Union tables

There are two different types of union tables: proprietary and common.

Proprietary union tables are union tables created by a user for specific purposes and can be used only inside their domain of creation. Learn more about union table creation here.

Common union tables are union tables that are available in all domains and collect information for monitoring purposes. There are several technologies for which, regardless of brand, the log events contain very similar, or identical fields. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources. Union tables are indicated in the finder by the union icon. Hover over the icon to see a full list of the tables that the union table will collect if available in the deployment.

In this article, we will focus on the common union tables you may find in your finder. In the table below, find a list with all the available custom tables in Devo, and the source tables they draw data from.

Union table	Source tables
auth.all	`adn.f5.bigip.apm` `adn.f5.bigip.audit` `app.lastpass.events` `auth.cisco.ise` `auth.duo.administrator.login` `auth.duo.authentication.events` `auth.jumpcloud.all.events` `auth.okta.events` `auth.okta.system` `auth.onelogin.events` `auth.ping.federate.audit` `auth.ping.federate.security_audit` `auth.ping.id.mfa` `auth.rsa.secureid.runtime` `auth.securenvoy` `auth.thycotic.secretserver` `auth.unix` `box.all.win` `cef0.microsoft.microsoftWindows` `cloud.aws.cloudtrail.events` `cloud.aws.cloudtrail.signin` `cloud.azure.ad.signin` `cloud.azure.sql.audit` `cloud.gsuite.reports.login` `cloud.office365.management` `crm.salesforceobjects.loginhistory` `db.mssql.events` `db.oracle.audit_trail` `ddi.infoblox.audit` `firewall.all.vpn.auth` `firewall.fortinet.event.system` `firewall.juniper.srx.system` `firewall.paloalto.globalprotect` `firewall.paloalto.system` `helpdesk.zendesk.audit.logs` `network.cisco.switch` `network.citrix.adc.sslvpn` `siem.logtrust.web.connection` `vpn.aws.client` `vpn.cisco.asa.anyconnect`
auth.jumpcloud.all.events	`auth.jumpcloud.directory.events` `auth.jumpcloud.ldap.events` `auth.jumpcloud.mdm.events` `auth.jumpcloud.radius.events` `auth.jumpcloud.software.events` `auth.jumpcloud.sso.events` `auth.jumpcloud.systems.events`
auth.unix	`box.audit.unix` `box.devo_ea.events_linux` `box.unix` `box.unix_cloudwatch` `box.vmware.esx` `cloud.azure.vm.unix`
av.all.threats	`av.mcafee.epo.threat` `av.sophos.threats` `av.symantec.sepc.events`
box.all.win	`box.devo_ea.events_windows` `box.devo_ua.events_windows` `box.win` `box.win_classic` `box.win_cloudwatch` `box.win_hf` `box.win_kinesis` `box.win_nxlog` `box.win_quest.change_auditor.leef` `box.win_snare` `box.win_solarwinds` `box.win_winlogbeat` `box.winNxlog` `cloud.azure.vm.applicationevent` `cloud.azure.vm.securityevent` `cloud.azure.vm.systemevent`
box.audit.unix	`box.audit.unix.audispd` `box.audit.unix.auditd`
cdn.all.access	`cdn.akamai.access` `cdn.triton.access`
cef0.fornitet.fortigateAll	`cef0.fortinet.fortigate` `cef0.fortinet.fortigate200e` `cef0.fortinet.fortigate300d` `cef0.fortinet.fortigate400e` `cef0.fortinet.fortigate600e` `cef0.fortinet.fortigate60e`
cloud.office365.management	`cloud.office365.management.aip` `cloud.office365.management.airinvestigation` `cloud.office365.management.azureactivedirectory` `cloud.office365.management.cca` `cloud.office365.management.compliance` `cloud.office365.management.compliancemanager` `cloud.office365.management.corereporting` `cloud.office365.management.crm` `cloud.office365.management.dlpsensitiveinformationtype` `cloud.office365.management.endpoint` `cloud.office365.management.exchange` `cloud.office365.management.mcas` `cloud.office365.management.microsoftflow` `cloud.office365.management.microsoftforms` `cloud.office365.management.microsoftstream` `cloud.office365.management.microsoftteams` `cloud.office365.management.mip` `cloud.office365.management.myanalytics` `cloud.office365.management.officeapps` `cloud.office365.management.onedrive` `cloud.office365.management.onedriveforbusiness` `cloud.office365.management.powerapps` `cloud.office365.management.powerbi` `cloud.office365.management.powerplatformadmin` `cloud.office365.management.project` `cloud.office365.management.publicendpoint` `cloud.office365.management.quarantine` `cloud.office365.management.rdl` `cloud.office365.management.securitycompliancecenter` `cloud.office365.management.sharepoint` `cloud.office365.management.skypeforbusiness` `cloud.office365.management.threatintelligence` `cloud.office365.management.workplaceanalytics` `cloud.office365.management.yammer` `cloud.office365.oldmanagement`
ddi.infoblox.dns.queries_responses	`ddi.infoblox.dns.infobloxResponses` `ddi.infoblox.dns.queries` `ddi.infoblox.dns.queryErrors`
dhcp.all	`ddi.infoblox.dhcp.dhcpd` `dhcp.bluecat.dhcpd` `dhcp.infoblox.stdout` `dhcp.microsoft.ip4` `dhcp.microsoft.ip6` `dhcp.unix.stdout` `firewall.paloalto.system`
domains.all	`ddi.infoblox.dns.queries` `dns.bind.query` `dns.bluecat.named` `dns.bluecat.stats` `dns.infoblox.response` `dns.windows` `edr.crowdstrike.cannon.dnsrequest` `firewall.fortinet.event.dns` `ids.bro.dns` `ids.bro.http` `proxy.all.access` `proxy.zscaler.umbrella.dns` `sig.cisco.umbrella.dns` `web.all.access`
edr.all.threats	`av.sentinelone.rfc_5424` `cef0.bit9CarbonblackJson.cbResponse` `edr.carbonblack.alert` `edr.cbef.alert.cb_analytics` `edr.cbef.alert.watchlist` `edr.crowdstrike.cannon` `edr.crowdstrike.falcon` `edr.crowdstrike.falconstreaming.detection_summary` `edr.cylance.threats` `edr.cylance.device` `edr.fireeye.alerts` `edr.minervalabs.events` `edr.sentinelone.agent.threats` `edr.symantec.events` `edr.tanium.events` `edr.tanium.threats` `endpoint.carbonblack.protection` `xdr.cynet.alerts.events`
edr.carbonblack.all	`cef0.bit9CarbonblackJson.cbResponse` `edr.carbonblack.alert` `edr.carbonblack.binary` `edr.carbonblack.feed` `edr.carbonblack.ingress` `edr.carbonblack.protect` `edr.carbonblack.watchlist`
edr.crowdstrike.falconstreaming.user_activity_all	`edr.crowdstrike.falconstreaming.user_activity_detections` `edr.crowdstrike.falconstreaming.user_activity_device_control_policy` `edr.crowdstrike.falconstreaming.user_activity_devices` `edr.crowdstrike.falconstreaming.user_activity_groups` `edr.crowdstrike.falconstreaming.user_activity_ip_whitelist` `edr.crowdstrike.falconstreaming.user_activity_other` `edr.crowdstrike.falconstreaming.user_activity_prevention_policy` `edr.crowdstrike.falconstreaming.user_activity_quarantined_files` `edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy`
firewall.all.cpu	`firewall.fortinet.event.system` `firewall.sophos.xgfirewall.systemhealth`
firewall.all.ips	`firewall.fortinet.utm.ips` `firewall.sonicwall.genv58`
firewall.all.mem	`firewall.fortinet.event.system` `firewall.sophos.xgfirewall.systemhealth`
firewall.all.traffic	`adn.f5.bigip.afm` `adn.f5.bigip.asm` `box.iptables` `cef0.checkPoint.vpn1Firewall1` `cef0.cisco.firepower` `cef0.forcepoint.firewall` `cef0.fortinet.fortigateAll` `cef0.paloAltoNetworks.lf` `cef0.paloAltoNetworks.panOs` `cef0.stonesoft.firewall` `cef0.stonesoft.stonegate` `cef0.zscaler.nssfwlog` `cloud.azure.firewall.application_rule` `cloud.azure.firewall.network_rule` `cloud.cloudflare.logpush.http` `edr.crowdstrike.falconstreaming.firewall_match` `firewall.checkpoint.fw` `firewall.checkpoint.gaia` `firewall.checkpoint.lea` `firewall.checkpoint.log_exporter` `firewall.cisco.asa` `firewall.cisco.fmc` `firewall.cisco.fmc_estreamer` `firewall.cisco.ftd` `firewall.cisco.fwsm` `firewall.cisco.pix` `firewall.fortinet.traffic` `firewall.juniper.isg.traffic` `firewall.juniper.nsm.traffic` `firewall.juniper.srx.traffic` `firewall.juniper.ssg.traffic` `firewall.meraki.flows` `firewall.paloalto.traffic` `firewall.pfsense.filterlog` `firewall.pfsense.firewall` `firewall.sonicwall.genv58` `firewall.sophos.securenet.packetfilter` `firewall.sophos.xgfirewall.firewall` `firewall.stonegate.leef` `firewall.stonegate.xml` `firewall.velocloud.traffic` `firewall.vyatta.traffic` `firewall.watchguard.traffic` `proxy.zscaler.nss_firewall` `proxy.zscaler.zia.firewall`
firewall.all.virus	`firewall.fortinet.utm.virus` `firewall.sonicwall.genv58`
firewall.all.vpn.auth	`firewall.fortinet.event.vpn` `firewall.sonicwall.genv58`
firewall.all.vpn.traffic	`firewall.fortinet.event.vpn` `firewall.sonicwall.genv58`
firewall.all.webfilter	`firewall.fortinet.utm.webfilter` `firewall.sonicwall.genv58` `firewall.sophos.xgfirewall.contentfiltering`
firewall.paloalto.all	`firewall.paloalto.config` `firewall.paloalto.correlation` `firewall.paloalto.globalprotect` `firewall.paloalto.hipmatch` `firewall.paloalto.system` `firewall.paloalto.traffic` `firewall.paloalto.threat` `firewall.paloalto.url` `firewall.paloalto.userid`
ftp.all.access	`ftp.iis.accessW3cAll`
ids.bricata.alerts.all	`ids.bricata.brocata` `ids.bricata.burocata`
ids.rscope	`ids.rscope.communication` `ids.rscope.conn` `ids.rscope.dce_rpc` `ids.rscope.dhcp` `ids.rscope.dns` `ids.rscope.dpd` `ids.rscope.files` `ids.rscope.ftp` `ids.rscope.http` `ids.rscope.intel` `ids.rscope.irc` `ids.rscope.kerberos` `ids.rscope.known_hosts` `ids.rscope.known_services` `ids.rscope.modbus` `ids.rscope.mysql` `ids.rscope.notice` `ids.rscope.ntlm` `ids.rscope.pe` `ids.rscope.protocolstats_orig` `ids.rscope.protocolstats_resp` `ids.rscope.radius` `ids.rscope.rdp` `ids.rscope.removed_files` `ids.rscope.reporter` `ids.rscope.rfb` `ids.rscope.rscopestats_byte` `ids.rscope.rscopestats_core` `ids.rscope.rscopestats_misc` `ids.rscope.rscopestats_pckt` `ids.rscope.rscopestats_port` `ids.rscope.rscopestats_sys` `ids.rscope.sip` `ids.rscope.smb_files` `ids.rscope.smb_mapping` `ids.rscope.smtp` `ids.rscope.snmp` `ids.rscope.socks` `ids.rscope.software` `ids.rscope.ssh` `ids.rscope.ssl` `ids.rscope.stats` `ids.rscope.stderr` `ids.rscope.stdout` `ids.rscope.syslog` `ids.rscope.tunnel` `ids.rscope.weird` `ids.rscope.x509`
ips.all.alerts	`firewall.fortinet.utm.ips` `firewall.fortinet.ips.anomaly` `firewall.sophos.securenet.ips` `firewall.stonegate.ips` `ips.cisco.sdee.alerts` `ips.corero.common` `ips.proventia.siteprotector.leef` `ips.toplayer.common`
nac.aruba.sessions	`nac.aruba.sessions.common` `nac.aruba.sessions.failed_authentications` `nac.aruba.sessions.radius`
netstat.netflow.all	`cloud.aws.firewall.netflow` `cloud.aws.vpc.flow` `netstat.netflow.ipfix` `netstat.netflow.lt` `netstat.netflow.v9` `vpc.aws.flow`
network.dns	`cloud.azure.firewall.dns_proxy` `dns.bind.query` `dns.bluecat.named` `dns.infoblox.response` `dns.infoblox.bloxonethreatdefense.threats` `dns.windows` `edr.crowdstrike.cannon.dnsrequest` `firewall.paloalto.traffic` `ids.bro.dns`
proxy.all.access	`cef0.zscaler.nssweblog` `firewall.sophos.xgfirewall.contentfiltering` `proxy.bluecoat.proxysg.main` `proxy.bluecoat.proxysg.bcreportermain_v1` `proxy.forcepoint.access` `proxy.haproxy.all` `proxy.isaserver.accessW3cAb` `proxy.mcafee.webgw.accessAb` `proxy.mcafee.webgw.default` `proxy.squid.accessClf` `proxy.squid.accessCombined` `proxy.squid.accessLt` `proxy.squid.accessSquid` `proxy.squid.accessSquidMime` `proxy.varnish.accessCombined` `proxy.varnish.accessCombinedXff` `proxy.zscaler.access` `proxy.zscaler.nss` `proxy.zscaler.nss_web` `sig.cisco.umbrella.proxy`
proxy.haproxy.all	`proxy.haproxy.clf` `proxy.haproxy.http` `proxy.haproxy.tcp`
syslog.all.stats	`syslog.alcohol.stats` `syslog.hybrid.stats` `syslog.scoja.stats`
web.all.access	`cloud.aws.cloudfront.web_1` `cloud.azure.appgateway.access_log` `web.apache.accessClf` `web.apache.accessCombined` `web.apache.accessLt` `web.apache.accessLtXff` `web.apache.accessVhc` `web.aws.cloudfront.accessW3c` `web.aws.elb.access` `web.aws.s3.access` `web.iis.accessNcsa` `web.iis.accessW3cAll` `web.iis.accessW3c` `web.iplanet.accessClf2` `web.jboss.accessClf` `web.jboss.accessCombined` `web.jboss.accessLt` `web.nginx.accessCombined` `web.nginx.accessLt` `web.nginx.accessLtXff` `web.nginx.accessMain` `web.tomcat.accessClf` `web.tomcat.accessCombined` `web.tomcat.accessLt` `web.webseal.accessCombined` `web.aws.alb.access`