
dns.infoblox.response
dns.windows
edr.crowdstrike.cannon.dnsrequest
firewall.fortinet.event.dns
ids.bro.dns
ids.bro.http
proxy.all.access
proxy.zscaler.umbrella.dns
sig.cisco.umbrella.dns
web.all.access
|
edr.all.threats | av.sentinelone.rfc_5424
cef0.bit9CarbonblackJson.cbResponse
edr.carbonblack.alert
edr.cbef.alert.cb_analytics
edr.cbef.alert.watchlist
edr.crowdstrike.cannon
edr.crowdstrike.falcon
edr.crowdstrike.falconstreaming.detection_summary
edr.cylance.threats
edr.cylance.device
edr.fireeye.alerts
edr.minervalabs.events
edr.sentinelone.agent.threats
edr.symantec.events
edr.tanium.events
edr.tanium.threats
endpoint.carbonblack.protection
xdr.cynet.alerts.events
|
edr.carbonblack.all | |
edr.crowdstrike.falconstreaming.user_activity_all | edr.crowdstrike.falconstreaming.user_activity_detections
edr.crowdstrike.falconstreaming.user_activity_device_control_policy
edr.crowdstrike.falconstreaming.user_activity_devices
edr.crowdstrike.falconstreaming.user_activity_groups
edr.crowdstrike.falconstreaming.user_activity_ip_whitelist
edr.crowdstrike.falconstreaming.user_activity_other
edr.crowdstrike.falconstreaming.user_activity_prevention_policy
edr.crowdstrike.falconstreaming.user_activity_quarantined_files
edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
|
firewall.all.cpu | |
firewall.all.ips | |
firewall.all.mem | |
firewall.all.traffic | adn.f5.bigip.afm
adn.f5.bigip.asm
box.iptables
cef0.checkPoint.vpn1Firewall1
cef0.cisco.firepower
cef0.forcepoint.firewall
cef0.fortinet.fortigateAll
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.panOs
cef0.stonesoft.firewall
cef0.stonesoft.stonegate
cef0.zscaler.nssfwlog
cloud.azure.firewall.application_rule
cloud.azure.firewall.network_rule
cloud.cloudflare.logpush.http
edr.crowdstrike.falconstreaming.firewall_match
firewall.checkpoint.fw
firewall.checkpoint.gaia
firewall.checkpoint.lea
firewall.checkpoint.log_exporter
firewall.cisco.asa
firewall.cisco.fmc
firewall.cisco.fmc_estreamer
firewall.cisco.ftd
firewall.cisco.fwsm
firewall.cisco.pix
firewall.fortinet.traffic
firewall.juniper.isg.traffic
firewall.juniper.nsm.traffic
firewall.juniper.srx.traffic
firewall.juniper.ssg.traffic
firewall.meraki.flows
firewall.paloalto.traffic
firewall.pfsense.filterlog
firewall.pfsense.firewall
firewall.sonicwall.genv58
firewall.sophos.securenet.packetfilter
firewall.sophos.xgfirewall.firewall
firewall.stonegate.leef
firewall.stonegate.xml
firewall.velocloud.traffic
firewall.vyatta.traffic
firewall.watchguard.traffic
proxy.zscaler.nss_firewall
proxy.zscaler.zia.firewall
|
firewall.all.virus | |
firewall.all.vpn.auth | |
firewall.all.vpn.traffic | |
firewall.all.webfilter | firewall.fortinet.utm.webfilter
firewall.sonicwall.genv58
firewall.sophos.xgfirewall.contentfiltering
|
firewall.paloalto.all | firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.system
firewall.paloalto.traffic
firewall.paloalto.threat
firewall.paloalto.url
firewall.paloalto.userid
|
ftp.all.access | |
ids.bricata.alerts.all | ids.bricata.brocata
ids.bricata.burocata
|
ids.rscope | ids.rscope.communication
ids.rscope.conn
ids.rscope.dce_rpc
ids.rscope.dhcp
ids.rscope.dns
ids.rscope.dpd
ids.rscope.files
ids.rscope.ftp
ids.rscope.http
ids.rscope.intel
ids.rscope.irc
ids.rscope.kerberos
ids.rscope.known_hosts
ids.rscope.known_services
ids.rscope.modbus
ids.rscope.mysql
ids.rscope.notice
ids.rscope.ntlm
ids.rscope.pe
ids.rscope.protocolstats_orig
ids.rscope.protocolstats_resp
ids.rscope.radius
ids.rscope.rdp
ids.rscope.removed_files
ids.rscope.reporter
ids.rscope.rfb
ids.rscope.rscopestats_byte
ids.rscope.rscopestats_core
ids.rscope.rscopestats_misc
ids.rscope.rscopestats_pckt
ids.rscope.rscopestats_port
ids.rscope.rscopestats_sys
ids.rscope.sip
ids.rscope.smb_files
ids.rscope.smb_mapping
ids.rscope.smtp
ids.rscope.snmp
ids.rscope.socks
ids.rscope.software
ids.rscope.ssh
ids.rscope.ssl
ids.rscope.stats
ids.rscope.stderr
ids.rscope.stdout
ids.rscope.syslog
ids.rscope.tunnel
ids.rscope.weird
ids.rscope.x509
|
ips.all.alerts | firewall.fortinet.utm.ips
firewall.fortinet.ips.anomaly
firewall.sophos.securenet.ips
firewall.stonegate.ips
ips.cisco.sdee.alerts
ips.corero.common
ips.proventia.siteprotector.leef
ips.toplayer.common
|
nac.aruba.sessions | nac.aruba.sessions.common
nac.aruba.sessions.failed_authentications
nac.aruba.sessions.radius
|
netstat.netflow.all | |
network.dns | cloud.azure.firewall.dns_proxy
dns.bind.query
dns.bluecat.named
dns.infoblox.response
dns.infoblox.bloxonethreatdefense.threats
dns.windows
edr.crowdstrike.cannon.dnsrequest
firewall.paloalto.traffic
ids.bro.dns
|
proxy.all.access | cef0.zscaler.nssweblog
firewall.sophos.xgfirewall.contentfiltering
proxy.bluecoat.proxysg.main
proxy.bluecoat.proxysg.bcreportermain_v1
proxy.forcepoint.access
proxy.haproxy.all
proxy.isaserver.accessW3cAb
proxy.mcafee.webgw.accessAb
proxy.mcafee.webgw.default
proxy.squid.accessClf
proxy.squid.accessCombined
proxy.squid.accessLt
proxy.squid.accessSquid
proxy.squid.accessSquidMime
proxy.varnish.accessCombined
proxy.varnish.accessCombinedXff
proxy.zscaler.access
proxy.zscaler.nss
proxy.zscaler.nss_web
sig.cisco.umbrella.proxy
|
proxy.haproxy.all | proxy.haproxy.clf
proxy.haproxy.http
proxy.haproxy.tcp
|
syslog.all.stats | syslog.alcohol.stats
syslog.hybrid.stats
syslog.scoja.stats
|
web.all.access | cloud.aws.cloudfront.web_1
cloud.azure.appgateway.access_log
web.apache.accessClf
web.apache.accessCombined
web.apache.accessLt
web.apache.accessLtXff
web.apache.accessVhc
web.aws.cloudfront.accessW3c
web.aws.elb.access
web.aws.s3.access
web.iis.accessNcsa
web.iis.accessW3cAll
web.iis.accessW3c
web.iplanet.accessClf2
web.jboss.accessClf
web.jboss.accessCombined
web.jboss.accessLt
web.nginx.accessCombined
web.nginx.accessLt
web.nginx.accessLtXff
web.nginx.accessMain
web.tomcat.accessClf
web.tomcat.accessCombined
web.tomcat.accessLt
web.webseal.accessCombined
web.aws.alb.access
|