Data querying in Devo
- Juan Tomás Alonso Nieto (Deactivated)
Analytics
All data structures defined for the Endpoint Agent use the following tagging structure: box.devo_ea.category.subcategory. It is, therefore, the root tag from which all subtables are made accessible.
From version 1.2.0 onwards, the product name is changed to Endpoint Agent and the structures in Devo change as follows:
box.devo_ua→box.devo_eadevo.ua→devo.ea
The following table summarizes the current implementation of data structures and their associated tagging.
Module | Root data structure | Data tables |
|---|---|---|
Configuration audit |
|
|
Performance monitoring |
|
|
Status monitoring |
|
|
Events - Windows |
|
|
Events - Unix |
|
|
Events - Sysmon |
|
|
Files logger |
|
|
Custom queries |
|
|
macOS users
Since macOS 10.15, there is a new Event System in macOS systems (Unified Logging System) that deprecates the existing ASL. The data existing in ASL can still be queried but due to the lack of reliability it is not consumed by default. The Endpoint Agent does not support consuming data from the new API for Unified Logging System and it will be supported in future versions. Other queries not related to Unified Logging System can be done normally.
The following union tables in the Devo platform contain data coming from the structures depicted above:
Union tables | Data tables |
|---|---|
|
|
|
|
|
|
|
|
Besides that, the Endpoint Agent solution sends real-time analytics and diagnostics information of the managers, agents, and extensions deployed in a given environment. The targeted data structures are the following:
Module | Root data structure | Data tables |
|---|---|---|
Manager telemetry and diagnostics |
|
|
Agent telemetry and diagnostics |
|
|
Extensions telemetry and diagnostics |
|
|