NXQL Data Model
Objects
application
An application is a sets of executables e.g. 'Microsoft Office'. Platforms:
Name
Type
Operating system
Properties
Description
company
string
Windows
macOS
–
Company producing the application
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the application
description
string
Windows
–
Application description
first_seen
datetime
Windows
macOS
NU
First time activity of the application was recorded on any device.
id
identifier
Windows
macOS
–
Unique application identifier
known_packages
string
Windows
macOS
–
List of packages known to contain the application. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the application was installed through that package.
last_seen
datetime
Windows
macOS
NU
Last time activity of the application was recorded on any device.
name
string
Windows
macOS
–
Application name
platform
enum
Windows
macOS
–
The platform (operating system family) on which the application is running.
storage_policy
enum
Windows
macOS
–
Indicates the event storage policy for the application. Possible values are:
all: web requests, connections and executions are stored;
connections and executions;
executions;
none: no activity is recorded.
total_active_days
day
Windows
macOS
–
Total number of days the application was active.
binary
A binary is an executable binary files identified by its hash code. Platforms:
Name
Type
Operating system
Properties
Description
application_category
string
Windows
macOS
SE
Indicates the category of the application:
'-': Not yet tagged;
Unknown: Not categorized by Nexthink Library.
application_company
string
Windows
macOS
–
Application company
application_name
string
Windows
macOS
–
Application name
architecture
enum
Windows
macOS
–
Executable architecture (32/64 bit)
average_cpu_usage
permill
Windows
–
Average CPU usage for the binary
average_memory_usage
byte
Windows
NU
Average memory usage for the binary
average_number_of_graphical_handles
integer
Windows
NU
Average number of graphical handles (GDI)
company
string
Windows
macOS
–
Executable company
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the binary.
description
string
Windows
–
Description as it appears in the binary file.
executable_name
string
Windows
macOS
–
Executable name
file_size
byte
Windows
macOS
–
Binary file size
first_seen
datetime
Windows
macOS
NU
First time activity of the binary was recorded on any device.
hash
md5
Windows
macOS
–
Hash code of the binary (MD5)
id
identifier
Windows
macOS
–
Unique binary identifier
last_seen
datetime
Windows
macOS
NU
Last time activity of the binary was recorded on any device.
paths
path
Windows
macOS
–
List of paths of the binary
platform
enum
Windows
macOS
–
The platform (operating system family) on which the binary is running.
sha1
sha1
Windows
macOS
–
SHA-1 hash code of the binary
sha256
sha256
Windows
macOS
–
SHA-256 hash code of the binary
storage_policy
enum
Windows
macOS
–
Event storage policy for the binary (connection and execution, execution-only or none)
threat_level
enum
Windows
macOS
SE
Indicates the threat level of the binary:
'-': Not yet tagged;
none detected: No known threat;
low: low threat;
intermediate: Intermediate threat;
high: high threat.
total_active_days
day
Windows
macOS
–
Total number of days the binary was active.
user_interface
boolean
Windows
–
Application has interactive user interface
version
version
Windows
macOS
–
Version of the binary
destination
A destination is a device or server receiving TCP/UDP connections. Platforms:
Name
Type
Operating system
Properties
Description
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the destination
first_seen
datetime
Windows
macOS
NU
First time activity to the destination was recorded on any device.
id
identifier
Windows
macOS
–
Unique destination identifier
ip_address
ip_address
Windows
macOS
–
IP address for the destination
last_seen
datetime
Windows
macOS
NU
Last time activity to the destination was recorded on any device.
name
string
Windows
macOS
–
Reverse lookup name
device
A device is Windows physical or virtual machine monitored by a Nexthink Collector. Platforms:
Name
Type
Operating system
Properties
Description
administrator_account_status
enum
Windows
–
Determines whether the local Administrator account is enabled or disabled.
all_antispywares
string
Windows
–
Summary information about all the detected antispyware:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
all_antiviruses
string
Windows
–
Summary information about all the detected antiviruses:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
all_firewalls
string
Windows
–
Summary information about all the detected firewalls:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
allow_non_provisionable_devices
boolean
–
NU
Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange Exchange ActiveSync server. If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'
antispyware_name
string
Windows
NU
Name of the main antispyware
antispyware_rtp
enum
Windows
–
Indicates whether the antispyware real time protection (RTP) is active:
on: Indicates that RTP is active;
off: Indicates that either RTP is not active or no antispyware has been detected;
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
antispyware_up_to_date
enum
Windows
–
Indicates whether the antispyware is up-to-date:
yes: Indicates that antispyware is up-to-date;
no: Indicates that either the antispyware is not up-to-date or no antispyware has been detected;
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
antivirus_name
string
Windows
NU
Name of the main antivirus
antivirus_rtp
enum
Windows
–
Indicates whether the antivirus real time protection (RTP) is active:
on: Indicates that RTP is active;
off: Indicates that either RTP is not active or no antivirus has been detected;
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
antivirus_up_to_date
enum
Windows
–
Indicates whether the antivirus is up-to-date:
yes: Indicates that antivirus is up-to-date;
no: Indicates that either the antivirus is not up-to-date or no antivirus has been detected;
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
audit_account_logon_events
enum
Windows
–
Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
audit_account_management
enum
Windows
–
Determines whether to audit each event of account management on a computer.
audit_directory_service_access
enum
Windows
–
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
audit_logon_events
enum
Windows
–
Determines whether to audit each instance of a user logging on to or logging off from a computer.
audit_object_access
enum
Windows
–
Determines whether to audit the event of a user accessing an object, e.g. a file, folder, registry key, printer, and so forth - that has its own system access control list (SACL) specified.
audit_policy_change
enum
Windows
–
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
audit_privilege_use
enum
Windows
–
Determines whether to audit each instance of a user exercising a user right.
audit_process_tracking
enum
Windows
–
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
audit_system_events
enum
Windows
–
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
average_boot_duration
millisecond
Windows
NU
Full boot duration baseline
average_fast_startup_duration
millisecond
Windows
NU
Indicated the fast startup boot duration averaged over the fast startups. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average).
average_logon_duration
millisecond
Windows
NU
User logon duration baseline
bios_serial_number
string
Windows
macOS
NU
BIOS serial number
boot_disk_health_status
enum
Windows
NU
Indicates the health of the disk from which the device is booting [from], as reported by the operating system.
boot_disk_type
enum
Windows
macOS
NU
Indicates the type of the disk from which the device is booting.
chassis_serial_number
string
Windows
NU
Chassis serial number
cltr_ca_license_uid
string
Windows
macOS
NU
Indicates the Collector assignment license UID
cltr_ca_status
enum
Windows
macOS
NU
Indicates whether Collector assignment service is enabled or disabled
cltr_crash_guard_count
integer
Windows
NU
Indicates the number of consecutive hard resets or system crashes of the device
cltr_crash_guard_limit
integer
Windows
NU
Indicates the Collector CrashGuard limit
cltr_crash_guard_protection_interval
integer
Windows
NU
Indicates the CrashGuard monitoring interval in minutes
cltr_crash_guard_react_interval
integer
Windows
NU
Indicates the Collector CrashGuard reactivation interval in hours
cltr_custom_shells
enum
Windows
NU
Indicates whether the Collector reports user logon events and user interactions in virtualized and embedded (kiosk mode) environments
cltr_data_channel_protocol
enum
Windows
macOS
NU
Specifies if the Collector data is sent over TCP or UDP
cltr_dns_res_preference
enum
Windows
NU
Indicates the DNS resolution preference for Collector in terms of IP protocol version on the device
cltr_engage_service_status
enum
Windows
macOS
NU
Indicates whether Engage is enabled or disabled
cltr_freezes_monitoring
enum
Windows
NU
Indicates whether the Collector is monitoring for unresponsive applications on the device
cltr_installs_scan_interval
integer
Windows
NU
Indicates the interval, in hours, after which the Collector checks for newly installed packages and updates
cltr_is_visible
enum
Windows
NU
Indicates whether Collector is hidden in the "Add or Remove Programs"
cltr_log_level
enum
Windows
macOS
NU
Indicates the Collector log level
cltr_max_segment_size
integer
Windows
NU
Indicates the maximum segment size of packets sent by Collector
cltr_ra_execution_policy
enum
Windows
NU
Indicates the Powershell script execution policy
cltr_smb_print_mon_status
enum
Windows
NU
Indicates whether SMB printing monitoring is enabled or disabled
cltr_string_tag
string
Windows
macOS
NU
Indicates the Collector string tag
cltr_web_mon_status
enum
Windows
NU
Indicates whether Web & Cloud monitoring is enabled or disabled
collector_distinguished_name
string
Windows
NU
Indicates the distinguished name (DN) as seen:
For Windows: In Active Directory (AD). if no connection with AD is set up, a '-' is displayed;
For Mobile: In the Exchange ActiveSync server Note that this DN is reported by the Collector.
collector_installation_log
string
Windows
NU
Link to the last Nexthink Collector installation error log
collector_package_target_version
version
Windows
macOS
NU
Indicates the Collector package version that is targeted.
collector_print_monitoring_status
enum
Windows
NU
Indicates whether the Collector printing monitoring is enabled or disabled
collector_status
enum
Windows
macOS
NU
Indicates the status of the Nexthink Collector package installed on the device:
unmanaged: the Collector is not automatically updated
up-to-date: the Collector is up-to-date
outdated: a newer Collector version is available.
collector_tag
integer
Windows
–
Collector installation tag
collector_update_status
enum
Windows
–
Current status of Nexthink Collector Updater
collector_version
version
Windows
macOS
–
Version number of Nexthink Collector installation
cpu_frequency
mhz
Windows
macOS
NU
CPU frequency
cpu_model
string
Windows
macOS
NU
CPU model
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the device
device_encryption_required
boolean
–
NU
Indicates whether device encryption is required.
device_manufacturer
string
Windows
macOS
NU
Indicates the device manufacturer.
device_model
string
Windows
macOS
NU
Indicates the model of the device.
device_password_required
boolean
–
NU
Indicates whether a password is required on the device.
device_product_id
string
Windows
macOS
NU
Device product ID
device_product_version
string
Windows
macOS
NU
Device product version
device_serial_number
string
Windows
macOS
NU
Indicates the device serial number.
device_type
enum
Windows
macOS
–
Type of device (desktop, laptop, server, mobile)
device_uid
md5
Windows
macOS
–
Indicates the universally unique identifier (based on Engine name and device ID)
device_uuid
string
Windows
macOS
–
Indicates the device universally unique identifier (UUID)
directory_service_site
string
Windows
NU
Site (or location) of an Active Directory (AD) service
disks_manufacturers
string
Windows
–
Hard disks manufacturers
disks_smart_index
percent
Windows
NU
Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes)
distinguished_name
string
Windows
NU
Indicates the distinguished name (DN) as seen:
For Windows: In Active Directory (AD). if no connection with AD is set up, a '-' is displayed;
For Mobile: In the Exchange ActiveSync server
eas_access_state
enum
–
–
Indicates whether the device can access the Exchange ActiveSync server. The possible states are:
allowed: the device has access;
blocked: the device is blocked;
discovery: the device is temporary quarantined while it is being identified by the Exchange ActiveSync server;
quarantined: the device is waiting for Exchange ActiveSync administrator approval.
eas_access_state_reason
enum
–
–
Indicates the reason for the device access state. The possible values are:
global: caused by the global access settings;
device rule: caused by a device access rule;
individual: caused by an individual exemption;
policy: caused by Exchange ActiveSync policy.
eas_device_access_rule
string
–
–
Indicates the name of the access rule. An access rule allows, blocks or quarantines devices based on the device type, model, OS or user agent characteristics.
eas_device_identity
string
–
–
Indicates the identity of the device in Exchange ActiveSync Server.
eas_exemption
enum
–
–
Indicates whether a personal exemption is set for the device and its user. Possible values are:
none;
allow;
block.
eas_policy_application_status
enum
–
–
Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are:
not applied;
applied in full: the policy is applied (unless the field 'Allow non provisionable devices' value is 'yes');
partially applied.
eas_policy_name
string
–
–
Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox.
eas_policy_update
datetime
–
–
Indicates the last time the Exchange ActiveSync policy was updated on the device.
email_attachment_enabled
boolean
–
NU
Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol.
enforce_password_history
integer
Windows
NU
Indicates the number of unique passwords that have to be associated with a user account before an old password can be reused.
entity
string
Windows
macOS
–
Entity
extended_logon_duration_baseline
millisecond
Windows
NU
Extended logon duration baseline
firewall_name
string
Windows
NU
Name of the main firewall
firewall_rtp
enum
Windows
–
Indicates whether the firewall real time protection (RTP) is active:
on: Indicates that RTP is active;
off: Indicates that either RTP is not active or no firewall has been detected;
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
first_seen
datetime
Windows
macOS
NU
Indicates the first time when the activity of the device was recorded:
For Windows and Mac OS: The first time Collector reported activity;
For Mobile: The first time the device was reported with a successful synchronization.
graphical_card_ram
byte
Windows
NU
Amount of RAM of the graphical card with most RAM
graphical_cards
string
Windows
–
Installed graphical cards
group_name
string
Windows
macOS
NU
Name of computer domain or workgroup
guest_account_status
enum
Windows
–
Determines if the Guest account is enabled or disabled.
hard_disks
string
Windows
macOS
NC
List of all hard disks
id
identifier
Windows
macOS
–
Unique device identifier
internet_security_settings
enum
Windows
–
Internet security settings (ok, at risk or unknown)
ip_addresses
ip_address
Windows
macOS
–
List of IP addresses for the device
is_collector_distinguished_name_truncated
boolean
Windows
–
Flag indicating whether the collector DN is truncated or not
is_directory_service_site_truncated
boolean
Windows
–
Flag indicating whether the DS site is truncated or not
last_boot_duration
millisecond
Windows
NU
Last boot time duration
last_extended_logon_duration
millisecond
Windows
NU
Last extended logon duration
last_ip_address
ip_address
Windows
macOS
NU
Last IP address assigned to the device
last_known_connection_status
enum
Windows
macOS
NU
Indicates the last known connection status of the device:
udp: the device successfully connected via UDP but not TCP.
tcp: the device successfully connected via TCP but not UDP.
udp_tcp: the device successfully connected via both UDP and TCP.
'-': Collector version is below V6.6.
last_local_ip_address
ip_address
Windows
macOS
NU
Last local IP address assigned to the device
last_logged_on_user
string
Windows
NU
Last logged on user
last_logon_duration
millisecond
Windows
NU
Last user logon duration
last_logon_time
datetime
Windows
NU
Last logon time
last_seen
datetime
Windows
macOS
NU
Indicates the last time that activity on the device was reported:
For Windows and Mac OS: The last time Collector reported activity through the UDP channel,
For Mobile: The last time the device successfully synchronized with the Mobile Bridge.
last_seen_on_tcp
datetime
Windows
macOS
NU
Indicates the last time that the device was successfully connected through the TCP channel.
'-': The Collector is an older version that does not support TCP.
last_system_boot
datetime
Windows
macOS
NU
Last boot time
last_update
datetime
Windows
macOS
NU
Indicates the last Collector update time.
last_update_status
enum
Windows
macOS
NU
Indicates the status of the last Collector update:
'-': the Collector was never updated
successful installation: the last Collector installation was successful
package download error: the Collector was not able to download the Collector package from Nexthink Appliance
package digital signature error: the Collector was not able to check the Collector package digital signature
device reboot required: the device needs to be rebooted to complete the Collector installation
package error: the Collector package installation has failed
internal error: the Collector package installation has failed for an unexpected reason.
last_updater_request
datetime
Windows
NU
Last time Nexthink Updater checked for updates
last_windows_update
datetime
Windows
NU
Time of last system Update
local_administrators
string
Windows
–
Users and groups which are members of the Local Administrators group on the device and are active/enabled.
local_power_users
string
Windows
–
Users and groups which are members of the Local Powers Users group on the device.
logical_cpu_number
integer
Windows
macOS
NU
Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading.
logical_drives
string
Windows
macOS
–
List of all logical drives
mac_addresses
mac_address
Windows
macOS
–
List of MAC addresses for the device
maximum_password_age
integer
Windows
NU
Indicates the period in time (in days) during which the password can be used before the system requires the user to change it:
Windows: As set up in the group policy;
Mobile: As set up in security policies.
membership_type
enum
Windows
–
Type of computer membership (domain/workgroup)
minimum_password_age
integer
Windows
NU
Period of time (in days) that a password must be used before the user can change it.
minimum_password_length
integer
Windows
NU
Least number of characters that a password for a user account may contain.
monitor_models
string
Windows
–
Models of connected monitors
monitor_resolutions
string
Windows
–
Screen resolutions of connected monitors
monitors
string
Windows
–
Connected monitors
monitors_serial_numbers
string
Windows
–
Serial numbers of connected monitors (ordered as in 'Monitors')
name
string
Windows
macOS
–
Indicates the name of the device:
For Windows: NetBios Name;
For Mac OS: Computer name used on the network;
For Mobile: Composed by mailbox name and device friendly name.
number_of_antispyware
enum
Windows
–
Number of antispyware detected:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
number_of_antiviruses
enum
Windows
–
Number of antiviruses detected:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
number_of_cores
integer
Windows
macOS
NU
Number of cores
number_of_cpus
integer
Windows
macOS
NU
Number of CPUs
number_of_days_since_first_seen
integer
Windows
macOS
NU
Number of days since activity of the device was first recorded in the system.
number_of_days_since_last_boot
integer
Windows
macOS
NU
Number of days since last full boot
number_of_days_since_last_eas_policy_update
integer
–
NU
Indicates the number of days since the last Exchange ActiveSync policy update.
number_of_days_since_last_logon
integer
Windows
NU
Number of days since last logon
number_of_days_since_last_seen
integer
Windows
macOS
NU
Indicates the number of days since the last time the device was seen by Nexthink. The field is updated whenever device activity is detected:
For Windows and Mac OS: seen through the UDP channel,
For Mobile: seen through the Mobile Bridge.
number_of_days_since_last_seen_on_tcp
integer
Windows
NU
Indicates the number of days since the last time the device was successfully connected through the TCP channel. '-': The Collector is an older version that does not support TCP.
number_of_days_since_last_windows_update
integer
Windows
NU
Number of days since last system Update
number_of_firewalls
enum
Windows
–
Number of firewalls detected:
unknown: Indicates that the information could not be retrieved;
N/A: This field is not available on this operating system;
'-': No data, incompatible collector version or the data is not yet available.
number_of_graphical_cards
integer
Windows
–
Number of installed graphical cards
number_of_monitors
integer
Windows
macOS
–
Number of connected monitors
os_architecture
enum
Windows
macOS
–
Architecture of device operating system (x86/x64/ARM64)
os_build
version
Windows
–
Indicates the build number of the operating system.
os_version_and_architecture
string
Windows
macOS
NU
Indicates name, version and architecture (when applicable) of the operating system.
unknown: the OS version could not be retrieved or it could not be mapped to a recognized value.
password_complexity_requirements
enum
Windows
–
Indicates whether password complexity is required:
Windows: The password must meet complexity requirements as defined in the group policy;
Mobile: No simple passwords are allowed or a minimum password length is set, as defined in the security policy.
platform
enum
Windows
macOS
–
Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are:
Windows;
Mac OS;
Mobile.
privileges_of_last_logged_on_users
enum
Windows
–
Privileges of the last logged on user (user, power user, administrator)
sd_card_encryption_required
boolean
–
NU
Indicates whether SD card encryption is required.
sid
sid
Windows
NU
Windows security identifier for the device.
storage_policy
enum
Windows
macOS
–
Indicates the event storage policy for the device. Possible values are:
all: web requests, connections and executions are stored
connections and executions;
executions;
none: no activity is recorded;
remove: The device will be removed from Engine during the next cleanup, as long as it is no longer sending data; Note that available events depend on the device platform.
system_drive_capacity
byte
Windows
macOS
–
Total capacity of system drive
system_drive_free_space
byte
Windows
macOS
–
Total available free space on system drive
system_drive_usage
percent
Windows
macOS
NU
Use percentage of system drive
total_active_days
day
Windows
macOS
–
Total number of days the device was active.
total_drive_capacity
byte
Windows
macOS
–
Total capacity of all drives
total_drive_free_space
byte
Windows
macOS
–
Total free space on all drives
total_drive_usage
permill
Windows
macOS
NU
Total use percentage of all drives
total_nonsystem_drive_capacity
byte
Windows
macOS
–
Total capacity of all non-system drives
total_nonsystem_drive_free_space
byte
Windows
macOS
–
Total free space on all non-system drives
total_nonsystem_drive_usage
percent
Windows
macOS
NU
Total use percentage of all non-system drives
total_ram
byte
Windows
macOS
NU
Total amount of RAM
updater_error
string
Windows
–
Last Nexthink Collector Updater error
updater_version
version
Windows
–
Nexthink Collector Updater version
upgrade_group
enum
Windows
macOS
NU
Indicates the update group of Nexthink Collector:
manual: the Collector is manually updated
pilot: the Collector is updated as part of the pilot group
main: the Collector is updated as part of the main group.
user_account_control_status
enum
Windows
–
User account control status (ok, at risk or unknown)
windows_license_key
string
Windows
NU
Windows license key
windows_updates_status
enum
Windows
–
Windows update status (ok, at risk or unknown)
wmi_status
enum
Windows
–
Windows WMI service status (ok, failure)
domain
A domain is a domain name e.g. www.nexthink.com. Platforms:
Name
Type
Operating system
Properties
Description
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the domain
domain_category
string
Windows
macOS
SE
Indicates the category of the domain:
'-': Not yet tagged or internal domain.
first_seen
datetime
Windows
macOS
NU
The first time the domain has been seen.
hosting_country
string
Windows
macOS
SE
Indicates in which country the domain is hosted:
'-': Not yet tagged, internal domain or not known by Nexthink Library.
hostname
string
Windows
macOS
NU
The hostname of the fully qualified domain name
id
identifier
Windows
macOS
–
Unique domain identifier
internal_domain
boolean
Windows
macOS
–
Indicates whether the domain is considered internal:
yes: The domain is not reported to Nexthink Library and subdomains are not compressed using the '*' pattern;
no: The domain is reported to the Nexthink Library (if the license includes the Security module); complex subdomains are compressed using the '*' pattern.
last_seen
datetime
Windows
macOS
NU
The last time the domain has been seen.
name
string
Windows
macOS
–
The fully qualified domain name
protocol
enum
Windows
macOS
–
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
response_size
byte
Windows
macOS
–
Total web incoming traffic
storage
enum
Windows
macOS
–
Event storage policy for the domain (web request or none)
threat_level
enum
Windows
macOS
SE
Indicates the threat level of the domain:
'-': Not yet tagged or internal domain;
none detected: No known threat;
low: low threat;
intermediate: Intermediate threat;
high: High threat.
executable
An application is a executable programs e.g. 'winword.exe'. Platforms:
Name
Type
Operating system
Properties
Description
application_company
string
Windows
macOS
–
Application company
application_name
string
Windows
macOS
–
Application name
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the executable.
description
string
Windows
–
Executable description
first_seen
datetime
Windows
macOS
NU
First time activity of the executable was recorded on any device.
id
identifier
Windows
macOS
–
Unique executable identifier
known_packages
string
Windows
macOS
–
List of packages known to contain the executable. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the executable was installed through that package.
last_seen
datetime
Windows
macOS
NU
Last time activity of the executable was recorded on any device.
name
string
Windows
macOS
–
Executable name
platform
enum
Windows
macOS
–
The platform (operating system family) on which the executable is running.
storage_policy
enum
Windows
macOS
–
Indicates the event storage policy for the executable. Possible values are:
all: web requests, connections and executions are stored;
connections and executions;
executions;
none: no activity is recorded.
total_active_days
day
Windows
macOS
–
Total number of days the executable was active.
package
A package is a software packages (programs or updates). Platforms:
Name
Type
Operating system
Properties
Description
first_installation
datetime
Windows
NU
Time of first installation
first_seen
datetime
Windows
macOS
NU
The first time the package has been seen.
id
identifier
Windows
macOS
–
Unique package identifier
name
string
Windows
macOS
–
Package name
number_of_updates
integer
Windows
–
Number of updates (for programs)
platform
enum
Windows
macOS
–
The platform (operating system family) on which the package is installed.
program
string
Windows
macOS
–
Package program
publisher
string
Windows
macOS
NU
Package publisher
status
enum
Windows
macOS
–
Package status (installed/removed)
type
enum
Windows
macOS
–
Package type (program/update)
version
string
Windows
macOS
NU
Package version
windows_7_32bit_compatibility
string
Windows
DE
Indicates the Windows 7 (32-bit) compatibility of the package:
'-': Not yet tagged;
No information available: Not known by Nexthink Library;
Compatible: Compatible with Windows 7.
windows_7_64bit_compatibility
string
Windows
DE
Indicates the Windows 7 (64-bit) compatibility of the package:
'-': Not yet tagged;
No information available: Not known by Nexthink Library;
Compatible: Compatible with Windows 7.
port
A port is a TCP or UDP connection ports. Platforms:
Name
Type
Operating system
Properties
Description
first_seen
datetime
Windows
macOS
NU
First time activity of the port was recorded on any device.
id
identifier
Windows
macOS
–
Unique port identifier
last_seen
datetime
Windows
macOS
NU
Last time activity of the port was recorded on any device.
port_number
integer
Windows
macOS
–
Port number
port_type
enum
Windows
macOS
–
Port type (tcp, udp, tcp port scan, udp port scan)
port_value
port
Windows
macOS
–
Port value for tagging
printer
A printer is an installed printers (local, network, shared or virtual). Platforms:
Name
Type
Operating system
Properties
Description
first_seen
datetime
Windows
NU
First time activity of the printer was recorded on any device.
host_name
string
Windows
–
Host name
id
identifier
Windows
–
Unique print identifier
last_seen
datetime
Windows
NU
Last time activity of the printer was recorded on any device.
location
string
Windows
NU
Printer location
model
string
Windows
–
Printer model
name
string
Windows
–
Printer name
real_name
string
Windows
–
Most frequently seen display name
type
enum
Windows
–
Printer type (local/remote)
service
A service represents an IT service in your organization, such as the mail service or the directory service. Services are either based on TCP connections (for Windows and Mac devices) or on web requests (for Windows devices only). Platforms:
Name
Type
Operating system
Properties
Description
id
integer
Windows
macOS
–
Unique service identifier
name
string
Windows
macOS
–
Service name
status
enum
Windows
macOS
–
Service status (active, error)
type
enum
Windows
macOS
–
Type of service (network, web)
url_path
A url_path is a URL path after the domain name e.g. [www.nexthink.com]/awards/. Platforms:
Name
Type
Operating system
Properties
Description
id
identifier
Windows
macOS
–
Unique url path identifier
path
string
Windows
macOS
–
The URL path
user
A user is an object that represents an individual account in a device (local user) or in a group of devices (domain user). The account may identify a physical user or a system user. Platforms:
Name
Type
Operating system
Properties
Description
country
string
Windows
macOS
–
Country of user as listed in active directory
database_usage
permill
Windows
macOS
–
Percentage of the database used by information related with the binary
department
string
Windows
macOS
–
User department as listed in active directory
distinguished_name
string
Windows
macOS
NU
Active directory distinguished name (DN)
first_seen
datetime
Windows
macOS
NU
First time activity of the user was recorded on any device.
full_name
string
Windows
macOS
NU
Full user name as listed in active directory
id
identifier
Windows
macOS
–
Unique user identifier
job_title
string
Windows
macOS
NU
Job title as listed in active directory
last_seen
datetime
Windows
macOS
NU
Last time activity of the user was recorded on any device.
locality
string
Windows
macOS
–
Locality of user as listed in active directory
location
string
Windows
macOS
–
Location of user as listed in active directory
name
string
Windows
macOS
–
User logon name
number_of_days_since_last_seen
integer
Windows
macOS
NU
Indicates the number of days since the last time the user was seen by Nexthink. The field is updated whenever user activity is detected.
org_unit
string
Windows
macOS
–
Organisational unit of User as listed in active directory
seen_on_mac_os
boolean
Windows
macOS
–
Indicates if the user has been seen on a Mac device.
seen_on_mobile
boolean
Windows
macOS
–
Indicates if the user has been seen on a Mobile device.
seen_on_windows
boolean
Windows
macOS
–
Indicates if the user has been seen on a Windows device.
sid
sid
Windows
macOS
NU
Indicates the Windows security identifier for the user. For Mac OS, '-' means that the user is not in Active Directory.
total_active_days
day
Windows
macOS
–
Total number of days the user was active.
type
enum
Windows
macOS
–
Type of user (local/domain/system)
user_uid
md5
Windows
macOS
–
Indicates the universally unique identifier
Events
connection
A connection is a TCP connection or a UDP packet. Several identical TCP connections or UDP packets are merged when in close succession.
Platforms:
Name
Type
Operating system
Properties
Description
cardinality
integer
Windows
macOS
–
Number of underlying connections, consolidated over time
destination_ip_address
ip_address
Windows
macOS
–
IP address of the connection destination
device_ip_address
ip_address
Windows
macOS
–
IP address of the connection source
duration
millisecond
Windows
macOS
–
The time between the start of the first connection and the end of the last underlying connection.
end_time
datetime
Windows
macOS
–
Connection end time, corresponding to the moment when the last underlying connection was closed.
id
identifier
Windows
macOS
–
Unique connection identifier
incoming_bitrate
bps
Windows
macOS
NU
Average incoming bitrate of all underlying connections, consolidated over time
incoming_traffic
byte
Windows
macOS
–
Incoming traffic
network_interface_iana_code
string
Windows
macOS
–
(beta) Indicates the network interface IANA code.
network_interface_index
integer
Windows
macOS
–
(beta) Indicates the network interface index.
network_interface_type
enum
Windows
macOS
–
(beta) Indicates the network interface type. Possible values are:
wifi
ethernet
mobile
other
unknown: the Collector is not supporting interface type.
network_response_time
microsecond
Windows
macOS
–
TCP connection establishment time
outgoing_bitrate
bps
Windows
macOS
NU
Average outgoing bitrate of all underlying connections, consolidated over time
outgoing_traffic
byte
Windows
macOS
–
Outgoing traffic
start_time
datetime
Windows
macOS
–
Connection start time
status
enum
Windows
macOS
–
Status of the connection (established, rejected, no service, no host, closed)
type
enum
Windows
macOS
–
Type of the connection (tcp, udp)
device_activity
A device_activity is a device activity (boot or activity).
Platforms:
Name
Type
Operating system
Properties
Description
boot_type
enum
Windows
macOS
NU
Boot type of the boot activity
duration
millisecond
Windows
–
Boot duration (timed between kernel start and launch of 'logonui.exe' process) or online duration
id
identifier
Windows
macOS
–
Boot event identifier
time
datetime
Windows
macOS
–
Time of boot
type
enum
Windows
macOS
–
Activity event information
device_error
A device_error is a critical system errors (system crash, hard reset, or disk error).
Platforms:
Name
Type
Operating system
Properties
Description
error_code
integer
Windows
macOS
–
Error code
error_label
string
Windows
macOS
–
Error label
id
identifier
Windows
macOS
–
Problem identifier
start_time
datetime
Windows
macOS
–
Time of error
type
enum
Windows
macOS
–
Indicates the device error type, with the following possible values:
system crash: Windows bluescreen or macOS kernel panic;
hard reset: the device was abruptly stopped and then rebooted. It might be caused by pressing the reset button, a power failure or a crash;
SMART disk failure: a disk error was detected on a disk with SMART technology.
device_performance
A device_performance reports the average IOPS, CPU and memory of a device during one hours.
Platforms:
Name
Type
Operating system
Properties
Description
average_cpu_usage
permill
Windows
–
Average CPU usage on the period
average_memory_usage
byte
Windows
–
Average memory usage on the period
cpu_queue_length
integer
Windows
–
Average CPU queue length on the period
duration
millisecond
Windows
–
Total report duration
end_time
datetime
Windows
–
Report end time
id
identifier
Windows
–
Unique report identifier
normalized_cpu_usage
permill
Windows
–
Average CPU usage on the period normalized by the available logical CPUs
read_operations
integer
Windows
NU
Total disk read operations accumulated during the period
start_time
datetime
Windows
–
Start time
write_operations
integer
Windows
NU
Total disk write operations accumulated during the period
device_warning
A device_warning is a peak in device resource usage (CPU, memory or I/O).
Platforms:
Name
Type
Operating system
Properties
Description
duration
millisecond
Windows
macOS
–
Performance event duration
end_time
datetime
Windows
macOS
–
Performance event end time
id
identifier
Windows
macOS
–
Unique performance event identifier
info
string
Windows
macOS
–
Performance event information
start_time
datetime
Windows
macOS
–
Performance event start time
type
enum
Windows
macOS
–
Type of the device warning, one of:
'high overall cpu usage'
'high cpu usage' (deprecated)
'high io usage'
'high memory usage'
'high number of page faults'.
value
percent
Windows
macOS
–
Performance percentage
warning_duration
millisecond
Windows
macOS
–
Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.
execution
An execution is a process executing on a device. Serveral executions of the same process are merged when in close succession.
Platforms:
Name
Type
Operating system
Properties
Description
average_memory_usage
byte
Windows
macOS
–
Average memory usage per execution
binary_path
path
Windows
macOS
–
Executed binary path
cardinality
integer
Windows
macOS
–
Number of underlying processes, consolidated over time
duration
millisecond
Windows
macOS
–
Total execution duration
end_time
datetime
Windows
macOS
–
Execution end time
focus_time
millisecond
Windows
macOS
NU
Focus time
id
identifier
Windows
macOS
–
Unique execution identifier
incoming_tcp_traffic
byte
Windows
macOS
–
Incoming TCP traffic
incoming_udp_traffic
byte
Windows
macOS
–
Incoming UDP traffic
memory_usage
byte
Windows
macOS
–
Average memory usage
outgoing_tcp_traffic
byte
Windows
macOS
–
Outgoing TCP traffic
outgoing_udp_traffic
byte
Windows
macOS
–
Outgoing UDP traffic
privilege_level
enum
Windows
macOS
–
Privilege level of the execution (user, power user, administrator)
start_time
datetime
Windows
macOS
–
Execution start time
startup_duration
millisecond
Windows
NU
Startup duration
status
enum
Windows
macOS
–
Status of the execution (started, stopped)
total_cpu_time
millisecond
Windows
macOS
–
Total CPU time
execution_error
An execution_error is application errors (crash or not responding)
Platforms:
Name
Type
Operating system
Properties
Description
id
identifier
Windows
macOS
–
Error identifier
info
string
Windows
macOS
–
Error event information
time
datetime
Windows
macOS
–
Time of error
type
enum
Windows
macOS
–
Type of the execution error (application not responding, crash)
execution_warning
An execution_warning is a peak in application resource usage (CPU or memory).
Platforms:
Name
Type
Operating system
Properties
Description
duration
millisecond
Windows
macOS
–
Performance event duration
end_time
datetime
Windows
macOS
–
Performance event end time
id
identifier
Windows
macOS
–
Unique performance event identifier
info
string
Windows
macOS
–
Performance event information
start_time
datetime
Windows
macOS
–
Performance event start time
type
enum
Windows
macOS
–
Type of the execution warning (high cpu usage, high memory usage)
value
percent
Windows
macOS
–
Performance percentage
warning_duration
millisecond
Windows
macOS
–
Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.
installation
A installation is the installation or uninstallation of a Software packages (programs or updates).
Platforms:
Name
Type
Operating system
Properties
Description
id
identifier
Windows
macOS
–
Unique deployment identifier
time
datetime
Windows
macOS
–
Installation start time
type
enum
Windows
macOS
–
Type of operation (installation, uninstallation)
network_scan
A network scan is a sequence of failed TCP connections or UDP packets made to the same port to more than 50 destinations within a few seconds.
Platforms:
Name
Type
Operating system
Properties
Description
cardinality
integer
Windows
macOS
–
Number of underlying connections, consolidated over time
device_ip_address
ip_address
Windows
macOS
–
IP address of the connection source
duration
millisecond
Windows
macOS
–
The time between the start of the first connection and end of the last underlying connection
end_time
datetime
Windows
macOS
–
Scanning end time, corresponding to the moment when the last underlying connection was closed.
id
identifier
Windows
macOS
–
Unique scanning identifier
network
ip_network
Windows
macOS
–
Minimum IP network including all scanned destinations
start_time
datetime
Windows
macOS
–
Scanning start time
status
enum
Windows
macOS
–
Status of the Scanning (established, closed)
type
enum
Windows
macOS
–
Type of the port scanning (tcp, udp)
port_scan
A port scan is a sequence of failed TCP connections or UDP packets made to the same destination to more than 50 ports within a few seconds.
Platforms:
Name
Type
Operating system
Properties
Description
cardinality
integer
Windows
macOS
–
Number of underlying connections, consolidated over time
destination_ip_address
ip_address
Windows
macOS
–
IP address of the scanned destination
device_ip_address
ip_address
Windows
macOS
–
IP address of the connection source
duration
millisecond
Windows
macOS
–
The time between the start of the first connection and end of the last underlying connection.
end_time
datetime
Windows
macOS
–
Scanning end time, corresponding to the moment when the last underlying connection was closed.
first_scanned_port
port
Windows
macOS
–
First port scanning
id
identifier
Windows
macOS
–
Unique scanning identifier
last_scanned_port
port
Windows
macOS
–
Last port scanning
start_time
datetime
Windows
macOS
–
Scanning start time
status
enum
Windows
macOS
–
Status of the Scanning (established, closed)
type
enum
Windows
macOS
–
Type of the port scanning (tcp, udp)
printout
A printout is a print job processed by a printer.
Platforms:
Name
Type
Operating system
Properties
Description
color_print
boolean
Windows
–
Color print
document_type
string
Windows
–
Type of printed document
duplex
boolean
Windows
–
Indicates whether the pages are printed on both sides of the sheet.
id
identifier
Windows
–
Unique print job identifier
number_of_printed_pages
integer
Windows
NU
Number of printed pages
page_size
string
Windows
–
Paper size for printed pages
print_quality
enum
Windows
–
Print quality
size
byte
Windows
NU
Print job size in bytes
status
enum
Windows
–
Print job status(success, error, timeout)
time
datetime
Windows
–
Print job time
session_performance
Sessions of a user logged on a device.
Platforms:
Name
Type
Operating system
Properties
Description
cardinality
integer
Windows
–
Number of underlaying sessions consolidated in a bucket period
citrix_rtt
millisecond
Windows
NU
Citrix RTT
client_ip
ip_address
Windows
–
Client IP
duration
millisecond
Windows
–
Session performance bucket period duration
end_time
datetime
Windows
–
Session performance bucket end time
id
identifier
Windows
–
Unique session performance identifier
session_network_latency
millisecond
Windows
NU
Session network latency
session_protocol
enum
Windows
NU
User input delay
start_time
datetime
Windows
–
Execution start time
user_activity
A user_activity is a user activity (logon or interactive activity).
Platforms:
Name
Type
Operating system
Properties
Description
duration
millisecond
Windows
macOS
–
Indicates the time between the user logging on and the desktop being shown.
id
identifier
Windows
macOS
–
User logon event identifier
real_duration
millisecond
Windows
macOS
–
Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.
time
datetime
Windows
macOS
–
Time of user logon
type
enum
Windows
macOS
–
Activity event information
web_request
A web_request is a HTTP or TLS requests.
Platforms:
Name
Type
Operating system
Properties
Description
cardinality
integer
Windows
macOS
–
Number of underlying web requests, consolidated over time
connections_duration
millisecond
Windows
macOS
–
The time between start of the first connection and end of the last underlying connection
end_time
datetime
Windows
macOS
–
Web request end time, corresponding to the moment when the last underlying TCP connection was closed.
http_status
http_status_code
Windows
macOS
NU
HTTP response status code
id
identifier
Windows
macOS
–
Unique request identifier
incoming_traffic
byte
Windows
macOS
–
Incoming web traffic of all underlying web requests, consolidated over time
network_response_time
microsecond
Windows
macOS
–
Average TCP connection establishment time of all underlying connections, consolidated over time
outgoing_traffic
byte
Windows
macOS
–
Outgoing web traffic of all underlying web requests, consolidated over time
protocol
enum
Windows
macOS
–
Web request protocol (HTTP, TLS)
protocol_version
enum
Windows
macOS
–
Web request protocol version
service_related
boolean
Windows
macOS
–
Indicates whether the web request is related to a configured service:
yes: These requests are always visible by all users;
no: Depending on the privacy settings, requests not related to a service might not be visible by everyone.
start_time
datetime
Windows
macOS
–
Web request start time
web_request_duration
millisecond
Windows
macOS
–
Average time between request and last response byte of all underlying requests, consolidated over time
Relationships
A relationships is a link between object and event tables and is specified in a with clause.
connection
device
user
binary
executable
application
destination
port
service
device_activity
device
device_error
device
device_performance
device
device_warning
device
execution
device
user
binary
executable
application
execution_error
device
user
binary
executable
application
execution_warning
device
user
binary
executable
application
installation
device
package
network_scan
device
user
binary
executable
application
port
port_scan
device
user
binary
executable
application
destination
printout
device
user
printer
session_performance
device
user
user_activity
device
user
web_request
device
user
binary
executable
application
destination
port
domain
url_path
service
package
device
package
Aggregates
connection
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
FP
Number of devices
number_of_users
integer
Windows
macOS
FP
Number of users
number_of_applications
integer
Windows
macOS
FP
Number of applications
number_of_executables
integer
Windows
macOS
FP
Number of executables
number_of_binaries
integer
Windows
macOS
FP
Number of binaries
number_of_destinations
integer
Windows
macOS
–
Number of destinations
number_of_ports
integer
Windows
macOS
–
Number of ports
number_of_connections
integer
Windows
macOS
–
Number of connections
cumulated_connection_duration
millisecond
Windows
macOS
–
Cumulated duration of TCP connections
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
incoming_traffic
byte
Windows
macOS
NU
Total network incoming traffic
outgoing_traffic
byte
Windows
macOS
NU
Total network outgoing traffic
average_network_response_time
microsecond
Windows
macOS
–
Average TCP connection establishment time
successful_connections_ratio
permill
Windows
macOS
NU
Percentage of successful TCP connections
network_availability_level
availability_level
Windows
macOS
NU
Graded ratio of successful TCP connections (high, medium, low)
average_incoming_bitrate
bps
Windows
macOS
NU
Average incoming network bitrate
average_outgoing_bitrate
bps
Windows
macOS
NU
Average outgoing network bitrate
highest_local_privilege_reached
privileges_level
Windows
macOS
NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_events
integer
Windows
macOS
NU
Number of events
incoming_network_traffic_per_device
byte
Windows
macOS
NU
Device average incoming network traffic
outgoing_network_traffic_per_device
byte
Windows
macOS
NU
Device average outgoing network traffic
total_network_traffic
byte
Windows
macOS
NU
Network traffic
device_activity
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
average_boot_duration
millisecond
Windows
NU
Average boot duration
average_logon_duration
millisecond
Windows
NU
Average user logon duration
average_extended_logon_duration
millisecond
Windows
NU
Average extended logon duration
number_of_boots
integer
Windows
macOS
NU
Number of boots
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
uptime
millisecond
Windows
macOS
NU
Amount of time the machine has been running
cumulated_interaction_duration
millisecond
Windows
macOS
NU
Cumulated time with user interaction (mouse or keyboard events)
number_of_events
integer
Windows
macOS
NU
Number of events
device_error
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_errors
integer
Windows
macOS
–
Number of system errors
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
number_of_events
integer
Windows
macOS
NU
Number of events
device_performance
Name
Type
Operating system
Properties
Description
average_read_operations
integer
Windows
–
Average read IPOS
average_write_operations
integer
Windows
–
Average write IPOS
average_cpu_queue_length
integer
Windows
–
Average CPU queue length
average_memory_usage
byte
Windows
NU
Average memory usage
average_cpu_usage
percent
Windows
–
Average CPU usage
average_normalized_cpu_usage
percent
Windows
–
Average normalized CPU usage
device_warning
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_warnings
integer
Windows
macOS
–
Number of warnings
cumulated_warning_duration
millisecond
Windows
macOS
NU
Cumulated duration of the warning events
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
number_of_events
integer
Windows
macOS
NU
Number of events
high_device_overall_cpu_time_ratio
permill
Windows
macOS
NU
Indicates the ratio between the time the device is in high overall CPU usage and its uptime.
high_device_memory_time_ratio
permill
Windows
macOS
NU
Indicates the ratio between the time the device is in high memory usage and its uptime.
high_device_io_throughput_time_ratio
permill
Windows
NU
Indicates the ratio between the time the device is in high IO throughput and its uptime.
high_device_page_faults_time_ratio
permill
Windows
NU
Indicates the ratio between the time the device is in high page faults and its uptime.
execution
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
FP
Number of devices
number_of_users
integer
Windows
macOS
FP
Number of users
number_of_applications
integer
Windows
macOS
FP
Number of applications
number_of_executables
integer
Windows
macOS
FP
Number of executables
number_of_binaries
integer
Windows
macOS
FP
Number of binaries
number_of_executions
integer
Windows
macOS
–
Number of executions
cumulated_execution_duration
millisecond
Windows
macOS
NU
Cumulated duration of executions
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
incoming_traffic
byte
Windows
macOS
NU
Total network incoming traffic
outgoing_traffic
byte
Windows
macOS
NU
Total network outgoing traffic
highest_local_privilege_reached
privileges_level
Windows
macOS
NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_events
integer
Windows
macOS
NU
Number of events
average_memory_usage_per_execution
byte
Windows
macOS
NU
Average memory usage per execution
memory_usage
byte
Windows
macOS
NU
Memory usage
focus_time
millisecond
Windows
macOS
NU
Focus time
cpu_usage_ratio
permill
Windows
macOS
NU
Average CPU usage
total_cpu_time
millisecond
Windows
macOS
NU
Total CPU time
average_process_start_time
millisecond
Windows
NU
Average process start time
incoming_network_traffic_per_device
byte
Windows
macOS
NU
Device average incoming network traffic
outgoing_network_traffic_per_device
byte
Windows
macOS
NU
Device average outgoing network traffic
total_network_traffic
byte
Windows
macOS
NU
Network traffic
execution_error
Name
Type
Operating system
Properties
Description
application_not_responding_event_ratio
permill
Windows
macOS
NU
Application not responding event ratio
application_crash_ratio
permill
Windows
macOS
NU
Application crash ratio
number_of_application_not_responding_events
integer
Windows
macOS
–
Number of application not responding events
number_of_application_crashes
integer
Windows
macOS
–
Number of application crashes
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_users
integer
Windows
macOS
–
Number of users
number_of_applications
integer
Windows
macOS
–
Number of applications
number_of_executables
integer
Windows
macOS
–
Number of executables
number_of_binaries
integer
Windows
macOS
–
Number of binaries
number_of_errors
integer
Windows
macOS
–
Number of errors
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
number_of_events
integer
Windows
macOS
NU
Number of events
execution_warning
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_users
integer
Windows
macOS
–
Number of users
number_of_applications
integer
Windows
macOS
–
Number of applications
number_of_executables
integer
Windows
macOS
–
Number of executables
number_of_binaries
integer
Windows
macOS
–
Number of binaries
number_of_warnings
integer
Windows
macOS
–
Number of warnings
cumulated_warning_duration
millisecond
Windows
macOS
NU
Cumulated duration of the warning events
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
number_of_events
integer
Windows
macOS
NU
Number of events
high_application_thread_cpu_time_ratio
permill
Windows
macOS
NU
High application thread CPU time ratio
installation
Name
Type
Operating system
Properties
Description
number_of_packages
integer
Windows
macOS
–
Number of packages
number_of_devices
integer
Windows
macOS
–
Number of devices
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
number_of_installations
integer
Windows
macOS
–
Number of installations
number_of_events
integer
Windows
macOS
NU
Number of events
network_scan
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_users
integer
Windows
macOS
–
Number of users
number_of_applications
integer
Windows
macOS
–
Number of applications
number_of_executables
integer
Windows
macOS
–
Number of executables
number_of_binaries
integer
Windows
macOS
–
Number of binaries
number_of_ports
integer
Windows
macOS
–
Number of ports
number_of_connections
integer
Windows
macOS
–
Number of connections
cumulated_scan_duration
millisecond
Windows
macOS
NU
Cumulated duration of the network scan
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
incoming_traffic
byte
Windows
macOS
NU
Total network incoming traffic
outgoing_traffic
byte
Windows
macOS
NU
Total network outgoing traffic
number_of_events
integer
Windows
macOS
NU
Number of events
incoming_network_traffic_per_device
byte
Windows
macOS
NU
Device average incoming network traffic
outgoing_network_traffic_per_device
byte
Windows
macOS
NU
Device average outgoing network traffic
total_network_traffic
byte
Windows
macOS
NU
Network traffic
package
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
FP
Number of devices
number_of_packages
integer
Windows
macOS
FP
Number of packages
port_scan
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
macOS
–
Number of devices
number_of_users
integer
Windows
macOS
–
Number of users
number_of_applications
integer
Windows
macOS
–
Number of applications
number_of_executables
integer
Windows
macOS
–
Number of executables
number_of_binaries
integer
Windows
macOS
–
Number of binaries
number_of_connections
integer
Windows
macOS
–
Number of connections
number_of_destinations
integer
Windows
macOS
–
Number of destinations
cumulated_scan_duration
millisecond
Windows
macOS
NU
Cumulated duration of the network scan
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
incoming_traffic
byte
Windows
macOS
NU
Total network incoming traffic
outgoing_traffic
byte
Windows
macOS
NU
Total network outgoing traffic
number_of_events
integer
Windows
macOS
NU
Number of events
incoming_network_traffic_per_device
byte
Windows
macOS
NU
Device average incoming network traffic
outgoing_network_traffic_per_device
byte
Windows
macOS
NU
Device average outgoing network traffic
total_network_traffic
byte
Windows
macOS
NU
Network traffic
printout
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
–
Number of devices
number_of_users
integer
Windows
–
Number of users
number_of_printers
integer
Windows
–
Number of printers
number_of_printed_pages
integer
Windows
–
Number of printed pages
number_of_printouts
integer
Windows
–
Number of print jobs
activity_start_time
datetime
Windows
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
NU
Stop time of investigated activity
number_of_events
integer
Windows
macOS
NU
Number of events
session_performance
Name
Type
Operating system
Properties
Description
session_duration
millisecond
Windows
NU
Session duration
average_citrix_rtt
millisecond
Windows
NU
Average Citrix RTT
average_session_network_latency
millisecond
Windows
NU
Average session network latency
user_activity
Name
Type
Operating system
Properties
Description
number_of_devices
integer
Windows
–
Number of devices
number_of_users
integer
Windows
macOS
–
Number of users
number_of_logons
integer
Windows
–
Number of user logons
activity_start_time
datetime
Windows
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
NU
Stop time of investigated activity
cumulated_interaction_duration
millisecond
Windows
NU
Cumulated time with user interaction (mouse or keyboard events)
average_logon_duration
millisecond
Windows
NU
Average user logon duration
average_extended_logon_duration
millisecond
Windows
NU
Average extended logon duration
number_of_events
integer
Windows
macOS
NU
Number of events
web_request
Name
Type
Operating system
Properties
Description
total_web_traffic
byte
Windows
macOS
NU
Web traffic
outgoing_web_traffic_per_device
byte
Windows
macOS
NU
Outgoing web traffic per device
incoming_web_traffic_per_device
byte
Windows
macOS
NU
Incoming web traffic per device
number_of_devices
integer
Windows
macOS
FP
Number of devices
number_of_domains
integer
Windows
macOS
FP
Number of domains
number_of_users
integer
Windows
macOS
FP
Number of users
number_of_applications
integer
Windows
macOS
FP/NU
Number of applications
number_of_executables
integer
Windows
macOS
FP
Number of executables
number_of_binaries
integer
Windows
macOS
FP
Number of binaries
number_of_destinations
integer
Windows
macOS
–
Number of destinations
number_of_ports
integer
Windows
macOS
–
Number of ports
activity_start_time
datetime
Windows
macOS
NU
Start time of investigated activity
activity_stop_time
datetime
Windows
macOS
NU
Stop time of investigated activity
average_network_response_time
microsecond
Windows
macOS
–
Average TCP connection establishment time
highest_local_privilege_reached
privileges_level
Windows
macOS
NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_web_requests
integer
Windows
macOS
–
Number of web requests
protocols_used_in_requests
web_protocol_combination
Windows
macOS
NU
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
lowest_protocol_version
min_web_protocol_version
Windows
macOS
NU
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
incoming_traffic
byte
Windows
macOS
NU
Total web incoming traffic
outgoing_traffic
byte
Windows
macOS
NU
Total web outgoing traffic
average_incoming_bitrate
bps
Windows
macOS
NU
Average incoming bitrate of all underlying web requests, consolidated over time
average_outgoing_bitrate
bps
Windows
macOS
NU
Average outgoing bitrate of all underlying web requests, consolidated over time
cumulated_web_request_duration
millisecond
Windows
macOS
NU
Cumulated duration of web requests
cumulated_web_interaction_duration
millisecond
Windows
macOS
NU
Cumulated time during which web requests occurred, counted with a 5 minutes resolution.
average_request_size
byte
Windows
macOS
NU
Average size of web requests
average_response_size
byte
Windows
macOS
NU
Average size of web responses
average_request_duration
millisecond
Windows
macOS
–
Average time between request and last response byte
successful_http_requests_ratio
permill
Windows
macOS
NU
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
number_of_events
integer
Windows
macOS
NU
Number of events
Definitions
The following document lists all objects, fields and aggregates available through NXQL. Each field and aggregate have a name, a type, properties and a description.
Platforms can have the following values:
W: The field, aggregate or table is available on the Windows platform.
X: The field, aggregate or table is available on the Mac OS platform.
M: The field, aggregate or table is available on the Mobile platform.
Properties can have the following values:
DE: The field or aggregate is deprecated.
PB: The field or aggregate is in Public Beta.
FP: The field or aggregate can be used without a between clause.
NU: The field or aggregate can be nil.
SE: The field or aggregate is only available with a license containing the security feature.
WE: The field or aggregate is only available with a license containing the web monitoring feature.
NC: The field is not comparable.
Last updated
Was this helpful?