Devo parsers / Special Devo tags and data tables / Union tables

Union tables

There are two different types of union tables: proprietary and common.

Proprietary union tables are union tables created by a user for specific purposes and can be used only inside their domain of creation. Learn more about union table creation here.

Common union tables are union tables that are available in all domains and collect information for monitoring purposes. There are several technologies for which, regardless of brand, the log events contain very similar, or identical fields. When this is the case, as with web servers, firewalls, proxies, and several other technologies, Devo automatically generates a union table that contains the events from several different data sources. Union tables are indicated in the finder by the union icon. Hover over the icon to see a full list of the tables that the union table will collect if available in the deployment.

In this article, we will focus on the common union tables you may find in your finder. In the table below, find a list with all the available custom tables in Devo, and the source tables they draw data from.

Union table	Source tables
auth.all	auth.cisco.ise auth.duo.administrator.login auth.duo.authentication.events auth.okta.events auth.okta.system auth.onelogin.events auth.ping.federate.audit auth.securenvoy auth.thycotic.secretserver box.audit.unix.auditd box.audit.unix.audispd box.devo_ea.events_windows box.devo_ua.events_windows box.unix box.win box.winNxlong box.win_classic box.win_kinesis box.win_nxlog box.win_quest.change_auditor.leef box.win_snare box.win_solarwinds box.win_winlogbeat cef0.microsoft.microsoftWindows cloud.aws.cloudtrail.events cloud.azure.ad.signin cloud.azure.sql.audit cloud.gsuite.reports.login cloud.office365.management db.mssql.events db.oracle.audit_trail firewall.paloalto.system siem.logtrust.web.connection vpn.aws.client vpn.cisco.asa.anyconnect
auth.unix	box.unix
av.all.threats	av.mcafee.epo.threat av.sophos.threats av.symantec.sepc.events
box.all.win	box.devo_ua.events_windows box.win box.winNxlog box.win_kinesis box.win_nxlog box.win_quest.change_auditor.leef box.win_snare box.win_solarwinds
box.audit.unix	box.audit.unix.auditd box.audit.unix.auditspd
cdn.all.access	cdn.akamai.access cdn.triton.access
dhcp.all	dhcp.bluecat.dhcpd dhcp.infoblox.stdout dhcp.microsoft.ip4 dhcp.microsoft.ip6 dhcp.unix.stdout
domains.all	dns.bind.query dns.bluecat.named dns.infoblox.response edr.crowdstrike.cannon.dnsrequest firewall.fortinet.event.dns ids.bro.dns ids.bro.http proxy.all.access sig.cisco.umbrella.dns web.all.access
edr.all.threats	cef0.bit9CarbonblackJson.cbResponse edr.carbonblack.alert edr.crowdstrike.cannon edr.crowdstrike.falcon edr.crowdstrike.falconstreaming.detection_summary edr.cylance.threats edr.cylance.device edr.fireeye.alerts edr.minervalabs.events edr.symantec.events edr.tanium.events edr.tanium.threats endpoint.carbonblack.protection
edr.carbonblack.all	cef0.bit9CarbonblackJson.cbResponse edr.carbonblack.alert edr.carbonblack.binary edr.carbonblack.feed edr.carbonblack.ingress edr.carbonblack.watchlist
edr.crowdstrike.falconstreaming.user_activity_all	edr.crowdstrike.falconstreaming.user_activity_detections edr.crowdstrike.falconstreaming.user_activity_device_control_policy edr.crowdstrike.falconstreaming.user_activity_devices edr.crowdstrike.falconstreaming.user_activity_groups edr.crowdstrike.falconstreaming.user_activity_ip_whitelist edr.crowdstrike.falconstreaming.user_activity_other edr.crowdstrike.falconstreaming.user_activity_prevention_policy edr.crowdstrike.falconstreaming.user_activity_quarantined_files edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy
firewall.all.cpu	firewall.fortinet.event.system firewall.sophos.xgfirewall.systemhealth
firewall.all.ips	firewall.fortinet.utm.ips firewall.sonicwall.genv58
firewall.all.mem	firewall.fortinet.event.system firewall.sophos.xgfirewall.systemhealth
firewall.all.traffic	box.iptables cef0.checkPoint.vpn1Firewall1 cef0.forcepoint.firewall cef0.paloAltoNetworks.lf cef0.paloAltoNetworks.panOs cef0.stonesoft.firewall cef0.stonesoft.stonegate cef0.zscaler.nssfwlog cloud.azure.firewall.application_rule cloud.azure.firewall.network_rule firewall.checkpoint.fw firewall.checkpoint.gaia firewall.checkpoint.lea firewall.checkpoint.log_exporter firewall.cisco.asa firewall.cisco.fmc firewall.cisco.fmc_estreamer firewall.cisco.fwsm firewall.cisco.pix firewall.fortinet.traffic firewall.juniper.isg.traffic firewall.juniper.nsm.traffic firewall.juniper.srx.traffic firewall.juniper.ssg.traffic firewall.meraki.flows firewall.paloalto.traffic firewall.pfsense.firewall firewall.pfsense.filterlog firewall.sonicwall.genv58 firewall.sophos.securenet.packetfilter firewall.sophos.xgfirewall.firewall firewall.stonegate.leef firewall.stonegate.xml firewall.velocloud.traffic firewall.watchguard.traffic proxy.zscaler.nss_firewall
firewall.all.virus	firewall.fortinet.utm.virus firewall.sonicwall.genv58
firewall.all.vpn.auth	firewall.fortinet.event.vpn firewall.sonicwall.genv58
firewall.all.vpn.traffic	firewall.fortinet.event.vpn firewall.sonicwall.genv58
firewall.all.webfilter	firewall.fortinet.utm.webfilter firewall.sonicwall.genv58 firewall.sophos.xgfirewall.contentfiltering
firewall.paloalto.all	firewall.paloalto.config firewall.paloalto.correlation firewall.paloalto.hipmatch firewall.paloalto.system firewall.paloalto.traffic firewall.paloalto.threat firewall.paloalto.url firewall.paloalto.userid
ftp.all.access	ftp.iis.accessW3cAll
ids.bricata.alerts.all	ids.bricata.brocata ids.bricata.burocata
ids.rscope	ids.rscope.communication ids.rscope.conn ids.rscope.dce_rpc ids.rscope.dhcp ids.rscope.dns ids.rscope.dpd ids.rscope.files ids.rscope.ftp ids.rscope.http ids.rscope.intel ids.rscope.irc ids.rscope.kerberos ids.rscope.known_hosts ids.rscope.known_services ids.rscope.modbus ids.rscope.mysql ids.rscope.notice ids.rscope.ntlm ids.rscope.pe ids.rscope.protocolstats_orig ids.rscope.protocolstats_resp ids.rscope.radius ids.rscope.rdp ids.rscope.removed_files ids.rscope.reporter ids.rscope.rfb ids.rscope.rscopestats_byte ids.rscope.rscopestats_core ids.rscope.rscopestats_misc ids.rscope.rscopestats_pckt ids.rscope.rscopestats_port ids.rscope.rscopestats_sys ids.rscope.sip ids.rscope.smb_files ids.rscope.smb_mapping ids.rscope.smtp ids.rscope.snmp ids.rscope.socks ids.rscope.software ids.rscope.ssh ids.rscope.ssl ids.rscope.stats ids.rscope.stderr ids.rscope.stdout ids.rscope.syslog ids.rscope.tunnel ids.rscope.weird ids.rscope.x509
ips.all.alerts	firewall.fortinet.utm.ips firewall.fortinet.ips.anomaly firewall.sophos.securenet.ips firewall.stonegate.ips ips.cisco.sdee.alerts ips.corero.common ips.proventia.siteprotector.leef ips.toplayer.common
nac.aruba.sessions	nac.aruba.sessions.common nac.aruba.sessions.failed_authentications nac.aruba.sessions.radius
netstat.netflow.all	cloud.aws.vpc.flow netstat.netflow.lt netstat.netflow.v9 netstat.netflow.ipfix vpc.aws.flow
network.dns	cloud.azure.firewall.dns_proxy dns.bind.query dns.bluecat.named dns.infoblox.response dns.infoblox.bloxonethreatdefense.threats dns.windows edr.crowdstrike.cannon.dnsrequest firewall.paloalto.traffic ids.bro.dns
proxy.all.access	cef0.zscaler.nssweblog firewall.sophos.xgfirewall.contentfiltering proxy.bluecoat.proxysg.main proxy.bluecoat.proxysg.bcreportermain_v1 proxy.forcepoint.access proxy.haproxy.all proxy.isaserver.accessW3cAb proxy.mcafee.webgw.accessAb proxy.mcafee.webgw.default proxy.squid.accessClf proxy.squid.accessCombined proxy.squid.accessLt proxy.squid.accessSquid proxy.squid.accessSquidMime proxy.varnish.accessCombined proxy.varnish.accessCombinedXff proxy.zscaler.access proxy.zscaler.nss proxy.zscaler.nss_web sig.cisco.umbrella.proxy
proxy.haproxy.all	proxy.haproxy.clf proxy.haproxy.http proxy.haproxy.tcp
syslog.all.stats	syslog.alcohol.stats syslog.hybrid.stats syslog.scoja.stats
web.all.access	web.apache.accessClf web.apache.accessCombined web.apache.accessLt web.apache.accessLtXff web.apache.accessVhc web.aws.cloudfront.accessW3c web.aws.elb.access web.aws.s3.access web.iis.accessNcsa web.iis.accessW3cAll web.iis.accessW3c web.iplanet.accessClf2 web.jboss.accessClf web.jboss.accessCombined web.jboss.accessLt web.nginx.accessCombined web.nginx.accessLt web.nginx.accessLtXff web.nginx.accessMain web.tomcat.accessClf web.tomcat.accessCombined web.tomcat.accessLt web.webseal.accessCombined

Download as PDF