Data querying in Devo

All data structures defined for the Endpoint Agent use the following tagging structure: box.devo_ea.category.subcategory. Therefore, it is the root tag from which all subtables are made accessible.

From version 1.2.0 onwards, the product name is changed to Endpoint Agent and thus the structures in Devo have changed.

box.devo_ua → box.devo_ea
devo.ua → devo.ea

The following table summarizes the current implementation of data structures and their associated tagging.

Module	Root data structure	Data tables

Module	Root data structure	Data tables
Configuration audit	`box.devo_ea.configuration`	`box.devo_ea.configuration.system_info` `box.devo_ea.configuration.users` `box.devo_ea.configuration.groups` `box.devo_ea.configuration.operating_system` `box.devo_ea.configuration.disk_info` `box.devo_ea.configuration.network` `box.devo_ea.configuration.win_software`
Performance monitoring	`box.devo_ea.performance`	`box.devo_ea.performance.cpu_mem` `box.devo_ea.performance.disk_io` `box.devo_ea.performance.disk_usage` `box.devo_ea.performance_network`
Status monitoring	`box.devo_ea.status`	`box.devo_ea.status.listening_ports` `box.devo_ea.status.process_open_sockets` `box.devo_ea.status.processes` `box.devo_ea.status.users_loggedin`
Events - Windows	`box.devo_ea.events_windows`	`box.devo_ea.events_windows.application` `box.devo_ea.events_windows.powershell` `box.devo_ea.events_windows.security` `box.devo_ea.events_windows.system`
Events - Unix	`box.devo_ea.events_linux`	`box.devo_ea.events_linux`
Events - Sysmon	`box.devo_ea.events_windows`	`box.devo_ea.events_windows.sysmon`
Files logger	`box.devo_ea.files`	`box.devo_ea.files.dns_windows` `box.devo_ea.files.iis` Custom
File Integrity Monitoring (FIM)	`box.devo_ea.status`	`box.devo_ea.status.fim`
SW Inventory & Vulnerabilities	`box.devo_ea.inventories`	`box.devo_ea.inventories.sw_vulnerabilities`
Custom queries	`box.devo_ea.unknown`	Custom

macOS users

Since macOS 10.15, there is a new Event System in macOS systems (Unified Logging System) that deprecates the existing ASL. The data existing in ASL can still be queried but due to the lack of reliability it is not consumed by default. The Endpoint Agent does not support consuming data from the new API for Unified Logging System and it will be supported in future versions. Other queries not related to Unified Logging System can be done normally.

The following union tables in Devo platform contain data coming from the structures depicted above:

Union table	Data tables
`box.all.win`	`box.devo_ea.events_windows`
`auth.all`	`box.devo_ea.events_windows`
`auth.unix`	`box.devo_ea.events_linux`
`network.dns`	`box.devo_ea.files.dns_windows`

Besides that, the EA solution sends real-time analytics and diagnostics information of the managers, agents, and extensions deployed in a given environment. The targeted data structures are the following:

Module	Root data structure	Data tables
Manager telemetry and diagnostics	`devo.ea.manager`	`devo.ea.manager.status`
Agent telemetry and diagnostics		`devo.ea.agent.status`
Extensions telemetry and diagnostics	`devo.ea.extensions`	`devo.ea.extensions.fetchfiles_config` `devo.ea.extensions.fetchfiles_info`
Agent publishers and subscribers status		`devo.ea.agent.events_pubsub`
Agent loaded extensions status		`devo.ea.agent.extensions`
Agent flags status		`devo.ea.agent.flags`
Agent version information		`devo.ea.agent.info`
Agent packs status		`devo.ea.agent.packs`
Agent registry plugins status		`devo.ea.agent.registry`
Agent scheduled queries status		`devo.ea.agent.schedule`