NXQL Data Model

Objects

application

An application is a set of executables, e.g. 'Microsoft Office'. Platforms:

Name | Type | Windows | Mac | Mobile | Properties
company | string | Windows: yes | Mac: yes | Mobile: no
Company producing the application
database_usage | permill | Windows: yes | Mac: yes | Mobile: no
Percentage of the database used by information related with the application
description | string | Windows: yes | Mac: no | Mobile: no
Application description
first_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
First time activity of the application was recorded on any device.
id | identifier | Windows: yes | Mac: yes | Mobile: no
Unique application identifier
known_packages | string | Windows: yes | Mac: yes | Mobile: no
List of packages known to contain the application. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the application was installed through that package.
last_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
Last time activity of the application was recorded on any device.
name | string | Windows: yes | Mac: yes | Mobile: no
Application name
platform | enum | Windows: yes | Mac: yes | Mobile: no
The platform (operating system family) on which the application is running.
storage_policy | enum | Windows: yes | Mac: yes | Mobile: no
Indicates the event storage policy for the application. Possible values are:
  • all: web requests, connections and executions are stored;
  • connections and executions;
  • executions;
  • none: no activity is recorded.
total_active_days | day | Windows: yes | Mac: yes | Mobile: no
Total number of days the application was active.

binary

A binary is an executable binary file identified by its hash code. Platforms:

Name | Type | Windows | Mac | Mobile | Properties
application_category | string | Windows: yes | Mac: yes | Mobile: no | SE
Indicates the category of the application:
  • '-': Not yet tagged;
  • Unknown: Not categorized by Nexthink Library.
application_company | string | Windows: yes | Mac: yes | Mobile: no
Application company
application_name | string | Windows: yes | Mac: yes | Mobile: no
Application name
architecture | enum | Windows: yes | Mac: yes | Mobile: no
Executable architecture (32/64 bit)
average_cpu_usage | permill | Windows: yes | Mac: no | Mobile: no
Average CPU usage for the binary
average_memory_usage | byte | Windows: yes | Mac: no | Mobile: no | NU
Average memory usage for the binary
average_number_of_graphical_handles | integer | Windows: yes | Mac: no | Mobile: no | NU
Average number of graphical handles (GDI)
company | string | Windows: yes | Mac: yes | Mobile: no
Executable company
database_usage | permill | Windows: yes | Mac: yes | Mobile: no
Percentage of the database used by information related with the binary.
description | string | Windows: yes | Mac: no | Mobile: no
Description as it appears in the binary file.
executable_name | string | Windows: yes | Mac: yes | Mobile: no
Executable name
file_size | byte | Windows: yes | Mac: yes | Mobile: no
Binary file size
first_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
First time activity of the binary was recorded on any device.
hash | md5 | Windows: yes | Mac: yes | Mobile: no
Hash code of the binary (MD5)
id | identifier | Windows: yes | Mac: yes | Mobile: no
Unique binary identifier
last_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
Last time activity of the binary was recorded on any device.
paths | path | Windows: yes | Mac: yes | Mobile: no
List of paths of the binary
platform | enum | Windows: yes | Mac: yes | Mobile: no
The platform (operating system family) on which the binary is running.
sha1 | sha1 | Windows: yes | Mac: yes | Mobile: no
SHA-1 hash code of the binary
sha256 | sha256 | Windows: yes | Mac: yes | Mobile: no
SHA-256 hash code of the binary
storage_policy | enum | Windows: yes | Mac: yes | Mobile: no
Event storage policy for the binary (connection and execution, execution-only or none)
threat_level | enum | Windows: yes | Mac: yes | Mobile: no | SE
Indicates the threat level of the binary:
  • '-': Not yet tagged;
  • none detected: No known threat;
  • low: low threat;
  • intermediate: Intermediate threat;
  • high: high threat.
total_active_days | day | Windows: yes | Mac: yes | Mobile: no
Total number of days the binary was active.
user_interface | boolean | Windows: yes | Mac: no | Mobile: no
Application has interactive user interface
version | version | Windows: yes | Mac: yes | Mobile: no
Version of the binary

destination

A destination is a device or server receiving TCP/UDP connections. Platforms:

Name | Type | Windows | Mac | Mobile | Properties
database_usage | permill | Windows: yes | Mac: yes | Mobile: no
Percentage of the database used by information related with the destination
first_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
First time activity to the destination was recorded on any device.
id | identifier | Windows: yes | Mac: yes | Mobile: no
Unique destination identifier
ip_address | ip_address | Windows: yes | Mac: yes | Mobile: no
IP address for the destination
last_seen | datetime | Windows: yes | Mac: yes | Mobile: no | NU
Last time activity to the destination was recorded on any device.
name | string | Windows: yes | Mac: yes | Mobile: no
Reverse lookup name

device

A device is a Windows physical or virtual machine monitored by a Nexthink Collector. Platforms:

Name | Type | Windows | Mac | Mobile | Properties
administrator_account_status | enum | Windows: yes | Mac: no | Mobile: no
Determines whether the local Administrator account is enabled or disabled.
all_antispywares | string | Windows: yes | Mac: no | Mobile: no
Summary information about all the detected antispyware:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
all_antiviruses | string | Windows: yes | Mac: no | Mobile: no
Summary information about all the detected antiviruses:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
all_firewalls | string | Windows: yes | Mac: no | Mobile: no
Summary information about all the detected firewalls:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
allow_non_provisionable_devices | boolean | Windows: no | Mac: no | Mobile: yes | NU
Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange ActiveSync server. If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'.
antispyware_name | string | Windows: yes | Mac: no | Mobile: no | NU
Name of the main antispyware
antispyware_rtp | enum | Windows: yes | Mac: no | Mobile: no
Indicates whether the antispyware real time protection (RTP) is active:
  • on: Indicates that RTP is active;
  • off: Indicates that either RTP is not active or no antivirus has been detected;
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
antispyware_up_to_date | enum | Windows: yes | Mac: no | Mobile: no
Indicates whether the antispyware is up-to-date:
  • yes: Indicates that antispyware is up-to-date;
  • no: Indicates that either the antispyware is not up-to-date or no antispyware has been detected;
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
antivirus_name | string | Windows: yes | Mac: no | Mobile: no | NU
Name of the main antivirus
antivirus_rtp | enum | Windows: yes | Mac: no | Mobile: no
Indicates whether the antivirus real time protection (RTP) is active:
  • on: Indicates that RTP is active;
  • off: Indicates that either RTP is not active or no antivirus has been detected;
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
antivirus_up_to_date | enum | Windows: yes | Mac: no | Mobile: no
Indicates whether the antivirus is up-to-date:
  • yes: Indicates that antivirus is up-to-date;
  • no: Indicates that either the antivirus is not up-to-date or no antivirus has been detected;
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
audit_account_logon_events | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
audit_account_management | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit each event of account management on a computer.
audit_directory_service_access | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
audit_logon_events | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit each instance of a user logging on to or logging off from a computer.
audit_object_access | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit the event of a user accessing an object (e.g. a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.
audit_policy_change | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
audit_privilege_use | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit each instance of a user exercising a user right.
audit_process_tracking | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
audit_system_events | enum | Windows: yes | Mac: no | Mobile: no
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
average_boot_duration | millisecond | Windows: yes | Mac: no | Mobile: no | NU
System boot duration baseline
average_logon_duration | millisecond | Windows: yes | Mac: no | Mobile: no | NU
User logon duration baseline
bios_serial_number | string | Windows: yes | Mac: no | Mobile: no | NU
BIOS serial number
chassis_serial_number | string | Windows: yes | Mac: no | Mobile: no | NU
Chassis serial number
collector_distinguished_name | string | Windows: yes | Mac: no | Mobile: no | NU
Indicates the distinguished name (DN) as seen:
  • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed;
  • For Mobile: In the Exchange ActiveSync server.
Note that this DN is reported by the Collector.
collector_installation_log | string | Windows: yes | Mac: no | Mobile: no | NU
Link to the last Nexthink Collector installation error log
collector_package_target_version | version | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the Collector package version that is targeted.
collector_status | enum | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the status of the Nexthink Collector package installed on the device:
  • unmanaged: the Collector is not automatically updated
  • up-to-date: the Collector is up-to-date
  • outdated: a newer Collector version is available.
collector_tag | integer | Windows: yes | Mac: no | Mobile: no
Collector installation tag
collector_update_status | enum | Windows: yes | Mac: no | Mobile: no
Current status of Nexthink Collector Updater
collector_version | version | Windows: yes | Mac: yes | Mobile: no
Version number of Nexthink Collector installation
cpu_frequency | mhz | Windows: yes | Mac: yes | Mobile: no | NU
CPU frequency
cpu_model | string | Windows: yes | Mac: yes | Mobile: no | NU
CPU model
database_usage | permill | Windows: yes | Mac: yes | Mobile: yes
Percentage of the database used by information related with the device
device_encryption_required | boolean | Windows: no | Mac: no | Mobile: yes | NU
Indicates whether device encryption is required.
device_manufacturer | string | Windows: yes | Mac: yes | Mobile: no | NU
Indicates the device manufacturer.
device_model | string | Windows: yes | Mac: yes | Mobile: no | NU
Indicates the model of the device.
device_password_required | boolean | Windows: no | Mac: no | Mobile: yes | NU
Indicates whether a password is required on the device.
device_product_id | string | Windows: yes | Mac: yes | Mobile: no | NU
Device product ID
device_product_version | string | Windows: yes | Mac: yes | Mobile: no | NU
Device product version
device_serial_number | string | Windows: yes | Mac: yes | Mobile: no | NU
Indicates the device serial number.
device_type | enum | Windows: yes | Mac: yes | Mobile: no
Type of device (desktop, laptop, server, mobile)
device_uid | md5 | Windows: yes | Mac: yes | Mobile: yes
Indicates the universally unique identifier (based on Engine name and device ID)
device_uuid | string | Windows: yes | Mac: yes | Mobile: yes
Indicates the device universally unique identifier (UUID)
directory_service_site | string | Windows: yes | Mac: no | Mobile: no | NU
Site (or location) of an Active Directory (AD) service
disks_manufacturers | string | Windows: yes | Mac: no | Mobile: no
Hard disks manufacturers
disks_smart_index | percent | Windows: yes | Mac: no | Mobile: no | NU
Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes)
distinguished_name | string | Windows: yes | Mac: no | Mobile: yes | NU
Indicates the distinguished name (DN) as seen:
  • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed;
  • For Mobile: In the Exchange ActiveSync server.
eas_access_state | enum | Windows: no | Mac: no | Mobile: yes
Indicates whether the device can access the Exchange ActiveSync server. The possible states are:
  • allowed: the device has access;
  • blocked: the device is blocked;
  • discovery: the device is temporarily quarantined while it is being identified by the Exchange ActiveSync server;
  • quarantined: the device is waiting for Exchange ActiveSync administrator approval.
eas_access_state_reason | enum | Windows: no | Mac: no | Mobile: yes
Indicates the reason for the device access state. The possible values are:
  • global: caused by the global access settings;
  • device rule: caused by a device access rule;
  • individual: caused by an individual exemption;
  • policy: caused by Exchange ActiveSync policy.
eas_device_access_rule | string | Windows: no | Mac: no | Mobile: yes
Indicates the name of the access rule. An access rule allows, blocks or quarantines devices based on the device type, model, OS or user agent characteristics.
eas_device_identity | string | Windows: no | Mac: no | Mobile: yes
Indicates the identity of the device in Exchange ActiveSync Server.
eas_exemption | enum | Windows: no | Mac: no | Mobile: yes
Indicates whether a personal exemption is set for the device and its user. Possible values are:
  • none;
  • allow;
  • block.
eas_policy_application_status | enum | Windows: no | Mac: no | Mobile: yes
Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are:
  • not applied;
  • applied in full: the policy is applied (unless the field 'Allow non provisionable devices' value is 'yes');
  • partially applied.
eas_policy_name | string | Windows: no | Mac: no | Mobile: yes
Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox.
eas_policy_update | datetime | Windows: no | Mac: no | Mobile: yes
Indicates the last time the Exchange ActiveSync policy was updated on the device.
email_attachment_enabled | boolean | Windows: no | Mac: no | Mobile: yes | NU
Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol.
enforce_password_history | integer | Windows: yes | Mac: no | Mobile: yes | NU
Indicates the number of unique passwords that have to be associated with a user account before an old password can be reused.
entity | string | Windows: yes | Mac: yes | Mobile: yes
Entity
extended_logon_duration_baseline | millisecond | Windows: yes | Mac: no | Mobile: no | NU
Extended logon duration baseline
firewall_name | string | Windows: yes | Mac: no | Mobile: no | NU
Name of the main firewall
firewall_rtp | enum | Windows: yes | Mac: no | Mobile: no
Indicates whether the firewall real time protection (RTP) is active:
  • on: Indicates that RTP is active;
  • off: Indicates that either RTP is not active or no antivirus has been detected;
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
first_seen | datetime | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the first time when the activity of the device was recorded:
  • For Windows and Mac OS: The first time Collector reported activity;
  • For Mobile: The first time the device was reported with a successful synchronization.
graphical_card_ram | byte | Windows: yes | Mac: no | Mobile: no | NU
Amount of RAM of the graphical card with most RAM
graphical_cards | string | Windows: yes | Mac: no | Mobile: no
Installed graphical cards
group_name | string | Windows: yes | Mac: yes | Mobile: no | NU
Name of computer domain or workgroup
guest_account_status | enum | Windows: yes | Mac: no | Mobile: no
Determines if the Guest account is enabled or disabled.
hard_disks | string | Windows: yes | Mac: yes | Mobile: no | NC
List of all hard disks
id | identifier | Windows: yes | Mac: yes | Mobile: yes
Unique device identifier
internet_security_settings | enum | Windows: yes | Mac: no | Mobile: no
Internet security settings (ok, at risk or unknown)
ip_addresses | ip_address | Windows: yes | Mac: yes | Mobile: no
List of IP addresses for the device
is_collector_distinguished_name_truncated | boolean | Windows: yes | Mac: no | Mobile: no
Flag indicating whether the collector DN is truncated or not
is_directory_service_site_truncated | boolean | Windows: yes | Mac: no | Mobile: no
Flag indicating whether the DS site is truncated or not
last_boot_duration | millisecond | Windows: yes | Mac: no | Mobile: no | NU
Duration of last system boot
last_extended_logon_duration | millisecond | Windows: yes | Mac: no | Mobile: no | NU
Last extended logon duration
last_ip_address | ip_address | Windows: yes | Mac: yes | Mobile: no | NU
Last IP address assigned to the device
last_known_connection_status | enum | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the last known connection status of the device:
  • 'UDP': the device successfully connected via UDP but not TCP.
  • 'TCP': the device successfully connected via TCP but not UDP.
  • 'UDP+TCP': the device successfully connected via both UDP and TCP.
  • '-': Collector version is below V6.6.
last_logged_on_user | string | Windows: yes | Mac: no | Mobile: no | NU
Last logged on user
last_logon_duration | millisecond | Windows: yes | Mac: no | Mobile: no | NU
Last user logon duration
last_logon_time | datetime | Windows: yes | Mac: no | Mobile: no | NU
Last logon time
last_seen | datetime | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the last time that activity on the device was reported:
  • For Windows and Mac OS: The last time Collector reported activity through the UDP channel;
  • For Mobile: The last time the device successfully synchronized with the Mobile Bridge.
last_seen_on_tcp | datetime | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the last time that the device was successfully connected through the TCP channel.
  • '-': The Collector is an older version that does not support TCP.
last_system_boot | datetime | Windows: yes | Mac: yes | Mobile: no | NU
Time of last system boot
last_update | datetime | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the last Collector update time.
last_update_status | enum | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the status of the last Collector update:
  • '-': the Collector was never updated
  • successful installation: the last Collector installation was successful
  • package download error: the Collector was not able to download the Collector package from Nexthink Appliance
  • package digital signature error: the Collector was not able to check the Collector package digital signature
  • device reboot required: the device needs to be rebooted to complete the Collector installation
  • package error: the Collector package installation has failed
  • internal error: the Collector package installation has failed for an unexpected reason.
last_updater_request | datetime | Windows: yes | Mac: no | Mobile: no | NU
Last time Nexthink Updater checked for updates
last_windows_update | datetime | Windows: yes | Mac: no | Mobile: no | NU
Time of last system Update
local_administrators | string | Windows: yes | Mac: no | Mobile: no
Users and groups which are members of the Local Administrators group on the device.
local_power_users | string | Windows: yes | Mac: no | Mobile: no
Users and groups which are members of the Local Power Users group on the device.
logical_cpu_number | integer | Windows: yes | Mac: yes | Mobile: no | NU
Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading.
logical_drives | string | Windows: yes | Mac: yes | Mobile: no
List of all logical drives
mac_addresses | mac_address | Windows: yes | Mac: yes | Mobile: no
List of MAC addresses for the device
maximum_password_age | integer | Windows: yes | Mac: no | Mobile: yes | NU
Indicates the period in time (in days) during which the password can be used before the system requires the user to change it:
  • Windows: As set up in the group policy;
  • Mobile: As set up in security policies.
membership_type | enum | Windows: yes | Mac: no | Mobile: no
Type of computer membership (domain/workgroup)
minimum_password_age | integer | Windows: yes | Mac: no | Mobile: no | NU
Period of time (in days) that a password must be used before the user can change it.
minimum_password_length | integer | Windows: yes | Mac: no | Mobile: no | NU
Least number of characters that a password for a user account may contain.
monitor_models | string | Windows: yes | Mac: no | Mobile: no
Models of connected monitors
monitor_resolutions | string | Windows: yes | Mac: no | Mobile: no
Screen resolutions of connected monitors
monitors | string | Windows: yes | Mac: no | Mobile: no
Connected monitors
monitors_serial_numbers | string | Windows: yes | Mac: no | Mobile: no
Serial numbers of connected monitors (ordered as in 'Monitors')
name | string | Windows: yes | Mac: yes | Mobile: yes
Indicates the name of the device:
  • For Windows: NetBios Name;
  • For Mac OS: Computer name used on the network;
  • For Mobile: Composed by mailbox name and device friendly name.
number_of_antispyware | enum | Windows: yes | Mac: no | Mobile: no
Number of antispyware detected:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
number_of_antiviruses | enum | Windows: yes | Mac: no | Mobile: no
Number of antiviruses detected:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
number_of_cores | integer | Windows: yes | Mac: yes | Mobile: no | NU
Number of cores
number_of_cpus | integer | Windows: yes | Mac: yes | Mobile: no | NU
Number of CPUs
number_of_days_since_first_seen | integer | Windows: yes | Mac: yes | Mobile: no | NU
Number of days since activity of the device was first recorded in the system.
number_of_days_since_last_boot | integer | Windows: yes | Mac: yes | Mobile: no | NU
Number of days since last system boot
number_of_days_since_last_eas_policy_update | integer | Windows: no | Mac: no | Mobile: yes | NU
Indicates the number of days since the last Exchange ActiveSync policy update.
number_of_days_since_last_logon | integer | Windows: yes | Mac: no | Mobile: no | NU
Number of days since last logon
number_of_days_since_last_seen | integer | Windows: yes | Mac: yes | Mobile: no | NU
Indicates the number of days since the last time the device was seen by Nexthink. The field is updated whenever device activity is detected:
  • For Windows and Mac OS: seen through the UDP channel;
  • For Mobile: seen through the Mobile Bridge.
number_of_days_since_last_seen_on_tcp | integer | Windows: yes | Mac: no | Mobile: no | NU
Indicates the number of days since the last time the device was successfully connected through the TCP channel.
  • '-': The Collector is an older version that does not support TCP.
number_of_days_since_last_windows_update | integer | Windows: yes | Mac: no | Mobile: no | NU
Number of days since last system Update
number_of_firewalls | enum | Windows: yes | Mac: no | Mobile: no
Number of firewalls detected:
  • unknown: Indicates that the information could not be retrieved;
  • N/A: This field is not available on this operating system;
  • '-': No data, incompatible collector version or the data is not yet available.
number_of_graphical_cards | integer | Windows: yes | Mac: no | Mobile: no
Number of installed graphical cards
number_of_monitors | integer | Windows: yes | Mac: yes | Mobile: no
Number of connected monitors
os_architecture | enum | Windows: yes | Mac: yes | Mobile: no
Architecture of device operating system (x86/x64)
os_build | version | Windows: yes | Mac: no | Mobile: no
Indicates the build number of the operating system.
os_version_and_architecture | string | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates name, version and architecture (when applicable) of the operating system.
  • unknown: the OS version could not be retrieved or it could not be mapped to a recognized value.
password_complexity_requirements | enum | Windows: yes | Mac: no | Mobile: yes
Indicates whether password complexity is required:
  • Windows: The password must meet complexity requirements as defined in the group policy;
  • Mobile: No simple passwords are allowed or a minimum password length is set, as defined in the security policy.
platform | enum | Windows: yes | Mac: yes | Mobile: yes
Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are:
  • Windows;
  • Mac OS;
  • Mobile.
privileges_of_last_logged_on_users | enum | Windows: yes | Mac: no | Mobile: no
Privileges of the last logged on user (user, power user, administrator)
sd_card_encryption_required | boolean | Windows: no | Mac: no | Mobile: yes | NU
Indicates whether SD card encryption is required.
sid | sid | Windows: yes | Mac: no | Mobile: no | NU
Windows security identifier for the device.
storage_policy | enum | Windows: yes | Mac: yes | Mobile: yes
Indicates the event storage policy for the device. Possible values are:
  • all: web requests, connections and executions are stored;
  • connections and executions;
  • executions;
  • none: no activity is recorded;
  • remove: The device will be removed from Engine during the next cleanup, as long as it is no longer sending data.
Note that available events depend on the device platform.
system_drive_capacity | byte | Windows: yes | Mac: yes | Mobile: no
Total capacity of system drive
system_drive_free_space | byte | Windows: yes | Mac: yes | Mobile: no
Total available free space on system drive
system_drive_usage | percent | Windows: yes | Mac: yes | Mobile: no | NU
Use percentage of system drive
total_active_days | day | Windows: yes | Mac: yes | Mobile: no
Total number of days the device was active.
total_drive_capacity | byte | Windows: yes | Mac: yes | Mobile: no
Total capacity of all drives
total_drive_free_space | byte | Windows: yes | Mac: yes | Mobile: no
Total free space on all drives
total_drive_usage | permill | Windows: yes | Mac: yes | Mobile: no | NU
Total use percentage of all drives
total_nonsystem_drive_capacity | byte | Windows: yes | Mac: no | Mobile: no
Total capacity of all non-system drives
total_nonsystem_drive_free_space | byte | Windows: yes | Mac: no | Mobile: no
Total free space on all non-system drives
total_nonsystem_drive_usage | percent | Windows: yes | Mac: no | Mobile: no | NU
Total use percentage of all non-system drives
total_ram | byte | Windows: yes | Mac: yes | Mobile: no | NU
Total amount of RAM
updater_error | string | Windows: yes | Mac: no | Mobile: no
Last Nexthink Collector Updater error
updater_version | version | Windows: yes | Mac: no | Mobile: no
Nexthink Collector Updater version
upgrade_group | enum | Windows: yes | Mac: yes | Mobile: yes | NU
Indicates the update group of Nexthink Collector:
  • manual: the Collector is manually updated
  • pilot: the Collector is updated as part of the pilot group
  • main: the Collector is updated as part of the main group.
user_account_control_status | enum | Windows: yes | Mac: no | Mobile: no
User account control status (ok, at risk or unknown)
windows_license_key | string | Windows: yes | Mac: no | Mobile: no | NU
Windows license key
windows_updates_status | enum | Windows: yes | Mac: no | Mobile: no
Windows update status (ok, at risk or unknown)
wmi_status | enum | Windows: yes | Mac: no | Mobile: no
Windows WMI service status (ok, failure)

domain

A domain is a domain name e.g. www.nexthink.com. Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
database_usage permill Windows black.png Mac gray disabled.png Mobile gray disabled.png
Percentage of the database used by information related with the domain
domain_category string Windows black.png Mac gray disabled.png Mobile gray disabled.png SE
Indicates the category of the domain:
  • '-': Not yet tagged or internal domain.
first_seen datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
The first time the domain has been seen.
hosting_country string Windows black.png Mac gray disabled.png Mobile gray disabled.png SE
Indicates in which country the domain is hosted:
  • '-': Not yet tagged, internal domain or not known by Nexthink Library.
hostname string Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
The hostname of the fully qualified domain name
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique domain identifier
internal_domain boolean Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the domain is considered internal:
  • yes: The domain is not reported to Nexthink Library and subdomains are not compressed using the '*' pattern;
  • no: The domain is reported to the Nexthink Library (if the license includes the Security module); complex subdomains are compressed using the '*' pattern.
last_seen datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
The last time the domain has been seen.
name string Windows black.png Mac gray disabled.png Mobile gray disabled.png
The fully qualified domain name
protocol enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
response_size byte Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total web incoming traffic
storage enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Event storage policy for the domain (web request or none)
threat_level enum Windows black.png Mac gray disabled.png Mobile gray disabled.png SE
Indicates the threat level of the domain:
  • '-': Not yet tagged or internal domain;
  • none detected: No known threat;
  • low: low threat;
  • intermediate: Intermediate threat;
  • high: High threat.

executable

An executable is an executable program, e.g. 'winword.exe'. Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
application_company string Windows black.png Mac black.png Mobile gray disabled.png
Application company
application_name string Windows black.png Mac black.png Mobile gray disabled.png
Application name
database_usage permill Windows black.png Mac black.png Mobile gray disabled.png
Percentage of the database used by information related with the executable.
description string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Executable description
first_seen datetime Windows black.png Mac black.png Mobile gray disabled.png NU
First time activity of the executable was recorded on any device.
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique executable identifier
known_packages string Windows black.png Mac black.png Mobile gray disabled.png
List of packages known to contain the executable. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the executable was installed through that package.
last_seen datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Last time activity of the executable was recorded on any device.
name string Windows black.png Mac black.png Mobile gray disabled.png
Executable name
platform enum Windows black.png Mac black.png Mobile gray disabled.png
The platform (operating system family) on which the executable is running.
storage_policy enum Windows black.png Mac black.png Mobile gray disabled.png
Indicates the event storage policy for the executable. Possible values are:
  • all: web requests, connections and executions are stored;
  • connections and executions;
  • executions;
  • none: no activity is recorded.
total_active_days day Windows black.png Mac black.png Mobile gray disabled.png
Total number of days the executable was active.

package

A package is a software package (program or update). Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
first_installation datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Time of first installation
first_seen datetime Windows black.png Mac black.png Mobile gray disabled.png NU
The first time the package has been seen.
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique package identifier
name string Windows black.png Mac black.png Mobile gray disabled.png
Package name
number_of_updates integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of updates (for programs)
platform enum Windows black.png Mac black.png Mobile gray disabled.png
The platform (operating system family) on which the package is installed.
program string Windows black.png Mac black.png Mobile gray disabled.png
Package program
publisher string Windows black.png Mac black.png Mobile gray disabled.png NU
Package publisher
status enum Windows black.png Mac black.png Mobile gray disabled.png
Package status (installed/removed)
type enum Windows black.png Mac black.png Mobile gray disabled.png
Package type (program/update)
version string Windows black.png Mac black.png Mobile gray disabled.png NU
Package version
windows_7_32bit_compatibility string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows 7 (32-bit) compatibility of the package:
  • '-': Not yet tagged;
  • No information available: Not known by Nexthink Library;
  • Compatible: Compatible with Windows 7.
windows_7_64bit_compatibility string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates the Windows 7 (64-bit) compatibility of the package:
  • '-': Not yet tagged;
  • No information available: Not known by Nexthink Library;
  • Compatible: Compatible with Windows 7.

port

A port is a TCP or UDP connection port. Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
first_seen datetime Windows black.png Mac black.png Mobile gray disabled.png NU
First time activity of the port was recorded on any device.
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique port identifier
last_seen datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Last time activity of the port was recorded on any device.
port_number integer Windows black.png Mac black.png Mobile gray disabled.png
Port number
port_type enum Windows black.png Mac black.png Mobile gray disabled.png
Port type (tcp, udp, tcp port scan, udp port scan)
port_value port Windows black.png Mac black.png Mobile gray disabled.png
Port value for tagging

printer

A printer is an installed printer (local, network, shared or virtual). Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
first_seen datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
First time activity of the printer was recorded on any device.
host_name string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Host name
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique print identifier
last_seen datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Last time activity of the printer was recorded on any device.
location string Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Printer location
model string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Printer model
name string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Printer name
real_name string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Most frequently seen display name
type enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Printer type (local/remote)

service

A service represents an IT service in your organization, such as the mail service or the directory service. Services are either based on TCP connections (for Windows and Mac devices) or on web requests (for Windows devices only). Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
id integer Windows black.png Mac black.png Mobile gray disabled.png
Unique service identifier
name string Windows black.png Mac black.png Mobile gray disabled.png
Service name
status enum Windows black.png Mac black.png Mobile gray disabled.png
Service status (active, error)
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of service (network, web)

url_path

A url_path is a URL path after the domain name e.g. [www.nexthink.com]/awards/. Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique url path identifier
path string Windows black.png Mac gray disabled.png Mobile gray disabled.png
The URL path

user

A user is an object that represents an individual account in a device (local user) or in a group of devices (domain user). The account may identify a physical user or a system user. Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
database_usage permill Windows black.png Mac black.png Mobile black.png
Percentage of the database used by information related with the user
department string Windows black.png Mac black.png Mobile black.png
User department as listed in active directory
distinguished_name string Windows black.png Mac black.png Mobile black.png NU
Active directory distinguished name (DN)
first_seen datetime Windows black.png Mac black.png Mobile black.png NU
First time activity of the user was recorded on any device.
full_name string Windows black.png Mac black.png Mobile black.png NU
Full user name as listed in active directory
id identifier Windows black.png Mac black.png Mobile black.png
Unique user identifier
job_title string Windows black.png Mac black.png Mobile black.png NU
Job title as listed in active directory
last_seen datetime Windows black.png Mac black.png Mobile black.png NU
Last time activity of the user was recorded on any device.
name string Windows black.png Mac black.png Mobile black.png
User logon name
number_of_days_since_last_seen integer Windows black.png Mac black.png Mobile gray disabled.png NU
Indicates the number of days since the last time the user was seen by Nexthink. The field is updated whenever user activity is detected.
seen_on_mac_os boolean Windows black.png Mac black.png Mobile black.png
Indicates if the user has been seen on a Mac device.
seen_on_mobile boolean Windows black.png Mac black.png Mobile black.png
Indicates if the user has been seen on a Mobile device.
seen_on_windows boolean Windows black.png Mac black.png Mobile black.png
Indicates if the user has been seen on a Windows device.
sid sid Windows black.png Mac black.png Mobile black.png NU
Indicates the Windows security identifier for the user. For Mac OS, '-' means that the user is not in Active Directory.
total_active_days day Windows black.png Mac black.png Mobile black.png
Total number of days the user was active.
type enum Windows black.png Mac black.png Mobile black.png
Type of user (local/domain/system)

Events

connection 

A connection is a TCP connection or a UDP packet. Several identical TCP connections or UDP packets are merged when in close succession.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
cardinality integer Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying connections, consolidated over time
destination_ip_address ip_address Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connection destination
device_ip_address ip_address Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connection source
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
The time between the start of the first connection and the end of the last underlying connection.
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Connection end time, corresponding to the moment when the last underlying connection was closed.
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique connection identifier
incoming_bitrate bps Windows black.png Mac black.png Mobile gray disabled.png NU
Average incoming bitrate of all underlying connections, consolidated over time
incoming_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Incoming traffic
network_interface_iana_code string Windows black.png Mac black.png Mobile gray disabled.png
(beta) Indicates the network interface IANA code.
network_interface_index integer Windows black.png Mac black.png Mobile gray disabled.png
(beta) Indicates the network interface index.
network_interface_type enum Windows black.png Mac black.png Mobile gray disabled.png
(beta) Indicates the network interface type. Possible values are:
  • wifi
  • ethernet
  • mobile
  • other
  • unknown: the Collector does not support the interface type.
network_response_time microsecond Windows black.png Mac black.png Mobile gray disabled.png
TCP connection establishment time
outgoing_bitrate bps Windows black.png Mac black.png Mobile gray disabled.png NU
Average outgoing bitrate of all underlying connections, consolidated over time
outgoing_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Outgoing traffic
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Connection start time
status enum Windows black.png Mac black.png Mobile gray disabled.png
Status of the connection (established, rejected, no service, no host, closed)
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the connection (tcp, udp)

device_activity 

A device_activity is a device activity (boot or activity).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Boot duration (timed between kernel start and launch of 'logonui.exe' process) or online duration
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Boot event identifier
time datetime Windows black.png Mac black.png Mobile gray disabled.png
Time of boot
type enum Windows black.png Mac black.png Mobile gray disabled.png
Activity event information

device_error 

A device_error is a critical system error (system crash, hard reset, or disk error).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
error_code integer Windows black.png Mac black.png Mobile gray disabled.png
Error code
error_label string Windows black.png Mac black.png Mobile gray disabled.png
Error label
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Problem identifier
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Time of error
type enum Windows black.png Mac black.png Mobile gray disabled.png
Indicates the device error type, with the following possible values:
  • system crash: a Windows blue screen of death;
  • hard reset: the device was abruptly stopped and then rebooted. It might be caused by pressing the reset button, a power failure or a crash;
  • SMART disk failure: a disk error was detected on a disk with SMART technology.

device_performance (Public Beta) 

A device_performance reports the average IOPS, CPU and memory of a device during one hour.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
average_cpu_usage percent Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average CPU usage on the period
average_memory_usage byte Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average memory usage on the period
duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
Total report duration
end_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png
Report end time
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique report identifier
read_bytes byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total disk read bytes accumulated during the period
read_operations integer Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total disk read operations accumulated during the period
time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png
Start time
write_bytes byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total disk write bytes accumulated during the period
write_operations integer Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total disk write operations accumulated during the period

device_warning 

A device_warning is a peak in device resource usage (CPU, memory or I/O).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Performance event duration
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Performance event end time
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique performance event identifier
info string Windows black.png Mac black.png Mobile gray disabled.png
Performance event information
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Performance event start time
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the device warning (high cpu usage, high io usage, high memory usage or high number of page faults).
value percent Windows black.png Mac black.png Mobile gray disabled.png
Performance percentage
warning_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.

execution 

An execution is a process executing on a device. Several executions of the same process are merged when in close succession.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
average_memory_usage byte Windows black.png Mac black.png Mobile gray disabled.png
Average memory usage
binary_path path Windows black.png Mac black.png Mobile gray disabled.png
Executed binary path
cardinality integer Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying processes, consolidated over time
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Total execution duration
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Execution end time
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique execution identifier
incoming_tcp_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Incoming TCP traffic
incoming_udp_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Incoming UDP traffic
outgoing_tcp_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Outgoing TCP traffic
outgoing_udp_traffic byte Windows black.png Mac black.png Mobile gray disabled.png
Outgoing UDP traffic
privilege_level enum Windows black.png Mac black.png Mobile gray disabled.png
Privilege level of the execution (user, power user, administrator)
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Execution start time
status enum Windows black.png Mac black.png Mobile gray disabled.png
Status of the execution (started, stopped)
total_cpu_time millisecond Windows black.png Mac black.png Mobile gray disabled.png
Total CPU time

execution_error 

An execution_error is an application error (crash or not responding).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Error identifier
info string Windows black.png Mac black.png Mobile gray disabled.png
Error event information
time datetime Windows black.png Mac black.png Mobile gray disabled.png
Time of error
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the execution error (application not responding, crash)

execution_warning 

An execution_warning is a peak in application resource usage (CPU or memory).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Performance event duration
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Performance event end time
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique performance event identifier
info string Windows black.png Mac black.png Mobile gray disabled.png
Performance event information
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Performance event start time
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the execution warning (high cpu usage, high memory usage)
value percent Windows black.png Mac black.png Mobile gray disabled.png
Performance percentage
warning_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Indicates the duration of the warning. This duration can be shorter than the event duration when the warning is not continuous.

installation 

An installation is the installation or uninstallation of a software package (program or update).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique deployment identifier
time datetime Windows black.png Mac black.png Mobile gray disabled.png
Installation start time
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of operation (installation, uninstallation)

network_scan 

A network scan is a sequence of failed TCP connections or UDP packets made to the same port to more than 50 destinations within a few seconds.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
cardinality integer Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying connections, consolidated over time
device_ip_address ip_address Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connection source
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
The time between the start of the first connection and end of the last underlying connection
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Scanning end time, corresponding to the moment when the last underlying connection was closed.
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique scanning identifier
network ip_network Windows black.png Mac black.png Mobile gray disabled.png
Minimum IP network including all scanned destinations
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Scanning start time
status enum Windows black.png Mac black.png Mobile gray disabled.png
Status of the scanning (established, closed)
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the port scanning (tcp, udp)

port_scan 

A port scan is a sequence of failed TCP connections or UDP packets made to the same destination to more than 50 ports within a few seconds.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
cardinality integer Windows black.png Mac black.png Mobile gray disabled.png
Number of underlying connections, consolidated over time
destination_ip_address ip_address Windows black.png Mac black.png Mobile gray disabled.png
IP address of the scanned destination
device_ip_address ip_address Windows black.png Mac black.png Mobile gray disabled.png
IP address of the connection source
duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
The time between the start of the first connection and end of the last underlying connection.
end_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Scanning end time, corresponding to the moment when the last underlying connection was closed.
first_scanned_port port Windows black.png Mac black.png Mobile gray disabled.png
First port scanning
id identifier Windows black.png Mac black.png Mobile gray disabled.png
Unique scanning identifier
last_scanned_port port Windows black.png Mac black.png Mobile gray disabled.png
Last port scanning
start_time datetime Windows black.png Mac black.png Mobile gray disabled.png
Scanning start time
status enum Windows black.png Mac black.png Mobile gray disabled.png
Status of the scanning (established, closed)
type enum Windows black.png Mac black.png Mobile gray disabled.png
Type of the port scanning (tcp, udp)
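
The network_scan and port_scan definitions can be reproduced over raw connection records for triage or rule tuning. The following Python code is an added example, not Nexthink's implementation: the Conn record, the 5-second window, the set of statuses treated as failed and all sample data are assumptions, since the page only says "failed" and "a few seconds".

```python
import ipaddress
from collections import defaultdict, namedtuple

# Hypothetical record; field names follow the connection event fields on this page.
Conn = namedtuple(
    "Conn", "device destination_ip_address port_number type status start_time")

FAILED = {"rejected", "no service", "no host"}  # assumption: statuses counted as failed
THRESHOLD = 50        # from the page: "more than 50"
WINDOW_SECONDS = 5.0  # assumption: the page only says "a few seconds"


def minimum_network(addresses):
    """Smallest IPv4 network that contains every address in the list."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    prefix = 32 - (min(ints) ^ max(ints)).bit_length()
    base = min(ints) >> (32 - prefix) << (32 - prefix)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")


def detect(conns, group_field, distinct_field):
    """Flag groups of failed connections (same device, type and group_field) that
    reach more than THRESHOLD distinct distinct_field values inside one window."""
    groups = defaultdict(list)
    for c in conns:
        if c.status in FAILED:
            groups[(c.device, c.type, getattr(c, group_field))].append(c)
    findings = []
    for (device, proto, key), events in groups.items():
        events.sort(key=lambda c: c.start_time)
        left, counts = 0, defaultdict(int)
        for right, c in enumerate(events):
            counts[getattr(c, distinct_field)] += 1
            # Drop events that fell out of the sliding window.
            while c.start_time - events[left].start_time > WINDOW_SECONDS:
                old = getattr(events[left], distinct_field)
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
                left += 1
            if len(counts) > THRESHOLD:
                end = right
                # Merge later failures that keep arriving in close succession.
                while (end + 1 < len(events) and
                       events[end + 1].start_time - events[end].start_time
                       <= WINDOW_SECONDS):
                    end += 1
                span = events[left:end + 1]
                findings.append({
                    "device": device, "type": proto, group_field: key,
                    "cardinality": len(span),
                    "start_time": span[0].start_time,
                    "end_time": span[-1].start_time,
                    "distinct": sorted({getattr(e, distinct_field) for e in span}),
                })
                break  # one consolidated finding per group is enough here
    return findings


def network_scans(conns):
    """Same port, more than 50 destinations: adds the covering 'network' field."""
    found = detect(conns, "port_number", "destination_ip_address")
    for f in found:
        f["network"] = minimum_network(f["distinct"])
    return found


def port_scans(conns):
    """Same destination, more than 50 ports."""
    return detect(conns, "destination_ip_address", "port_number")


def sample():
    """Constructed records: one network scan, one port scan, two benign patterns."""
    conns = []
    for i in range(60):   # 60 hosts on port 445 within 3 s
        conns.append(Conn("WKS-A", f"10.20.{i // 32}.{10 + i % 32}", 445,
                          "tcp", "no host", 100.0 + i * 0.05))
    for i in range(80):   # 80 ports on one host within 2.4 s
        conns.append(Conn("WKS-B", "10.20.9.9", 1000 + i,
                          "tcp", "rejected", 200.0 + i * 0.03))
    for i in range(60):   # successful connections are not counted
        conns.append(Conn("WKS-C", f"192.0.2.{i + 1}", 443,
                          "tcp", "established", 300.0 + i * 0.05))
    for i in range(60):   # failures spread over 10 minutes stay under the window
        conns.append(Conn("WKS-D", f"198.51.100.{i + 1}", 22,
                          "tcp", "no host", 400.0 + i * 10))
    return conns


if __name__ == "__main__":
    for f in network_scans(sample()) + port_scans(sample()):
        print({k: v for k, v in f.items() if k != "distinct"})
```

Widening WINDOW_SECONDS or adding "closed" to FAILED changes which slow or half-open patterns are caught, so both should be tuned against known-benign traffic such as inventory scanners.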

printout 

A printout is a print job processed by a printer.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
color_print boolean Windows black.png Mac gray disabled.png Mobile gray disabled.png
Color print
document_type string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Type of printed document
duplex boolean Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the pages are printed on both sides of the sheet.
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique print job identifier
number_of_printed_pages integer Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Number of printed pages
page_size string Windows black.png Mac gray disabled.png Mobile gray disabled.png
Paper size for printed pages
print_quality enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print quality
size byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Print job size in bytes
status enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print job status (success, error, timeout)
time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png
Print job time

user_activity 

A user_activity is a user activity (logon or interactive activity).

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
duration millisecond Windows black.png Mac black.png Mobile black.png
Indicates the time between the user logging on and the desktop being shown.
id identifier Windows black.png Mac black.png Mobile black.png
User logon event identifier
real_duration millisecond Windows black.png Mac black.png Mobile black.png
Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.
time datetime Windows black.png Mac black.png Mobile black.png
Time of user logon
type enum Windows black.png Mac black.png Mobile black.png
Activity event information

web_request 

A web_request is an HTTP or TLS request.

Platforms:

Name Type Windows black.png Mac black.png Mobile black.png Properties
cardinality integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of underlying web requests, consolidated over time
connections_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
The time between start of the first connection and end of the last underlying connection
end_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request end time, corresponding to the moment when the last underlying TCP connection was closed.
http_status http_status_code Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
HTTP response status code
id identifier Windows black.png Mac gray disabled.png Mobile gray disabled.png
Unique request identifier
incoming_traffic byte Windows black.png Mac gray disabled.png Mobile gray disabled.png
Incoming web traffic of all underlying web requests, consolidated over time
network_response_time microsecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average TCP connection establishment time of all underlying connections, consolidated over time
outgoing_traffic byte Windows black.png Mac gray disabled.png Mobile gray disabled.png
Outgoing web traffic of all underlying web requests, consolidated over time
protocol enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request protocol (HTTP, TLS)
protocol_version enum Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request protocol version
service_related boolean Windows black.png Mac gray disabled.png Mobile gray disabled.png
Indicates whether the web request is related to a configured service:
  • yes: These requests are always visible by all users;
  • no: Depending on the privacy settings, requests not related to a service might not be visible by everyone.
start_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png
Web request start time
web_request_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte of all underlying requests, consolidated over time

Relationships

A relationship is a link between object and event tables and is specified in a with clause.

connection  

  • device
  • user
  • binary
  • executable
  • application
  • destination
  • port
  • service


device_activity  

  • device


device_error  

  • device


device_performance  

  • device
  • user


device_warning  

  • device


execution  

  • device
  • user
  • binary
  • executable
  • application


execution_error  

  • device
  • user
  • binary
  • executable
  • application


execution_warning  

  • device
  • user
  • binary
  • executable
  • application


installation  

  • device
  • package


network_scan  

  • device
  • user
  • binary
  • executable
  • application
  • port


port_scan  

  • device
  • user
  • binary
  • executable
  • application
  • destination


printout  

  • device
  • user
  • printer


user_activity  

  • device
  • user


web_request  

  • device
  • user
  • binary
  • executable
  • application
  • destination
  • port
  • domain
  • url_path
  • service


package  

  • device
  • package

Aggregates

connection   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of binaries
number_of_destinations integer Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
number_of_ports integer Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
number_of_connections integer Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
cumulated_connection_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png
Cumulated duration of TCP connections
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
incoming_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network incoming traffic
outgoing_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network outgoing traffic
average_network_response_time microsecond Windows black.png Mac black.png Mobile gray disabled.png
Average TCP connection establishment time
successful_connections_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Percentage of successful TCP connections
network_availability_level availability_level Windows black.png Mac black.png Mobile gray disabled.png NU
Graded ratio of successful TCP connections (high, medium, low)
average_incoming_bitrate bps Windows black.png Mac black.png Mobile gray disabled.png NU
Average incoming network bitrate
average_outgoing_bitrate bps Windows black.png Mac black.png Mobile gray disabled.png NU
Average outgoing network bitrate
highest_local_privilege_reached privileges_level Windows black.png Mac black.png Mobile gray disabled.png NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
incoming_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average incoming network traffic
outgoing_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average outgoing network traffic
total_network_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Network traffic




device_activity   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile black.png
Number of devices
average_boot_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average system boot duration
average_logon_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average user logon duration
average_extended_logon_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average extended logon duration
number_of_boots integer Windows black.png Mac black.png Mobile gray disabled.png
Number of system boots
activity_start_time datetime Windows black.png Mac black.png Mobile black.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile black.png NU
Stop time of investigated activity
uptime millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Amount of time the machine has been running
cumulated_interaction_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated time with user interaction (mouse or keyboard events)
number_of_events integer Windows black.png Mac black.png Mobile black.png NU
Number of events


device_error   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_errors integer Windows black.png Mac black.png Mobile gray disabled.png
Number of system errors
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events


device_performance   

Name Type Windows black.png Mac black.png Mobile black.png Properties
total_read_bytes byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Total read bytes
total_write_bytes byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Total write bytes
total_read_operations integer Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Average read IOPS
total_write_operations integer Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Average write IOPS
cumulated_measured_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Average read/write IOPS
average_memory_usage byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Average memory usage
average_cpu_usage percent Windows black.png Mac gray disabled.png Mobile gray disabled.png NU/PB
Average CPU usage
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU/PB
Number of events


device_warning   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_warnings integer Windows black.png Mac black.png Mobile gray disabled.png
Number of warnings
cumulated_warning_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated duration of the warning events
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
high_device_overall_cpu_time_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Indicates the ratio between the time the device is in high overall CPU usage and its uptime.
high_device_memory_time_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Indicates the ratio between the time the device is in high memory usage and its uptime.
high_device_io_throughput_time_ratio permill Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Indicates the ratio between the time the device is in high IO throughput and its uptime.
high_device_page_faults_time_ratio permill Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Indicates the ratio between the time the device is in high page faults and its uptime.




execution   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of binaries
number_of_executions integer Windows black.png Mac black.png Mobile gray disabled.png
Number of executions
cumulated_execution_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated duration of executions
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
incoming_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network incoming traffic
outgoing_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network outgoing traffic
highest_local_privilege_reached privileges_level Windows black.png Mac black.png Mobile gray disabled.png NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
average_memory_usage_per_execution byte Windows black.png Mac black.png Mobile gray disabled.png NU
Average memory usage per execution
cpu_usage_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Average CPU usage
total_cpu_time millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Total CPU time
incoming_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average incoming network traffic
outgoing_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average outgoing network traffic
total_network_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Network traffic


execution_error   

Name Type Windows black.png Mac black.png Mobile black.png Properties
application_not_responding_event_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Application not responding event ratio
application_crash_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
Application crash ratio
number_of_application_not_responding_events integer Windows black.png Mac black.png Mobile gray disabled.png
Number of application not responding events
number_of_application_crashes integer Windows black.png Mac black.png Mobile gray disabled.png
Number of application crashes
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
number_of_errors integer Windows black.png Mac black.png Mobile gray disabled.png
Number of errors
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events


execution_warning   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
number_of_warnings integer Windows black.png Mac black.png Mobile gray disabled.png
Number of warnings
cumulated_warning_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated duration of the warning events
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
high_application_thread_cpu_time_ratio permill Windows black.png Mac black.png Mobile gray disabled.png NU
High application thread CPU time ratio


installation   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_packages integer Windows black.png Mac black.png Mobile gray disabled.png
Number of packages
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_installations integer Windows black.png Mac black.png Mobile gray disabled.png
Number of installations
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events


network_scan   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
number_of_ports integer Windows black.png Mac black.png Mobile gray disabled.png
Number of ports
number_of_connections integer Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
cumulated_scan_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated duration of the network scan
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
incoming_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network incoming traffic
outgoing_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network outgoing traffic
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
incoming_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average incoming network traffic
outgoing_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average outgoing network traffic
total_network_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Network traffic


package   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of devices
number_of_packages integer Windows black.png Mac black.png Mobile gray disabled.png FP
Number of packages



port_scan   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac black.png Mobile gray disabled.png
Number of devices
number_of_users integer Windows black.png Mac black.png Mobile gray disabled.png
Number of users
number_of_applications integer Windows black.png Mac black.png Mobile gray disabled.png
Number of applications
number_of_executables integer Windows black.png Mac black.png Mobile gray disabled.png
Number of executables
number_of_binaries integer Windows black.png Mac black.png Mobile gray disabled.png
Number of binaries
number_of_connections integer Windows black.png Mac black.png Mobile gray disabled.png
Number of connections
number_of_destinations integer Windows black.png Mac black.png Mobile gray disabled.png
Number of destinations
cumulated_scan_duration millisecond Windows black.png Mac black.png Mobile gray disabled.png NU
Cumulated duration of the network scan
activity_start_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac black.png Mobile gray disabled.png NU
Stop time of investigated activity
incoming_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network incoming traffic
outgoing_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Total network outgoing traffic
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events
incoming_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average incoming network traffic
outgoing_network_traffic_per_device byte Windows black.png Mac black.png Mobile gray disabled.png NU
Device average outgoing network traffic
total_network_traffic byte Windows black.png Mac black.png Mobile gray disabled.png NU
Network traffic



printout   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of devices
number_of_users integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of users
number_of_printers integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printers
number_of_printed_pages integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of printed pages
number_of_printouts integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of print jobs
activity_start_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Stop time of investigated activity
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events





user_activity   

Name Type Windows black.png Mac black.png Mobile black.png Properties
number_of_devices integer Windows black.png Mac gray disabled.png Mobile black.png
Number of devices
number_of_users integer Windows black.png Mac gray disabled.png Mobile black.png
Number of users
number_of_logons integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of user logons
activity_start_time datetime Windows black.png Mac gray disabled.png Mobile black.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac gray disabled.png Mobile black.png NU
Stop time of investigated activity
cumulated_interaction_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Cumulated time with user interaction (mouse or keyboard events)
average_logon_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average user logon duration
average_extended_logon_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average extended logon duration
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events


web_request   

Name Type Windows black.png Mac black.png Mobile black.png Properties
total_web_traffic byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Web traffic
outgoing_web_traffic_per_device byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Outgoing web traffic per device
incoming_web_traffic_per_device byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Incoming web traffic per device
number_of_devices integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP
Number of devices
number_of_domains integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP
Number of domains
number_of_users integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP
Number of users
number_of_applications integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP/NU
Number of applications
number_of_executables integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP
Number of executables
number_of_binaries integer Windows black.png Mac gray disabled.png Mobile gray disabled.png FP
Number of binaries
number_of_destinations integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of destinations
number_of_ports integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of ports
activity_start_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Start time of investigated activity
activity_stop_time datetime Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Stop time of investigated activity
average_network_response_time microsecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average TCP connection establishment time
highest_local_privilege_reached privileges_level Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Highest local privilege level reached for executions (user, power user, administrator)
number_of_web_requests integer Windows black.png Mac gray disabled.png Mobile gray disabled.png
Number of web requests
protocols_used_in_requests web_protocol_combination Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Protocols used in web requests (HTTP, TLS, HTTP/TLS)
lowest_protocol_version min_web_protocol_version Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
incoming_traffic byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total web incoming traffic
outgoing_traffic byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Total web outgoing traffic
average_incoming_bitrate bps Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average incoming bitrate of all underlying web requests, consolidated over time
average_outgoing_bitrate bps Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average outgoing bitrate of all underlying web requests, consolidated over time
cumulated_web_request_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Cumulated duration of web requests
cumulated_web_interaction_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Cumulated time during which web requests occurred, counted with a 5-minute resolution.
average_request_size byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average size of web requests
average_response_size byte Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Average size of web responses
average_request_duration millisecond Windows black.png Mac gray disabled.png Mobile gray disabled.png
Average time between request and last response byte
successful_http_requests_ratio permill Windows black.png Mac gray disabled.png Mobile gray disabled.png NU
Percentage of successful HTTP requests (1xx, 2xx and 3xx)
number_of_events integer Windows black.png Mac black.png Mobile gray disabled.png NU
Number of events


Definitions

This document lists all objects, fields and aggregates available through NXQL. Each field and aggregate has a name, a type, properties and a description.

Platforms can have the following values:

  • W: The field, aggregate or table is available on the Windows platform.
  • X: The field, aggregate or table is available on the Mac OS platform.
  • M: The field, aggregate or table is available on the Mobile platform.

Properties can have the following values:

  • DE: The field or aggregate is deprecated.
  • PB: The field or aggregate is in Public Beta.
  • FP: The field or aggregate can be used without a between clause.
  • NU: The field or aggregate can be nil.
  • SE: The field or aggregate is only available with a license containing the security feature.
  • WE: The field or aggregate is only available with a license containing the web monitoring feature.
  • NC: The field is not comparable.