Union tables

There are two different types of union tables: proprietary and common.

Proprietary union tables are union tables created by a user for specific purposes and can be used only inside their domain of creation. Learn more about union table creation here.

Common union tables are union tables that are available in all domains and collect information for monitoring purposes. There are several technologies for which, regardless of brand, the log events contain very similar, or identical fields. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources. Union tables are indicated in the finder by the union icon. Hover over the icon to see a full list of the tables that the union table will collect if available in the deployment.

In this article, we will focus on the common union tables you may find in your finder. In the table below, find a list with all the available custom tables in Devo, and the source tables they draw data from.

Union table	Source tables

Union table	Source tables
auth.all	adn.f5.bigip.apm adn.f5.bigip.audit auth.cisco.ise auth.duo.administrator.login auth.duo.authentication.events auth.okta.events auth.okta.system auth.onelogin.events auth.ping.federate.audit auth.ping.federate.security_audit auth.securenvoy auth.thycotic.secretserver auth.unix box.all.win cef0.microsoft.microsoftWindows cloud.aws.cloudtrail.events cloud.aws.cloudtrail.signin cloud.azure.ad.signin cloud.azure.sql.audit cloud.gsuite.reports.login cloud.office365.management crm.salesforceobjects.loginhistory db.mssql.events db.oracle.audit_trail ddi.infoblox.audit firewall.fortinet.event.system firewall.paloalto.globalprotect firewall.paloalto.system helpdesk.zendesk.audit.logs network.citrix.adc.sslvpn siem.logtrust.web.connection vpn.aws.client vpn.cisco.asa.anyconnect
auth.unix	box.unix box.vmware.esx box.audit.unix box.devo_ea.events_linux
av.all.threats	av.mcafee.epo.threat av.sophos.threats av.symantec.sepc.events
box.all.win	box.win box.winNxlog box.win_nxlog box.win_kinesis box.win_snare box.win_solarwinds box.devo_ua.events_windows box.devo_ua.events_windows box.win_quest.change_auditor.leef box.win_winlogbeat box.win_classic cloud.azure.vm.securityevent cloud.azure.vm.systemevent cloud.azure.vm.applicationevent box.win_cloudwatch
box.audit.unix	box.audit.unix.auditd box.audit.unix.auditspd
cdn.all.access	cdn.akamai.access cdn.triton.access
cloud.office365.management	cloud.office365.management.aip cloud.office365.management.airinvestigation cloud.office365.management.azureactivedirectory cloud.office365.management.cca cloud.office365.management.compliance cloud.office365.management.compliancemanager cloud.office365.management.corereporting cloud.office365.management.crm cloud.office365.management.dlpsensitiveinformationtype cloud.office365.management.endpoint cloud.office365.management.exchange cloud.office365.management.mcas cloud.office365.management.microsoftflow cloud.office365.management.microsoftforms cloud.office365.management.microsoftstream cloud.office365.management.microsoftteams cloud.office365.management.mip cloud.office365.management.myanalytics cloud.office365.management.officeapps cloud.office365.management.onedrive cloud.office365.management.onedriveforbusiness cloud.office365.management.powerapps cloud.office365.management.powerbi cloud.office365.management.powerplatformadmin cloud.office365.management.project cloud.office365.management.publicendpoint cloud.office365.management.quarantine cloud.office365.management.rdl cloud.office365.management.se cloud.office365.management.securitycompliancecenter cloud.office365.management.sharepoint cloud.office365.management.skypeforbusiness cloud.office365.management.threatintelligence cloud.office365.management.workplaceanalytics cloud.office365.management.yammer cloud.office365.oldmanagement
cef0.fornitet.fortigateAll	cef0.fortinet.fortigate cef0.fortinet.fortigate200e cef0.fortinet.fortigate300d cef0.fortinet.fortigate400e cef0.fortinet.fortigate600e cef0.fortinet.fortigate60e
dhcp.all	ddi.infoblox.dhcp.dhcpd dhcp.bluecat.dhcpd dhcp.infoblox.stdout dhcp.microsoft.ip4 dhcp.microsoft.ip6 dhcp.unix.stdout
ddi.infoblox.dns.queries_responses	ddi.infoblox.dns.infobloxResponses ddi.infoblox.dns.queries ddi.infoblox.dns.queryErrors
domains.all	dns.bind.query dns.bluecat.named dns.infoblox.response edr.crowdstrike.cannon.dnsrequest firewall.fortinet.event.dns ids.bro.dns ids.bro.http proxy.all.access sig.cisco.umbrella.dns web.all.access
edr.all.threats	cef0.bit9CarbonblackJson.cbResponse edr.carbonblack.alert edr.crowdstrike.cannon edr.crowdstrike.falcon edr.crowdstrike.falconstreaming.detection_summary edr.cylance.threats edr.cylance.device edr.fireeye.alerts edr.minervalabs.events edr.symantec.events edr.tanium.events edr.tanium.threats endpoint.carbonblack.protection
edr.carbonblack.all	cef0.bit9CarbonblackJson.cbResponse edr.carbonblack.alert edr.carbonblack.binary edr.carbonblack.feed edr.carbonblack.ingress edr.carbonblack.watchlist
edr.crowdstrike.falconstreaming.user_activity_all	edr.crowdstrike.falconstreaming.user_activity_detections edr.crowdstrike.falconstreaming.user_activity_device_control_policy edr.crowdstrike.falconstreaming.user_activity_devices edr.crowdstrike.falconstreaming.user_activity_groups edr.crowdstrike.falconstreaming.user_activity_ip_whitelist edr.crowdstrike.falconstreaming.user_activity_other edr.crowdstrike.falconstreaming.user_activity_prevention_policy edr.crowdstrike.falconstreaming.user_activity_quarantined_files edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
firewall.all.cpu	firewall.fortinet.event.system firewall.sophos.xgfirewall.systemhealth
firewall.all.ips	firewall.fortinet.utm.ips firewall.sonicwall.genv58
firewall.all.mem	firewall.fortinet.event.system firewall.sophos.xgfirewall.systemhealth
firewall.all.traffic	box.iptables cef0.checkPoint.vpn1Firewall1 cef0.forcepoint.firewall cef0.paloAltoNetworks.lf cef0.paloAltoNetworks.panOs cef0.stonesoft.firewall cef0.stonesoft.stonegate cef0.zscaler.nssfwlog cloud.azure.firewall.application_rule cloud.azure.firewall.network_rule firewall.checkpoint.fw firewall.checkpoint.gaia firewall.checkpoint.lea firewall.checkpoint.log_exporter firewall.cisco.asa firewall.cisco.fmc firewall.cisco.fmc_estreamer firewall.cisco.fwsm firewall.cisco.pix firewall.fortinet.traffic firewall.juniper.isg.traffic firewall.juniper.nsm.traffic firewall.juniper.srx.traffic firewall.juniper.ssg.traffic firewall.meraki.flows firewall.paloalto.traffic firewall.pfsense.firewall firewall.pfsense.filterlog firewall.sonicwall.genv58 firewall.sophos.securenet.packetfilter firewall.sophos.xgfirewall.firewall firewall.stonegate.leef firewall.stonegate.xml firewall.velocloud.traffic firewall.watchguard.traffic proxy.zscaler.nss_firewall
firewall.all.virus	firewall.fortinet.utm.virus firewall.sonicwall.genv58
firewall.all.vpn.auth	firewall.fortinet.event.vpn firewall.sonicwall.genv58
firewall.all.vpn.traffic	firewall.fortinet.event.vpn firewall.sonicwall.genv58
firewall.all.webfilter	firewall.fortinet.utm.webfilter firewall.sonicwall.genv58 firewall.sophos.xgfirewall.contentfiltering
firewall.paloalto.all	firewall.paloalto.config firewall.paloalto.correlation firewall.paloalto.globalprotect firewall.paloalto.hipmatch firewall.paloalto.system firewall.paloalto.traffic firewall.paloalto.threat firewall.paloalto.url firewall.paloalto.userid
ftp.all.access	ftp.iis.accessW3cAll
ids.bricata.alerts.all	ids.bricata.brocata ids.bricata.burocata
ids.rscope	ids.rscope.communication ids.rscope.conn ids.rscope.dce_rpc ids.rscope.dhcp ids.rscope.dns ids.rscope.dpd ids.rscope.files ids.rscope.ftp ids.rscope.http ids.rscope.intel ids.rscope.irc ids.rscope.kerberos ids.rscope.known_hosts ids.rscope.known_services ids.rscope.modbus ids.rscope.mysql ids.rscope.notice ids.rscope.ntlm ids.rscope.pe ids.rscope.protocolstats_orig ids.rscope.protocolstats_resp ids.rscope.radius ids.rscope.rdp ids.rscope.removed_files ids.rscope.reporter ids.rscope.rfb ids.rscope.rscopestats_byte ids.rscope.rscopestats_core ids.rscope.rscopestats_misc ids.rscope.rscopestats_pckt ids.rscope.rscopestats_port ids.rscope.rscopestats_sys ids.rscope.sip ids.rscope.smb_files ids.rscope.smb_mapping ids.rscope.smtp ids.rscope.snmp ids.rscope.socks ids.rscope.software ids.rscope.ssh ids.rscope.ssl ids.rscope.stats ids.rscope.stderr ids.rscope.stdout ids.rscope.syslog ids.rscope.tunnel ids.rscope.weird ids.rscope.x509
ips.all.alerts	firewall.fortinet.utm.ips firewall.fortinet.ips.anomaly firewall.sophos.securenet.ips firewall.stonegate.ips ips.cisco.sdee.alerts ips.corero.common ips.proventia.siteprotector.leef ips.toplayer.common
nac.aruba.sessions	nac.aruba.sessions.common nac.aruba.sessions.failed_authentications nac.aruba.sessions.radius
netstat.netflow.all	cloud.aws.firewall.netflow cloud.aws.vpc.flow netstat.netflow.ipfix netstat.netflow.lt netstat.netflow.v9 vpc.aws.flow
network.dns	cloud.azure.firewall.dns_proxy dns.bind.query dns.bluecat.named dns.infoblox.response dns.infoblox.bloxonethreatdefense.threats dns.windows edr.crowdstrike.cannon.dnsrequest firewall.paloalto.traffic ids.bro.dns
proxy.all.access	cef0.zscaler.nssweblog firewall.sophos.xgfirewall.contentfiltering proxy.bluecoat.proxysg.main proxy.bluecoat.proxysg.bcreportermain_v1 proxy.forcepoint.access proxy.haproxy.all proxy.isaserver.accessW3cAb proxy.mcafee.webgw.accessAb proxy.mcafee.webgw.default proxy.squid.accessClf proxy.squid.accessCombined proxy.squid.accessLt proxy.squid.accessSquid proxy.squid.accessSquidMime proxy.varnish.accessCombined proxy.varnish.accessCombinedXff proxy.zscaler.access proxy.zscaler.nss proxy.zscaler.nss_web sig.cisco.umbrella.proxy
proxy.haproxy.all	proxy.haproxy.clf proxy.haproxy.http proxy.haproxy.tcp
syslog.all.stats	syslog.alcohol.stats syslog.hybrid.stats syslog.scoja.stats
web.all.access	cloud.aws.cloudfront.web_1 cloud.azure.appgateway.access_log web.apache.accessClf web.apache.accessCombined web.apache.accessLt web.apache.accessLtXff web.apache.accessVhc web.aws.cloudfront.accessW3c web.aws.elb.access web.aws.s3.access web.iis.accessNcsa web.iis.accessW3cAll web.iis.accessW3c web.iplanet.accessClf2 web.jboss.accessClf web.jboss.accessCombined web.jboss.accessLt web.nginx.accessCombined web.nginx.accessLt web.nginx.accessLtXff web.nginx.accessMain web.tomcat.accessClf web.tomcat.accessCombined web.tomcat.accessLt web.webseal.accessCombined web.aws.alb.access