Version 6.30
NXQL Data Model

Objects

application

An application is a set of executables, e.g. 'Microsoft Office'. Platforms:

| Name | Type | Operating system | Properties | Description |
| --- | --- | --- | --- | --- |
| company | string | Windows, macOS | – | Company producing the application |
| database_usage | permill | Windows, macOS | – | Percentage of the database used by information related to the application |
| description | string | Windows | – | Application description |
| first_seen | datetime | Windows, macOS | NU | First time activity of the application was recorded on any device. |
| id | identifier | Windows, macOS | – | Unique application identifier |
| known_packages | string | Windows, macOS | – | List of packages known to contain the application. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the application was installed through that package. |
| last_seen | datetime | Windows, macOS | NU | Last time activity of the application was recorded on any device. |
| name | string | Windows, macOS | – | Application name |
| platform | enum | Windows, macOS | – | The platform (operating system family) on which the application is running. |
| storage_policy | enum | Windows, macOS | – | Indicates the event storage policy for the application. Possible values are: all: web requests, connections and executions are stored; connections and executions; executions; none: no activity is recorded. |
| total_active_days | day | Windows, macOS | – | Total number of days the application was active. |

binary

A binary is an executable binary file identified by its hash code. Platforms:

| Name | Type | Operating system | Properties | Description |
| --- | --- | --- | --- | --- |
| application_category | string | Windows, macOS | SE | Indicates the category of the application: '-': Not yet tagged; Unknown: Not categorized by Nexthink Library. |
| application_company | string | Windows, macOS | – | Application company |
| application_name | string | Windows, macOS | – | Application name |
| architecture | enum | Windows, macOS | – | Executable architecture (32/64 bit) |
| average_cpu_usage | permill | Windows | – | Average CPU usage for the binary |
| average_memory_usage | byte | Windows | NU | Average memory usage for the binary |
| average_number_of_graphical_handles | integer | Windows | NU | Average number of graphical handles (GDI) |
| company | string | Windows, macOS | – | Executable company |
| database_usage | permill | Windows, macOS | – | Percentage of the database used by information related to the binary. |
| description | string | Windows | – | Description as it appears in the binary file. |
| executable_name | string | Windows, macOS | – | Executable name |
| file_size | byte | Windows, macOS | – | Binary file size |
| first_seen | datetime | Windows, macOS | NU | First time activity of the binary was recorded on any device. |
| hash | md5 | Windows, macOS | – | Hash code of the binary (MD5) |
| id | identifier | Windows, macOS | – | Unique binary identifier |
| last_seen | datetime | Windows, macOS | NU | Last time activity of the binary was recorded on any device. |
| paths | path | Windows, macOS | – | List of paths of the binary |
| platform | enum | Windows, macOS | – | The platform (operating system family) on which the binary is running. |
| sha1 | sha1 | Windows, macOS | – | SHA-1 hash code of the binary |
| sha256 | sha256 | Windows, macOS | – | SHA-256 hash code of the binary |
| storage_policy | enum | Windows, macOS | – | Event storage policy for the binary (connection and execution, execution-only or none) |
| threat_level | enum | Windows, macOS | SE | Indicates the threat level of the binary: '-': Not yet tagged; none detected: No known threat; low: low threat; intermediate: Intermediate threat; high: high threat. |
| total_active_days | day | Windows, macOS | – | Total number of days the binary was active. |
| user_interface | boolean | Windows | – | Application has interactive user interface |
| version | version | Windows, macOS | – | Version of the binary |

destination

A destination is a device or server receiving TCP/UDP connections. Platforms:

| Name | Type | Operating system | Properties | Description |
| --- | --- | --- | --- | --- |
| database_usage | permill | Windows, macOS | – | Percentage of the database used by information related to the destination |
| first_seen | datetime | Windows, macOS | NU | First time activity to the destination was recorded on any device. |
| id | identifier | Windows, macOS | – | Unique destination identifier |
| ip_address | ip_address | Windows, macOS | – | IP address for the destination |
| last_seen | datetime | Windows, macOS | NU | Last time activity to the destination was recorded on any device. |
| name | string | Windows, macOS | – | Reverse lookup name |

device

A device is a Windows physical or virtual machine monitored by a Nexthink Collector. Platforms:

Name

Type

Operating system

Properties

Description

administrator_account_status

enum

Windows

–

Determines whether the local Administrator account is enabled or disabled.

all_antispywares

string

Windows

–

Summary information about all the detected antispyware:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

all_antiviruses

string

Windows

–

Summary information about all the detected antiviruses:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

all_firewalls

string

Windows

–

Summary information about all the detected firewalls:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

allow_non_provisionable_devices

boolean

–

NU

Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange Exchange ActiveSync server. If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'

antispyware_name

string

Windows

NU

Name of the main antispyware

antispyware_rtp

enum

Windows

–

Indicates whether the antispyware real time protection (RTP) is active:

  • on: Indicates that RTP is active;

  • off: Indicates that either RTP is not active or no antispyware has been detected;

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

antispyware_up_to_date

enum

Windows

–

Indicates whether the antispyware is up-to-date:

  • yes: Indicates that antispyware is up-to-date;

  • no: Indicates that either the antispyware is not up-to-date or no antispyware has been detected;

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

antivirus_name

string

Windows

NU

Name of the main antivirus

antivirus_rtp

enum

Windows

–

Indicates whether the antivirus real time protection (RTP) is active:

  • on: Indicates that RTP is active;

  • off: Indicates that either RTP is not active or no antivirus has been detected;

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

antivirus_up_to_date

enum

Windows

–

Indicates whether the antivirus is up-to-date:

  • yes: Indicates that antivirus is up-to-date;

  • no: Indicates that either the antivirus is not up-to-date or no antivirus has been detected;

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

audit_account_logon_events

enum

Windows

–

Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.

audit_account_management

enum

Windows

–

Determines whether to audit each event of account management on a computer.

audit_directory_service_access

enum

Windows

–

Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.

audit_logon_events

enum

Windows

–

Determines whether to audit each instance of a user logging on to or logging off from a computer.

audit_object_access

enum

Windows

–

Determines whether to audit the event of a user accessing an object, e.g. a file, folder, registry key, printer, and so forth - that has its own system access control list (SACL) specified.

audit_policy_change

enum

Windows

–

Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.

audit_privilege_use

enum

Windows

–

Determines whether to audit each instance of a user exercising a user right.

audit_process_tracking

enum

Windows

–

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

audit_system_events

enum

Windows

–

Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.

average_boot_duration

millisecond

Windows

NU

Full boot duration baseline

average_fast_startup_duration

millisecond

Windows

NU

Indicated the fast startup boot duration averaged over the fast startups. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average).

average_logon_duration

millisecond

Windows

NU

User logon duration baseline

bios_serial_number

string

  • Windows

  • macOS

NU

BIOS serial number

boot_disk_health_status

enum

Windows

NU

Indicates the health of the disk from which the device is booting [from], as reported by the operating system.

boot_disk_type

enum

  • Windows

  • macOS

NU

Indicates the type of the disk from which the device is booting.

chassis_serial_number

string

Windows

NU

Chassis serial number

cltr_ca_license_uid

string

  • Windows

  • macOS

NU

Indicates the Collector assignment license UID

cltr_ca_status

enum

  • Windows

  • macOS

NU

Indicates whether Collector assignment service is enabled or disabled

cltr_crash_guard_count

integer

Windows

NU

Indicates the number of consecutive hard resets or system crashes of the device

cltr_crash_guard_limit

integer

Windows

NU

Indicates the Collector CrashGuard limit

cltr_crash_guard_protection_interval

integer

Windows

NU

Indicates the CrashGuard monitoring interval in minutes

cltr_crash_guard_react_interval

integer

Windows

NU

Indicates the Collector CrashGuard reactivation interval in hours

cltr_custom_shells

enum

Windows

NU

Indicates whether the Collector reports user logon events and user interactions in virtualized and embedded (kiosk mode) environments

cltr_data_channel_protocol

enum

  • Windows

  • macOS

NU

Specifies if the Collector data is sent over TCP or UDP

cltr_dns_res_preference

enum

Windows

NU

Indicates the DNS resolution preference for Collector in terms of IP protocol version on the device

cltr_engage_service_status

enum

  • Windows

  • macOS

NU

Indicates whether Engage is enabled or disabled

cltr_freezes_monitoring

enum

Windows

NU

Indicates whether the Collector is monitoring for unresponsive applications on the device

cltr_installs_scan_interval

integer

Windows

NU

Indicates the interval, in hours, after which the Collector checks for newly installed packages and updates

cltr_is_visible

enum

Windows

NU

Indicates whether the Collector is hidden in "Add or Remove Programs"

cltr_log_level

enum

  • Windows

  • macOS

NU

Indicates the Collector log level

cltr_max_segment_size

integer

Windows

NU

Indicates the maximum segment size of packets sent by Collector

cltr_ra_execution_policy

enum

Windows

NU

Indicates the PowerShell script execution policy

cltr_smb_print_mon_status

enum

Windows

NU

Indicates whether SMB printing monitoring is enabled or disabled

cltr_string_tag

string

  • Windows

  • macOS

NU

Indicates the Collector string tag

cltr_web_mon_status

enum

Windows

NU

Indicates whether Web & Cloud monitoring is enabled or disabled

collector_distinguished_name

string

Windows

NU

Indicates the distinguished name (DN) as seen:

  • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed;

  • For Mobile: In the Exchange ActiveSync server. Note that this DN is reported by the Collector.

collector_installation_log

string

Windows

NU

Link to the last Nexthink Collector installation error log

collector_package_target_version

version

  • Windows

  • macOS

NU

Indicates the Collector package version that is targeted.

collector_print_monitoring_status

enum

Windows

NU

Indicates whether the Collector printing monitoring is enabled or disabled

collector_status

enum

  • Windows

  • macOS

NU

Indicates the status of the Nexthink Collector package installed on the device:

  • unmanaged: the Collector is not automatically updated

  • up-to-date: the Collector is up-to-date

  • outdated: a newer Collector version is available.

collector_tag

integer

Windows

–

Collector installation tag

collector_update_status

enum

Windows

–

Current status of Nexthink Collector Updater

collector_version

version

  • Windows

  • macOS

–

Version number of Nexthink Collector installation

cpu_frequency

mhz

  • Windows

  • macOS

NU

CPU frequency

cpu_model

string

  • Windows

  • macOS

NU

CPU model

database_usage

permill

  • Windows

  • macOS

–

Percentage of the database used by information related to the device

device_encryption_required

boolean

–

NU

Indicates whether device encryption is required.

device_manufacturer

string

  • Windows

  • macOS

NU

Indicates the device manufacturer.

device_model

string

  • Windows

  • macOS

NU

Indicates the model of the device.

device_password_required

boolean

–

NU

Indicates whether a password is required on the device.

device_product_id

string

  • Windows

  • macOS

NU

Device product ID

device_product_version

string

  • Windows

  • macOS

NU

Device product version

device_serial_number

string

  • Windows

  • macOS

NU

Indicates the device serial number.

device_type

enum

  • Windows

  • macOS

–

Type of device (desktop, laptop, server, mobile)

device_uid

md5

  • Windows

  • macOS

–

Indicates the universally unique identifier (based on Engine name and device ID)

device_uuid

string

  • Windows

  • macOS

–

Indicates the device universally unique identifier (UUID)

directory_service_site

string

Windows

NU

Site (or location) of an Active Directory (AD) service

disks_manufacturers

string

Windows

–

Hard disks manufacturers

disks_smart_index

percent

Windows

NU

Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes)

distinguished_name

string

Windows

NU

Indicates the distinguished name (DN) as seen:

  • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed;

  • For Mobile: In the Exchange ActiveSync server

eas_access_state

enum

–

–

Indicates whether the device can access the Exchange ActiveSync server. The possible states are:

  • allowed: the device has access;

  • blocked: the device is blocked;

  • discovery: the device is temporarily quarantined while it is being identified by the Exchange ActiveSync server;

  • quarantined: the device is waiting for Exchange ActiveSync administrator approval.

eas_access_state_reason

enum

–

–

Indicates the reason for the device access state. The possible values are:

  • global: caused by the global access settings;

  • device rule: caused by a device access rule;

  • individual: caused by an individual exemption;

  • policy: caused by Exchange ActiveSync policy.

eas_device_access_rule

string

–

–

Indicates the name of the access rule. An access rule allows, blocks or quarantines devices based on the device type, model, OS or user agent characteristics.

eas_device_identity

string

–

–

Indicates the identity of the device in Exchange ActiveSync Server.

eas_exemption

enum

–

–

Indicates whether a personal exemption is set for the device and its user. Possible values are:

  • none;

  • allow;

  • block.

eas_policy_application_status

enum

–

–

Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are:

  • not applied;

  • applied in full: the policy is applied (unless the field 'Allow non provisionable devices' value is 'yes');

  • partially applied.

eas_policy_name

string

–

–

Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox.

eas_policy_update

datetime

–

–

Indicates the last time the Exchange ActiveSync policy was updated on the device.

email_attachment_enabled

boolean

–

NU

Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol.

enforce_password_history

integer

Windows

NU

Indicates the number of unique passwords that have to be associated with a user account before an old password can be reused.

entity

string

  • Windows

  • macOS

–

Entity

extended_logon_duration_baseline

millisecond

Windows

NU

Extended logon duration baseline

firewall_name

string

Windows

NU

Name of the main firewall

firewall_rtp

enum

Windows

–

Indicates whether the firewall real time protection (RTP) is active:

  • on: Indicates that RTP is active;

  • off: Indicates that either RTP is not active or no firewall has been detected;

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

first_seen

datetime

  • Windows

  • macOS

NU

Indicates the first time when the activity of the device was recorded:

  • For Windows and Mac OS: The first time Collector reported activity;

  • For Mobile: The first time the device was reported with a successful synchronization.

graphical_card_ram

byte

Windows

NU

Amount of RAM of the graphical card with most RAM

graphical_cards

string

Windows

–

Installed graphical cards

group_name

string

  • Windows

  • macOS

NU

Name of computer domain or workgroup

guest_account_status

enum

Windows

–

Determines if the Guest account is enabled or disabled.

hard_disks

string

  • Windows

  • macOS

NC

List of all hard disks

id

identifier

  • Windows

  • macOS

–

Unique device identifier

internet_security_settings

enum

Windows

–

Internet security settings (ok, at risk or unknown)

ip_addresses

ip_address

  • Windows

  • macOS

–

List of IP addresses for the device

is_collector_distinguished_name_truncated

boolean

Windows

–

Flag indicating whether the collector DN is truncated or not

is_directory_service_site_truncated

boolean

Windows

–

Flag indicating whether the DS site is truncated or not

last_boot_duration

millisecond

Windows

NU

Last boot time duration

last_extended_logon_duration

millisecond

Windows

NU

Last extended logon duration

last_ip_address

ip_address

  • Windows

  • macOS

NU

Last IP address assigned to the device

last_known_connection_status

enum

  • Windows

  • macOS

NU

Indicates the last known connection status of the device:

  • udp: the device successfully connected via UDP but not TCP.

  • tcp: the device successfully connected via TCP but not UDP.

  • udp_tcp: the device successfully connected via both UDP and TCP.

  • '-': Collector version is below V6.6.

last_local_ip_address

ip_address

  • Windows

  • macOS

NU

Last local IP address assigned to the device

last_logged_on_user

string

Windows

NU

Last logged on user

last_logon_duration

millisecond

Windows

NU

Last user logon duration

last_logon_time

datetime

Windows

NU

Last logon time

last_seen

datetime

  • Windows

  • macOS

NU

Indicates the last time that activity on the device was reported:

  • For Windows and Mac OS: The last time Collector reported activity through the UDP channel,

  • For Mobile: The last time the device successfully synchronized with the Mobile Bridge.

last_seen_on_tcp

datetime

  • Windows

  • macOS

NU

Indicates the last time that the device was successfully connected through the TCP channel.

  • '-': The Collector is an older version that does not support TCP.

last_system_boot

datetime

  • Windows

  • macOS

NU

Last boot time

last_update

datetime

  • Windows

  • macOS

NU

Indicates the last Collector update time.

last_update_status

enum

  • Windows

  • macOS

NU

Indicates the status of the last Collector update:

  • '-': the Collector was never updated

  • successful installation: the last Collector installation was successful

  • package download error: the Collector was not able to download the Collector package from Nexthink Appliance

  • package digital signature error: the Collector was not able to check the Collector package digital signature

  • device reboot required: the device needs to be rebooted to complete the Collector installation

  • package error: the Collector package installation has failed

  • internal error: the Collector package installation has failed for an unexpected reason.

last_updater_request

datetime

Windows

NU

Last time Nexthink Updater checked for updates

last_windows_update

datetime

Windows

NU

Time of last system update

local_administrators

string

Windows

–

Users and groups which are members of the Local Administrators group on the device and are active/enabled.

local_power_users

string

Windows

–

Users and groups which are members of the Local Power Users group on the device.

logical_cpu_number

integer

  • Windows

  • macOS

NU

Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading.

logical_drives

string

  • Windows

  • macOS

–

List of all logical drives

mac_addresses

mac_address

  • Windows

  • macOS

–

List of MAC addresses for the device

maximum_password_age

integer

Windows

NU

Indicates the period of time (in days) during which the password can be used before the system requires the user to change it:

  • Windows: As set up in the group policy;

  • Mobile: As set up in security policies.

membership_type

enum

Windows

–

Type of computer membership (domain/workgroup)

minimum_password_age

integer

Windows

NU

Period of time (in days) that a password must be used before the user can change it.

minimum_password_length

integer

Windows

NU

Least number of characters that a password for a user account may contain.

monitor_models

string

Windows

–

Models of connected monitors

monitor_resolutions

string

Windows

–

Screen resolutions of connected monitors

monitors

string

Windows

–

Connected monitors

monitors_serial_numbers

string

Windows

–

Serial numbers of connected monitors (ordered as in 'Monitors')

name

string

  • Windows

  • macOS

–

Indicates the name of the device:

  • For Windows: NetBios Name;

  • For Mac OS: Computer name used on the network;

  • For Mobile: Composed by mailbox name and device friendly name.

number_of_antispyware

enum

Windows

–

Number of antispyware detected:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

number_of_antiviruses

enum

Windows

–

Number of antiviruses detected:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

number_of_cores

integer

  • Windows

  • macOS

NU

Number of cores

number_of_cpus

integer

  • Windows

  • macOS

NU

Number of CPUs

number_of_days_since_first_seen

integer

  • Windows

  • macOS

NU

Number of days since activity of the device was first recorded in the system.

number_of_days_since_last_boot

integer

  • Windows

  • macOS

NU

Number of days since last full boot

number_of_days_since_last_eas_policy_update

integer

–

NU

Indicates the number of days since the last Exchange ActiveSync policy update.

number_of_days_since_last_logon

integer

Windows

NU

Number of days since last logon

number_of_days_since_last_seen

integer

  • Windows

  • macOS

NU

Indicates the number of days since the last time the device was seen by Nexthink. The field is updated whenever device activity is detected:

  • For Windows and Mac OS: seen through the UDP channel,

  • For Mobile: seen through the Mobile Bridge.

number_of_days_since_last_seen_on_tcp

integer

Windows

NU

Indicates the number of days since the last time the device was successfully connected through the TCP channel. '-': The Collector is an older version that does not support TCP.

number_of_days_since_last_windows_update

integer

Windows

NU

Number of days since last system update

number_of_firewalls

enum

Windows

–

Number of firewalls detected:

  • unknown: Indicates that the information could not be retrieved;

  • N/A: This field is not available on this operating system;

  • '-': No data, incompatible collector version or the data is not yet available.

number_of_graphical_cards

integer

Windows

–

Number of installed graphical cards

number_of_monitors

integer

  • Windows

  • macOS

–

Number of connected monitors

os_architecture

enum

  • Windows

  • macOS

–

Architecture of device operating system (x86/x64/ARM64)

os_build

version

Windows

–

Indicates the build number of the operating system.

os_version_and_architecture

string

  • Windows

  • macOS

NU

Indicates name, version and architecture (when applicable) of the operating system.

  • unknown: the OS version could not be retrieved or it could not be mapped to a recognized value.

password_complexity_requirements

enum

Windows

–

Indicates whether password complexity is required:

  • Windows: The password must meet complexity requirements as defined in the group policy;

  • Mobile: No simple passwords are allowed or a minimum password length is set, as defined in the security policy.

platform

enum

  • Windows

  • macOS

–

Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are:

  • Windows;

  • Mac OS;

  • Mobile.

privileges_of_last_logged_on_users

enum

Windows

–

Privileges of the last logged on user (user, power user, administrator)

sd_card_encryption_required

boolean

–

NU

Indicates whether SD card encryption is required.

sid

sid

Windows

NU

Windows security identifier for the device.

storage_policy

enum

  • Windows

  • macOS

–

Indicates the event storage policy for the device. Possible values are:

  • all: web requests, connections and executions are stored;

  • connections and executions;

  • executions;

  • none: no activity is recorded;

  • remove: The device will be removed from Engine during the next cleanup, as long as it is no longer sending data. Note that available events depend on the device platform.

system_drive_capacity

byte

  • Windows

  • macOS

–

Total capacity of system drive

system_drive_free_space

byte

  • Windows

  • macOS

–

Total available free space on system drive

system_drive_usage

percent

  • Windows

  • macOS

NU

Use percentage of system drive

total_active_days

day

  • Windows

  • macOS

–

Total number of days the device was active.

total_drive_capacity

byte

  • Windows

  • macOS

–

Total capacity of all drives

total_drive_free_space

byte

  • Windows

  • macOS

–

Total free space on all drives

total_drive_usage

permill

  • Windows

  • macOS

NU

Total use percentage of all drives

total_nonsystem_drive_capacity

byte

  • Windows

  • macOS

–

Total capacity of all non-system drives

total_nonsystem_drive_free_space

byte

  • Windows

  • macOS

–

Total free space on all non-system drives

total_nonsystem_drive_usage

percent

  • Windows

  • macOS

NU

Total use percentage of all non-system drives

total_ram

byte

  • Windows

  • macOS

NU

Total amount of RAM

updater_error

string

Windows

–

Last Nexthink Collector Updater error

updater_version

version

Windows

–

Nexthink Collector Updater version

upgrade_group

enum

  • Windows

  • macOS

NU

Indicates the update group of Nexthink Collector:

  • manual: the Collector is manually updated

  • pilot: the Collector is updated as part of the pilot group

  • main: the Collector is updated as part of the main group.

user_account_control_status

enum

Windows

–

User account control status (ok, at risk or unknown)

windows_license_key

string

Windows

NU

Windows license key

windows_updates_status

enum

Windows

–

Windows update status (ok, at risk or unknown)

wmi_status

enum

Windows

–

Windows WMI service status (ok, failure)

domain

A domain is a domain name, e.g. www.nexthink.com. Platforms:

Name

Type

Operating system

Properties

Description

database_usage

permill

  • Windows

  • macOS

–

Percentage of the database used by information related to the domain

domain_category

string

  • Windows

  • macOS

SE

Indicates the category of the domain:

  • '-': Not yet tagged or internal domain.

first_seen

datetime

  • Windows

  • macOS

NU

The first time the domain has been seen.

hosting_country

string

  • Windows

  • macOS

SE

Indicates in which country the domain is hosted:

  • '-': Not yet tagged, internal domain or not known by Nexthink Library.

hostname

string

  • Windows

  • macOS

NU

The hostname of the fully qualified domain name

id

identifier

  • Windows

  • macOS

–

Unique domain identifier

internal_domain

boolean

  • Windows

  • macOS

–

Indicates whether the domain is considered internal:

  • yes: The domain is not reported to Nexthink Library and subdomains are not compressed using the '*' pattern;

  • no: The domain is reported to the Nexthink Library (if the license includes the Security module); complex subdomains are compressed using the '*' pattern.

last_seen

datetime

  • Windows

  • macOS

NU

The last time the domain has been seen.

name

string

  • Windows

  • macOS

–

The fully qualified domain name

protocol

enum

  • Windows

  • macOS

–

Protocols used in web requests (HTTP, TLS, HTTP/TLS)

response_size

byte

  • Windows

  • macOS

–

Total web incoming traffic

storage

enum

  • Windows

  • macOS

–

Event storage policy for the domain (web request or none)

threat_level

enum

  • Windows

  • macOS

SE

Indicates the threat level of the domain:

  • '-': Not yet tagged or internal domain;

  • none detected: No known threat;

  • low: low threat;

  • intermediate: Intermediate threat;

  • high: High threat.

executable

An application is an executable program, e.g. 'winword.exe'. Platforms:

Name

Type

Operating system

Properties

Description

application_company

string

  • Windows

  • macOS

–

Application company

application_name

string

  • Windows

  • macOS

–

Application name

database_usage

permill

  • Windows

  • macOS

–

Percentage of the database used by information related to the executable.

description

string

Windows

–

Executable description

first_seen

datetime

  • Windows

  • macOS

NU

First time activity of the executable was recorded on any device.

id

identifier

  • Windows

  • macOS

–

Unique executable identifier

known_packages

string

  • Windows

  • macOS

–

List of packages known to contain the executable. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the executable was installed through that package.

last_seen

datetime

  • Windows

  • macOS

NU

Last time activity of the executable was recorded on any device.

name

string

  • Windows

  • macOS

–

Executable name

platform

enum

  • Windows

  • macOS

–

The platform (operating system family) on which the executable is running.

storage_policy

enum

  • Windows

  • macOS

–

Indicates the event storage policy for the executable. Possible values are:

  • all: web requests, connections and executions are stored;

  • connections and executions;

  • executions;

  • none: no activity is recorded.

total_active_days

day

  • Windows

  • macOS

–

Total number of days the executable was active.

package

A package is a software package (program or update). Platforms:

Name

Type

Operating system

Properties

Description

first_installation

datetime

Windows

NU

Time of first installation

first_seen

datetime

  • Windows

  • macOS

NU

The first time the package has been seen.

id

identifier

  • Windows

  • macOS

–

Unique package identifier

name

string

  • Windows

  • macOS

–

Package name

number_of_updates

integer

Windows

–

Number of updates (for programs)

platform

enum

  • Windows

  • macOS

–

The platform (operating system family) on which the package is installed.

program

string

  • Windows

  • macOS

–

Package program

publisher

string

  • Windows

  • macOS

NU

Package publisher

status

enum

  • Windows

  • macOS

–

Package status (installed/removed)

type

enum

  • Windows

  • macOS

–

Package type (program/update)

version

string

  • Windows

  • macOS

NU

Package version

windows_7_32bit_compatibility

string

Windows

DE

Indicates the Windows 7 (32-bit) compatibility of the package:

  • '-': Not yet tagged;

  • No information available: Not known by Nexthink Library;

  • Compatible: Compatible with Windows 7.

windows_7_64bit_compatibility

string

Windows

DE

Indicates the Windows 7 (64-bit) compatibility of the package:

  • '-': Not yet tagged;

  • No information available: Not known by Nexthink Library;

  • Compatible: Compatible with Windows 7.

port

A port is a TCP or UDP connection port. Platforms:

Name

Type

Operating system

Properties

Description

first_seen

datetime

  • Windows

  • macOS

NU

First time activity of the port was recorded on any device.

id

identifier

  • Windows

  • macOS

–

Unique port identifier

last_seen

datetime

  • Windows

  • macOS

NU

Last time activity of the port was recorded on any device.

port_number

integer

  • Windows

  • macOS

–

Port number

port_type

enum

  • Windows

  • macOS

–

Port type (tcp, udp, tcp port scan, udp port scan)

port_value

port

  • Windows

  • macOS

–

Port value for tagging

printer

A printer is an installed printer (local, network, shared or virtual). Platforms:

Name

Type

Operating system

Properties

Description

first_seen

datetime

Windows

NU

First time activity of the printer was recorded on any device.

host_name

string

Windows

–

Host name

id

identifier

Windows

–

Unique printer identifier

last_seen

datetime

Windows

NU

Last time activity of the printer was recorded on any device.

location

string

Windows

NU

Printer location

model

string

Windows

–

Printer model

name

string

Windows

–

Printer name

real_name

string

Windows

–

Most frequently seen display name

type

enum

Windows

–

Printer type (local/remote)

service

A service represents an IT service in your organization, such as the mail service or the directory service. Services are either based on TCP connections (for Windows and Mac devices) or on web requests (for Windows devices only). Platforms:

Name

Type

Operating system

Properties

Description

id

integer

  • Windows

  • macOS

–

Unique service identifier

name

string

  • Windows

  • macOS

–

Service name

status

enum

  • Windows

  • macOS

–

Service status (active, error)

type

enum

  • Windows

  • macOS

–

Type of service (network, web)

url_path

A url_path is a URL path after the domain name, e.g. [www.nexthink.com]/awards/. Platforms:

Name

Type

Operating system

Properties

Description

id

identifier

  • Windows

  • macOS

–

Unique url path identifier

path

string

  • Windows

  • macOS

–

The URL path

user

A user is an object that represents an individual account in a device (local user) or in a group of devices (domain user). The account may identify a physical user or a system user. Platforms:

Name

Type

Operating system

Properties

Description

country

string

  • Windows

  • macOS

–

Country of user as listed in Active Directory

database_usage

permill

  • Windows

  • macOS

–

Percentage of the database used by information related to the binary

department

string

  • Windows

  • macOS

–

User department as listed in Active Directory

distinguished_name

string

  • Windows

  • macOS

NU

Active Directory distinguished name (DN)

first_seen

datetime

  • Windows

  • macOS

NU

First time activity of the user was recorded on any device.

full_name

string

  • Windows

  • macOS

NU

Full user name as listed in Active Directory

id

identifier

  • Windows

  • macOS

–

Unique user identifier

job_title

string

  • Windows

  • macOS

NU

Job title as listed in Active Directory

last_seen

datetime

  • Windows

  • macOS

NU

Last time activity of the user was recorded on any device.

locality

string

  • Windows

  • macOS

–

Locality of user as listed in Active Directory

location

string

  • Windows

  • macOS

–

Location of user as listed in Active Directory

name

string

  • Windows

  • macOS

–

User logon name

number_of_days_since_last_seen

integer

  • Windows

  • macOS

NU

Indicates the number of days since the last time the user was seen by Nexthink. The field is updated whenever user activity is detected.

org_unit

string

  • Windows

  • macOS

–

Organisational unit of user as listed in Active Directory

seen_on_mac_os

boolean

  • Windows

  • macOS

–

Indicates if the user has been seen on a Mac device.

seen_on_mobile

boolean

  • Windows

  • macOS

–

Indicates if the user has been seen on a Mobile device.

seen_on_windows

boolean

  • Windows

  • macOS

–

Indicates if the user has been seen on a Windows device.

sid

sid

  • Windows

  • macOS

NU

Indicates the Windows security identifier for the user. For Mac OS, '-' means that the user is not in Active Directory.

total_active_days

day

  • Windows

  • macOS

–

Total number of days the user was active.

type

enum

  • Windows

  • macOS

–

Type of user (local/domain/system)

user_uid

md5

  • Windows

  • macOS

–

Indicates the universally unique identifier

Events

connection

A connection is a TCP connection or a UDP packet. Several identical TCP connections or UDP packets are merged when in close succession.

Platforms:

Name

Type

Operating system

Properties

Description

cardinality

integer

  • Windows

  • macOS

–

Number of underlying connections, consolidated over time

destination_ip_address

ip_address

  • Windows

  • macOS

–

IP address of the connection destination

device_ip_address

ip_address

  • Windows

  • macOS

–

IP address of the connection source

duration

millisecond

  • Windows

  • macOS

–

The time between the start of the first connection and the end of the last underlying connection.

end_time

datetime

  • Windows

  • macOS

–

Connection end time, corresponding to the moment when the last underlying connection was closed.

id

identifier

  • Windows

  • macOS

–

Unique connection identifier

incoming_bitrate

bps

  • Windows

  • macOS

NU

Average incoming bitrate of all underlying connections, consolidated over time

incoming_traffic

byte

  • Windows

  • macOS

–

Incoming traffic

network_interface_iana_code

string

  • Windows

  • macOS

–

(beta) Indicates the network interface IANA code.

network_interface_index

integer

  • Windows

  • macOS

–

(beta) Indicates the network interface index.

network_interface_type

enum

  • Windows

  • macOS

–

(beta) Indicates the network interface type. Possible values are:

  • wifi

  • ethernet

  • mobile

  • other

  • unknown: the Collector does not support the interface type.

network_response_time

microsecond

  • Windows

  • macOS

–

TCP connection establishment time

outgoing_bitrate

bps

  • Windows

  • macOS

NU

Average outgoing bitrate of all underlying connections, consolidated over time

outgoing_traffic

byte

  • Windows

  • macOS

–

Outgoing traffic

start_time

datetime

  • Windows

  • macOS

–

Connection start time

status

enum

  • Windows

  • macOS

–

Status of the connection (established, rejected, no service, no host, closed)

type

enum

  • Windows

  • macOS

–

Type of the connection (tcp, udp)

device_activity

A device_activity is a device activity (boot or activity).

Platforms:

Name

Type

Operating system

Properties

Description

boot_type

enum

  • Windows

  • macOS

NU

Boot type of the boot activity

duration

millisecond

Windows

–

Boot duration (timed between kernel start and launch of 'logonui.exe' process) or online duration

id

identifier

  • Windows

  • macOS

–

Boot event identifier

time

datetime

  • Windows

  • macOS

–

Time of boot

type

enum

  • Windows

  • macOS

–

Activity event information

device_error

A device_error is a critical system error (system crash, hard reset, or disk error).

Platforms:

Name

Type

Operating system

Properties

Description

error_code

integer

  • Windows

  • macOS

–

Error code

error_label

string

  • Windows

  • macOS

–

Error label

id

identifier

  • Windows

  • macOS

–

Problem identifier

start_time

datetime

  • Windows

  • macOS

–

Time of error

type

enum

  • Windows

  • macOS

–

Indicates the device error type, with the following possible values:

  • system crash: Windows bluescreen or macOS kernel panic;

  • hard reset: the device was abruptly stopped and then rebooted. It might be caused by pressing the reset button, a power failure or a crash;

  • SMART disk failure: a disk error was detected on a disk with SMART technology.

device_performance

A device_performance reports the average IOPS, CPU and memory of a device during one hour.

Platforms:

Name

Type

Operating system

Properties

Description

average_cpu_usage

permill

Windows

–

Average CPU usage on the period

average_memory_usage

byte

Windows

–

Average memory usage on the period

cpu_queue_length

integer

Windows

–

Average CPU queue length on the period

duration

millisecond

Windows

–

Total report duration

end_time

datetime

Windows

–

Report end time

id

identifier

Windows

–

Unique report identifier

normalized_cpu_usage

permill

Windows

–

Average CPU usage on the period normalized by the available logical CPUs

read_operations

integer

Windows

NU

Total disk read operations accumulated during the period

start_time

datetime

Windows

–

Start time

write_operations

integer

Windows

NU

Total disk write operations accumulated during the period

device_warning

A device_warning is a peak in device resource usage (CPU, memory or I/O).

Platforms:

Name

Type

Operating system

Properties

Description

duration

millisecond

  • Windows

  • macOS

–

Performance event duration

end_time

datetime

  • Windows

  • macOS

–

Performance event end time

id

identifier

  • Windows

  • macOS

–

Unique performance event identifier

info

string

  • Windows

  • macOS

–

Performance event information

start_time

datetime

  • Windows

  • macOS

–

Performance event start time

type

enum

  • Windows

  • macOS

–

Type of the device warning, one of:

  • 'high overall cpu usage'

  • 'high cpu usage' (deprecated)

  • 'high io usage'

  • 'high memory usage'

  • 'high number of page faults'.

value

percent

  • Windows

  • macOS

–

Performance percentage

warning_duration

millisecond

  • Windows

  • macOS

–

Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.

execution

An execution is a process executing on a device. Several executions of the same process are merged when in close succession.

Platforms:

Name

Type

Operating system

Properties

Description

average_memory_usage

byte

  • Windows

  • macOS

–

Average memory usage per execution

binary_path

path

  • Windows

  • macOS

–

Executed binary path

cardinality

integer

  • Windows

  • macOS

–

Number of underlying processes, consolidated over time

duration

millisecond

  • Windows

  • macOS

–

Total execution duration

end_time

datetime

  • Windows

  • macOS

–

Execution end time

focus_time

millisecond

  • Windows

  • macOS

NU

Focus time

id

identifier

  • Windows

  • macOS

–

Unique execution identifier

incoming_tcp_traffic

byte

  • Windows

  • macOS

–

Incoming TCP traffic

incoming_udp_traffic

byte

  • Windows

  • macOS

–

Incoming UDP traffic

memory_usage

byte

  • Windows

  • macOS

–

Average memory usage

outgoing_tcp_traffic

byte

  • Windows

  • macOS

–

Outgoing TCP traffic

outgoing_udp_traffic

byte

  • Windows

  • macOS

–

Outgoing UDP traffic

privilege_level

enum

  • Windows

  • macOS

–

Privilege level of the execution (user, power user, administrator)

start_time

datetime

  • Windows

  • macOS

–

Execution start time

startup_duration

millisecond

Windows

NU

Startup duration

status

enum

  • Windows

  • macOS

–

Status of the execution (started, stopped)

total_cpu_time

millisecond

  • Windows

  • macOS

–

Total CPU time

execution_error

An execution_error is an application error (crash or not responding).

Platforms:

Name

Type

Operating system

Properties

Description

id

identifier

  • Windows

  • macOS

–

Error identifier

info

string

  • Windows

  • macOS

–

Error event information

time

datetime

  • Windows

  • macOS

–

Time of error

type

enum

  • Windows

  • macOS

–

Type of the execution error (application not responding, crash)

execution_warning

An execution_warning is a peak in application resource usage (CPU or memory).

Platforms:

Name

Type

Operating system

Properties

Description

duration

millisecond

  • Windows

  • macOS

–

Performance event duration

end_time

datetime

  • Windows

  • macOS

–

Performance event end time

id

identifier

  • Windows

  • macOS

–

Unique performance event identifier

info

string

  • Windows

  • macOS

–

Performance event information

start_time

datetime

  • Windows

  • macOS

–

Performance event start time

type

enum

  • Windows

  • macOS

–

Type of the execution warning (high cpu usage, high memory usage)

value

percent

  • Windows

  • macOS

–

Performance percentage

warning_duration

millisecond

  • Windows

  • macOS

–

Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.

installation

An installation is the installation or uninstallation of a software package (program or update).

Platforms:

Name

Type

Operating system

Properties

Description

id

identifier

  • Windows

  • macOS

–

Unique deployment identifier

time

datetime

  • Windows

  • macOS

–

Installation start time

type

enum

  • Windows

  • macOS

–

Type of operation (installation, uninstallation)

network_scan

A network scan is a sequence of failed TCP connections or UDP packets sent to the same port on more than 50 destinations within a few seconds.

Platforms:

Name

Type

Operating system

Properties

Description

cardinality

integer

  • Windows

  • macOS

–

Number of underlying connections, consolidated over time

device_ip_address

ip_address

  • Windows

  • macOS

–

IP address of the connection source

duration

millisecond

  • Windows

  • macOS

–

The time between the start of the first connection and end of the last underlying connection

end_time

datetime

  • Windows

  • macOS

–

Scanning end time, corresponding to the moment when the last underlying connection was closed.

id

identifier

  • Windows

  • macOS

–

Unique scanning identifier

network

ip_network

  • Windows

  • macOS

–

Minimum IP network including all scanned destinations

start_time

datetime

  • Windows

  • macOS

–

Scanning start time

status

enum

  • Windows

  • macOS

–

Status of the scanning (established, closed)

type

enum

  • Windows

  • macOS

–

Type of the port scanning (tcp, udp)

port_scan

A port scan is a sequence of failed TCP connections or UDP packets sent to more than 50 ports on the same destination within a few seconds.

Platforms:

Name

Type

Operating system

Properties

Description

cardinality

integer

  • Windows

  • macOS

–

Number of underlying connections, consolidated over time

destination_ip_address

ip_address

  • Windows

  • macOS

–

IP address of the scanned destination

device_ip_address

ip_address

  • Windows

  • macOS

–

IP address of the connection source

duration

millisecond

  • Windows

  • macOS

–

The time between the start of the first connection and end of the last underlying connection.

end_time

datetime

  • Windows

  • macOS

–

Scanning end time, corresponding to the moment when the last underlying connection was closed.

first_scanned_port

port

  • Windows

  • macOS

–

First scanned port

id

identifier

  • Windows

  • macOS

–

Unique scanning identifier

last_scanned_port

port

  • Windows

  • macOS

–

Last scanned port

start_time

datetime

  • Windows

  • macOS

–

Scanning start time

status

enum

  • Windows

  • macOS

–

Status of the scanning (established, closed)

type

enum

  • Windows

  • macOS

–

Type of the port scanning (tcp, udp)

printout

A printout is a print job processed by a printer.

Platforms:

Name

Type

Operating system

Properties

Description

color_print

boolean

Windows

–

Color print

document_type

string

Windows

–

Type of printed document

duplex

boolean

Windows

–

Indicates whether the pages are printed on both sides of the sheet.

id

identifier

Windows

–

Unique print job identifier

number_of_printed_pages

integer

Windows

NU

Number of printed pages

page_size

string

Windows

–

Paper size for printed pages

print_quality

enum

Windows

–

Print quality

size

byte

Windows

NU

Print job size in bytes

status

enum

Windows

–

Print job status (success, error, timeout)

time

datetime

Windows

–

Print job time

session_performance

Sessions of a user logged on a device.

Platforms:

Name

Type

Operating system

Properties

Description

cardinality

integer

Windows

–

Number of underlying sessions consolidated in a bucket period

citrix_rtt

millisecond

Windows

NU

Citrix RTT

client_ip

ip_address

Windows

–

Client IP

duration

millisecond

Windows

–

Session performance bucket period duration

end_time

datetime

Windows

–

Session performance bucket end time

id

identifier

Windows

–

Unique session performance identifier

session_network_latency

millisecond

Windows

NU

Session network latency

session_protocol

enum

Windows

NU

User input delay

start_time

datetime

Windows

–

Execution start time

user_activity

A user_activity is a user activity (logon or interactive activity).

Platforms:

Name

Type

Operating system

Properties

Description

duration

millisecond

  • Windows

  • macOS

–

Indicates the time between the user logging on and the desktop being shown.

id

identifier

  • Windows

  • macOS

–

User logon event identifier

real_duration

millisecond

  • Windows

  • macOS

–

Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.

time

datetime

  • Windows

  • macOS

–

Time of user logon

type

enum

  • Windows

  • macOS

–

Activity event information

web_request

A web_request is an HTTP or TLS request.

Platforms:

Name

Type

Operating system

Properties

Description

cardinality

integer

  • Windows

  • macOS

–

Number of underlying web requests, consolidated over time

connections_duration

millisecond

  • Windows

  • macOS

–

The time between start of the first connection and end of the last underlying connection

end_time

datetime

  • Windows

  • macOS

–

Web request end time, corresponding to the moment when the last underlying TCP connection was closed.

http_status

http_status_code

  • Windows

  • macOS

NU

HTTP response status code

id

identifier

  • Windows

  • macOS

–

Unique request identifier

incoming_traffic

byte

  • Windows

  • macOS

–

Incoming web traffic of all underlying web requests, consolidated over time

network_response_time

microsecond

  • Windows

  • macOS

–

Average TCP connection establishment time of all underlying connections, consolidated over time

outgoing_traffic

byte

  • Windows

  • macOS

–

Outgoing web traffic of all underlying web requests, consolidated over time

protocol

enum

  • Windows

  • macOS

–

Web request protocol (HTTP, TLS)

protocol_version

enum

  • Windows

  • macOS

–

Web request protocol version

service_related

boolean

  • Windows

  • macOS

–

Indicates whether the web request is related to a configured service:

  • yes: These requests are always visible to all users;

  • no: Depending on the privacy settings, requests not related to a service might not be visible to everyone.

start_time

datetime

  • Windows

  • macOS

–

Web request start time

web_request_duration

millisecond

  • Windows

  • macOS

–

Average time between request and last response byte of all underlying requests, consolidated over time

Relationships

A relationship is a link between object and event tables and is specified in a with clause.

connection

  • device

  • user

  • binary

  • executable

  • application

  • destination

  • port

  • service

device_activity

  • device

device_error

  • device

device_performance

  • device

device_warning

  • device

execution

  • device

  • user

  • binary

  • executable

  • application

execution_error

  • device

  • user

  • binary

  • executable

  • application

execution_warning

  • device

  • user

  • binary

  • executable

  • application

installation

  • device

  • package

network_scan

  • device

  • user

  • binary

  • executable

  • application

  • port

port_scan

  • device

  • user

  • binary

  • executable

  • application

  • destination

printout

  • device

  • user

  • printer

session_performance

  • device

  • user

user_activity

  • device

  • user

web_request

  • device

  • user

  • binary

  • executable

  • application

  • destination

  • port

  • domain

  • url_path

  • service

package

  • device

  • package

Aggregates

connection

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

FP

Number of devices

number_of_users

integer

  • Windows

  • macOS

FP

Number of users

number_of_applications

integer

  • Windows

  • macOS

FP

Number of applications

number_of_executables

integer

  • Windows

  • macOS

FP

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

FP

Number of binaries

number_of_destinations

integer

  • Windows

  • macOS

–

Number of destinations

number_of_ports

integer

  • Windows

  • macOS

–

Number of ports

number_of_connections

integer

  • Windows

  • macOS

–

Number of connections

cumulated_connection_duration

millisecond

  • Windows

  • macOS

–

Cumulated duration of TCP connections

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

incoming_traffic

byte

  • Windows

  • macOS

NU

Total network incoming traffic

outgoing_traffic

byte

  • Windows

  • macOS

NU

Total network outgoing traffic

average_network_response_time

microsecond

  • Windows

  • macOS

–

Average TCP connection establishment time

successful_connections_ratio

permill

  • Windows

  • macOS

NU

Percentage of successful TCP connections

network_availability_level

availability_level

  • Windows

  • macOS

NU

Graded ratio of successful TCP connections (high, medium, low)

average_incoming_bitrate

bps

  • Windows

  • macOS

NU

Average incoming network bitrate

average_outgoing_bitrate

bps

  • Windows

  • macOS

NU

Average outgoing network bitrate

highest_local_privilege_reached

privileges_level

  • Windows

  • macOS

NU

Highest local privilege level reached for executions (user, power user, administrator)

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

incoming_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average incoming network traffic

outgoing_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average outgoing network traffic

total_network_traffic

byte

  • Windows

  • macOS

NU

Network traffic

device_activity

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

average_boot_duration

millisecond

Windows

NU

Average boot duration

average_logon_duration

millisecond

Windows

NU

Average user logon duration

average_extended_logon_duration

millisecond

Windows

NU

Average extended logon duration

number_of_boots

integer

  • Windows

  • macOS

NU

Number of boots

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

uptime

millisecond

  • Windows

  • macOS

NU

Amount of time the machine has been running

cumulated_interaction_duration

millisecond

  • Windows

  • macOS

NU

Cumulated time with user interaction (mouse or keyboard events)

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

device_error

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_errors

integer

  • Windows

  • macOS

–

Number of system errors

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

device_performance

Name

Type

Operating system

Properties

Description

average_read_operations

integer

Windows

–

Average read IOPS

average_write_operations

integer

Windows

–

Average write IOPS

average_cpu_queue_length

integer

Windows

–

Average CPU queue length

average_memory_usage

byte

Windows

NU

Average memory usage

average_cpu_usage

percent

Windows

–

Average CPU usage

average_normalized_cpu_usage

percent

Windows

–

Average normalized CPU usage

device_warning

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_warnings

integer

  • Windows

  • macOS

–

Number of warnings

cumulated_warning_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of the warning events

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

high_device_overall_cpu_time_ratio

permill

  • Windows

  • macOS

NU

Indicates the ratio between the time the device is in high overall CPU usage and its uptime.

high_device_memory_time_ratio

permill

  • Windows

  • macOS

NU

Indicates the ratio between the time the device is in high memory usage and its uptime.

high_device_io_throughput_time_ratio

permill

Windows

NU

Indicates the ratio between the time the device is in high IO throughput and its uptime.

high_device_page_faults_time_ratio

permill

Windows

NU

Indicates the ratio between the time the device is in high page faults and its uptime.

execution

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

FP

Number of devices

number_of_users

integer

  • Windows

  • macOS

FP

Number of users

number_of_applications

integer

  • Windows

  • macOS

FP

Number of applications

number_of_executables

integer

  • Windows

  • macOS

FP

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

FP

Number of binaries

number_of_executions

integer

  • Windows

  • macOS

–

Number of executions

cumulated_execution_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of executions

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

incoming_traffic

byte

  • Windows

  • macOS

NU

Total network incoming traffic

outgoing_traffic

byte

  • Windows

  • macOS

NU

Total network outgoing traffic

highest_local_privilege_reached

privileges_level

  • Windows

  • macOS

NU

Highest local privilege level reached for executions (user, power user, administrator)

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

average_memory_usage_per_execution

byte

  • Windows

  • macOS

NU

Average memory usage per execution

memory_usage

byte

  • Windows

  • macOS

NU

Memory usage

focus_time

millisecond

  • Windows

  • macOS

NU

Focus time

cpu_usage_ratio

permill

  • Windows

  • macOS

NU

Average CPU usage

total_cpu_time

millisecond

  • Windows

  • macOS

NU

Total CPU time

average_process_start_time

millisecond

Windows

NU

Average process start time

incoming_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average incoming network traffic

outgoing_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average outgoing network traffic

total_network_traffic

byte

  • Windows

  • macOS

NU

Network traffic

execution_error

Name

Type

Operating system

Properties

Description

application_not_responding_event_ratio

permill

  • Windows

  • macOS

NU

Application not responding event ratio

application_crash_ratio

permill

  • Windows

  • macOS

NU

Application crash ratio

number_of_application_not_responding_events

integer

  • Windows

  • macOS

–

Number of application not responding events

number_of_application_crashes

integer

  • Windows

  • macOS

–

Number of application crashes

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_users

integer

  • Windows

  • macOS

–

Number of users

number_of_applications

integer

  • Windows

  • macOS

–

Number of applications

number_of_executables

integer

  • Windows

  • macOS

–

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

–

Number of binaries

number_of_errors

integer

  • Windows

  • macOS

–

Number of errors

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

execution_warning

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_users

integer

  • Windows

  • macOS

–

Number of users

number_of_applications

integer

  • Windows

  • macOS

–

Number of applications

number_of_executables

integer

  • Windows

  • macOS

–

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

–

Number of binaries

number_of_warnings

integer

  • Windows

  • macOS

–

Number of warnings

cumulated_warning_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of the warning events

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

high_application_thread_cpu_time_ratio

permill

  • Windows

  • macOS

NU

High application thread CPU time ratio

installation

Name

Type

Operating system

Properties

Description

number_of_packages

integer

  • Windows

  • macOS

–

Number of packages

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

number_of_installations

integer

  • Windows

  • macOS

–

Number of installations

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

network_scan

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_users

integer

  • Windows

  • macOS

–

Number of users

number_of_applications

integer

  • Windows

  • macOS

–

Number of applications

number_of_executables

integer

  • Windows

  • macOS

–

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

–

Number of binaries

number_of_ports

integer

  • Windows

  • macOS

–

Number of ports

number_of_connections

integer

  • Windows

  • macOS

–

Number of connections

cumulated_scan_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of the network scan

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

incoming_traffic

byte

  • Windows

  • macOS

NU

Total network incoming traffic

outgoing_traffic

byte

  • Windows

  • macOS

NU

Total network outgoing traffic

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

incoming_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average incoming network traffic

outgoing_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average outgoing network traffic

total_network_traffic

byte

  • Windows

  • macOS

NU

Network traffic

package

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

FP

Number of devices

number_of_packages

integer

  • Windows

  • macOS

FP

Number of packages

port_scan

Name

Type

Operating system

Properties

Description

number_of_devices

integer

  • Windows

  • macOS

–

Number of devices

number_of_users

integer

  • Windows

  • macOS

–

Number of users

number_of_applications

integer

  • Windows

  • macOS

–

Number of applications

number_of_executables

integer

  • Windows

  • macOS

–

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

–

Number of binaries

number_of_connections

integer

  • Windows

  • macOS

–

Number of connections

number_of_destinations

integer

  • Windows

  • macOS

–

Number of destinations

cumulated_scan_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of the network scan

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

incoming_traffic

byte

  • Windows

  • macOS

NU

Total network incoming traffic

outgoing_traffic

byte

  • Windows

  • macOS

NU

Total network outgoing traffic

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

incoming_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average incoming network traffic

outgoing_network_traffic_per_device

byte

  • Windows

  • macOS

NU

Device average outgoing network traffic

total_network_traffic

byte

  • Windows

  • macOS

NU

Network traffic

printout

Name

Type

Operating system

Properties

Description

number_of_devices

integer

Windows

–

Number of devices

number_of_users

integer

Windows

–

Number of users

number_of_printers

integer

Windows

–

Number of printers

number_of_printed_pages

integer

Windows

–

Number of printed pages

number_of_printouts

integer

Windows

–

Number of print jobs

activity_start_time

datetime

Windows

NU

Start time of investigated activity

activity_stop_time

datetime

Windows

NU

Stop time of investigated activity

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

session_performance

Name

Type

Operating system

Properties

Description

session_duration

millisecond

Windows

NU

Session duration

average_citrix_rtt

millisecond

Windows

NU

Average Citrix RTT

average_session_network_latency

millisecond

Windows

NU

Average session network latency

user_activity

Name

Type

Operating system

Properties

Description

number_of_devices

integer

Windows

–

Number of devices

number_of_users

integer

  • Windows

  • macOS

–

Number of users

number_of_logons

integer

Windows

–

Number of user logons

activity_start_time

datetime

Windows

NU

Start time of investigated activity

activity_stop_time

datetime

Windows

NU

Stop time of investigated activity

cumulated_interaction_duration

millisecond

Windows

NU

Cumulated time with user interaction (mouse or keyboard events)

average_logon_duration

millisecond

Windows

NU

Average user logon duration

average_extended_logon_duration

millisecond

Windows

NU

Average extended logon duration

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

web_request

Name

Type

Operating system

Properties

Description

total_web_traffic

byte

  • Windows

  • macOS

NU

Web traffic

outgoing_web_traffic_per_device

byte

  • Windows

  • macOS

NU

Outgoing web traffic per device

incoming_web_traffic_per_device

byte

  • Windows

  • macOS

NU

Incoming web traffic per device

number_of_devices

integer

  • Windows

  • macOS

FP

Number of devices

number_of_domains

integer

  • Windows

  • macOS

FP

Number of domains

number_of_users

integer

  • Windows

  • macOS

FP

Number of users

number_of_applications

integer

  • Windows

  • macOS

FP/NU

Number of applications

number_of_executables

integer

  • Windows

  • macOS

FP

Number of executables

number_of_binaries

integer

  • Windows

  • macOS

FP

Number of binaries

number_of_destinations

integer

  • Windows

  • macOS

–

Number of destinations

number_of_ports

integer

  • Windows

  • macOS

–

Number of ports

activity_start_time

datetime

  • Windows

  • macOS

NU

Start time of investigated activity

activity_stop_time

datetime

  • Windows

  • macOS

NU

Stop time of investigated activity

average_network_response_time

microsecond

  • Windows

  • macOS

–

Average TCP connection establishment time

highest_local_privilege_reached

privileges_level

  • Windows

  • macOS

NU

Highest local privilege level reached for executions (user, power user, administrator)

number_of_web_requests

integer

  • Windows

  • macOS

–

Number of web requests

protocols_used_in_requests

web_protocol_combination

  • Windows

  • macOS

NU

Protocols used in web requests (HTTP, TLS, HTTP/TLS)

lowest_protocol_version

min_web_protocol_version

  • Windows

  • macOS

NU

Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)

incoming_traffic

byte

  • Windows

  • macOS

NU

Total web incoming traffic

outgoing_traffic

byte

  • Windows

  • macOS

NU

Total web outgoing traffic

average_incoming_bitrate

bps

  • Windows

  • macOS

NU

Average incoming bitrate of all underlying web requests, consolidated over time

average_outgoing_bitrate

bps

  • Windows

  • macOS

NU

Average outgoing bitrate of all underlying web requests, consolidated over time

cumulated_web_request_duration

millisecond

  • Windows

  • macOS

NU

Cumulated duration of web requests

cumulated_web_interaction_duration

millisecond

  • Windows

  • macOS

NU

Cumulated time during which web requests occurred, counted with a 5-minute resolution.

average_request_size

byte

  • Windows

  • macOS

NU

Average size of web requests

average_response_size

byte

  • Windows

  • macOS

NU

Average size of web responses

average_request_duration

millisecond

  • Windows

  • macOS

–

Average time between request and last response byte

successful_http_requests_ratio

permill

  • Windows

  • macOS

NU

Percentage of successful HTTP requests (1xx, 2xx and 3xx)

number_of_events

integer

  • Windows

  • macOS

NU

Number of events

Definitions

This document lists all objects, fields and aggregates available through NXQL. Each field and aggregate has a name, a type, properties and a description.

Platforms can have the following values:

  • W: The field, aggregate or table is available on the Windows platform.

  • X: The field, aggregate or table is available on the macOS platform.

  • M: The field, aggregate or table is available on the Mobile platform.

Properties can have the following values:

  • DE: The field or aggregate is deprecated.

  • PB: The field or aggregate is in Public Beta.

  • FP: The field or aggregate can be used without a between clause.

  • NU: The field or aggregate can be nil.

  • SE: The field or aggregate is only available with a license containing the security feature.

  • WE: The field or aggregate is only available with a license containing the web monitoring feature.

  • NC: The field is not comparable.

Last updated 7 months ago
