Data Model

This reference article contains the complete description of Nexthink's data model.

Objects

Objects represent items recognized by Nexthink.

User

Users of devices (domain, local or system)


Field | Group | Type | Windows | Mac | Mobile
Activity start time | Activity | Aggregate | yes | yes | no
Start time of investigated activity
Activity stop time | Activity | Aggregate | yes | yes | no
Stop time of investigated activity
Application crash ratio | Errors | Aggregate | yes | no | no
Indicates the number of application crashes per 100 executions.
Application not responding event ratio | Errors | Aggregate | yes | no | no
Indicates the number of application not responding events per 100 executions.
Average incoming network bitrate | Availability | Aggregate | yes | yes | no
Average incoming network bitrate
Average incoming web bitrate | Availability | Aggregate | yes | no | no
Average incoming bitrate of all underlying web requests, consolidated over time
Average memory usage per execution | Activity | Aggregate | yes | no | no
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
Average network response time | Availability | Aggregate | yes | yes | no
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate | Availability | Aggregate | yes | yes | no
Average outgoing network bitrate
Average outgoing web bitrate | Availability | Aggregate | yes | no | no
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration | Availability | Aggregate | yes | no | no
Average time between request and last response byte
Average web request size | Traffic | Aggregate | yes | no | no
Average size of web requests
Average web response size | Traffic | Aggregate | yes | no | no
Average size of web responses
Binary paths | Activity | Aggregate | yes | yes | no
List of executed binary paths (max. 50 paths)
CPU usage ratio | Activity | Aggregate | yes | no | no
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
Cumulated execution duration | Activity | Aggregate | yes | yes | no
Cumulated duration of executions
Cumulated network connection duration | Activity | Aggregate | yes | yes | no
Cumulated duration of TCP connections
Department | Properties | Field | yes | yes | yes
User department as listed in Active Directory
Distinguished name | Properties | Field | yes | yes | yes
Active Directory distinguished name (DN)
First seen | Properties | Field | yes | yes | yes
First time activity of the user was recorded on any device
Full name | Properties | Field | yes | yes | yes
Full user name as listed in Active Directory
Highest local privilege level reached | Activity | Aggregate | yes | yes | no
Highest local privilege level reached for executions (user, power user, administrator)
ID | Properties | Field | yes | yes | yes
Unique user identifier code
Incoming network traffic | Traffic | Aggregate | yes | yes | no
Total network incoming traffic
Incoming web traffic | Traffic | Aggregate | yes | no | no
Total web incoming traffic
Job title | Properties | Field | yes | yes | yes
Job title as listed in Active Directory
Last seen | Properties | Field | yes | yes | yes
Last time activity of the user was recorded on any device
Lowest observed web protocol version | Activity | Aggregate | yes | no | no
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Name | Properties | Field | yes | yes | yes
User logon name
Network availability level | Availability | Aggregate | yes | yes | no
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of application crashes | Errors | Aggregate | yes | no | no
Number of application crashes
Number of application not responding events | Errors | Aggregate | yes | no | no
Number of application not responding events
Number of applications | Inventory | Aggregate | yes | yes | no
Number of applications
Number of binaries | Inventory | Aggregate | yes | yes | no
Number of binaries
Number of connections | Activity | Aggregate | yes | yes | no
Number of connections
Number of days since last seen | Properties | Field | yes | yes | yes
Indicates the number of days since the last time the user was seen by Nexthink. The field is updated every hour.
Number of destinations | Inventory | Aggregate | yes | yes | no
Number of destinations
Number of devices | Inventory | Aggregate | yes | yes | yes
Number of devices
Number of domains | Inventory | Aggregate | yes | no | no
Number of domains
Number of executables | Inventory | Aggregate | yes | yes | no
Number of executables
Number of executions | Activity | Aggregate | yes | yes | no
Number of executions
Number of ports | Inventory | Aggregate | yes | yes | no
Number of ports
Number of print jobs | Activity | Aggregate | yes | no | no
Number of print jobs
Number of printed pages | Activity | Aggregate | yes | no | no
Number of printed pages
Number of printers | Inventory | Aggregate | yes | no | no
Number of printers
Number of web requests | Activity | Aggregate | yes | no | no
Number of web requests
Outgoing network traffic | Traffic | Aggregate | yes | yes | no
Total network outgoing traffic
Outgoing web traffic | Traffic | Aggregate | yes | no | no
Total web outgoing traffic
Protocols used in web requests | Activity | Aggregate | yes | no | no
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
SID | Properties | Field | yes | yes | yes
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory.
Successful HTTP requests ratio | Availability | Aggregate | yes | no | no
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio | Availability | Aggregate | yes | yes | no
Percentage of successful TCP connections
Total active days | Activity | Field | yes | yes | yes
Total number of days the user was active
Total CPU time | Activity | Aggregate | yes | no | no
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
Total network traffic | Traffic | Aggregate | yes | yes | no
Total network traffic (incoming and outgoing)
Total web traffic | Traffic | Aggregate | yes | no | no
Total web traffic (incoming and outgoing)
Type | Properties | Field | yes | yes | yes
Type of user (local/domain/system)
UID | Properties | Field | yes | yes | yes
Indicates the universally unique identifier (based on user SID).
Web interaction time | Activity | Aggregate | yes | no | no
Indicates the time during which at least one executable is generating HTTP or TLS traffic. This is counted with a 5-minute resolution.

Device

Devices are Windows, Mac OS or mobile endpoints


Field | Group | Type | Windows | Mac | Mobile
Access state | Exchange | Field | no | no | yes
Indicates whether the device can access the Exchange ActiveSync server. The possible states are:
  • allowed: the device has access
  • blocked: the device is blocked
  • discovery: the device is temporarily quarantined while it is being identified by the Exchange ActiveSync server
  • quarantined: the device is waiting for Exchange ActiveSync administrator approval
Access state reason | Exchange | Field | no | no | yes
Indicates the reason for the device access state. The possible values are:
  • global: caused by the global access settings
  • device rule: caused by a device access rule
  • individual: caused by an individual exemption
  • policy: caused by Exchange ActiveSync policy
Activity start time | Activity | Aggregate | yes | yes | no
Start time of investigated activity
Activity stop time | Activity | Aggregate | yes | yes | no
Stop time of investigated activity
Administrator account status | Policy | Field | yes | no | no
Determines whether the local Administrator account is enabled or disabled
All antispyware | Security | Field | yes | no | no
Summary information about all the detected antispyware:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
All antiviruses | Security | Field | yes | no | no
Summary information about all the detected antiviruses:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
All firewalls | Security | Field | yes | no | no
Summary information about all the detected firewalls:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
Antispyware display name | Security | Field | yes | no | no
Name of the main antispyware
Note: this field is not available for Windows Server operating systems.
Antispyware RTP | Security | Field | yes | no | no
Indicates whether the antispyware real time protection (RTP) is active:
  • on: indicates that RTP is active
  • off: indicates that either RTP is not active or no antivirus has been detected
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
Antispyware up-to-date | Security | Field | yes | no | no
Indicates whether the antispyware is up-to-date:
  • yes: indicates that antispyware is up-to-date
  • no: indicates that either the antispyware is not up-to-date or no antispyware has been detected
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
Antivirus display name | Security | Field | yes | no | no
Name of the main antivirus
Note: this field is not available for Windows Server operating systems.
Antivirus RTP | Security | Field | yes | no | no
Indicates whether the antivirus real time protection (RTP) is active:
  • on: indicates that RTP is active
  • off: indicates that either RTP is not active or no antivirus has been detected
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
Antivirus up-to-date | Security | Field | yes | no | no
Indicates whether the antivirus is up-to-date:
  • yes: indicates that antivirus is up-to-date
  • no: indicates that either the antivirus is not up-to-date or no antivirus has been detected
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
Application crash ratio | Errors | Aggregate | yes | no | no
Indicates the number of application crashes per 100 executions.
Application not responding event ratio | Errors | Aggregate | yes | no | no
Indicates the number of application not responding events per 100 executions.
Audit account logon events | Policy | Field | yes | no | no
Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account
Audit account management | Policy | Field | yes | no | no
Determines whether to audit each event of account management on a computer
Audit directory service access | Policy | Field | yes | no | no
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified
Audit logon events | Policy | Field | yes | no | no
Determines whether to audit each instance of a user logging on to or logging off from a computer
Audit object access | Policy | Field | yes | no | no
Determines whether to audit the event of a user accessing an object (e.g. a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified
Audit policy change | Policy | Field | yes | no | no
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies
Audit privilege use | Policy | Field | yes | no | no
Determines whether to audit each instance of a user exercising a user right
Audit process tracking | Policy | Field | yes | no | no
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access
Audit system events | Policy | Field | yes | no | no
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log
Average extended logon duration | Startup | Aggregate | yes | no | no
Indicates the average extended logon duration.
Average incoming network bitrate | Availability | Aggregate | yes | yes | no
Average incoming network bitrate
Average incoming web bitrate | Availability | Aggregate | yes | no | no
Average incoming bitrate of all underlying web requests, consolidated over time
Average logon duration | Startup | Aggregate | yes | no | no
Indicates the average logon duration.
Average memory usage per execution | Activity | Aggregate | yes | no | no
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
Average network response time | Availability | Aggregate | yes | yes | no
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate | Availability | Aggregate | yes | yes | no
Average outgoing network bitrate
Average outgoing web bitrate | Availability | Aggregate | yes | no | no
Average outgoing bitrate of all underlying web requests, consolidated over time
Average system boot duration | Startup | Aggregate | yes | no | no
Indicates the average system boot duration.
Average web request duration | Availability | Aggregate | yes | no | no
Average time between request and last response byte
Average web request size | Traffic | Aggregate | yes | no | no
Average size of web requests
Average web response size | Traffic | Aggregate | yes | no | no
Average size of web responses
Binary paths | Activity | Aggregate | yes | yes | no
List of executed binary paths (max. 50 paths)
BIOS serial number | Hardware | Field | yes | no | no
BIOS serial number
Chassis serial number | Hardware | Field | yes | no | no
Chassis serial number
Collector installation log | Nexthink Collector | Field | yes | no | no
Indicates the link to the last Nexthink Collector installation error log.
Collector status | Nexthink Collector | Field | yes | no | no
Indicates the status of the Nexthink Collector package installed on the device:
  • unmanaged: the Collector is not automatically updated
  • up-to-date: the Collector is up-to-date
  • outdated: a newer Collector version is available.
Collector tag | Nexthink Collector | Field | yes | no | no
Indicates the Collector installation tag.
Collector update group | Nexthink Collector | Field | yes | no | no
Indicates the update group of Nexthink Collector:
  • manual: the Collector is manually updated
  • pilot: the Collector is updated as part of the pilot group
  • main: the Collector is updated as part of the main group.
Collector update status | Nexthink Collector | Field | yes | no | no
Indicates the status of the Nexthink Collector updater.
Collector version | Nexthink Collector | Field | yes | yes | no
Indicates the version of the Nexthink Collector installed on the device.
CPU frequency | Hardware | Field | yes | yes | no
CPU frequency
CPU model | Hardware | Field | yes | yes | no
CPU model
CPU usage ratio | Activity | Aggregate | yes | no | no
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
Cumulated execution duration | Activity | Aggregate | yes | yes | no
Cumulated duration of executions
Cumulated interaction time | Activity | Aggregate | yes | yes | no
Cumulated time with user interaction (mouse or keyboard events)
Cumulated network connection duration | Activity | Aggregate | yes | yes | no
Cumulated duration of TCP connections
Database usage | Properties | Field | yes | yes | yes
Indicates the percentage of the Engine database used by the device.
Device access rule | Exchange | Field | no | no | yes
Indicates the name of the Exchange ActiveSync device access rule and whether the rule allows, blocks or quarantines the device.
Device encryption required | Policy | Field | no | no | yes
Indicates whether device encryption is required.
Device identity | Exchange | Field | no | no | yes
Indicates the identity of the device in Exchange ActiveSync server.
Device manufacturer | Hardware | Field | yes | yes | no
Indicates the device manufacturer.
Device model | Hardware | Field | yes | yes | yes
Indicates the model of the device.
Device password required | Policy | Field | no | no | yes
Indicates whether a password is required on the device.
Device product ID | Hardware | Field | yes | no | no
Device product ID
Device product version | Hardware | Field | yes | no | no
Device product version
Device serial number | Hardware | Field | yes | yes | no
Indicates the device serial number.
Device type | Hardware | Field | yes | yes | yes
Indicates the device type:
  • desktop
  • laptop
  • server
  • mobile
Device UUID | Properties | Field | yes | yes | no
Indicates the device universally unique identifier (UUID).
Disks S.M.A.R.T. index | Hardware | Field | yes | no | no
Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes)
Distinguished name | Properties | Field | yes | no | yes
Indicates the distinguished name (DN) as seen:
  • For Windows: in Active Directory (AD); if no connection with AD is set up, a '-' is displayed
  • For Mobile: in the Exchange ActiveSync server
Email attachment enabled | Policy | Field | no | no | yes
Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol.
Enforce password history | Policy | Field | yes | no | yes
Indicates the number of unique passwords that have to be associated with a user account before an old password can be reused:
  • Windows: as set up in the group policy
  • Mobile: as set up in security policies
Entity | Properties | Field | yes | yes | yes
Entity to which the device belongs
Exemption | Exchange | Field | no | no | yes
Indicates whether a personal exemption is set for the device and its user. Possible values are:
  • none
  • allow
  • block
Extended logon duration baseline | Startup | Field | yes | no | no
Indicates the extended logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially weighted moving average).
Firewall display name | Security | Field | yes | no | no
Name of the main firewall
Note: this field is not available for Windows Server operating systems.
Firewall RTP | Security | Field | yes | no | no
Indicates whether the firewall real time protection (RTP) is active:
  • on: indicates that RTP is active
  • off: indicates that either RTP is not active or no antivirus has been detected
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-': no data, incompatible collector version or the data is not yet available
Note: this field is not available for Windows Server operating systems.
First seen | Properties | Field | yes | yes | yes
Indicates the first time when the activity of the device was recorded:
  • For Windows and Mac OS: the first time Collector reported activity
  • For Mobile: the first time the device was reported with a successful synchronization
Graphical card RAM | Hardware | Field | yes | no | no
Amount of RAM of the graphical card with most RAM
Graphical cards | Hardware | Field | yes | no | no
Installed graphical cards
Group name | Network | Field | yes | yes | no
Name of computer domain or workgroup
Guest account status | Policy | Field | yes | no | no
Determines if the Guest account is enabled or disabled
Hard disks | Hardware | Field | yes | yes | no
List of all hard disks
Hard disks manufacturers | Hardware | Field | yes | yes | no
Indicates the list of hard disk manufacturers
High device overall CPU time ratio | Warnings | Aggregate | yes | no | no
Indicates the ratio between the time that the device is in high overall CPU usage and its uptime.
High device thread CPU time ratio (deprecated) | Warnings | Aggregate | yes | no | no
Indicates the ratio between the time that the device is in high thread CPU usage and its uptime.
High IO throughput time | Warnings | Aggregate | yes | no | no
Percentage of time with high IO throughput
High memory time | Warnings | Aggregate | yes | no | no
Percentage of time with high memory usage
High page faults time | Warnings | Aggregate | yes | no | no
Percentage of time with high page faults (disk swapping)
Highest local privilege level reached | Activity | Aggregate | yes | yes | no
Highest local privilege level reached for executions (user, power user, administrator)
ID | Properties | Field | yes | yes | yes
Unique device identifier code
Incoming network traffic | Traffic | Aggregate | yes | yes | no
Total network incoming traffic
Incoming web traffic | Traffic | Aggregate | yes | no | no
Total web incoming traffic
Interaction time ratio | Activity | Aggregate | yes | yes | no
Percentage of time with user interaction (mouse or keyboard events)
Internet security settings | Security | Field | yes | no | no
Internet security settings (ok, at risk or unknown)
IP addresses | Network | Field | yes | yes | no
List of IP addresses for the device
Last extended logon duration | Startup | Field | yes | no | no
Indicates the last recorded value for the time between the user logging on and the device being ready.
Last IP address | Network | Field | yes | yes | no
Last IP address assigned to the device
Last logged on user | Startup | Field | yes | no | no
Last logged on user
Last logged on user's privileges | Startup | Field | yes | no | no
Privileges of the last logged on user (user, power user, administrator)
Last logon duration | Startup | Field | yes | no | no
Indicates the last recorded value for the time between the user logging on and the desktop being displayed.
Last logon time | Startup | Field | yes | no | no
Indicates the time of the last logon.
Last policy update | Exchange | Field | no | no | yes
Indicates the last time the Exchange ActiveSync policy was updated on the device.
Last seen | Properties | Field | yes | yes | yes
Indicates the last time when the activity of the device was recorded:
  • For Windows and Mac OS: the last time Collector reported activity
  • For Mobile: the last time the device was reported with a successful synchronization
Last system boot duration | Startup | Field | yes | no | no
Duration of last system boot
Last system boot time | Startup | Field | yes | yes | no
Indicates the time of the last system boot.
Last system update | Operating system | Field | yes | no | no
Time of last system update
Last update | Nexthink Collector | Field | yes | no | no
Indicates the last Collector update time.
Last update status | Nexthink Collector | Field | yes | no | no
Indicates the status of the last Collector update:
  • '-': the Collector was never updated
  • successful installation: the last Collector installation was successful
  • package download error: the Collector was not able to download the Collector package from Nexthink Appliance
  • package digital signature error: the Collector was not able to check the Collector package digital signature
  • device reboot required: the device needs to be rebooted to complete the Collector installation
  • package error: the Collector package installation has failed
  • internal error: the Collector package installation has failed for an unexpected reason.
Last Updater request | Nexthink Collector | Field | yes | no | no
Indicates the last time the Nexthink Updater has checked for updates.
Local Administrators | Operating system | Field | yes | no | no
Users and groups which are members of the Local Administrators group on the device
Local Power Users | Operating system | Field | yes | no | no
Users and groups which are members of the Local Power Users group on the device
Logical drives Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
List of all logical drives
Logon duration baseline Startup Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially weighted moving average).
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
MAC addresses Network Field Windows black.png Mac black.png Mobile gray disabled.png
List of MAC addresses for the device
Maximum password age Policy Field Windows black.png Mac gray disabled.png Mobile black.png
Indicates the period of time (in days) during which the password can be used before the system requires the user to change it:
  • Windows: as set up in the group policy
  • Mobile: as set up in security policies
Membership type Network Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Type of computer membership (domain/workgroup)
Minimum password age Policy Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Period of time (in days) that a password must be used before the user can change it
Minimum password length Policy Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Least number of characters that a password for a user account may contain
Monitor models Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Models of connected monitors
Monitor resolutions Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Screen resolutions of connected monitors
Monitors Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Connected monitors
Monitors serial numbers Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Serial numbers of connected monitors (ordered as in 'Monitors')
Name Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the name of the device:
  • For Windows: NetBios Name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of antispyware Security Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of antispyware detected:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-' : no data, incompatible collector version or the data is not yet available

Note: this field is not available for Windows Server operating systems.

Number of antiviruses Security Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of antiviruses detected:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-' : no data, incompatible collector version or the data is not yet available

Note: this field is not available for Windows Server operating systems.

Number of application crashes Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application crashes
Number of application not responding events Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application not responding events
Number of applications Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of cores Hardware Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the number of CPUs multiplied by the number of cores that are available on each CPU.
Number of CPUs Hardware Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the number of central processing units (CPUs), also known as the number of sockets.
Number of days since first seen Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the number of complete days since the device was first seen. The value is updated every hour.
Number of days since last logon Startup Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of days since last logon
Number of days since last policy update Exchange Field Windows gray disabled.png Mac gray disabled.png Mobile black.png
Indicates the number of days since the last Exchange ActiveSync policy update.
Number of days since last seen Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the number of days since the last time the device was seen by Nexthink. The field is updated every hour.
Number of days since last system boot Startup Field Windows black.png Mac black.png Mobile gray disabled.png
Number of days since last system boot
Number of days since last system update Operating system Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of days since last system update
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executables Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
Number of executions Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executions
Number of firewalls Security Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of firewalls detected:
  • unknown: indicates that the information could not be retrieved
  • N/A: this field is not available on this operating system
  • '-' : no data, incompatible collector version or the data is not yet available

Note: this field is not available for Windows Server operating systems.

Number of graphical cards Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of installed graphical cards
Number of hard resets Errors Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of hard resets
Number of installations Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of installations
Number of logical processors Hardware Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading.
Number of logons Startup Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of logons
Number of monitors Hardware Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of connected monitors
Number of packages Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of packages
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of print jobs Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of print jobs
Number of printed pages Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printed pages
Number of printers Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printers
Number of system boots Startup Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of system boots
Number of system crashes Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of Windows bluescreens.
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
OS architecture Operating system Field Windows black.png Mac black.png Mobile gray disabled.png
Architecture of device operating system (x86/x64)
OS version Operating system (deprecated) Field Windows black.png Mac black.png Mobile black.png
Version of device operating system
OS version and architecture Operating system Field Windows black.png Mac black.png Mobile black.png
Indicates name, version and architecture (when applicable) of the operating system:
  • Unknown: the OS version could not be retrieved or it could not be mapped to a recognized value
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Password complexity requirements enabled Policy Field Windows black.png Mac gray disabled.png Mobile black.png
Indicates whether password complexity is required:
  • Windows: the password must meet complexity requirements as defined in the group policy
  • Mobile: no simple passwords are allowed or a minimum password length is set, as defined in the security policy
Platform Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are:
  • Windows
  • Mac OS
  • Mobile
Policy allows non provisionable devices Exchange Field Windows gray disabled.png Mac gray disabled.png Mobile black.png
Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange ActiveSync server.
  • If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'
Policy application status Exchange Field Windows gray disabled.png Mac gray disabled.png Mobile black.png
Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are:
  • not applied
  • applied in full: the policy is applied (unless the field 'Allow non provisionable devices' value is 'yes')
  • partially applied
Policy name Exchange Field Windows gray disabled.png Mac gray disabled.png Mobile black.png
Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox.
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
SD card encryption required Policy Field Windows gray disabled.png Mac gray disabled.png Mobile black.png
Indicates whether SD card encryption is required.
SID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier for the device
Storage policy Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the event storage policy for the device. Possible values are:
  • all: web requests, connections and executions are stored
  • connections and executions
  • executions
  • none: no activity is recorded
  • remove: the device will be removed from Engine during the next cleanup, as long as it is no longer sending data

Note that available events depend on the device platform

Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
System boot duration baseline Startup Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the system boot duration averaged over the last boots. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average).
System drive capacity Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Total capacity of system drive
System drive free space Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Total available free space on system drive
System drive usage Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Use percentage of system drive
Target version Nexthink Collector Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Collector package version that is targeted.
Total active days Activity Field Windows black.png Mac black.png Mobile black.png
Indicates the total number of days the device has been active. The value is updated every night.
Total CPU time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
Total drive capacity Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Total capacity of all drives
Total drive free space Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Total free space on all drives
Total drive usage Local drives Field Windows black.png Mac black.png Mobile gray disabled.png
Total use percentage of all drives
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total non-system drive capacity Local drives Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total capacity of all non-system drives
Total non-system drive free space Local drives Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total free space on all non-system drives
Total non-system drive usage Local drives Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total use percentage of all non-system drives
Total RAM Hardware Field Windows black.png Mac black.png Mobile gray disabled.png
Total amount of RAM
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile black.png
Indicates the universally unique identifier (based on Engine name and device ID).
Updater error Nexthink Collector Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the last Nexthink Collector Updater error.
Updater version Nexthink Collector Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Nexthink Collector Updater version.
Uptime Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Amount of time the machine has been running
User account control status Security Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
User account control status (ok, at risk or unknown)
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is generating HTTP or TLS traffic. This is counted with a 5-minute resolution.
Windows license key Operating system Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows license key
Windows Update status Operating system Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows Update status (ok, at risk or unknown)
WMI status Operating system Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows WMI service status (ok, failure)

Package

Software packages (programs or updates)


Field Group Type Windows black.png Mac black.png Mobile black.png
First installation Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Date of the first package installation on any device. This field is based on data reported by the operating system and requires the devices' date and time to be properly set
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique package identifier code
Name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package name
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of updates Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of updates (for programs)
Package status Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Package status (installed/removed)
Platform Properties Field Windows black.png Mac black.png Mobile black.png
The platform (operating system family) on which the package is installed
Program Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package program
Publisher Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package publisher
Status Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package status (installed/removed)
Type Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package type:
  • program
  • update (Windows only)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on package name and package publisher).
Version Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Package version
Windows 7 (32-bit) compatibility Nexthink Library (deprecated) Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows 7 (32-bit) compatibility of the package:
  • '-' : not yet tagged
  • No information available: not known by Nexthink Library
  • Compatible: compatible with Windows 7
Windows 7 (64-bit) compatibility Nexthink Library (deprecated) Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows 7 (64-bit) compatibility of the package:
  • '-' : not yet tagged
  • No information available: not known by Nexthink Library
  • Compatible: compatible with Windows 7

Application

Sets of executables (e.g. 'Microsoft Office')


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Application crash ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application crashes per 100 executions.
Application not responding event ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application not responding events per 100 executions.
Average incoming network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average incoming network bitrate
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average memory usage per execution Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
Average network response time Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing network bitrate
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Binary paths Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
List of executed binary paths (max. 50 paths)
Company Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Company producing the application
CPU usage ratio Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
Cumulated execution duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of executions
Cumulated network connection duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
Database usage Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the percentage of the Engine database used by the application.
Description Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Application description
First seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
First time activity of the application was recorded on any device
High application thread CPU time ratio Warnings Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique application identifier code
Incoming network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network incoming traffic
Incoming network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming network traffic divided by the number of devices.
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
Known packages Properties Field Windows black.png Mac black.png Mobile gray disabled.png
List of packages known to contain the application. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the application was installed through that package
Last seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Last time activity of the application was recorded on any device
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Application name
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of application crashes Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application crashes
Number of application not responding events Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application not responding events
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executables Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
Number of executions Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executions
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing network traffic divided by the number of devices.
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Platform Properties Field Windows black.png Mac black.png Mobile black.png
The platform (operating system family) on which the application is running
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
Storage policy Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the event storage policy for the application. Possible values are:
  • all: web requests, connections and executions are stored
  • connections and executions
  • executions
  • none: no activity is recorded
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
Total active days Activity Field Windows black.png Mac black.png Mobile gray disabled.png
Total number of days the application was active
Total CPU time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on package name and application company).
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is generating HTTP or TLS traffic. This is counted with a 5-minute resolution.

Executable

Executable programs (e.g. 'winword.exe')


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Application company Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Application company
Application crash ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application crashes per 100 executions.
Application name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Application name
Application not responding event ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application not responding events per 100 executions.
Average incoming network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average incoming network bitrate
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average memory usage per execution Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
Average network response time Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing network bitrate
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Binary paths Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
List of executed binary paths (max. 50 paths)
CPU usage ratio Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
Cumulated execution duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of executions
Cumulated network connection duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
Database usage Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the percentage of the Engine database used by the executable.
Description Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Executable description
First seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
First time activity of the executable was recorded on any device
High application thread CPU time ratio Warnings Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique executable identifier code
Incoming network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network incoming traffic
Incoming network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming network traffic divided by the number of devices.
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
Known packages Properties Field Windows black.png Mac black.png Mobile gray disabled.png
List of packages known to contain the executable. This list is not exhaustive: the presence of a package does not necessarily imply that the executable was installed through that package on a given device.
Last seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Last time activity of the executable was recorded on any device
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Executable name
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of application crashes Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application crashes
Number of application not responding events Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application not responding events
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executions Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executions
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing network traffic divided by the number of devices.
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Platform Properties Field Windows black.png Mac black.png Mobile black.png
The platform (operating system family) on which the executable is running
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
Storage policy Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the event storage policy for the executable. Possible values are:
  • all: web requests, connections and executions are stored
  • connections and executions
  • executions
  • none: no activity is recorded
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
Total active days Activity Field Windows black.png Mac black.png Mobile gray disabled.png
Total number of days the executable was active
Total CPU time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on application name, application company and executable name).
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.

Binary

Executable binary files (e.g. 'winword.exe - 10.0.6843')


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Application category Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the category of the application:
  • '-' : not yet tagged
  • Unknown: not categorized by Nexthink Library
Application company Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Application company
Application crash ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application crashes per 100 executions.
Application name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Application name
Application not responding event ratio Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the number of application not responding events per 100 executions.
Average CPU usage (deprecated) Activity Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average CPU usage over all logical processors since the first time the binary was seen. The value is the average CPU usage sampled every 5 minutes for each execution divided by the number of samples.
Average incoming network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average incoming network bitrate
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average memory usage (deprecated) Activity Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average memory usage since the first time the binary was seen. The value is the sum of the memory usage sampled every 5 minutes for each execution divided by the number of samples.
Average memory usage per execution Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
Average network response time Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average number of graphical handles Activity Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average number of graphical handles (GDI)
Average outgoing network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing network bitrate
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Binary paths Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
List of executed binary paths (max. 50 paths)
CPU usage ratio Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
Cumulated execution duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of executions
Cumulated network connection duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
Database usage Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the percentage of the Engine database used by the binary.
Description Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Description as it appears in the binary file
Executable name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Executable name
File size Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Binary file size
First seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
First time activity of the binary was recorded on any device
High application thread CPU time ratio Warnings Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique binary identifier code
Incoming network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network incoming traffic
Incoming network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming network traffic divided by the number of devices.
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
Last seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Last time activity of the binary was recorded on any device
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
MD5 hash Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the MD5 hash of the binary.
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of application crashes Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application crashes
Number of application not responding events Errors Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of application not responding events
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executions Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executions
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing network traffic divided by the number of devices.
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Paths Properties Field Windows black.png Mac black.png Mobile gray disabled.png
List of paths of the binary
Platform Properties Field Windows black.png Mac black.png Mobile gray disabled.png
The platform (operating system family) on which the binary is running
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
SHA-1 hash Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the SHA-1 hash of the binary.
Storage policy Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the event storage policy for the binary. Possible values are:
  • all: web requests, connections and executions are stored
  • connections and executions
  • executions
  • none: no activity is recorded
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
Threat level Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the threat level of the binary:
  • '-' : not yet tagged
  • none detected: no known threat
  • low: low threat
  • intermediate: intermediate threat
  • high: high threat
Total active days Activity Field Windows black.png Mac black.png Mobile gray disabled.png
Total number of days the binary was active
Total CPU time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on binary hash).
User interface Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Application has interactive user interface
Version Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Version of the binary
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.

Port

Connection ports (TCP or UDP)


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Average incoming network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average incoming network bitrate
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average network response time Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing network bitrate
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Cumulated network connection duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
First seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
First time activity of the port was recorded on any device
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique port identifier code
Incoming network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network incoming traffic
Incoming network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming network traffic divided by the number of devices.
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
Last seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Last time activity of the port was recorded on any device
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of applications Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executables Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing network traffic divided by the number of devices.
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Port number Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Port number
Port type Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Port type (tcp, udp, tcp port scan, udp port scan)
Port type/Port number Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Port value for tagging
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on port number).
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.

Destination

Devices receiving connections


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Average incoming network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average incoming network bitrate
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average network response time Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
Average outgoing network bitrate Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing network bitrate
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Cumulated network connection duration Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
Database usage Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the percentage of the Engine database used by the destination.
First seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
First time activity to the destination was recorded on any device
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique destination identifier code
Incoming network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network incoming traffic
Incoming network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming network traffic divided by the number of devices.
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
IP address Properties Field Windows black.png Mac black.png Mobile gray disabled.png
IP address for the destination
Last seen Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Last time activity to the destination was recorded on any device
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Name Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Reverse lookup name
Network availability level Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Indicates the ratio of successful TCP connections. The possible values are:
  • high: the ratio is greater than or equal to 98%
  • medium: the ratio is greater than or equal to 90% and less than 98%
  • low: the ratio is lower than 90%
Number of applications Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of connections Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of domains Inventory Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of domains
Number of executables Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network outgoing traffic
Outgoing network traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing network traffic divided by the number of devices.
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Successful network connections ratio Availability Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Percentage of successful TCP connections
Total network traffic Traffic Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Total network traffic (incoming and outgoing)
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the universally unique identifier (based on destination IP address).
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.

Domain

Domain names


Field Group Type Windows black.png Mac black.png Mobile black.png
Activity start time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Start time of investigated activity
Activity stop time Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Stop time of investigated activity
Average incoming web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average incoming bitrate of all underlying web requests, consolidated over time
Average outgoing web bitrate Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average outgoing bitrate of all underlying web requests, consolidated over time
Average web request duration Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
Average web request size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web requests
Average web response size Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average size of web responses
Database usage Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the percentage of the Engine database used by the domain.
Domain category Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the category of the domain:
  • '-' : not yet tagged or internal domain
First seen Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The first time the domain has been seen
Highest local privilege level reached Activity Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Highest local privilege level reached for executions (user, power user, administrator)
Hosting country Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates in which country the domain is hosted:
  • '-' : not yet tagged, internal domain or not known by Nexthink Library
Hostname Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The hostname of the fully qualified domain name
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique domain identifier code
Incoming web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
Incoming web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the incoming web traffic divided by the number of devices.
Internal domain Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the domain is considered internal:
  • yes: the domain is not reported to Nexthink Library and subdomains are not compressed using the '*' pattern
  • no: the domain is reported to the Nexthink Library (if the license includes the Security module); complex subdomains are compressed using the '*' pattern
Last seen Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The last time the domain has been seen
Lowest observed web protocol version Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
Name Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The fully qualified domain name
Number of applications Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
Number of binaries Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
Number of destinations Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of executables Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
Number of ports Inventory Aggregate Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Number of web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
Outgoing web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web outgoing traffic
Outgoing web traffic per device Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the outgoing web traffic divided by the number of devices.
Protocols used in web requests Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
Storage policy Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Event storage policy for the domain (web request or none)
Successful HTTP requests ratio Availability Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
Threat level Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the threat level of the domain:
  • '-' : not yet tagged or internal domain
  • none detected: no known threat
  • low: low threat
  • intermediate: intermediate threat
  • high: high threat
Total web traffic Traffic Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web traffic (incoming and outgoing)
UID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the universally unique identifier (based on domain name).
Web interaction time Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.

Printer

Installed printers (local, network, shared or virtual)


Field Group Type Windows black.png Mac black.png Mobile black.png
Display name Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Most frequently seen display name
First seen Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
First time activity of the printer was recorded on any device
Hostname Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates where the printer is hosted:
  • for local and smb printers: the hostname of the device the printer is connected to
  • for tcp/ip and wsd printers: usually the hostname of the printer itself
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique print identifier code
Last seen Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Last time activity of the printer was recorded on any device
Location Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Printer location
Model Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Printer model
Name Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique printer name
Number of devices Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of devices
Number of print jobs Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of print jobs
Number of printed pages Activity Aggregate Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printed pages
Number of users Inventory Aggregate Windows black.png Mac black.png Mobile black.png
Number of users
Type Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The type of the printer:
  • local: a locally connected or virtual printer
  • tcp/ip: a printer connected through a TCP/IP port
  • smb: a printer connected through an SMB (Server Message Block) port
  • wsd: a printer connected through a WSD (Web Services for Devices) port
UID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the universally unique identifier (based on printer name and model).


Activities

Activities represent actions performed by Objects.

Installation

Installations or uninstallations of software packages


Field Group Type Windows black.png Mac black.png Mobile black.png
Device ID Device Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the installation target device
Device name Device Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the installation target device
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique installation identifier code
Operation type Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Type of operation (installation, uninstallation)
Package ID Package Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the installed package
Package name Package Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the installed package
Package program Package Field Windows black.png Mac black.png Mobile gray disabled.png
Program of the installed package
Package publisher Package Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the installed package publisher
Package type Package Field Windows black.png Mac black.png Mobile gray disabled.png
Package type:
  • program
  • update (Windows only)
Package version Package Field Windows black.png Mac black.png Mobile gray disabled.png
Version of the installed package
Time of installation Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Installation start time

Execution

Executing processes (merged when in close succession)


Field Group Type Windows black.png Mac black.png Mobile black.png
Application name Application Field Windows black.png Mac black.png Mobile gray disabled.png
Executed application name
Average memory usage Activity Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the average memory usage of the underlying executions before aggregation with a sampling resolution of 5 minutes.
  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a single Chrome tab.
Binary path Application Field Windows black.png Mac black.png Mobile gray disabled.png
Executed binary path
Binary version Application Field Windows black.png Mac black.png Mobile gray disabled.png
Executed binary version
Cardinality Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying processes, consolidated over time
Device ID Device Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the executing device
Device IP addresses Device Field Windows black.png Mac black.png Mobile gray disabled.png
List of IP addresses of the executing device
Device name Device Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the executing device
Duration Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Total execution duration
End time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Execution end time
Executable name Application Field Windows black.png Mac black.png Mobile gray disabled.png
Executed executable name
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique execution identifier code
Incoming TCP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Incoming TCP traffic
Lifespan Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Execution lifespan in relation to investigation time frame
Outgoing TCP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Outgoing TCP traffic
Outgoing UDP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Outgoing UDP traffic
Privilege level Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Privilege level of the execution (user, power user, administrator)
Signature ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
ID of the related execution signature, i.e. a user executing a certain process on a particular device
Start time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Execution start time
Status Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Status of the execution (started, stopped)
Total CPU time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the sum of the CPU time of all executions (before aggregation by the Engine) over all logical processors.
  • Example: if we consider two executions that are launched at the same time (hence aggregated by the Engine), with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
User ID User Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the executing user
User name User Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the executing user
User SID User Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory

Connection

TCP or UDP connections (merged when in close succession)


Field Group Type Windows black.png Mac black.png Mobile black.png
Application name Application Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the connecting application
Average network response time Availability Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the average TCP connection establishment time. The value is the average over all underlying connections before aggregation.
Binary paths Application Field Windows black.png Mac black.png Mobile gray disabled.png
Paths of the connecting binary
Binary version Application Field Windows black.png Mac black.png Mobile gray disabled.png
Version of the connecting binary
Cardinality Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying connections, consolidated over time
Connection type Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Type of the connection (tcp, udp, tcp network scan, tcp port scan, udp network scan, udp port scan)
Destination IP address Destination Field Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connection destination
Destination name Destination Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the connection destination
Device ID Device Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the connecting device
Device IP address Device Field Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connecting device
Device name Device Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier for the connecting device
Duration Properties Field Windows black.png Mac black.png Mobile gray disabled.png
The time between the start of the first connection and end of the last underlying connection
End time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Connection end time, corresponding to the moment when the last underlying TCP connection was closed
Executable name Application Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the connecting executable
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Unique connection identifier code
Incoming bitrate Availability Field Windows black.png Mac black.png Mobile gray disabled.png
Average incoming bitrate of all underlying connections, consolidated over time
Incoming TCP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Incoming TCP traffic
Lifespan Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Connection lifespan in relation to investigation time frame
Outgoing bitrate Availability Field Windows black.png Mac black.png Mobile gray disabled.png
Average outgoing bitrate of all underlying connections, consolidated over time
Outgoing TCP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Outgoing TCP traffic
Outgoing UDP traffic Traffic Field Windows black.png Mac black.png Mobile gray disabled.png
Outgoing UDP traffic
Port number Port Field Windows black.png Mac black.png Mobile gray disabled.png
Port number of the connection
Signature ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
ID of the related connection signature, i.e. a user executing a certain process on a particular device which connects to a certain destination/port
Start time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Connection start time
Status Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Status of the connection (established, rejected, no service, no host, closed)
User ID User Field Windows black.png Mac black.png Mobile gray disabled.png
Unique identifier code of the connecting user
User name User Field Windows black.png Mac black.png Mobile gray disabled.png
Name of the connecting user
User SID User Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory

Web request

HTTP or TLS requests


Field Group Type Windows black.png Mac black.png Mobile black.png
Application name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of the application which made the web request
Binary paths Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Paths of the binary which made the web request
Binary version Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Version of the binary which made the web request
Cardinality Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of underlying web requests, consolidated over time
Connections duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
The time between start of the first connection and end of the last underlying connection
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique identifier code of the web request source
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the web request source
Domain name Domain Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of the web request destination domain
End time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request end time, corresponding to the moment when the last underlying TCP connection was closed
Executable name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of the executable which made the web request
HTTP status Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
HTTP response status code
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique request identifier code
Incoming web traffic Traffic Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Incoming web traffic of all underlying web requests, consolidated over time
Network response time Availability Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average TCP connection establishment time of all underlying connections, consolidated over time
Outgoing web traffic Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Outgoing web traffic of all underlying web requests, consolidated over time
Port number Port Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Port number of the web request
Protocol Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request protocol (HTTP, TLS)
Protocol version Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request protocol version
Service related Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the web request is related to a configured service:
  • yes: these requests are always visible to all users
  • no: depending on the privacy settings, requests not related to a service might not be visible to everyone
Signature ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
ID of the related web request signature, i.e. a user executing a certain process on a particular device which emits requests to a specific domain
Start time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request start time
URL path Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the expression used to match the web request against web-based services with URL path:
  • '-': the web request did not match against any service with URL path
User ID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique identifier code of the user who made the web request
User name User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of the user who made the web request
User SID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows security identifier for the user who made the web request.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory
Web request duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte of all underlying requests, consolidated over time

Print job

Print job submissions to printer drivers


Field Group Type Windows black.png Mac black.png Mobile black.png
Color enabled Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the print job has the capability to print in color. Color settings defined by the application performing the print job (usually through the application print dialog) are not taken into account.
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique identifier of the print job source
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the print job source
Document type Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Type of printed document
Duplex print Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the pages are printed on both sides of the sheet.
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique print job identifier
Number of pages Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printed pages
Paper size Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Paper size for printed pages
Print quality Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print quality
Printer model Printer Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Model of printer
Printer name Printer Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of printer
Size Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print job size in bytes
Status Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Status of the print job:
  • success: the job has been successfully sent to the printer
  • error: an error was detected during the print; the job might have been partially printed
  • unknown: the status of the print job could not be detected
Time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print job time
User ID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique identifier code of the printing user
User name User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of the printing user
User SID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory

System boot

System boots (timed between kernel start and launch of 'logonui.exe' process)


Field Group Type Windows black.png Mac black.png Mobile black.png
Device ID Device Field Windows black.png Mac black.png Mobile gray disabled.png
Unique device identifier
Device IP addresses Device Field Windows black.png Mac black.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time between the kernel start and the launch of the 'logonui.exe' process
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Boot event identifier
Time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Time of boot

User logon

User logons


Field Group Type Windows black.png Mac black.png Mobile black.png
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique device identifier code
Device IP addresses Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time between the user logging on and the desktop being shown.
Extended duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.

ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
User logon event identifier code
Time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Time of user logon
User ID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique user identifier code
User name User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of user
User SID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory


Events

Events are warnings or errors.

Device warning

Peaks in system resource usage (CPU, memory or I/O)


Field Group Type Windows black.png Mac black.png Mobile black.png
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique device identifier
Device IP addresses Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the duration of the event.
End time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event end time
Event info Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event information
High io usage Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High I/O usage
High memory usage Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High memory usage
High overall CPU usage Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High overall CPU usage.
High page faults Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High number of page faults
High thread CPU usage (deprecated) Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High thread CPU usage (deprecated).
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique performance event identifier
Start time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event start time
Warning duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the effective duration of the warning; it can be shorter than the event duration when the high CPU usage is not continuous.

  • Example: a high CPU usage warning started at 08:00 and lasted until 08:15 (event duration is 15 min). During these 15 min, the device was effectively in high CPU usage once for 60 s, twice for 120 s and once for 30 s; the warning duration is therefore 5 min 30 s.

Device error

Critical system errors (system crash, hard reset, or disk failure)


Field Group Type Windows black.png Mac black.png Mobile black.png
Device ID Device Field Windows black.png Mac black.png Mobile gray disabled.png
Unique device identifier code
Device IP addresses Device Field Windows black.png Mac black.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Error code Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the error code for system crashes (Windows bluescreens).
Error label Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the error label for system crashes (Windows bluescreens).
ID Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Problem identifier code
Time Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Time of error
Type Properties Field Windows black.png Mac black.png Mobile gray disabled.png
Indicates the device error type, with the following possible values:
  • system crash: a Windows bluescreen
  • hard reset: the device was abruptly stopped and then rebooted. It might be caused by pressing the reset button, a power failure or a crash
  • SMART disk failure: a disk error was detected on a disk with SMART technology

Execution warning

Peaks in application resource usage (CPU or memory)


Field Group Type Windows black.png Mac black.png Mobile black.png
Application name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of application
Binary version Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Version of binary
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique device identifier
Device IP addresses Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the duration of the event.
End time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event end time
Event info Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event information
Executable name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of executable
High memory usage Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High memory usage
High thread CPU usage Warnings Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
High thread CPU usage
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique performance event identifier code
Signature ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
ID of the related execution event signature, i.e. a user executing a certain process on a particular device
Start time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Performance event start time
User ID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique user identifier code
User name User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of user
User SID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory
Warning duration Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the effective duration of the warning; it can be shorter than the event duration when the high CPU usage is not continuous.

  • Example: a high CPU usage warning started at 08:00 and lasted until 08:15 (event duration is 15 min). During these 15 min, the device was effectively in high CPU usage once for 60 s, twice for 120 s and once for 30 s; the warning duration is therefore 5 min 30 s.

Execution error

Application errors (crash or not responding)


Field Group Type Windows black.png Mac black.png Mobile black.png
Application name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of application
Binary version Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Version of binary
Device ID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique device identifier code
Device IP addresses Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
List of IP addresses for the device
Device name Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the name of the device:
  • For Windows: NetBIOS name
  • For Mac OS: computer name used on the network
  • For Mobile: composed of the mailbox name and the device friendly name
Device SID Device Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Windows security identifier of the device
Executable name Application Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of executable
ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Error identifier code
Signature ID Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
ID of the related execution error signature, i.e. a user executing a certain process on a particular device
Time Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Time of error
Type Properties Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Error type
User ID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique user identifier code
User name User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Name of user
User SID User Field Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows security identifier for the user.
  • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory