Data model
Contents |
Data model
This reference article contains the complete description of Nexthink's data model.
Objects
Objects represent items recognized by Nexthink.
User
Users of devices (domain, local or system)
| Field | Group | Type | 
| 
| 
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
| 
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Application crash ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application crashes per 100 executions. | |||||
| NXQL ID: | application_crash_ratio | ||||
| Application not responding event ratio | Errors | Aggregate |
| 
|
|
| Indicates the number of application not responding events per 100 executions. | |||||
| NXQL ID: | application_not_responding_event_ratio | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average memory usage per execution | Activity | Aggregate |
|
|
|
| Indicates the average memory usage of all underlying executions before aggregation. The value is the average
memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
| |||||
| NXQL ID: | average_memory_usage_per_execution | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Binary paths | Activity | Aggregate |
|
|
|
| List of executed binary paths (max. 50 paths) | |||||
| CPU usage ratio | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | cpu_usage_ratio | ||||
| Cumulated execution duration | Activity | Aggregate |
|
|
|
| Cumulated duration of executions | |||||
| NXQL ID: | cumulated_execution_duration | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Department | Properties | Field |
|
|
|
| User department as listed in Active Directory | |||||
| NXQL ID: | department | ||||
| Distinguished name | Properties | Field |
|
|
|
| Active Directory distinguished name (DN) | |||||
| NXQL ID: | distinguished_name | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the user was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| Full name | Properties | Field |
|
|
|
| Full user name as listed in Active Directory | |||||
| NXQL ID: | full_name | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Job title | Properties | Field |
|
|
|
| Job title as listed in Active Directory | |||||
| NXQL ID: | job_title | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the user was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Name | Properties | Field |
|
|
|
| User logon name | |||||
| NXQL ID: | name | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of application crashes | Errors | Aggregate |
|
|
|
| Number of application crashes | |||||
| NXQL ID: | number_of_application_crashes | ||||
| Number of application not responding events | Errors | Aggregate |
|
|
|
| Number of application not responding events | |||||
| NXQL ID: | number_of_application_not_responding_events | ||||
| Number of applications | Inventory | Aggregate |
|
|
|
| Number of applications | |||||
| NXQL ID: | number_of_applications | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of days since last seen | Properties | Field |
|
|
|
| Indicates the number of days since the last time the user was seen by Nexthink. The field is updated every hour. | |||||
| NXQL ID: | number_of_days_since_last_seen | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of executions | Activity | Aggregate |
|
|
|
| Number of executions | |||||
| NXQL ID: | number_of_executions | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of print jobs | Activity | Aggregate |
|
|
|
| Number of print jobs | |||||
| NXQL ID: | number_of_printouts | ||||
| Number of printed pages | Activity | Aggregate |
|
|
|
| Number of printed pages | |||||
| NXQL ID: | number_of_printed_pages | ||||
| Number of printers | Inventory | Aggregate |
|
|
|
| Number of printers | |||||
| NXQL ID: | number_of_printers | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| SID | Properties | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
| NXQL ID: | sid | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Total active days | Activity | Field |
|
|
|
| Total number of days the user was active | |||||
| NXQL ID: | total_active_days | ||||
| Total CPU time | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| Type | Properties | Field |
|
|
|
| Type of user (local/domain/system) | |||||
| NXQL ID: | type | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on user SID). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Device
Devices are Windows, Mac OS or mobile endpoints
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Access state | Exchange | Field | 
|
|
|
Indicates whether the device can access the Exchange ActiveSync server. The possible states are:
| |||||
| NXQL ID: | eas_access_state | ||||
| Access state reason | Exchange | Field |
|
|
|
Indicates the reason for the device access state. The possible values are:
| |||||
| NXQL ID: | eas_access_state_reason | ||||
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| AD site | Properties | Field |
|
|
|
| Indicates the AD site of the device as configured in the Active Directory.
A '-' is displayed if the Collector is older than version 6.19 or if the device is not part of a domain. | |||||
| NXQL ID: | directory_service_site | ||||
| Administrator account status | Policy | Field |
|
|
|
| Determines whether the local Administrator account is enabled or disabled | |||||
| NXQL ID: | administrator_account_status | ||||
| All antispyware | Security | Field |
|
|
|
Summary information about all the detected antispyware:
| |||||
| NXQL ID: | all_antispywares
Note: this field is not available for Windows Server operating systems. | ||||
| All antiviruses | Security | Field |
|
|
|
Summary information about all the detected antiviruses:
| |||||
| NXQL ID: | all_antiviruses
Note: this field is not available for Windows Server operating systems. | ||||
| All firewalls | Security | Field |
|
|
|
Summary information about all the detected firewalls:
| |||||
| NXQL ID: | all_firewalls
Note: this field is not available for Windows Server operating systems. | ||||
| Antispyware display name | Security | Field |
|
|
|
| Name of the main antispyware | |||||
| NXQL ID: | antispyware_name
Note: this field is not available for Windows Server operating systems. | ||||
| Antispyware RTP | Security | Field |
|
|
|
Indicates whether the antispyware real time protection (RTP) is active:
| |||||
| NXQL ID: | antispyware_rtp
Note: this field is not available for Windows Server operating systems. | ||||
| Antispyware up-to-date | Security | Field |
|
|
|
Indicates whether the antispyware is up-to-date:
| |||||
| NXQL ID: | antispyware_up_to_date
Note: this field is not available for Windows Server operating systems. | ||||
| Antivirus display name | Security | Field |
|
|
|
| Name of the main antivirus | |||||
| NXQL ID: | antivirus_name
Note: this field is not available for Windows Server operating systems. | ||||
| Antivirus RTP | Security | Field |
|
|
|
Indicates whether the antivirus real time protection (RTP) is active:
| |||||
| NXQL ID: | antivirus_rtp
Note: this field is not available for Windows Server operating systems. | ||||
| Antivirus up-to-date | Security | Field |
|
|
|
Indicates whether the antivirus is up-to-date:
| |||||
| NXQL ID: | antivirus_up_to_date
Note: this field is not available for Windows Server operating systems. | ||||
| Application crash ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application crashes per 100 executions. | |||||
| NXQL ID: | application_crash_ratio | ||||
| Application not responding event ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application not responding events per 100 executions. | |||||
| NXQL ID: | application_not_responding_event_ratio | ||||
| Audit account logon events | Policy | Field |
|
|
|
| Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account | |||||
| NXQL ID: | audit_account_logon_events | ||||
| Audit account management | Policy | Field |
|
|
|
| Determines whether to audit each event of account management on a computer | |||||
| NXQL ID: | audit_account_management | ||||
| Audit directory service access | Policy | Field |
|
|
|
| Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified | |||||
| NXQL ID: | audit_directory_service_access | ||||
| Audit logon events | Policy | Field |
|
|
|
| Determines whether to audit each instance of a user logging on to or logging off from a computer | |||||
| NXQL ID: | audit_logon_events | ||||
| Audit object access | Policy | Field |
|
|
|
| Determines whether to audit the event of a user accessing an object, e.g. a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified | |||||
| NXQL ID: | audit_object_access | ||||
| Audit policy change | Policy | Field |
|
|
|
| Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies | |||||
| NXQL ID: | audit_policy_change | ||||
| Audit privilege use | Policy | Field |
|
|
|
| Determines whether to audit each instance of a user exercising a user right | |||||
| NXQL ID: | audit_privilege_use | ||||
| Audit process tracking | Policy | Field |
|
|
|
| Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access | |||||
| NXQL ID: | audit_process_tracking | ||||
| Audit system events | Policy | Field |
|
|
|
| Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log | |||||
| NXQL ID: | audit_system_events | ||||
| Average extended logon duration | Startup | Aggregate |
|
|
|
| Indicates the average extended logon duration. | |||||
| NXQL ID: | average_extended_logon_duration | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average logon duration | Startup | Aggregate |
|
|
|
| Indicates the average logon duration. | |||||
| NXQL ID: | average_logon_duration | ||||
| Average memory usage per execution | Activity | Aggregate |
|
|
|
| Indicates the average memory usage of all underlying executions before aggregation. The value is the average
memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
| |||||
| NXQL ID: | average_memory_usage_per_execution | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average system boot duration | Startup | Aggregate |
|
|
|
| Indicates the average system boot duration. | |||||
| NXQL ID: | average_boot_duration | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Binary paths | Activity | Aggregate |
|
|
|
| List of executed binary paths (max. 50 paths) | |||||
| BIOS serial number | Hardware | Field |
|
|
|
| BIOS serial number | |||||
| NXQL ID: | bios_serial_number | ||||
| Chassis serial number | Hardware | Field |
|
|
|
| Chassis serial number | |||||
| NXQL ID: | chassis_serial_number | ||||
| Collector installation log | Nexthink Collector | Field |
|
|
|
| Indicates the link to the last Nexthink Collector installation error log. | |||||
| NXQL ID: | collector_installation_log | ||||
| Collector status | Nexthink Collector | Field |
|
|
|
Indicates the status of the Nexthink Collector package installed on the device:
| |||||
| NXQL ID: | collector_status | ||||
| Collector tag | Nexthink Collector | Field |
|
|
|
| Indicates the Collector installation tag. | |||||
| NXQL ID: | collector_tag | ||||
| Collector update group | Nexthink Collector | Field |
|
|
|
Indicates the update group of Nexthink Collector:
| |||||
| NXQL ID: | upgrade_group | ||||
| Collector update status | Nexthink Collector | Field |
|
|
|
| Indicates the status of the Nexthink Collector updater. | |||||
| NXQL ID: | collector_update_status | ||||
| Collector version | Nexthink Collector | Field |
|
|
|
| Indicates the version of the Nexthink Collector installed on the device. | |||||
| NXQL ID: | collector_version | ||||
| CPU frequency | Hardware | Field |
|
|
|
| CPU frequency | |||||
| NXQL ID: | cpu_frequency | ||||
| CPU model | Hardware | Field |
|
|
|
| CPU model | |||||
| NXQL ID: | cpu_model | ||||
| CPU usage ratio | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | cpu_usage_ratio | ||||
| Cumulated execution duration | Activity | Aggregate |
|
|
|
| Cumulated duration of executions | |||||
| NXQL ID: | cumulated_execution_duration | ||||
| Cumulated interaction time | Activity | Aggregate |
|
|
|
| Cumulated time with user interaction (mouse or keyboard events) | |||||
| NXQL ID: | cumulated_interaction_duration | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the device. | |||||
| NXQL ID: | database_usage | ||||
| Device access rule | Exchange | Field |
|
|
|
| Indicates the name of the Exchange ActiveSync device access rule and if the rule allows, blocks or quarantines the device. | |||||
| NXQL ID: | eas_device_access_rule | ||||
| Device encryption required | Policy | Field |
|
|
|
| Indicates whether device encryption is required. | |||||
| NXQL ID: | device_encryption_required | ||||
| Device identity | Exchange | Field |
|
|
|
| Indicates the identity of the device in Exchange ActiveSync server. | |||||
| NXQL ID: | eas_device_identity | ||||
| Device manufacturer | Hardware | Field |
|
|
|
| Indicates the device manufacturer. | |||||
| NXQL ID: | device_manufacturer | ||||
| Device model | Hardware | Field |
|
|
|
| Indicates the model of the device. | |||||
| NXQL ID: | device_model | ||||
| Device password required | Policy | Field |
|
|
|
| Indicates whether a password is required on the device. | |||||
| NXQL ID: | device_password_required | ||||
| Device product ID | Hardware | Field |
|
|
|
| Device product ID | |||||
| NXQL ID: | device_product_id | ||||
| Device product version | Hardware | Field |
|
|
|
| Device product version | |||||
| NXQL ID: | device_product_version | ||||
| Device serial number | Hardware | Field |
|
|
|
| Indicates the device serial number. | |||||
| NXQL ID: | device_serial_number | ||||
| Device type | Hardware | Field |
|
|
|
Indicates the device type:
| |||||
| NXQL ID: | device_type | ||||
| Device UUID | Properties | Field |
|
|
|
| Indicates the device universally unique identifier (UUID). | |||||
| NXQL ID: | device_uuid | ||||
| Disks S.M.A.R.T. index | Hardware | Field |
|
|
|
| Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes) | |||||
| NXQL ID: | disks_smart_index | ||||
| Distinguished name | Properties | Field |
|
|
|
Indicates the distinguished name (DN) as seen:
| |||||
| NXQL ID: | distinguished_name | ||||
| Distinguished name reported by Collector | Properties | Field |
|
|
|
| Indicates the distinguished name as reported by the Collector.
A '-' is displayed if the device is not part of a domain. | |||||
| NXQL ID: | collector_distinguished_name | ||||
| Email attachment enabled | Policy | Field |
|
|
|
| Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol. | |||||
| NXQL ID: | email_attachment_enabled | ||||
| Enforce password history | Policy | Field |
|
|
|
Indicates the number of unique password that have to be associated with a user account before an old password can be reused:
| |||||
| NXQL ID: | enforce_password_history | ||||
| Entity | Properties | Field |
|
|
|
| Entity to which the device belongs | |||||
| NXQL ID: | entity | ||||
| Exemption | Exchange | Field |
|
|
|
Indicates whether a personal exemption is set for the device and its user. Possible values are:
| |||||
| NXQL ID: | eas_exemption | ||||
| Extended logon duration baseline | Startup | Field |
|
|
|
| Indicates the extended logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially
weighted moving average). | |||||
| NXQL ID: | extended_logon_duration_baseline | ||||
| Firewall display name | Security | Field |
|
|
|
| Name of the main firewall | |||||
| NXQL ID: | firewall_name
Note: this field is not available for Windows Server operating systems. | ||||
| Firewall RTP | Security | Field |
|
|
|
Indicates whether the firewall real time protection (RTP) is active:
| |||||
| NXQL ID: | firewall_rtp
Note: this field is not available for Windows Server operating systems. | ||||
| First seen | Properties | Field |
|
|
|
Indicates the first time when the activity of the device was recorded:
| |||||
| NXQL ID: | first_seen | ||||
| Graphical card RAM | Hardware | Field |
|
|
|
| Amount of RAM of the graphical card with most RAM | |||||
| NXQL ID: | graphical_card_ram | ||||
| Graphical cards | Hardware | Field |
|
|
|
| Installed graphical cards | |||||
| NXQL ID: | graphical_cards | ||||
| Group name | Network | Field |
|
|
|
| Name of computer domain or workgroup | |||||
| NXQL ID: | group_name | ||||
| Guest account status | Policy | Field |
|
|
|
| Determines if the Guest account is enabled or disabled | |||||
| NXQL ID: | guest_account_status | ||||
| Hard disks | Hardware | Field |
|
|
|
| List of all hard disks | |||||
| NXQL ID: | hard_disks | ||||
| Hard disks manufacturers | Hardware | Field |
|
|
|
| Indicates the list of hard disk manufacturers | |||||
| NXQL ID: | disks_manufacturers | ||||
| High device IO throughput time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time the device is in high IO throughput and its uptime. | |||||
| NXQL ID: | high_device_io_throughput_time_ratio | ||||
| High device memory time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time the device is in high memory usage and its uptime. | |||||
| NXQL ID: | high_device_memory_time_ratio | ||||
| High device overall CPU time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time the device is in high overall CPU usage and its uptime. | |||||
| NXQL ID: | high_device_overall_cpu_time_ratio | ||||
| High device page faults time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time the device is in high page faults and its uptime. | |||||
| NXQL ID: | high_device_page_faults_time_ratio | ||||
| High device thread CPU time ratio (deprecated) | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time that the device is in high thread CPU usage and its uptime. | |||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Interaction time ratio | Activity | Aggregate |
|
|
|
| Percentage of time with user interaction (mouse or keyboard events) | |||||
| Internet security settings | Security | Field |
|
|
|
| Internet security settings (ok, at risk or unknown) | |||||
| NXQL ID: | internet_security_settings | ||||
| IP addresses | Network | Field |
|
|
|
| List of IP addresses for the device | |||||
| NXQL ID: | ip_addresses | ||||
| Last extended logon duration | Startup | Field |
|
|
|
| Indicates the last recorded value for the time between the user logging on and the device is ready. | |||||
| NXQL ID: | last_extended_logon_duration | ||||
| Last IP address | Network | Field |
|
|
|
| Last IP address assigned to the device | |||||
| NXQL ID: | last_ip_address | ||||
| Last known connection status | Nexthink Collector | Field |
|
|
|
Indicates the last known connection status of the device:
| |||||
| NXQL ID: | last_known_connection_status | ||||
| Last logged on user | Startup | Field |
|
|
|
| Last logged on user | |||||
| NXQL ID: | last_logged_on_user | ||||
| Last logged on user's privileges | Startup | Field |
|
|
|
| Privileges of the last logged on user (user, power user, administrator) | |||||
| NXQL ID: | privileges_of_last_logged_on_users | ||||
| Last logon duration | Startup | Field |
|
|
|
| Indicates the last recorded value for the time between the user logging on and the desktop is displayed. | |||||
| NXQL ID: | last_logon_duration | ||||
| Last logon time | Startup | Field |
|
|
|
| Indicates the time of the last logon. | |||||
| NXQL ID: | last_logon_time | ||||
| Last policy update | Exchange | Field |
|
|
|
| Indicates the last time the Exchange ActiveSync policy was updated on the device. | |||||
| NXQL ID: | eas_policy_update | ||||
| Last seen | Properties | Field |
|
|
|
Indicates the last time that activity on the device was reported:
| |||||
| NXQL ID: | last_seen | ||||
| Last seen on TCP | Nexthink Collector | Field |
|
|
|
Indicates the last time that the device was successfully connected through the TCP channel.
| |||||
| NXQL ID: | last_seen_on_tcp | ||||
| Last system boot duration | Startup | Field |
|
|
|
| Duration of last system boot | |||||
| NXQL ID: | last_boot_duration | ||||
| Last system boot time | Startup | Field |
|
|
|
| Indicates the time of the last system boot. | |||||
| NXQL ID: | last_system_boot | ||||
| Last system update | Operating system | Field |
|
|
|
| Time of last system update | |||||
| NXQL ID: | last_windows_update | ||||
| Last update | Nexthink Collector | Field |
|
|
|
| Indicates the last Collector update time. | |||||
| NXQL ID: | last_update | ||||
| Last update status | Nexthink Collector | Field |
|
|
|
Indicates the status of the last Collector update:
| |||||
| NXQL ID: | last_update_status | ||||
| Last Updater request | Nexthink Collector | Field |
|
|
|
| Indicates the last time the Nexthink Updater has checked for updates. | |||||
| NXQL ID: | last_updater_request | ||||
| Local Administrators | Operating system | Field |
|
|
|
| Users and groups which are members of the Local Administrators group on the device | |||||
| NXQL ID: | local_administrators | ||||
| Local Power Users | Operating system | Field |
|
|
|
| Users and groups which are members of the Local Powers Users group on the device | |||||
| NXQL ID: | local_power_users | ||||
| Logical drives | Local drives | Field |
|
|
|
| List of all logical drives | |||||
| NXQL ID: | logical_drives | ||||
| Logon duration baseline | Startup | Field |
|
|
|
| Indicates the logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially
weighted moving average). | |||||
| NXQL ID: | average_logon_duration | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| MAC addresses | Network | Field |
|
|
|
| List of MAC addresses for the device | |||||
| NXQL ID: | mac_addresses | ||||
| Maximum password age | Policy | Field |
|
|
|
Indicates the period in time (in days) during which the password can be used before the system requires the user to change it:
| |||||
| NXQL ID: | maximum_password_age | ||||
| Membership type | Network | Field |
|
|
|
| Type of computer membership (domain/workgroup) | |||||
| NXQL ID: | membership_type | ||||
| Minimum password age | Policy | Field |
|
|
|
| Period of time (in days) that a password must be used before the user can change it | |||||
| NXQL ID: | minimum_password_age | ||||
| Minimum password length | Policy | Field |
|
|
|
| Least number of characters that a password for a user account may contain | |||||
| NXQL ID: | minimum_password_length | ||||
| Monitor models | Hardware | Field |
|
|
|
| Models of connected monitors | |||||
| NXQL ID: | monitor_models | ||||
| Monitor resolutions | Hardware | Field |
|
|
|
| Screen resolutions of connected monitors | |||||
| NXQL ID: | monitor_resolutions | ||||
| Monitors | Hardware | Field |
|
|
|
| Connected monitors | |||||
| NXQL ID: | monitors | ||||
| Monitors serial numbers | Hardware | Field |
|
|
|
| Serial numbers of connected monitors (ordered as in 'Monitors') | |||||
| NXQL ID: | monitors_serial_numbers | ||||
| Name | Properties | Field |
|
|
|
Indicates the name of the device:
| |||||
| NXQL ID: | name | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of antispyware | Security | Field |
|
|
|
Number of antispyware detected:
| |||||
| NXQL ID: | number_of_antispyware
Note: this field is not available for Windows Server operating systems. | ||||
| Number of antiviruses | Security | Field |
|
|
|
Number of antiviruses detected:
| |||||
| NXQL ID: | number_of_antiviruses
Note: this field is not available for Windows Server operating systems. | ||||
| Number of application crashes | Errors | Aggregate |
|
|
|
| Number of application crashes | |||||
| NXQL ID: | number_of_application_crashes | ||||
| Number of application not responding events | Errors | Aggregate |
|
|
|
| Number of application not responding events | |||||
| NXQL ID: | number_of_application_not_responding_events | ||||
| Number of applications | Inventory | Aggregate |
|
|
|
| Number of applications | |||||
| NXQL ID: | number_of_applications | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of cores | Hardware | Field |
|
|
|
| Indicates the number of CPUs multiplied by the number of cores that are available on each CPU. | |||||
| NXQL ID: | number_of_cores | ||||
| Number of CPUs | Hardware | Field |
|
|
|
| Indicates the number of central processing units (CPUs), also known as the number of sockets. | |||||
| NXQL ID: | number_of_cpus | ||||
| Number of days since first seen | Properties | Field |
|
|
|
| Indicates the number of complete days since the device was first seen. The value is updated every hour. | |||||
| NXQL ID: | number_of_days_since_first_seen | ||||
| Number of days since last logon | Startup | Field |
|
|
|
| Number of days since last logon | |||||
| NXQL ID: | number_of_days_since_last_logon | ||||
| Number of days since last policy update | Exchange | Field |
|
|
|
| Indicates the number of days since the last Exchange ActiveSync policy update. | |||||
| NXQL ID: | number_of_days_since_last_eas_policy_update | ||||
| Number of days since last seen | Properties | Field |
|
|
|
Indicates the number of days since the last time that the device was seen by Nexthink. The field is updated every hour:
| |||||
| NXQL ID: | number_of_days_since_last_seen | ||||
| Number of days since last seen on TCP | Nexthink Collector | Field |
|
|
|
Indicates the number of days since the last time that the device was successfully connected through the TCP channel. The field is updated every hour:
| |||||
| NXQL ID: | number_of_days_since_last_seen_on_tcp | ||||
| Number of days since last system boot | Startup | Field |
|
|
|
| Number of days since last system boot | |||||
| NXQL ID: | number_of_days_since_last_boot | ||||
| Number of days since last system update | Operating system | Field |
|
|
|
| Number of days since last system update | |||||
| NXQL ID: | number_of_days_since_last_windows_update | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of executions | Activity | Aggregate |
|
|
|
| Number of executions | |||||
| NXQL ID: | number_of_executions | ||||
| Number of firewalls | Security | Field |
|
|
|
Number of firewalls detected:
| |||||
| NXQL ID: | number_of_firewalls
Note: this field is not available for Windows Server operating systems. | ||||
| Number of graphical cards | Hardware | Field |
|
|
|
| Number of installed graphical cards | |||||
| NXQL ID: | number_of_graphical_cards | ||||
| Number of hard resets | Errors | Aggregate |
|
|
|
| Number of hard resets | |||||
| Number of installations | Activity | Aggregate |
|
|
|
| Number of installations | |||||
| NXQL ID: | number_of_installations | ||||
| Number of logical processors | Hardware | Field |
|
|
|
| Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading. | |||||
| NXQL ID: | logical_cpu_number | ||||
| Number of logons | Startup | Aggregate |
|
|
|
| Number of logons | |||||
| NXQL ID: | number_of_logons | ||||
| Number of monitors | Hardware | Field |
|
|
|
| Number of connected monitors | |||||
| NXQL ID: | number_of_monitors | ||||
| Number of packages | Inventory | Aggregate |
|
|
|
| Number of packages | |||||
| NXQL ID: | number_of_packages | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of print jobs | Activity | Aggregate |
|
|
|
| Number of print jobs | |||||
| NXQL ID: | number_of_printouts | ||||
| Number of printed pages | Activity | Aggregate |
|
|
|
| Number of printed pages | |||||
| NXQL ID: | number_of_printed_pages | ||||
| Number of printers | Inventory | Aggregate |
|
|
|
| Number of printers | |||||
| NXQL ID: | number_of_printers | ||||
| Number of system boots | Startup | Aggregate |
|
|
|
| Number of system boots | |||||
| NXQL ID: | number_of_boots | ||||
| Number of system crashes | Errors | Aggregate |
|
|
|
| Indicates the number of Windows bluescreens. | |||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| OS architecture | Operating system | Field |
|
|
|
| Architecture of device operating system (x86/x64) | |||||
| NXQL ID: | os_architecture | ||||
| OS build | Operating system | Field |
|
|
|
Indicates the build number of the operating system:
| |||||
| NXQL ID: | os_build | ||||
| OS version | Operating system (deprecated) | Field |
|
|
|
| Version of device operating system | |||||
| OS version and architecture | Operating system | Field |
|
|
|
Indicates name, version and architecture (when applicable) of the operating system:
| |||||
| NXQL ID: | os_version_and_architecture | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Password complexity requirements enabled | Policy | Field |
|
|
|
Indicates whether password complexity is required:
| |||||
| NXQL ID: | password_complexity_requirements | ||||
| Platform | Properties | Field |
|
|
|
Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are:
| |||||
| NXQL ID: | platform | ||||
| Policy allows non provisionable devices | Exchange | Field |
|
|
|
Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange Exchange ActiveSync server.
| |||||
| NXQL ID: | allow_non_provisionable_devices | ||||
| Policy application status | Exchange | Field |
|
|
|
Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are:
| |||||
| NXQL ID: | eas_policy_application_status | ||||
| Policy name | Exchange | Field |
|
|
|
| Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox. | |||||
| NXQL ID: | eas_policy_name | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| SD card encryption required | Policy | Field |
|
|
|
| Indicates whether SD card encryption is required. | |||||
| NXQL ID: | sd_card_encryption_required | ||||
| SID | Properties | Field |
|
|
|
| Windows security identifier for the device | |||||
| NXQL ID: | sid | ||||
| Storage policy | Properties | Field |
|
|
|
Indicates the event storage policy for the device. Possible values are:
Note that available events depend on the device platform | |||||
| NXQL ID: | storage_policy | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| System boot duration baseline | Startup | Field |
|
|
|
| Indicates the system boot duration averaged over the last boots. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average). | |||||
| NXQL ID: | average_boot_duration | ||||
| System drive capacity | Local drives | Field |
|
|
|
| Total capacity of system drive | |||||
| NXQL ID: | system_drive_capacity | ||||
| System drive free space | Local drives | Field |
|
|
|
| Total available free space on system drive | |||||
| NXQL ID: | system_drive_free_space | ||||
| System drive usage | Local drives | Field |
|
|
|
| Use percentage of system drive | |||||
| NXQL ID: | system_drive_usage | ||||
| Target version | Nexthink Collector | Field |
|
|
|
| Indicates the Collector package version that is targeted. | |||||
| NXQL ID: | collector_package_target_version | ||||
| Total active days | Activity | Field |
|
|
|
| Indicates the total number of days the device has been active. The value is updated every night. | |||||
| NXQL ID: | total_active_days | ||||
| Total CPU time | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| Total drive capacity | Local drives | Field |
|
|
|
| Total capacity of all drives | |||||
| NXQL ID: | total_drive_capacity | ||||
| Total drive free space | Local drives | Field |
|
|
|
| Total free space on all drives | |||||
| NXQL ID: | total_drive_free_space | ||||
| Total drive usage | Local drives | Field |
|
|
|
| Total use percentage of all drives | |||||
| NXQL ID: | total_drive_usage | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total non-system drive capacity | Local drives | Field |
|
|
|
| Total capacity of all non-system drives | |||||
| NXQL ID: | total_nonsystem_drive_capacity | ||||
| Total non-system drive free space | Local drives | Field |
|
|
|
| Total free space on all non-system drives | |||||
| NXQL ID: | total_nonsystem_drive_free_space | ||||
| Total non-system drive usage | Local drives | Field |
|
|
|
| Total use percentage of all non-system drives | |||||
| NXQL ID: | total_nonsystem_drive_usage | ||||
| Total RAM | Hardware | Field |
|
|
|
| Total amount of RAM | |||||
| NXQL ID: | total_ram | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on Engine name and device ID). | |||||
| NXQL ID: | device_uid | ||||
| Updater error | Nexthink Collector | Field |
|
|
|
| Indicates the last Nexthink Collector Updater error. | |||||
| NXQL ID: | updater_error | ||||
| Updater version | Nexthink Collector | Field |
|
|
|
| Indicates the Nexthink Collector Updater version. | |||||
| NXQL ID: | updater_version | ||||
| Uptime | Activity | Aggregate |
|
|
|
| Amount of time the machine has been running | |||||
| NXQL ID: | uptime | ||||
| User account control status | Security | Field |
|
|
|
| User account control status (ok, at risk or unknown) | |||||
| NXQL ID: | user_account_control_status | ||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
| Windows license key | Operating system | Field |
|
|
|
Indicates the Windows license key:
| |||||
| NXQL ID: | windows_license_key | ||||
| Windows Update status | Operating system | Field |
|
|
|
| Windows Update status (ok, at risk or unknown) | |||||
| NXQL ID: | windows_updates_status | ||||
| WMI status | Operating system | Field |
|
|
|
| Windows WMI service status (ok, failure) | |||||
| NXQL ID: | wmi_status | ||||
Package
Software packages (programs or updates)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| First installation | Properties | Field |
|
|
|
| Date of the first package installation on any device. This field is based on data reported by the operating system and requires devices date and time to be properly set | |||||
| NXQL ID: | first_installation | ||||
| Name | Properties | Field |
|
|
|
| Package name | |||||
| NXQL ID: | name | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of updates | Properties | Field |
|
|
|
| Number of updates (for programs) | |||||
| NXQL ID: | number_of_updates | ||||
| Package status | Inventory | Aggregate |
|
|
|
| Package status (installed/removed) | |||||
| Platform | Properties | Field |
|
|
|
| The platform (operating system family) on which the package is installed | |||||
| NXQL ID: | platform | ||||
| Program | Properties | Field |
|
|
|
| Package program | |||||
| NXQL ID: | program | ||||
| Publisher | Properties | Field |
|
|
|
| Package publisher | |||||
| NXQL ID: | publisher | ||||
| Status | Properties | Field |
|
|
|
| Package status (installed/removed) | |||||
| NXQL ID: | status | ||||
| Type | Properties | Field |
|
|
|
Package type:
| |||||
| NXQL ID: | type | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on package name and package publisher). | |||||
| Version | Properties | Field |
|
|
|
| Package version | |||||
| NXQL ID: | version | ||||
| Windows 7 (32-bit) compatibility | Nexthink Library (deprecated) | Field |
|
|
|
Indicates the Windows 7 (32-bit) compatibility of the package:
| |||||
| NXQL ID: | windows_7_32bit_compatibility | ||||
| Windows 7 (64-bit) compatibility | Nexthink Library (deprecated) | Field |
|
|
|
Indicates the Windows 7 (64-bit) compatibility of the package:
| |||||
| NXQL ID: | windows_7_64bit_compatibility | ||||
Application
Sets of executables (e.g. 'Microsoft Office')
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Application crash ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application crashes per 100 executions. | |||||
| NXQL ID: | application_crash_ratio | ||||
| Application not responding event ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application not responding events per 100 executions. | |||||
| NXQL ID: | application_not_responding_event_ratio | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average memory usage per execution | Activity | Aggregate |
|
|
|
| Indicates the average memory usage of all underlying executions before aggregation. The value is the average
memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
| |||||
| NXQL ID: | average_memory_usage_per_execution | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Binary paths | Activity | Aggregate |
|
|
|
| List of executed binary paths (max. 50 paths) | |||||
| Company | Properties | Field |
|
|
|
| Company producing the application | |||||
| NXQL ID: | company | ||||
| CPU usage ratio | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | cpu_usage_ratio | ||||
| Cumulated execution duration | Activity | Aggregate |
|
|
|
| Cumulated duration of executions | |||||
| NXQL ID: | cumulated_execution_duration | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the application. | |||||
| NXQL ID: | database_usage | ||||
| Description | Properties | Field |
|
|
|
| Application description | |||||
| NXQL ID: | description | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the application was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| High application thread CPU time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration. | |||||
| NXQL ID: | high_application_thread_cpu_time_ratio | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming network traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_network_traffic_per_device | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| Known packages | Properties | Field |
|
|
|
| List of packages known to contain the application. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the application was installed through that package | |||||
| NXQL ID: | known_packages | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the application was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Name | Properties | Field |
|
|
|
| Application name | |||||
| NXQL ID: | name | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of application crashes | Errors | Aggregate |
|
|
|
| Number of application crashes | |||||
| NXQL ID: | number_of_application_crashes | ||||
| Number of application not responding events | Errors | Aggregate |
|
|
|
| Number of application not responding events | |||||
| NXQL ID: | number_of_application_not_responding_events | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of executions | Activity | Aggregate |
|
|
|
| Number of executions | |||||
| NXQL ID: | number_of_executions | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing network traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_network_traffic_per_device | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Platform | Properties | Field |
|
|
|
| The platform (operating system family) on which the application is running | |||||
| NXQL ID: | platform | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| Storage policy | Properties | Field |
|
|
|
Indicates the event storage policy for the application. Possible values are:
| |||||
| NXQL ID: | storage_policy | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Total active days | Activity | Field |
|
|
|
| Total number of days the application was active | |||||
| NXQL ID: | total_active_days | ||||
| Total CPU time | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on package name and application company). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Executable
Executable programs (e.g. 'winword.exe')
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Application company | Properties | Field |
|
|
|
| Application company | |||||
| NXQL ID: | application_company | ||||
| Application crash ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application crashes per 100 executions. | |||||
| NXQL ID: | application_crash_ratio | ||||
| Application name | Properties | Field |
|
|
|
| Application name | |||||
| NXQL ID: | application_name | ||||
| Application not responding event ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application not responding events per 100 executions. | |||||
| NXQL ID: | application_not_responding_event_ratio | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average memory usage per execution | Activity | Aggregate |
|
|
|
| Indicates the average memory usage of all underlying executions before aggregation. The value is the average
memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
| |||||
| NXQL ID: | average_memory_usage_per_execution | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Binary paths | Activity | Aggregate |
|
|
|
| List of executed binary paths (max. 50 paths) | |||||
| CPU usage ratio | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | cpu_usage_ratio | ||||
| Cumulated execution duration | Activity | Aggregate |
|
|
|
| Cumulated duration of executions | |||||
| NXQL ID: | cumulated_execution_duration | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the executable. | |||||
| NXQL ID: | database_usage | ||||
| Description | Properties | Field |
|
|
|
| Executable description | |||||
| NXQL ID: | description | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the executable was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| High application thread CPU time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration. | |||||
| NXQL ID: | high_application_thread_cpu_time_ratio | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming network traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_network_traffic_per_device | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| Known packages | Properties | Field |
|
|
|
| List of packages known to contain the executable. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the executable was installed through that package | |||||
| NXQL ID: | known_packages | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the executable was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Name | Properties | Field |
|
|
|
| Executable name | |||||
| NXQL ID: | name | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of application crashes | Errors | Aggregate |
|
|
|
| Number of application crashes | |||||
| NXQL ID: | number_of_application_crashes | ||||
| Number of application not responding events | Errors | Aggregate |
|
|
|
| Number of application not responding events | |||||
| NXQL ID: | number_of_application_not_responding_events | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executions | Activity | Aggregate |
|
|
|
| Number of executions | |||||
| NXQL ID: | number_of_executions | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing network traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_network_traffic_per_device | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Platform | Properties | Field |
|
|
|
| The platform (operating system family) on which the executable is running | |||||
| NXQL ID: | platform | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| Storage policy | Properties | Field |
|
|
|
Indicates the event storage policy for the executable. Possible values are:
| |||||
| NXQL ID: | storage_policy | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Total active days | Activity | Field |
|
|
|
| Total number of days the executable was active | |||||
| NXQL ID: | total_active_days | ||||
| Total CPU time | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on application name, application company and executable name). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Binary
Executable binary files (e.g. 'winword.exe - 10.0.6843')
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Application category | Properties | Field |
|
|
|
Indicates the category of the application:
| |||||
| NXQL ID: | application_category | ||||
| Application company | Properties | Field |
|
|
|
| Application company | |||||
| NXQL ID: | application_company | ||||
| Application crash ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application crashes per 100 executions. | |||||
| NXQL ID: | application_crash_ratio | ||||
| Application name | Properties | Field |
|
|
|
| Application name | |||||
| NXQL ID: | application_name | ||||
| Application not responding event ratio | Errors | Aggregate |
|
|
|
| Indicates the number of application not responding events per 100 executions. | |||||
| NXQL ID: | application_not_responding_event_ratio | ||||
| Average CPU usage (deprecated) | Activity | Field |
|
|
|
| Indicates the average CPU usage over all logical processors since the first time the binary was seen. The value is the average CPU usage
sampled every 5 minutes for each execution divided by the number of samples. | |||||
| NXQL ID: | average_cpu_usage | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average memory usage (deprecated) | Activity | Field |
|
|
|
| Indicates the average memory usage since the first time the binary was seen. The value is the sum of the memory usage
sampled every 5 minutes for each execution divided by the number of samples. | |||||
| NXQL ID: | average_memory_usage | ||||
| Average memory usage per execution | Activity | Aggregate |
|
|
|
| Indicates the average memory usage of all underlying executions before aggregation. The value is the average
memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.
| |||||
| NXQL ID: | average_memory_usage_per_execution | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average number of graphical handles | Activity | Field |
|
|
|
| Average number of graphical handles (GDI) | |||||
| NXQL ID: | average_number_of_graphical_handles | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Binary paths | Activity | Aggregate |
|
|
|
| List of executed binary paths (max. 50 paths) | |||||
| CPU usage ratio | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | cpu_usage_ratio | ||||
| Cumulated execution duration | Activity | Aggregate |
|
|
|
| Cumulated duration of executions | |||||
| NXQL ID: | cumulated_execution_duration | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the binary. | |||||
| NXQL ID: | database_usage | ||||
| Description | Properties | Field |
|
|
|
| Description as it appears in the binary file | |||||
| NXQL ID: | description | ||||
| Executable name | Properties | Field |
|
|
|
| Executable name | |||||
| NXQL ID: | executable_name | ||||
| File size | Properties | Field |
|
|
|
| Binary file size | |||||
| NXQL ID: | file_size | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the binary was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| High application thread CPU time ratio | Warnings | Aggregate |
|
|
|
| Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration. | |||||
| NXQL ID: | high_application_thread_cpu_time_ratio | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming network traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_network_traffic_per_device | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the binary was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| MD5 hash | Properties | Field |
|
|
|
| Indicates the MD5 hash of the binary. | |||||
| NXQL ID: | hash | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of application crashes | Errors | Aggregate |
|
|
|
| Number of application crashes | |||||
| NXQL ID: | number_of_application_crashes | ||||
| Number of application not responding events | Errors | Aggregate |
|
|
|
| Number of application not responding events | |||||
| NXQL ID: | number_of_application_not_responding_events | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executions | Activity | Aggregate |
|
|
|
| Number of executions | |||||
| NXQL ID: | number_of_executions | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing network traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_network_traffic_per_device | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Paths | Properties | Field |
|
|
|
| List of paths of the binary | |||||
| NXQL ID: | paths | ||||
| Platform | Properties | Field |
|
|
|
| The platform (operating system family) on which the binary is running | |||||
| NXQL ID: | platform | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| SHA-1 hash | Properties | Field |
|
|
|
| Indicates the SHA-1 hash of the binary. | |||||
| NXQL ID: | sha1 | ||||
| SHA-256 hash | Properties | Field |
|
|
|
| Indicates the SHA-256 hash of the binary. | |||||
| NXQL ID: | sha256 | ||||
| Storage policy | Properties | Field |
|
|
|
Indicates the event storage policy for the binary. Possible values are:
| |||||
| NXQL ID: | storage_policy | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Threat level | Properties | Field |
|
|
|
Indicates the threat level of the binary:
| |||||
| NXQL ID: | threat_level | ||||
| Total active days | Activity | Field |
|
|
|
| Total number of days the binary was active | |||||
| NXQL ID: | total_active_days | ||||
| Total CPU time | Activity | Aggregate |
|
|
|
| Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on binary hash). | |||||
| User interface | Properties | Field |
|
|
|
| Application has interactive user interface | |||||
| NXQL ID: | user_interface | ||||
| Version | Properties | Field |
|
|
|
| Version of the binary | |||||
| NXQL ID: | version | ||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Port
Connection ports (TCP or UDP)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the port was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming network traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_network_traffic_per_device | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the port was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of applications | Inventory | Aggregate |
|
|
|
| Number of applications | |||||
| NXQL ID: | number_of_applications | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing network traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_network_traffic_per_device | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Port number | Properties | Field |
|
|
|
| Port number | |||||
| NXQL ID: | port_number | ||||
| Port type | Properties | Field |
|
|
|
| Port type (tcp, udp, tcp port scan, udp port scan) | |||||
| NXQL ID: | port_type | ||||
| Port type/Port number | Properties | Field |
|
|
|
| Port value for tagging | |||||
| NXQL ID: | port_value | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on port number). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Destination
Devices receiving connections
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Average incoming network bitrate | Availability | Aggregate |
|
|
|
| Average incoming network bitrate | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average network response time | Availability | Aggregate |
|
|
|
| Indicates the average TCP connection establishment time of all underlying connections. The value is
the average TCP connection establishment time of all executions weighted by their cardinality. | |||||
| NXQL ID: | average_network_response_time | ||||
| Average outgoing network bitrate | Availability | Aggregate |
|
|
|
| Average outgoing network bitrate | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Cumulated network connection duration | Activity | Aggregate |
|
|
|
| Cumulated duration of TCP connections | |||||
| NXQL ID: | cumulated_connection_duration | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the destination. | |||||
| NXQL ID: | database_usage | ||||
| First seen | Properties | Field |
|
|
|
| First time activity to the destination was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Incoming network traffic | Traffic | Aggregate |
|
|
|
| Total network incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming network traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_network_traffic_per_device | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| IP address | Properties | Field |
|
|
|
| IP address for the destination | |||||
| NXQL ID: | ip_address | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity to the destination was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Name | Properties | Field |
|
|
|
| Reverse lookup name | |||||
| NXQL ID: | name | ||||
| Network availability level | Availability | Aggregate |
|
|
|
Indicates the ratio of successful TCP connections. The possible values are:
| |||||
| NXQL ID: | network_availability_level | ||||
| Number of applications | Inventory | Aggregate |
|
|
|
| Number of applications | |||||
| NXQL ID: | number_of_applications | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of connections | Activity | Aggregate |
|
|
|
| Number of connections | |||||
| NXQL ID: | number_of_connections | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of domains | Inventory | Aggregate |
|
|
|
| Number of domains | |||||
| NXQL ID: | number_of_domains | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing network traffic | Traffic | Aggregate |
|
|
|
| Total network outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing network traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing network traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_network_traffic_per_device | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Successful network connections ratio | Availability | Aggregate |
|
|
|
| Percentage of successful TCP connections | |||||
| NXQL ID: | successful_connections_ratio | ||||
| Total network traffic | Traffic | Aggregate |
|
|
|
| Total network traffic (incoming and outgoing) | |||||
| NXQL ID: | total_network_traffic | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on destination ip address). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Domain
Domain names
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate |
|
|
|
| Start time of investigated activity | |||||
| NXQL ID: | activity_start_time | ||||
| Activity stop time | Activity | Aggregate |
|
|
|
| Stop time of investigated activity | |||||
| NXQL ID: | activity_stop_time | ||||
| Average incoming web bitrate | Availability | Aggregate |
|
|
|
| Average incoming bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_incoming_bitrate | ||||
| Average outgoing web bitrate | Availability | Aggregate |
|
|
|
| Average outgoing bitrate of all underlying web requests, consolidated over time | |||||
| NXQL ID: | average_outgoing_bitrate | ||||
| Average web request duration | Availability | Aggregate |
|
|
|
| Average time between request and last response byte | |||||
| NXQL ID: | average_request_duration | ||||
| Average web request size | Traffic | Aggregate |
|
|
|
| Average size of web requests | |||||
| NXQL ID: | average_request_size | ||||
| Average web response size | Traffic | Aggregate |
|
|
|
| Average size of web responses | |||||
| NXQL ID: | average_response_size | ||||
| Database usage | Properties | Field |
|
|
|
| Indicates the percentage of the Engine database used by the domain. | |||||
| NXQL ID: | database_usage | ||||
| Domain category | Properties | Field |
|
|
|
Indicates the category of the domain:
| |||||
| NXQL ID: | domain_category | ||||
| First seen | Properties | Field |
|
|
|
| The first time the domain has been seen | |||||
| NXQL ID: | first_seen | ||||
| Highest local privilege level reached | Activity | Aggregate |
|
|
|
| Highest local privilege level reached for executions (user, power user, administrator) | |||||
| NXQL ID: | highest_local_privilege_reached | ||||
| Hosting country | Properties | Field |
|
|
|
Indicates in which country the domain is hosted:
| |||||
| NXQL ID: | hosting_country | ||||
| Hostname | Properties | Field |
|
|
|
| The hostname of the fully qualified domain name | |||||
| NXQL ID: | hostname | ||||
| Incoming web traffic | Traffic | Aggregate |
|
|
|
| Total web incoming traffic | |||||
| NXQL ID: | incoming_traffic | ||||
| Incoming web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the incoming web traffic divided by the number of devices. | |||||
| NXQL ID: | incoming_web_traffic_per_device | ||||
| Internal domain | Properties | Field |
|
|
|
Indicates whether the domain is considered internal:
| |||||
| NXQL ID: | internal_domain | ||||
| Last seen | Properties | Field |
|
|
|
| The last time the domain has been seen | |||||
| NXQL ID: | last_seen | ||||
| Lowest observed web protocol version | Activity | Aggregate |
|
|
|
| Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | |||||
| NXQL ID: | lowest_protocol_version | ||||
| Name | Properties | Field |
|
|
|
| The fully qualified domain name | |||||
| NXQL ID: | name | ||||
| Number of applications | Inventory | Aggregate |
|
|
|
| Number of applications | |||||
| NXQL ID: | number_of_applications | ||||
| Number of binaries | Inventory | Aggregate |
|
|
|
| Number of binaries | |||||
| NXQL ID: | number_of_binaries | ||||
| Number of destinations | Inventory | Aggregate |
|
|
|
| Number of destinations | |||||
| NXQL ID: | number_of_destinations | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of executables | Inventory | Aggregate |
|
|
|
| Number of executables | |||||
| NXQL ID: | number_of_executables | ||||
| Number of ports | Inventory | Aggregate |
|
|
|
| Number of ports | |||||
| NXQL ID: | number_of_ports | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Number of web requests | Activity | Aggregate |
|
|
|
| Number of web requests | |||||
| NXQL ID: | number_of_web_requests | ||||
| Outgoing web traffic | Traffic | Aggregate |
|
|
|
| Total web outgoing traffic | |||||
| NXQL ID: | outgoing_traffic | ||||
| Outgoing web traffic per device | Traffic | Aggregate |
|
|
|
| Indicates the outgoing web traffic divided by the number of devices. | |||||
| NXQL ID: | outgoing_web_traffic_per_device | ||||
| Protocols used in web requests | Activity | Aggregate |
|
|
|
| Protocols used in web requests (HTTP, TLS, HTTP/TLS) | |||||
| NXQL ID: | protocols_used_in_requests | ||||
| Reputation | Properties | Field |
|
|
|
Indicates the reputation of the domain:
| |||||
| NXQL ID: | threat_level | ||||
| Storage policy | Properties | Field |
|
|
|
| Event storage policy for the domain (web request or none) | |||||
| NXQL ID: | storage | ||||
| Successful HTTP requests ratio | Availability | Aggregate |
|
|
|
| Percentage of successful HTTP requests (1xx, 2xx and 3xx) | |||||
| NXQL ID: | successful_http_requests_ratio | ||||
| Total web traffic | Traffic | Aggregate |
|
|
|
| Total web traffic (incoming and outgoing) | |||||
| NXQL ID: | total_web_traffic | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on domain name). | |||||
| Web interaction time | Activity | Aggregate |
|
|
|
| Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | |||||
| NXQL ID: | cumulated_web_interaction_duration | ||||
Printer
Installed printers (local, network, shared or virtual)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Display name | Properties | Field |
|
|
|
| Most frequently seen display name | |||||
| NXQL ID: | real_name | ||||
| First seen | Properties | Field |
|
|
|
| First time activity of the printer was recorded on any device | |||||
| NXQL ID: | first_seen | ||||
| Hostname | Properties | Field |
|
|
|
Indicates where the printer is hosted:
| |||||
| NXQL ID: | host_name | ||||
| Last seen | Properties | Field |
|
|
|
| Last time activity of the printer was recorded on any device | |||||
| NXQL ID: | last_seen | ||||
| Location | Properties | Field |
|
|
|
| Printer location | |||||
| NXQL ID: | location | ||||
| Model | Properties | Field |
|
|
|
| Printer model | |||||
| NXQL ID: | model | ||||
| Name | Properties | Field |
|
|
|
| Unique printer name | |||||
| NXQL ID: | name | ||||
| Number of devices | Inventory | Aggregate |
|
|
|
| Number of devices | |||||
| NXQL ID: | number_of_devices | ||||
| Number of print jobs | Activity | Aggregate |
|
|
|
| Number of print jobs | |||||
| NXQL ID: | number_of_printouts | ||||
| Number of printed pages | Activity | Aggregate |
|
|
|
| Number of printed pages | |||||
| NXQL ID: | number_of_printed_pages | ||||
| Number of users | Inventory | Aggregate |
|
|
|
| Number of users | |||||
| NXQL ID: | number_of_users | ||||
| Type | Properties | Field |
|
|
|
The type of the printer:
| |||||
| NXQL ID: | type | ||||
| UID | Properties | Field |
|
|
|
| Indicates the universally unique identifier (based on printer name and model). | |||||
Activities
Activities represent actions performed by Objects.
Installation
Installations or uninstallations of software packages
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Device ID | Device | Field |
|
|
|
| Unique identifier code of the installation target device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the installation target device | |||||
| ID | Properties | Field |
|
|
|
| Unique installation identifier code | |||||
| NXQL ID: | id | ||||
| Operation type | Properties | Field |
|
|
|
| Type of operation (installation, uninstallation) | |||||
| NXQL ID: | type | ||||
| Package ID | Package | Field |
|
|
|
| Unique identifier code of the installed package | |||||
| Package name | Package | Field |
|
|
|
| Name of the installed package | |||||
| Package program | Package | Field |
|
|
|
| Program of the installed package | |||||
| Package publisher | Package | Field |
|
|
|
| Name of the installed package publisher | |||||
| Package type | Package | Field |
|
|
|
Package type:
| |||||
| Package version | Package | Field |
|
|
|
| Version of the installed package | |||||
| Time of installation | Properties | Field |
|
|
|
| Installation start time | |||||
| NXQL ID: | time | ||||
Execution
Executing processes (merged when in close succession)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Application name | Application | Field |
|
|
|
| Executed application name | |||||
| Average memory usage | Activity | Field |
|
|
|
Indicates the average memory usage of the underlying executions before aggregation with a sampling resolution of 5 minutes.
| |||||
| NXQL ID: | average_memory_usage | ||||
| Binary path | Application | Field |
|
|
|
| Executed binary path | |||||
| NXQL ID: | binary_path | ||||
| Binary version | Application | Field |
|
|
|
| Executed binary version | |||||
| Cardinality | Properties | Field |
|
|
|
| Number of underlying processes, consolidated over time | |||||
| NXQL ID: | cardinality | ||||
| Device ID | Device | Field |
|
|
|
| Unique identifier code of the executing device | |||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses of the executing device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the executing device | |||||
| Duration | Properties | Field |
|
|
|
| Total execution duration | |||||
| NXQL ID: | duration | ||||
| End time | Properties | Field |
|
|
|
| Execution end time | |||||
| NXQL ID: | end_time | ||||
| Executable name | Application | Field |
|
|
|
| Executed executable name | |||||
| ID | Properties | Field |
|
|
|
| Unique execution identifier code | |||||
| NXQL ID: | id | ||||
| Incoming TCP traffic | Traffic | Field |
|
|
|
| Incoming TCP traffic | |||||
| NXQL ID: | incoming_tcp_traffic | ||||
| Lifespan | Properties | Field |
|
|
|
| Execution lifespan in relation to investigation time frame | |||||
| Outgoing TCP traffic | Traffic | Field |
|
|
|
| Outgoing TCP traffic | |||||
| NXQL ID: | outgoing_tcp_traffic | ||||
| Outgoing UDP traffic | Traffic | Field |
|
|
|
| Outgoing UDP traffic | |||||
| NXQL ID: | outgoing_udp_traffic | ||||
| Privilege level | Properties | Field |
|
|
|
| Privilege level of the execution (user, power user, administrator) | |||||
| NXQL ID: | privilege_level | ||||
| Signature ID | Properties | Field |
|
|
|
| ID of the related execution signature, i.e. a user executing a certain process on a particular device | |||||
| NXQL ID: | usage | ||||
| Start time | Properties | Field |
|
|
|
| Execution start time | |||||
| NXQL ID: | start_time | ||||
| Status | Properties | Field |
|
|
|
| Status of the execution (started, stopped) | |||||
| NXQL ID: | status | ||||
| Total CPU time | Properties | Field |
|
|
|
| Indicates the sum of the CPU time of all executions (before aggregation by the Engine) over all logical processors.
Executions shorter than 30 seconds are ignored.
| |||||
| NXQL ID: | total_cpu_time | ||||
| User ID | User | Field |
|
|
|
| Unique identifier code of the executing user | |||||
| User name | User | Field |
|
|
|
| Name of the executing user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
Connection
TCP or UDP connections (merged when in close succession)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Application name | Application | Field |
|
|
|
| Name of the connecting application | |||||
| Average network response time | Availability | Field |
|
|
|
| Indicates the average TCP connection establishment time. The value is the average over
all underlying connections before aggregation. | |||||
| NXQL ID: | network_response_time | ||||
| Binary paths | Application | Field |
|
|
|
| Paths of the connecting binary | |||||
| Binary version | Application | Field |
|
|
|
| Version of the connecting binary | |||||
| Cardinality | Properties | Field |
|
|
|
| Number of underlying connections, consolidated over time | |||||
| NXQL ID: | cardinality | ||||
| Connection type | Properties | Field |
|
|
|
| Type of the connection (tcp, udp, tcp network scan, tcp port scan, udp network scan, udp port scan) | |||||
| NXQL ID: | type | ||||
| Destination IP address | Destination | Field |
|
|
|
| IP address of the connection destination | |||||
| NXQL ID: | destination_ip_address | ||||
| Destination name | Destination | Field |
|
|
|
| Name of the connection destination | |||||
| Device ID | Device | Field |
|
|
|
| Unique identifier code of the connecting device | |||||
| Device IP address | Device | Field |
|
|
|
| IP address of the connecting device | |||||
| NXQL ID: | device_ip_address | ||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier for the connecting device | |||||
| Duration | Properties | Field |
|
|
|
| The time between the start of the first connection and end of the last underlying connection | |||||
| NXQL ID: | duration | ||||
| End time | Properties | Field |
|
|
|
| Connection end time, corresponding to the moment when the last underlying TCP connection was closed | |||||
| NXQL ID: | end_time | ||||
| Executable name | Application | Field |
|
|
|
| Name of the connecting executable | |||||
| ID | Properties | Field |
|
|
|
| Unique connection identifier code | |||||
| NXQL ID: | id | ||||
| Incoming bitrate | Availability | Field |
|
|
|
| Average incoming bitrate of all underlying connections, consolidated over time | |||||
| NXQL ID: | incoming_bitrate | ||||
| Incoming TCP traffic | Traffic | Field |
|
|
|
| Incoming TCP traffic | |||||
| Lifespan | Properties | Field |
|
|
|
| Connection lifespan in relation to investigation time frame | |||||
| Outgoing bitrate | Availability | Field |
|
|
|
| Average outgoing bitrate of all underlying connections, consolidated over time | |||||
| NXQL ID: | outgoing_bitrate | ||||
| Outgoing TCP traffic | Traffic | Field |
|
|
|
| Outgoing TCP traffic | |||||
| Outgoing UDP traffic | Traffic | Field |
|
|
|
| Outgoing UDP traffic | |||||
| Port number | Port | Field |
|
|
|
| Port number of the connection | |||||
| Signature ID | Properties | Field |
|
|
|
| ID of the related connection signature, i.e. a user executing a certain process on a particular device which connects to a certain destination/port | |||||
| NXQL ID: | signature_id | ||||
| Start time | Properties | Field |
|
|
|
| Connection start time | |||||
| NXQL ID: | start_time | ||||
| Status | Properties | Field |
|
|
|
| Status of the connection (established, rejected, no service, no host, closed) | |||||
| NXQL ID: | status | ||||
| User ID | User | Field |
|
|
|
| Unique identifier code of the connecting user | |||||
| User name | User | Field |
|
|
|
| Name of connecting user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
Web request
HTTP or TLS requests
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Application name | Application | Field |
|
|
|
| Name of the application which made the web request | |||||
| Binary paths | Application | Field |
|
|
|
| Paths of the binary which made the web request | |||||
| Binary version | Application | Field |
|
|
|
| Version of the binary which made the web request | |||||
| Cardinality | Properties | Field |
|
|
|
| Number of underlying web requests, consolidated over time | |||||
| NXQL ID: | cardinality | ||||
| Connections duration | Properties | Field |
|
|
|
| The time between start of the first connection and end of the last underlying connection | |||||
| NXQL ID: | connections_duration | ||||
| Device ID | Device | Field |
|
|
|
| Unique identifier code of the web request source | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the web request source | |||||
| Domain name | Domain | Field |
|
|
|
| Name of the web request destination domain | |||||
| End time | Properties | Field |
|
|
|
| Web request end time, corresponding to the moment when the last underlying TCP connection was closed | |||||
| NXQL ID: | end_time | ||||
| Executable name | Application | Field |
|
|
|
| Name of the executable which made the web request | |||||
| HTTP status | Properties | Field |
|
|
|
| HTTP response status code | |||||
| NXQL ID: | http_status | ||||
| ID | Properties | Field |
|
|
|
| Unique request identifier code | |||||
| NXQL ID: | id | ||||
| Incoming web traffic | Traffic | Field |
|
|
|
| Incoming web traffic of all underlying web requests, consolidated over time | |||||
| NXQL ID: | incoming_traffic | ||||
| Network response time | Availability | Field |
|
|
|
| Average TCP connection establishment time of all underlying connections, consolidated over time | |||||
| NXQL ID: | network_response_time | ||||
| Outgoing web traffic | Properties | Field |
|
|
|
| Outgoing web traffic of all underlying web requests, consolidated over time | |||||
| NXQL ID: | outgoing_traffic | ||||
| Port number | Port | Field |
|
|
|
| Port number of the web request | |||||
| Protocol | Properties | Field |
|
|
|
| Web request protocol (HTTP, TLS) | |||||
| NXQL ID: | protocol | ||||
| Protocol version | Properties | Field |
|
|
|
| Web request protocol version | |||||
| NXQL ID: | protocol_version | ||||
| Service related | Properties | Field |
|
|
|
Indicates whether the web request is related to a configured service:
| |||||
| NXQL ID: | service_related | ||||
| Signature ID | Properties | Field |
|
|
|
| ID of the related web request signature, i.e. a user executing a certain process on a particular device which emits requests to a specific domain | |||||
| NXQL ID: | signature_id | ||||
| Start time | Properties | Field |
|
|
|
| Web request start time | |||||
| NXQL ID: | start_time | ||||
| URL path | Properties | Field |
|
|
|
Indicates the expression used to match the web request against web-based services with URL path:
'-': the web request did not match against any service with URL path | |||||
| User ID | User | Field |
|
|
|
| Unique identifier code of the user who made the web request | |||||
| User name | User | Field |
|
|
|
| Name of the user who made the web request | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user who made the web request.
| |||||
| Web request duration | Properties | Field |
|
|
|
| Average time between request and last response byte of all underlying requests, consolidated over time | |||||
| NXQL ID: | web_request_duration | ||||
Print job
Print job submissions to printer drivers
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Color enabled | Properties | Field |
|
|
|
| Indicates whether the print job has the capability to print in color. Color settings defined by the application performing the print job (usually through the application print dialog) are not taken into account. | |||||
| NXQL ID: | color_print | ||||
| Device ID | Device | Field |
|
|
|
| Unique identifier of the print job source | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the print job source | |||||
| Document type | Properties | Field |
|
|
|
| Type of printed document | |||||
| NXQL ID: | document_type | ||||
| Duplex print | Properties | Field |
|
|
|
| Indicates whether the pages are printed on both sides of the sheet. | |||||
| NXQL ID: | duplex | ||||
| ID | Properties | Field |
|
|
|
| Unique print job identifier | |||||
| NXQL ID: | id | ||||
| Number of pages | Properties | Field |
|
|
|
| Number of printed pages | |||||
| NXQL ID: | number_of_printed_pages | ||||
| Paper size | Properties | Field |
|
|
|
| Paper size for printed pages | |||||
| NXQL ID: | page_size | ||||
| Print quality | Properties | Field |
|
|
|
| Print quality | |||||
| NXQL ID: | print_quality | ||||
| Printer model | Printer | Field |
|
|
|
| Model of printer | |||||
| Printer name | Printer | Field |
|
|
|
| Name of printer | |||||
| Size | Properties | Field |
|
|
|
| Print job size in bytes | |||||
| NXQL ID: | size | ||||
| Status | Properties | Field |
|
|
|
Status of the print job:
| |||||
| NXQL ID: | status | ||||
| Time | Properties | Field |
|
|
|
| Print job time | |||||
| NXQL ID: | time | ||||
| User ID | User | Field |
|
|
|
| Unique identifier code of the printing user | |||||
| User name | User | Field |
|
|
|
| Name of the printing user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
System boot
System boots (timed between kernel start and launch of 'logonui.exe' process)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Device ID | Device | Field |
|
|
|
| Unique device identifier | |||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Duration | Properties | Field |
|
|
|
| Indicates the time between the kernel start and the launch of the 'logonui.exe' process | |||||
| ID | Properties | Field |
|
|
|
| Boot event identifier | |||||
| Time | Properties | Field |
|
|
|
| Time of boot | |||||
User logon
User logons
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Device ID | Device | Field |
|
|
|
| Unique device identifier code | |||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Duration | Properties | Field |
|
|
|
| Indicates the time between the user logging on and the desktop being shown. | |||||
| Extended duration | Properties | Field |
|
|
|
| Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU
usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%. | |||||
| ID | Properties | Field |
|
|
|
| User logon event identifier code | |||||
| Time | Properties | Field |
|
|
|
| Time of user logon | |||||
| User ID | User | Field |
|
|
|
| Unique user identifier code | |||||
| User name | User | Field |
|
|
|
| Name of user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
Events
Events are warning or errors.
Device warning
Peaks in system resource usage (CPU, memory or I/O)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Device ID | Device | Field |
|
|
|
| Unique device identifier | |||||
| NXQL ID: | device | ||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Duration | Properties | Field |
|
|
|
| Indicates the duration of the event. | |||||
| NXQL ID: | duration | ||||
| End time | Properties | Field |
|
|
|
| Performance event end time | |||||
| NXQL ID: | end_time | ||||
| Event info | Properties | Field |
|
|
|
| Performance event information | |||||
| NXQL ID: | info | ||||
| High io usage | Warnings | Field |
|
|
|
| High io usage | |||||
| High memory usage | Warnings | Field |
|
|
|
| High memory usage | |||||
| High overall CPU usage | Warnings | Field |
|
|
|
| High overall CPU usage. | |||||
| High page faults | Warnings | Field |
|
|
|
| High number of page faults | |||||
| High thread CPU usage (deprecated) | Warnings | Field |
|
|
|
| High thread CPU usage (deprecated). | |||||
| ID | Properties | Field |
|
|
|
| Unique performance event identifier | |||||
| NXQL ID: | id | ||||
| Start time | Properties | Field |
|
|
|
| Performance event start time | |||||
| NXQL ID: | start_time | ||||
| Warning duration | Properties | Field |
|
|
|
| Indicates the effective duration of the warning; it can be shorter than the event duration when the high
CPU usage is not continuous.
| |||||
| NXQL ID: | warning_duration | ||||
Device error
Critical system errors (system crash, hard reset, or disk failure)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Device ID | Device | Field |
|
|
|
| Unique device identifier code | |||||
| NXQL ID: | device | ||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Error code | Properties | Field |
|
|
|
| Indicates the error code for system crashes (Windows bluescreens). | |||||
| NXQL ID: | error_code | ||||
| Error label | Properties | Field |
|
|
|
| Indicates the error label for system crashes (Windows bluescreens). | |||||
| NXQL ID: | error_label | ||||
| ID | Properties | Field |
|
|
|
| Problem identifier code | |||||
| NXQL ID: | id | ||||
| Time | Properties | Field |
|
|
|
| Time of error | |||||
| NXQL ID: | time | ||||
| Type | Properties | Field |
|
|
|
Indicates the device error type, with the following possible values:
| |||||
| NXQL ID: | type | ||||
Execution warning
Peaks in application resource usage (CPU or memory)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Application name | Application | Field |
|
|
|
| Name of application | |||||
| Binary version | Application | Field |
|
|
|
| Version of binary | |||||
| Device ID | Device | Field |
|
|
|
| Unique device identifier | |||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Duration | Properties | Field |
|
|
|
| Indicates the duration of the event. | |||||
| NXQL ID: | duration | ||||
| End time | Properties | Field |
|
|
|
| Performance event end time | |||||
| NXQL ID: | end_time | ||||
| Event info | Properties | Field |
|
|
|
| Performance event information | |||||
| Executable name | Application | Field |
|
|
|
| Name of executable | |||||
| High memory usage | Warnings | Field |
|
|
|
| High memory usage | |||||
| High thread CPU usage | Warnings | Field |
|
|
|
| High thread CPU usage | |||||
| ID | Properties | Field |
|
|
|
| Unique performance event identifier code | |||||
| NXQL ID: | id | ||||
| Signature ID | Properties | Field |
|
|
|
| ID of the related execution event signature, i.e. a user executing a certain process on a particular device | |||||
| NXQL ID: | signature_id | ||||
| Start time | Properties | Field |
|
|
|
| Performance event start time | |||||
| NXQL ID: | start_time | ||||
| User ID | User | Field |
|
|
|
| Unique user identifier code | |||||
| User name | User | Field |
|
|
|
| Name of user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||
| Warning duration | Properties | Field |
|
|
|
| Indicates the effective duration of the warning; it can be shorter than the event duration when the high
CPU usage is not continuous.
| |||||
| NXQL ID: | warning_duration | ||||
Execution error
Application errors (crash or not responding)
| Field | Group | Type |
|
|
|
|---|---|---|---|---|---|
| Application name | Application | Field |
|
|
|
| Name of application | |||||
| Binary version | Application | Field |
|
|
|
| Version of binary | |||||
| Device ID | Device | Field |
|
|
|
| Unique device identifier code | |||||
| Device IP addresses | Device | Field |
|
|
|
| List of IP addresses for the device | |||||
| Device name | Device | Field |
|
|
|
Indicates the name of the device:
| |||||
| Device SID | Device | Field |
|
|
|
| Windows security identifier of the device | |||||
| Executable name | Application | Field |
|
|
|
| Name of executable | |||||
| ID | Properties | Field |
|
|
|
| Error identifier code | |||||
| NXQL ID: | id | ||||
| Signature ID | Properties | Field |
|
|
|
| ID of the related execution error signature, i.e. a user executing a certain process on a particular device | |||||
| NXQL ID: | signature_id | ||||
| Time | Properties | Field |
|
|
|
| Time of error | |||||
| NXQL ID: | time | ||||
| Type | Properties | Field |
|
|
|
| Error type | |||||
| NXQL ID: | type | ||||
| User ID | User | Field |
|
|
|
| Unique user identifier code | |||||
| User name | User | Field |
|
|
|
| Name of user | |||||
| User SID | User | Field |
|
|
|
Indicates the Windows security identifier for the user.
| |||||