Which data can a root domain access?
Overview
Currently, data access across domains affects only query data. Users in a root domain will be able to see events from data tables in all their child domains.
When a user in a root domain accesses the Data search area, they will see not only their own tables in the finder but all the tables with data in all their child domains.
Note that the table demo.ecommerce.data won’t show any data in root domains. It won’t appear in your finder and you will get an error if you try to query it using a free text query.
If a user in the root domain accesses a data table that contains events from different domains, they will see the owner of each specific event in the client column. This column will be added to all the tables in a root domain and is always located next to the eventdate column.
The users in the root domain will see the client column in all the queries, no matter the method used (Data search, Query API, Activeboards, Flow, OData feeds…).
It is important to mention that all the roles in the root domain will have access to the same data according to the rules set. If you need to limit access for specific roles in the domain, you can use custom finders and custom tables.
Also, note that a root domain will always have access to the following information by default:
All the Devo activity of the child domains in the siem.logtrust.web.activity table. Find more info about this table in this article.
All the ingestion metrics of the child domains in the siem.logtrust.collector.counter table.
All the alerts triggered in the child domains in the siem.logtrust.alert.info table. Find more info about this table in this article.
Access to all the data in the child domains using the global search.
Custom tables in root domains
my.synthesis tables
Synthesis tables belong to a specific domain only. Synthesis tables in a child domain won’t be visible from the root domain. New synthesis tables can be created directly in the root domain.
my.app and my.upload tables
The data inside all the my.app.* and my.upload.* tables in the child domains will be automatically available in the root domain by querying the two-level tables my.app and my.upload respectively.
Besides, admin users in a root domain can create a new my.app.* or my.upload.* table directly from the finder. To do it: