Data model

This reference article contains the complete description of Nexthink's data model.

Objects

Objects represent items recognized by Nexthink.

User

Users of devices (domain, local or system)

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Application crash ratio	Errors	Aggregate
	Indicates the number of application crashes per 100 executions.
	NXQL ID:	application_crash_ratio
Application not responding event ratio	Errors	Aggregate
	Indicates the number of application not responding events per 100 executions.
	NXQL ID:	application_not_responding_event_ratio
Average application startup duration	Activity	Aggregate
	Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen)
	NXQL ID:	average_process_start_time
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average memory usage per execution	Activity	Aggregate
	Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
	NXQL ID:	average_memory_usage_per_execution
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Binary paths	Activity	Aggregate
Binary paths	List of executed binary paths (max. 50 paths)
Country code	Properties	Field
	Indicates the Country/Region, represented as a 2-character code based on ISO-3166, as listed in Active Directory: Data available only in Nexthink Cloud '-' : No data
	NXQL ID:	country
CPU usage ratio	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
	NXQL ID:	cpu_usage_ratio
Cumulated execution duration	Activity	Aggregate
	Cumulated duration of executions
	NXQL ID:	cumulated_execution_duration
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Department	Properties	Field
	User department as listed in Active Directory
	NXQL ID:	department
Distinguished name	Properties	Field
	Active Directory distinguished name (DN)
	NXQL ID:	distinguished_name
First seen	Properties	Field
	First time activity of the user was recorded on any device
	NXQL ID:	first_seen
Full name	Properties	Field
	Full user name as listed in Active Directory
	NXQL ID:	full_name
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Job title	Properties	Field
	Job title as listed in Active Directory
	NXQL ID:	job_title
Last seen	Properties	Field
	Last time activity of the user was recorded on any device
	NXQL ID:	last_seen
Locality name	Properties	Field
	Indicates the user's locality as a city or a town, as listed in Active Directory: Data available only in Nexthink Cloud '-' : No data
	NXQL ID:	locality
Location	Properties	Field
	Indicates the user's physical delivery office location, as listed in Active Directory: Data available only in Nexthink Cloud '-' : No data
	NXQL ID:	location
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Name	Properties	Field
	User logon name
	NXQL ID:	name
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of application crashes	Errors	Aggregate
	Number of application crashes
	NXQL ID:	number_of_application_crashes
Number of application not responding events	Errors	Aggregate
	Number of application not responding events
	NXQL ID:	number_of_application_not_responding_events
Number of applications	Inventory	Aggregate
	Number of applications
	NXQL ID:	number_of_applications
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of days since last seen	Properties	Field
	Indicates the number of days since the last time the user was seen by Nexthink. The field is updated every hour.
	NXQL ID:	number_of_days_since_last_seen
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of executions	Activity	Aggregate
	Number of executions
	NXQL ID:	number_of_executions
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of print jobs	Activity	Aggregate
	Number of print jobs
	NXQL ID:	number_of_printouts
Number of printed pages	Activity	Aggregate
	Number of printed pages
	NXQL ID:	number_of_printed_pages
Number of printers	Inventory	Aggregate
	Number of printers
	NXQL ID:	number_of_printers
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Organizational unit name	Properties	Field
	Indicates the name of the organizational unit, as listed in Active Directory: Data available only in Nexthink Cloud '-' : No data
	NXQL ID:	org_unit
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
SID	Properties	Field
	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory.
	NXQL ID:	sid
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Total active days	Activity	Field
	Total number of days the user was active
	NXQL ID:	total_active_days
Total CPU time	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
Type	Properties	Field
	Type of user (local/domain/system)
	NXQL ID:	type
UID	Properties	Field
	Indicates the universally unique identifier (based on user SID).
	NXQL ID:	user_uid
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Device

Devices are Windows, Mac OS or mobile endpoints

Field	Group	Type
Access state	Exchange	Field
	Indicates whether the device can access the Exchange ActiveSync server. The possible states are: allowed: the device has access blocked: the device is blocked discovery: the device is temporarily quarantined while it is being identified by the Exchange ActiveSync server quarantined: the device is waiting for Exchange ActiveSync administrator approval
	NXQL ID:	eas_access_state
Access state reason	Exchange	Field
	Indicates the reason for the device access state. The possible values are: global: caused by the global access settings device rule: caused by a device access rule individual: caused by an individual exemption policy: caused by Exchange ActiveSync policy
	NXQL ID:	eas_access_state_reason
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
AD site	Properties	Field
	Indicates the AD site of the device as configured in the Active Directory. A '-' is displayed if the Collector is older than version 6.19 or if the device is not part of a domain.
	NXQL ID:	directory_service_site
Administrator account status	Policy	Field
	Determines whether the local Administrator account is enabled or disabled
	NXQL ID:	administrator_account_status
All antispyware	Security	Field
	Summary information about all the detected antispyware: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	all_antispywares Note: this field is not available for Windows Server operating systems.
All antiviruses	Security	Field
	Summary information about all the detected antiviruses: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	all_antiviruses Note: this field is not available for Windows Server operating systems.
All firewalls	Security	Field
	Summary information about all the detected firewalls: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	all_firewalls Note: this field is not available for Windows Server operating systems.
Antispyware display name	Security	Field
	Name of the main antispyware
	NXQL ID:	antispyware_name Note: this field is not available for Windows Server operating systems.
Antispyware RTP	Security	Field
	Indicates whether the antispyware real time protection (RTP) is active: on: indicates that RTP is active off: indicates that either RTP is not active or no antispyware has been detected unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	antispyware_rtp Note: this field is not available for Windows Server operating systems.
Antispyware up-to-date	Security	Field
	Indicates whether the antispyware is up-to-date: yes: indicates that antispyware is up-to-date no: indicates that either the antispyware is not up-to-date or no antispyware has been detected unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	antispyware_up_to_date Note: this field is not available for Windows Server operating systems.
Antivirus display name	Security	Field
	Name of the main antivirus
	NXQL ID:	antivirus_name Note: this field is not available for Windows Server operating systems.
Antivirus RTP	Security	Field
	Indicates whether the antivirus real time protection (RTP) is active: on: indicates that RTP is active off: indicates that either RTP is not active or no antivirus has been detected unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	antivirus_rtp Note: this field is not available for Windows Server operating systems.
Antivirus up-to-date	Security	Field
	Indicates whether the antivirus is up-to-date: yes: indicates that antivirus is up-to-date no: indicates that either the antivirus is not up-to-date or no antivirus has been detected unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	antivirus_up_to_date Note: this field is not available for Windows Server operating systems.
Application crash ratio	Errors	Aggregate
	Indicates the number of application crashes per 100 executions.
	NXQL ID:	application_crash_ratio
Application not responding event ratio	Errors	Aggregate
	Indicates the number of application not responding events per 100 executions.
	NXQL ID:	application_not_responding_event_ratio
Audit account logon events	Policy	Field
	Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account
	NXQL ID:	audit_account_logon_events
Audit account management	Policy	Field
	Determines whether to audit each event of account management on a computer
	NXQL ID:	audit_account_management
Audit directory service access	Policy	Field
	Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified
	NXQL ID:	audit_directory_service_access
Audit logon events	Policy	Field
	Determines whether to audit each instance of a user logging on to or logging off from a computer
	NXQL ID:	audit_logon_events
Audit object access	Policy	Field
	Determines whether to audit the event of a user accessing an object, e.g. a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified
	NXQL ID:	audit_object_access
Audit policy change	Policy	Field
	Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies
	NXQL ID:	audit_policy_change
Audit privilege use	Policy	Field
	Determines whether to audit each instance of a user exercising a user right
	NXQL ID:	audit_privilege_use
Audit process tracking	Policy	Field
	Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access
	NXQL ID:	audit_process_tracking
Audit system events	Policy	Field
	Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log
	NXQL ID:	audit_system_events
Average application startup duration	Activity	Aggregate
	Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen)
	NXQL ID:	average_process_start_time
Average boot duration	Startup	Aggregate
	Indicates the average (full or fast startup) boot duration.
	NXQL ID:	average_boot_duration
Average extended logon duration	Startup	Aggregate
	Indicates the average extended logon duration.
	NXQL ID:	average_extended_logon_duration
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average logon duration	Startup	Aggregate
	Indicates the average logon duration.
	NXQL ID:	average_logon_duration
Average memory usage per execution	Activity	Aggregate
	Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
	NXQL ID:	average_memory_usage_per_execution
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Binary paths	Activity	Aggregate
Binary paths	List of executed binary paths (max. 50 paths)
BIOS serial number	Hardware	Field
	BIOS serial number
	NXQL ID:	bios_serial_number
Chassis serial number	Hardware	Field
	Chassis serial number
	NXQL ID:	chassis_serial_number
Collector assignment	Nexthink Collector	Field
	Indicates whether Collector assignment service is enabled or disabled disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	cltr_ca_status
Collector assignment license UID	Nexthink Collector	Field
	Indicates the Collector assignment license UID
	NXQL ID:	cltr_ca_license_uid
Collector CrashGuard count	Nexthink Collector	Field
	Indicates the number of consecutive hard resets or system crashes of the device
	NXQL ID:	cltr_crash_guard_count
Collector CrashGuard limit	Nexthink Collector	Field
	Indicates the Collector CrashGuard limit
	NXQL ID:	cltr_crash_guard_limit
Collector CrashGuard protection interval	Nexthink Collector	Field
	Indicates the CrashGuard monitoring interval in minutes
	NXQL ID:	cltr_crash_guard_protection_interval
Collector CrashGuard reactivation interval	Nexthink Collector	Field
	Indicates the Collector CrashGuard reactivation interval in hours
	NXQL ID:	cltr_crash_guard_react_interval
Collector installation log	Nexthink Collector	Field
	Indicates the link to the last Nexthink Collector installation error log.
	NXQL ID:	collector_installation_log
Collector log level	Nexthink Collector	Field
	Indicates the Collector log level off: no logs critical: only critical logs are enabled error: only error and critical logs are enabled warning: only warning, error and critical logs are enabled info: only info, warning, error and critical logs are enabled debug: only debug, info, warning, error and critical logs are enabled trace: only trace, debug, info, warning, error and critical logs are enabled "-" : data not available
	NXQL ID:	cltr_log_level
Collector status	Nexthink Collector	Field
	Indicates the status of the Nexthink Collector package installed on the device: unmanaged: the Collector is not automatically updated up-to-date: the Collector is up-to-date outdated: a newer Collector version is available.
	NXQL ID:	collector_status
Collector string tag	Nexthink Collector	Field
	Indicates the Collector string tag
	NXQL ID:	cltr_string_tag
Collector tag	Nexthink Collector	Field
	Indicates the Collector installation tag.
	NXQL ID:	collector_tag
Collector update group	Nexthink Collector	Field
	Indicates the update group of Nexthink Collector: manual: the Collector is manually updated pilot: the Collector is updated as part of the pilot group main: the Collector is updated as part of the main group.
	NXQL ID:	upgrade_group
Collector update status	Nexthink Collector	Field
	Indicates the status of the Nexthink Collector updater.
	NXQL ID:	collector_update_status
Collector version	Nexthink Collector	Field
	Indicates the version of the Nexthink Collector installed on the device.
	NXQL ID:	collector_version
CPU frequency	Hardware	Field
	CPU frequency
	NXQL ID:	cpu_frequency
CPU model	Hardware	Field
	CPU model
	NXQL ID:	cpu_model
CPU usage ratio	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
	NXQL ID:	cpu_usage_ratio
Cumulated execution duration	Activity	Aggregate
	Cumulated duration of executions
	NXQL ID:	cumulated_execution_duration
Cumulated interaction time	Activity	Aggregate
	Cumulated time with user interaction (mouse or keyboard events)
	NXQL ID:	cumulated_interaction_duration
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Data transport protocol	Nexthink Collector	Field
	Specifies if the Collector data is sent over TCP or UDP UDP: the Collector data traffic is sent over UDP TCP: the Collector data traffic is sent over TCP "-" : data not available
	NXQL ID:	cltr_data_channel_protocol
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the device.
	NXQL ID:	database_usage
Device access rule	Exchange	Field
	Indicates the name of the Exchange ActiveSync device access rule and if the rule allows, blocks or quarantines the device.
	NXQL ID:	eas_device_access_rule
Device encryption required	Policy	Field
	Indicates whether device encryption is required.
	NXQL ID:	device_encryption_required
Device identity	Exchange	Field
	Indicates the identity of the device in Exchange ActiveSync server.
	NXQL ID:	eas_device_identity
Device manufacturer	Hardware	Field
	Indicates the device manufacturer.
	NXQL ID:	device_manufacturer
Device model	Hardware	Field
	Indicates the model of the device.
	NXQL ID:	device_model
Device password required	Policy	Field
	Indicates whether a password is required on the device.
	NXQL ID:	device_password_required
Device product ID	Hardware	Field
	Device product ID
	NXQL ID:	device_product_id
Device product version	Hardware	Field
	Device product version
	NXQL ID:	device_product_version
Device serial number	Hardware	Field
	Indicates the device serial number.
	NXQL ID:	device_serial_number
Device type	Hardware	Field
	Indicates the device type: desktop laptop server mobile
	NXQL ID:	device_type
Device UUID	Properties	Field
	Indicates the device universally unique identifier (UUID).
	NXQL ID:	device_uuid
Disks S.M.A.R.T. index	Hardware	Field
	Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes)
	NXQL ID:	disks_smart_index
Distinguished name	Properties	Field
	Indicates the distinguished name (DN) as seen: For Windows: in Active Directory (AD); if no connection with AD is set up, a '-' is displayed For Mobile: in the Exchange ActiveSync server
	NXQL ID:	distinguished_name
Distinguished name reported by Collector	Properties	Field
	Indicates the distinguished name as reported by the Collector. A '-' is displayed if the device is not part of a domain.
	NXQL ID:	collector_distinguished_name
Email attachment enabled	Policy	Field
	Indicates whether attachments can be downloaded to the mobile device through the Exchange ActiveSync protocol.
	NXQL ID:	email_attachment_enabled
Enforce password history	Policy	Field
	Indicates the number of unique password that have to be associated with a user account before an old password can be reused: Windows: as set up in the group policy Mobile: as set up in security policies
	NXQL ID:	enforce_password_history
Engage	Nexthink Collector	Field
	Indicates whether Engage is enabled or disabled enabled: indicates that the status of Engage service in Collector is enabled enabled except on server OS: indicates that the status of Engage service in Collector is enabled on all devices except on servers disabled: indicates that the status of Engage service in Collector is disabled "-" : data not available
	NXQL ID:	cltr_engage_service_status
Entity	Properties	Field
	Entity to which the device belongs
	NXQL ID:	entity
Exemption	Exchange	Field
	Indicates whether a personal exemption is set for the device and its user. Possible values are: none allow block
	NXQL ID:	eas_exemption
Extended logon duration baseline	Startup	Field
	Indicates the extended logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially weighted moving average).
	NXQL ID:	extended_logon_duration_baseline
Fast startup boot duration baseline	Startup	Field
	Indicated the fast startup boot duration averaged over the fast startups. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average).
	NXQL ID:	average_fast_startup_duration
Firewall display name	Security	Field
	Name of the main firewall
	NXQL ID:	firewall_name Note: this field is not available for Windows Server operating systems.
Firewall RTP	Security	Field
	Indicates whether the firewall real time protection (RTP) is active: on: indicates that RTP is active off: indicates that either RTP is not active or no firewall has been detected unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	firewall_rtp Note: this field is not available for Windows Server operating systems.
First seen	Properties	Field
	Indicates the first time when the activity of the device was recorded: For Windows and Mac OS: the first time Collector reported activity For Mobile: the first time the device was reported with a successful synchronization
	NXQL ID:	first_seen
Full boot duration baseline	Startup	Field
	Indicated the full boot duration averaged over the last full boots. In the calculation, recent full boots weigh more than older full boots (exponentially weighted moving average).
	NXQL ID:	average_boot_duration
Graphical card RAM	Hardware	Field
	Amount of RAM of the graphical card with most RAM
	NXQL ID:	graphical_card_ram
Graphical cards	Hardware	Field
	Installed graphical cards
	NXQL ID:	graphical_cards
Group name	Network	Field
	Name of computer domain or workgroup
	NXQL ID:	group_name
Guest account status	Policy	Field
	Determines if the Guest account is enabled or disabled
	NXQL ID:	guest_account_status
Hard disks	Hardware	Field
	List of all hard disks
	NXQL ID:	hard_disks
Hard disks manufacturers	Hardware	Field
	Indicates the list of hard disk manufacturers
	NXQL ID:	disks_manufacturers
High device IO throughput time ratio	Warnings	Aggregate
	Indicates the ratio between the time the device is in high IO throughput and its uptime.
	NXQL ID:	high_device_io_throughput_time_ratio
High device memory time ratio	Warnings	Aggregate
	Indicates the ratio between the time the device is in high memory usage and its uptime.
	NXQL ID:	high_device_memory_time_ratio
High device overall CPU time ratio	Warnings	Aggregate
	Indicates the ratio between the time the device is in high overall CPU usage and its uptime.
	NXQL ID:	high_device_overall_cpu_time_ratio
High device page faults time ratio	Warnings	Aggregate
	Indicates the ratio between the time the device is in high page faults and its uptime.
	NXQL ID:	high_device_page_faults_time_ratio
High device thread CPU time ratio (deprecated)	Warnings	Aggregate
High device thread CPU time ratio (deprecated)	Indicates the ratio between the time that the device is in high thread CPU usage and its uptime.
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Interaction time ratio	Activity	Aggregate
Interaction time ratio	Percentage of time with user interaction (mouse or keyboard events)
Internet security settings	Security	Field
	Internet security settings (ok, at risk or unknown)
	NXQL ID:	internet_security_settings
IP addresses	Network	Field
	Indicates the list of IP addresses seen from the Nexthink appliance. If the connection between the device and the Nexthink appliance goes through network address translation (NAT), the IP addresses will be different than the local IP addresses set-up on the device.
	NXQL ID:	ip_addresses
IP protocol DNS resolution	Nexthink Collector	Field
	Indicates the DNS resolution preference for Collector in terms of IP protocol version on the device IPv4: prefer IPv4 IPv6: prefer IPv6 "-" : data not available
	NXQL ID:	cltr_dns_res_preference
Last boot time	Startup	Field
	Indicates the time of the last (full or fast startup) boot.
	NXQL ID:	last_system_boot
Last boot time duration	Startup	Field
	Indicates the duration of the last (full or fast startup) boot.
	NXQL ID:	last_boot_duration
Last extended logon duration	Startup	Field
	Indicates the last recorded value for the time between the user logging on and the device is ready.
	NXQL ID:	last_extended_logon_duration
Last IP address	Network	Field
	Indicates the IP address seen from the Nexthink appliance. If the connection between the device and the Nexthink appliance goes through network address translation (NAT), the IP address will be different than the local IP address set-up on the device.
	NXQL ID:	last_ip_address
Last known connection status	Nexthink Collector	Field
	Indicates the last known connection status of the device: 'UDP only': the device is successfully connected via UDP. 'TCP only': the device is successfully connected via TCP. 'Fully connected': the device is successfully connected via both UDP and TCP, unless it has been configured to transmit only over TCP, in which case it has successfully connected via TCP.
	NXQL ID:	last_known_connection_status
Last local IP address	Network	Field
	Indicates the local IP address of the device. This field requires a collector version newer than 6.23 and connected through TCP.
	NXQL ID:	last_local_ip_address
Last logged on user	Startup	Field
	Last logged on user
	NXQL ID:	last_logged_on_user
Last logged on user's privileges	Startup	Field
	Privileges of the last logged on user (user, power user, administrator)
	NXQL ID:	privileges_of_last_logged_on_users
Last logon duration	Startup	Field
	Indicates the last recorded value for the time between the user logging on and the desktop is displayed.
	NXQL ID:	last_logon_duration
Last logon time	Startup	Field
	Indicates the time of the last logon.
	NXQL ID:	last_logon_time
Last policy update	Exchange	Field
	Indicates the last time the Exchange ActiveSync policy was updated on the device.
	NXQL ID:	eas_policy_update
Last seen	Properties	Field
	Indicates the last time that activity on the device was reported: For Windows and Mac OS: the last time that the Collector reported activity. For Mobile: the last time that the device successfully synchronized with the Mobile Bridge.
	NXQL ID:	last_seen
Last seen on TCP	Nexthink Collector	Field
	Indicates the last time that the device was successfully connected through the TCP channel. '-': the Collector version is older than V6.6 and does not support TCP; or the Collector has never connected to Engine in TCP.
	NXQL ID:	last_seen_on_tcp
Last system update	Operating system	Field
	Time of last system update
	NXQL ID:	last_windows_update
Last update	Nexthink Collector	Field
	Indicates the last Collector update time.
	NXQL ID:	last_update
Last update status	Nexthink Collector	Field
	Indicates the status of the last Collector update: '-': the Collector was never updated successful installation: the last Collector installation was successful package download error: the Collector was not able to download the Collector package from Nexthink Appliance package digital signature error: the Collector was not able to check the Collector package digital signature device reboot required: the device needs to be rebooted to complete the Collector installation package error: the Collector package installation has failed internal error: the Collector package installation has failed for an unexpected reason.
	NXQL ID:	last_update_status
Last Updater request	Nexthink Collector	Field
	Indicates the last time the Nexthink Updater has checked for updates.
	NXQL ID:	last_updater_request
Local Administrators	Operating system	Field
	Users and groups which are members of the Local Administrators group on the device
	NXQL ID:	local_administrators
Local Power Users	Operating system	Field
	Users and groups which are members of the Local Powers Users group on the device
	NXQL ID:	local_power_users
Logical drives	Local drives	Field
	List of all logical drives
	NXQL ID:	logical_drives
Logon duration baseline	Startup	Field
	Indicates the logon duration averaged over the last logons. In the calculation, recent logons weigh more than older logons (exponentially weighted moving average).
	NXQL ID:	average_logon_duration
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
MAC addresses	Network	Field
	List of MAC addresses for the device
	NXQL ID:	mac_addresses
Maximum password age	Policy	Field
	Indicates the period in time (in days) during which the password can be used before the system requires the user to change it: Windows: as set up in the group policy Mobile: as set up in security policies
	NXQL ID:	maximum_password_age
Membership type	Network	Field
	Type of computer membership (domain/workgroup)
	NXQL ID:	membership_type
Message maximum segment size	Nexthink Collector	Field
	Indicates the maximum segment size of packets sent by Collector
	NXQL ID:	cltr_max_segment_size
Minimum password age	Policy	Field
	Period of time (in days) that a password must be used before the user can change it
	NXQL ID:	minimum_password_age
Minimum password length	Policy	Field
	Least number of characters that a password for a user account may contain
	NXQL ID:	minimum_password_length
Monitor models	Hardware	Field
	Models of connected monitors
	NXQL ID:	monitor_models
Monitor resolutions	Hardware	Field
	Screen resolutions of connected monitors
	NXQL ID:	monitor_resolutions
Monitoring of unresponsive applications	Nexthink Collector	Field
	Indicates whether the Collector is monitoring for unresponsive applications on the device disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	cltr_freezes_monitoring
Monitors	Hardware	Field
	Connected monitors
	NXQL ID:	monitors
Monitors serial numbers	Hardware	Field
	Serial numbers of connected monitors (ordered as in 'Monitors')
	NXQL ID:	monitors_serial_numbers
Name	Properties	Field
	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
	NXQL ID:	name
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of antispyware	Security	Field
	Number of antispyware detected: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	number_of_antispyware Note: this field is not available for Windows Server operating systems.
Number of antiviruses	Security	Field
	Number of antiviruses detected: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	number_of_antiviruses Note: this field is not available for Windows Server operating systems.
Number of application crashes	Errors	Aggregate
	Number of application crashes
	NXQL ID:	number_of_application_crashes
Number of application not responding events	Errors	Aggregate
	Number of application not responding events
	NXQL ID:	number_of_application_not_responding_events
Number of applications	Inventory	Aggregate
	Number of applications
	NXQL ID:	number_of_applications
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of boots	Startup	Aggregate
	Indicates the number of (full or fast startup) boot.
	NXQL ID:	number_of_boots
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of cores	Hardware	Field
	Indicates the number of CPUs multiplied by the number of cores that are available on each CPU.
	NXQL ID:	number_of_cores
Number of CPUs	Hardware	Field
	Indicates the number of central processing units (CPUs), also known as the number of sockets.
	NXQL ID:	number_of_cpus
Number of days since first seen	Properties	Field
	Indicates the number of complete days since the device was first seen. The value is updated every hour.
	NXQL ID:	number_of_days_since_first_seen
Number of days since last full boot	Startup	Field
	Indicates the number of days since the last full boot.
	NXQL ID:	number_of_days_since_last_boot
Number of days since last logon	Startup	Field
	Number of days since last logon
	NXQL ID:	number_of_days_since_last_logon
Number of days since last policy update	Exchange	Field
	Indicates the number of days since the last Exchange ActiveSync policy update.
	NXQL ID:	number_of_days_since_last_eas_policy_update
Number of days since last seen	Properties	Field
	Indicates the number of days since the last time that activity on the device was reported. The field is updated every hour: For Windows and Mac OS: the last time that the Collector reported activity. For Mobile: seen the last time that the device successfully synchronized with the Mobile Bridge.
	NXQL ID:	number_of_days_since_last_seen
Number of days since last seen on TCP	Nexthink Collector	Field
	Indicates the number of days since the last time that the device was successfully connected through the TCP channel. The field is updated every hour: '-': the Collector version is older than V6.6 and does not support TCP; or the Collector has never connected to Engine in TCP.
	NXQL ID:	number_of_days_since_last_seen_on_tcp
Number of days since last system update	Operating system	Field
	Number of days since last system update
	NXQL ID:	number_of_days_since_last_windows_update
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of executions	Activity	Aggregate
	Number of executions
	NXQL ID:	number_of_executions
Number of firewalls	Security	Field
	Number of firewalls detected: unknown: indicates that the information could not be retrieved N/A: this field is not available on this operating system '-' : no data, incompatible collector version or the data is not yet available
	NXQL ID:	number_of_firewalls Note: this field is not available for Windows Server operating systems.
Number of graphical cards	Hardware	Field
	Number of installed graphical cards
	NXQL ID:	number_of_graphical_cards
Number of hard resets	Errors	Aggregate
Number of hard resets	Number of hard resets
Number of installations	Activity	Aggregate
	Number of installations
	NXQL ID:	number_of_installations
Number of logical processors	Hardware	Field
	Indicates the number of cores multiplied by the number of threads that can run on each core through the use of hyperthreading.
	NXQL ID:	logical_cpu_number
Number of logons	Startup	Aggregate
	Number of logons
	NXQL ID:	number_of_logons
Number of monitors	Hardware	Field
	Number of connected monitors
	NXQL ID:	number_of_monitors
Number of packages	Inventory	Aggregate
	Number of packages
	NXQL ID:	number_of_packages
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of print jobs	Activity	Aggregate
	Number of print jobs
	NXQL ID:	number_of_printouts
Number of printed pages	Activity	Aggregate
	Number of printed pages
	NXQL ID:	number_of_printed_pages
Number of printers	Inventory	Aggregate
	Number of printers
	NXQL ID:	number_of_printers
Number of system crashes	Errors	Aggregate
Number of system crashes	Indicates the number of system crashes.
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
OS architecture	Operating system	Field
	Architecture of device operating system (x86/x64)
	NXQL ID:	os_architecture
OS build	Operating system	Field
	Indicates the build number of the operating system: '0.0.0.0': incompatible collector version or the data is not yet available
	NXQL ID:	os_build
OS version	Operating system (deprecated)	Field
OS version	Version of device operating system
OS version and architecture	Operating system	Field
	Indicates name, version and architecture (when applicable) of the operating system: Unknown: the OS version could not be retrieved or it could not be mapped to a recognized value
	NXQL ID:	os_version_and_architecture
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Packages and updates scan interval	Nexthink Collector	Field
	Indicates the interval, in hours, after which the Collector checks for newly installed packages and updates
	NXQL ID:	cltr_installs_scan_interval
Password complexity requirements enabled	Policy	Field
	Indicates whether password complexity is required: Windows: the password must meet complexity requirements as defined in the group policy Mobile: no simple passwords are allowed or a minimum password length is set, as defined in the security policy
	NXQL ID:	password_complexity_requirements
Platform	Properties	Field
	Indicates the platform of the device. A platform is a set of operating system families on which the same objects, activities, events and properties can be retrieved. The possible values are: Windows Mac OS Mobile
	NXQL ID:	platform
Policy allows non provisionable devices	Exchange	Field
	Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange Exchange ActiveSync server. If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'
	NXQL ID:	allow_non_provisionable_devices
Policy application status	Exchange	Field
	Indicates whether the Exchange ActiveSync policy is applied or not. Possible values are: not applied applied in full: the policy is applied (unless the field 'Allow non provisionable devices' value is 'yes') partially applied
	NXQL ID:	eas_policy_application_status
Policy name	Exchange	Field
	Indicates the name of the Exchange ActiveSync policy applied to the user's mailbox.
	NXQL ID:	eas_policy_name
Print monitoring	Nexthink Collector	Field
	Indicates whether the Collector printing monitoring is enabled or disabled disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	collector_print_monitoring_status
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Script execution policy	Nexthink Collector	Field
	Indicates the Powershell script execution policy unrestricted: indicates that Act service in Collector can execute any kind of scripts signed, trusted: indicates that Act service in Collector can only execute scripts signed by a trusted authority signed, trusted or nexthink: indicates that Act service in Collector can only execute scripts signed by a trusted authority or by Nexthink disabled: indicates that Act service in Collector cannot execute scripts "-" : data not available
	NXQL ID:	cltr_ra_execution_policy
SD card encryption required	Policy	Field
	Indicates whether SD card encryption is required.
	NXQL ID:	sd_card_encryption_required
SID	Properties	Field
	Windows security identifier for the device
	NXQL ID:	sid
SMB print monitoring	Nexthink Collector	Field
	Indicates whether SMB printing monitoring is enabled or disabled disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	cltr_smb_print_mon_status
Storage policy	Properties	Field
	Indicates the event storage policy for the device. Possible values are: all: web requests, connections and executions are stored connections and executions executions none: no activity is recorded remove: the device will be removed from Engine during the next cleanup, as long as it is no longer sending data Note that available events depend on the device platform
	NXQL ID:	storage_policy
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
System disk type	Hardware	Field
	Indicates the type of the disk from which the device is booting. HDD SSD "-" : data not available
	NXQL ID:	boot_disk_type
System drive capacity	Local drives	Field
	Total capacity of system drive
	NXQL ID:	system_drive_capacity
System drive free space	Local drives	Field
	Total available free space on system drive
	NXQL ID:	system_drive_free_space
System drive usage	Local drives	Field
	Use percentage of system drive
	NXQL ID:	system_drive_usage
Target version	Nexthink Collector	Field
	Indicates the Collector package version that is targeted.
	NXQL ID:	collector_package_target_version
Total active days	Activity	Field
	Indicates the total number of days the device has been active. The value is updated every night.
	NXQL ID:	total_active_days
Total CPU time	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
Total drive capacity	Local drives	Field
	Total capacity of all drives
	NXQL ID:	total_drive_capacity
Total drive free space	Local drives	Field
	Total free space on all drives
	NXQL ID:	total_drive_free_space
Total drive usage	Local drives	Field
	Total use percentage of all drives
	NXQL ID:	total_drive_usage
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total non-system drive capacity	Local drives	Field
	Total capacity of all non-system drives
	NXQL ID:	total_nonsystem_drive_capacity
Total non-system drive free space	Local drives	Field
	Total free space on all non-system drives
	NXQL ID:	total_nonsystem_drive_free_space
Total non-system drive usage	Local drives	Field
	Total use percentage of all non-system drives
	NXQL ID:	total_nonsystem_drive_usage
Total RAM	Hardware	Field
	Total amount of RAM
	NXQL ID:	total_ram
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
	Indicates the universally unique identifier (based on Engine name and device ID).
	NXQL ID:	device_uid
Updater error	Nexthink Collector	Field
	Indicates the last Nexthink Collector Updater error.
	NXQL ID:	updater_error
Updater version	Nexthink Collector	Field
	Indicates the Nexthink Collector Updater version.
	NXQL ID:	updater_version
Uptime	Activity	Aggregate
	Amount of time the machine has been running
	NXQL ID:	uptime
User account control status	Security	Field
	User account control status (ok, at risk or unknown)
	NXQL ID:	user_account_control_status
VDI/Kiosk support	Nexthink Collector	Field
	Indicates whether the Collector reports user logon events and user interactions in virtualized and embedded (kiosk mode) environments disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	cltr_custom_shells
Visibility from Add or Remove Programs	Nexthink Collector	Field
	Indicates whether Collector is hidden in the "Add or Remove Programs" invisible: indicates that the Collector application is not shown in the "add or remove programs" list visible: indicates that the Collector application is shown in the "add or remove programs" list "-" : data not available
	NXQL ID:	cltr_is_visible
Web & Cloud monitoring	Nexthink Collector	Field
	Indicates whether Web & Cloud monitoring is enabled or disabled disabled: indicates that the Collector feature is disabled enabled: indicates that the Collector feature is enabled "-" : data not available
	NXQL ID:	cltr_web_mon_status
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration
Windows license key	Operating system	Field
	Indicates the Windows license key: '-': the data is not yet available 'BBBBB-BBBBB-BBBBB-BBBBB-BBBBB': Windows is activated, but the license key could not be retrieved 'BBBBB-BBBBB-BBBBB-BBBBB-?????': the full license key is not present on the machine 'Windows is not activated': Windows is not activated
	NXQL ID:	windows_license_key
Windows Update status	Operating system	Field
	Windows Update status (ok, at risk or unknown)
	NXQL ID:	windows_updates_status
WMI status	Operating system	Field
	Windows WMI service status (ok, failure)
	NXQL ID:	wmi_status

Package

Software packages (programs or updates)

Field	Group	Type
First installation	Properties	Field
	Date of the first package installation on any device. This field is based on data reported by the operating system and requires devices date and time to be properly set
	NXQL ID:	first_installation
Name	Properties	Field
	Package name
	NXQL ID:	name
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of updates	Properties	Field
	Number of updates (for programs)
	NXQL ID:	number_of_updates
Package status	Inventory	Aggregate
Package status	Package status (installed/removed)
Platform	Properties	Field
	The platform (operating system family) on which the package is installed
	NXQL ID:	platform
Program	Properties	Field
	Package program
	NXQL ID:	program
Publisher	Properties	Field
	Package publisher
	NXQL ID:	publisher
Status	Properties	Field
	Package status (installed/removed)
	NXQL ID:	status
Type	Properties	Field
	Package type: program update (Windows only)
	NXQL ID:	type
UID	Properties	Field
UID	Indicates the universally unique identifier (based on package name and package publisher).
Version	Properties	Field
	Package version
	NXQL ID:	version

Application

Sets of executables (e.g. 'Microsoft Office')

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Application crash ratio	Errors	Aggregate
	Indicates the number of application crashes per 100 executions.
	NXQL ID:	application_crash_ratio
Application not responding event ratio	Errors	Aggregate
	Indicates the number of application not responding events per 100 executions.
	NXQL ID:	application_not_responding_event_ratio
Average application startup duration	Activity	Aggregate
	Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen)
	NXQL ID:	average_process_start_time
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average memory usage per execution	Activity	Aggregate
	Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
	NXQL ID:	average_memory_usage_per_execution
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Binary paths	Activity	Aggregate
Binary paths	List of executed binary paths (max. 50 paths)
Company	Properties	Field
	Company producing the application
	NXQL ID:	company
CPU usage ratio	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
	NXQL ID:	cpu_usage_ratio
Cumulated execution duration	Activity	Aggregate
	Cumulated duration of executions
	NXQL ID:	cumulated_execution_duration
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the application.
	NXQL ID:	database_usage
Description	Properties	Field
	Application description
	NXQL ID:	description
First seen	Properties	Field
	First time activity of the application was recorded on any device
	NXQL ID:	first_seen
High application thread CPU time ratio	Warnings	Aggregate
	Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
	NXQL ID:	high_application_thread_cpu_time_ratio
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming network traffic per device	Traffic	Aggregate
	Indicates the incoming network traffic divided by the number of devices.
	NXQL ID:	incoming_network_traffic_per_device
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
Known packages	Properties	Field
	List of packages known to contain the application. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the application was installed through that package
	NXQL ID:	known_packages
Last seen	Properties	Field
	Last time activity of the application was recorded on any device
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Name	Properties	Field
	Application name
	NXQL ID:	name
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of application crashes	Errors	Aggregate
	Number of application crashes
	NXQL ID:	number_of_application_crashes
Number of application not responding events	Errors	Aggregate
	Number of application not responding events
	NXQL ID:	number_of_application_not_responding_events
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of executions	Activity	Aggregate
	Number of executions
	NXQL ID:	number_of_executions
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing network traffic per device	Traffic	Aggregate
	Indicates the outgoing network traffic divided by the number of devices.
	NXQL ID:	outgoing_network_traffic_per_device
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Platform	Properties	Field
	The platform (operating system family) on which the application is running
	NXQL ID:	platform
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Storage policy	Properties	Field
	Indicates the event storage policy for the application. Possible values are: all: web requests, connections and executions are stored connections and executions executions none: no activity is recorded
	NXQL ID:	storage_policy
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Total active days	Activity	Field
	Total number of days the application was active
	NXQL ID:	total_active_days
Total CPU time	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on package name and application company).
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Executable

Executable programs (e.g. 'winword.exe')

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Application company	Properties	Field
	Application company
	NXQL ID:	application_company
Application crash ratio	Errors	Aggregate
	Indicates the number of application crashes per 100 executions.
	NXQL ID:	application_crash_ratio
Application name	Properties	Field
	Application name
	NXQL ID:	application_name
Application not responding event ratio	Errors	Aggregate
	Indicates the number of application not responding events per 100 executions.
	NXQL ID:	application_not_responding_event_ratio
Average application startup duration	Activity	Aggregate
	Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen)
	NXQL ID:	average_process_start_time
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average memory usage per execution	Activity	Aggregate
	Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
	NXQL ID:	average_memory_usage_per_execution
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Binary paths	Activity	Aggregate
Binary paths	List of executed binary paths (max. 50 paths)
CPU usage ratio	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
	NXQL ID:	cpu_usage_ratio
Cumulated execution duration	Activity	Aggregate
	Cumulated duration of executions
	NXQL ID:	cumulated_execution_duration
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the executable.
	NXQL ID:	database_usage
Description	Properties	Field
	Executable description
	NXQL ID:	description
First seen	Properties	Field
	First time activity of the executable was recorded on any device
	NXQL ID:	first_seen
High application thread CPU time ratio	Warnings	Aggregate
	Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
	NXQL ID:	high_application_thread_cpu_time_ratio
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming network traffic per device	Traffic	Aggregate
	Indicates the incoming network traffic divided by the number of devices.
	NXQL ID:	incoming_network_traffic_per_device
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
Known packages	Properties	Field
	List of packages known to contain the executable. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the executable was installed through that package
	NXQL ID:	known_packages
Last seen	Properties	Field
	Last time activity of the executable was recorded on any device
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Name	Properties	Field
	Executable name
	NXQL ID:	name
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of application crashes	Errors	Aggregate
	Number of application crashes
	NXQL ID:	number_of_application_crashes
Number of application not responding events	Errors	Aggregate
	Number of application not responding events
	NXQL ID:	number_of_application_not_responding_events
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executions	Activity	Aggregate
	Number of executions
	NXQL ID:	number_of_executions
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing network traffic per device	Traffic	Aggregate
	Indicates the outgoing network traffic divided by the number of devices.
	NXQL ID:	outgoing_network_traffic_per_device
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Platform	Properties	Field
	The platform (operating system family) on which the executable is running
	NXQL ID:	platform
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Storage policy	Properties	Field
	Indicates the event storage policy for the executable. Possible values are: all: web requests, connections and executions are stored connections and executions executions none: no activity is recorded
	NXQL ID:	storage_policy
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Total active days	Activity	Field
	Total number of days the executable was active
	NXQL ID:	total_active_days
Total CPU time	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on application name, application company and executable name).
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Binary

Executable binary files (e.g. 'winword.exe - 10.0.6843')

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Application category	Properties	Field
	Indicates the category of the application: '-' : not yet tagged Unknown: not categorized by Nexthink Library
	NXQL ID:	application_category
Application company	Properties	Field
	Application company
	NXQL ID:	application_company
Application crash ratio	Errors	Aggregate
	Indicates the number of application crashes per 100 executions.
	NXQL ID:	application_crash_ratio
Application name	Properties	Field
	Application name
	NXQL ID:	application_name
Application not responding event ratio	Errors	Aggregate
	Indicates the number of application not responding events per 100 executions.
	NXQL ID:	application_not_responding_event_ratio
Average application startup duration	Activity	Aggregate
	Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen)
	NXQL ID:	average_process_start_time
Average CPU usage (deprecated)	Activity	Field
	Indicates the average CPU usage over all logical processors since the first time the binary was seen. The value is the average CPU usage sampled every 5 minutes for each execution divided by the number of samples.
	NXQL ID:	average_cpu_usage
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average memory usage (deprecated)	Activity	Field
	Indicates the average memory usage since the first time the binary was seen. The value is the sum of the memory usage sampled every 5 minutes for each execution divided by the number of samples.
	NXQL ID:	average_memory_usage
Average memory usage per execution	Activity	Aggregate
	Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
	NXQL ID:	average_memory_usage_per_execution
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average number of graphical handles	Activity	Field
	Average number of graphical handles (GDI)
	NXQL ID:	average_number_of_graphical_handles
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Binary paths	Activity	Aggregate
Binary paths	List of executed binary paths (max. 50 paths)
CPU usage ratio	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
	NXQL ID:	cpu_usage_ratio
Cumulated execution duration	Activity	Aggregate
	Cumulated duration of executions
	NXQL ID:	cumulated_execution_duration
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the binary.
	NXQL ID:	database_usage
Description	Properties	Field
	Description as it appears in the binary file
	NXQL ID:	description
Executable name	Properties	Field
	Executable name
	NXQL ID:	executable_name
File size	Properties	Field
	Binary file size
	NXQL ID:	file_size
First seen	Properties	Field
	First time activity of the binary was recorded on any device
	NXQL ID:	first_seen
High application thread CPU time ratio	Warnings	Aggregate
	Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
	NXQL ID:	high_application_thread_cpu_time_ratio
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming network traffic per device	Traffic	Aggregate
	Indicates the incoming network traffic divided by the number of devices.
	NXQL ID:	incoming_network_traffic_per_device
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
Last seen	Properties	Field
	Last time activity of the binary was recorded on any device
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
MD5 hash	Properties	Field
	Indicates the MD5 hash of the binary.
	NXQL ID:	hash
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of application crashes	Errors	Aggregate
	Number of application crashes
	NXQL ID:	number_of_application_crashes
Number of application not responding events	Errors	Aggregate
	Number of application not responding events
	NXQL ID:	number_of_application_not_responding_events
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executions	Activity	Aggregate
	Number of executions
	NXQL ID:	number_of_executions
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing network traffic per device	Traffic	Aggregate
	Indicates the outgoing network traffic divided by the number of devices.
	NXQL ID:	outgoing_network_traffic_per_device
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Paths	Properties	Field
	List of paths of the binary
	NXQL ID:	paths
Platform	Properties	Field
	The platform (operating system family) on which the binary is running
	NXQL ID:	platform
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
SHA-1 hash	Properties	Field
	Indicates the SHA-1 hash of the binary.
	NXQL ID:	sha1
SHA-256 hash	Properties	Field
	Indicates the SHA-256 hash of the binary.
	NXQL ID:	sha256
Storage policy	Properties	Field
	Indicates the event storage policy for the binary. Possible values are: all: web requests, connections and executions are stored connections and executions executions none: no activity is recorded
	NXQL ID:	storage_policy
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Threat level	Properties	Field
	Indicates the threat level of the binary: '-' : not yet tagged none detected: no known threat low: low threat intermediate: intermediate threat high: high threat
	NXQL ID:	threat_level
Total active days	Activity	Field
	Total number of days the binary was active
	NXQL ID:	total_active_days
Total CPU time	Activity	Aggregate
	Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on binary hash).
User interface	Properties	Field
	Application has interactive user interface
	NXQL ID:	user_interface
Version	Properties	Field
	Version of the binary
	NXQL ID:	version
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Port

Connection ports (TCP or UDP)

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
First seen	Properties	Field
	First time activity of the port was recorded on any device
	NXQL ID:	first_seen
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming network traffic per device	Traffic	Aggregate
	Indicates the incoming network traffic divided by the number of devices.
	NXQL ID:	incoming_network_traffic_per_device
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
Last seen	Properties	Field
	Last time activity of the port was recorded on any device
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of applications	Inventory	Aggregate
	Number of applications
	NXQL ID:	number_of_applications
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing network traffic per device	Traffic	Aggregate
	Indicates the outgoing network traffic divided by the number of devices.
	NXQL ID:	outgoing_network_traffic_per_device
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Port number	Properties	Field
	Port number
	NXQL ID:	port_number
Port type	Properties	Field
	Port type (tcp, udp, tcp port scan, udp port scan)
	NXQL ID:	port_type
Port type/Port number	Properties	Field
	Port value for tagging
	NXQL ID:	port_value
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on port number).
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Destination

Devices receiving connections

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Average incoming network bitrate	Availability	Aggregate
	Average incoming network bitrate
	NXQL ID:	average_incoming_bitrate
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average network response time	Availability	Aggregate
	Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality.
	NXQL ID:	average_network_response_time
Average outgoing network bitrate	Availability	Aggregate
	Average outgoing network bitrate
	NXQL ID:	average_outgoing_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Cumulated network connection duration	Activity	Aggregate
	Cumulated duration of TCP connections
	NXQL ID:	cumulated_connection_duration
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the destination.
	NXQL ID:	database_usage
First seen	Properties	Field
	First time activity to the destination was recorded on any device
	NXQL ID:	first_seen
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Incoming network traffic	Traffic	Aggregate
	Total network incoming traffic
	NXQL ID:	incoming_traffic
Incoming network traffic per device	Traffic	Aggregate
	Indicates the incoming network traffic divided by the number of devices.
	NXQL ID:	incoming_network_traffic_per_device
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
IP address	Properties	Field
	IP address for the destination
	NXQL ID:	ip_address
Last seen	Properties	Field
	Last time activity to the destination was recorded on any device
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Name	Properties	Field
	Reverse lookup name
	NXQL ID:	name
Network availability level	Availability	Aggregate
	Indicates the ratio of successful TCP connections. The possible values are: high: the ratio is greater or equal to 98% medium: the ratio is greater or equal to 90% and less than 98% low: the ratio is lower than 90%
	NXQL ID:	network_availability_level
Number of applications	Inventory	Aggregate
	Number of applications
	NXQL ID:	number_of_applications
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of connections	Activity	Aggregate
	Number of connections
	NXQL ID:	number_of_connections
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of domains	Inventory	Aggregate
	Number of domains
	NXQL ID:	number_of_domains
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing network traffic	Traffic	Aggregate
	Total network outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing network traffic per device	Traffic	Aggregate
	Indicates the outgoing network traffic divided by the number of devices.
	NXQL ID:	outgoing_network_traffic_per_device
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Successful network connections ratio	Availability	Aggregate
	Percentage of successful TCP connections
	NXQL ID:	successful_connections_ratio
Total network traffic	Traffic	Aggregate
	Total network traffic (incoming and outgoing)
	NXQL ID:	total_network_traffic
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on destination ip address).
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Domain

Domain names

Field	Group	Type
Activity start time	Activity	Aggregate
	Start time of investigated activity
	NXQL ID:	activity_start_time
Activity stop time	Activity	Aggregate
	Stop time of investigated activity
	NXQL ID:	activity_stop_time
Average incoming web bitrate	Availability	Aggregate
	Average incoming bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_incoming_bitrate
Average outgoing web bitrate	Availability	Aggregate
	Average outgoing bitrate of all underlying web requests, consolidated over time
	NXQL ID:	average_outgoing_bitrate
Average web request duration	Availability	Aggregate
	Average time between request and last response byte
	NXQL ID:	average_request_duration
Average web request size	Traffic	Aggregate
	Average size of web requests
	NXQL ID:	average_request_size
Average web response size	Traffic	Aggregate
	Average size of web responses
	NXQL ID:	average_response_size
Database usage	Properties	Field
	Indicates the percentage of the Engine database used by the domain.
	NXQL ID:	database_usage
Domain category	Properties	Field
	Indicates the category of the domain: '-' : not yet tagged or internal domain
	NXQL ID:	domain_category
First seen	Properties	Field
	The first time the domain has been seen
	NXQL ID:	first_seen
Highest local privilege level reached	Activity	Aggregate
	Highest local privilege level reached for executions (user, power user, administrator)
	NXQL ID:	highest_local_privilege_reached
Hosting country	Properties	Field
	Indicates in which country the domain is hosted: '-' : not yet tagged, internal domain or not known by Nexthink Library
	NXQL ID:	hosting_country
Hostname	Properties	Field
	The hostname of the fully qualified domain name
	NXQL ID:	hostname
Incoming web traffic	Traffic	Aggregate
	Total web incoming traffic
	NXQL ID:	incoming_traffic
Incoming web traffic per device	Traffic	Aggregate
	Indicates the incoming web traffic divided by the number of devices.
	NXQL ID:	incoming_web_traffic_per_device
Internal domain	Properties	Field
	Indicates whether the domain is considered internal: yes: the domain is not reported to Nexthink Library and subdomains are not compressed using the '' pattern no: the domain is reported to the Nexthink Library (if the license includes the Security module); complex subdomains are compressed using the '' pattern
	NXQL ID:	internal_domain
Last seen	Properties	Field
	The last time the domain has been seen
	NXQL ID:	last_seen
Lowest observed web protocol version	Activity	Aggregate
	Lowest protocol version observed in web requests (excluding web requests with unknown protocol version)
	NXQL ID:	lowest_protocol_version
Name	Properties	Field
	The fully qualified domain name
	NXQL ID:	name
Number of applications	Inventory	Aggregate
	Number of applications
	NXQL ID:	number_of_applications
Number of binaries	Inventory	Aggregate
	Number of binaries
	NXQL ID:	number_of_binaries
Number of destinations	Inventory	Aggregate
	Number of destinations
	NXQL ID:	number_of_destinations
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of executables	Inventory	Aggregate
	Number of executables
	NXQL ID:	number_of_executables
Number of ports	Inventory	Aggregate
	Number of ports
	NXQL ID:	number_of_ports
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Number of web requests	Activity	Aggregate
	Number of web requests
	NXQL ID:	number_of_web_requests
Outgoing web traffic	Traffic	Aggregate
	Total web outgoing traffic
	NXQL ID:	outgoing_traffic
Outgoing web traffic per device	Traffic	Aggregate
	Indicates the outgoing web traffic divided by the number of devices.
	NXQL ID:	outgoing_web_traffic_per_device
Protocols used in web requests	Activity	Aggregate
	Protocols used in web requests (HTTP, TLS, HTTP/TLS)
	NXQL ID:	protocols_used_in_requests
Reputation	Properties	Field
	Indicates the reputation of the domain: '-': internal domain or not yet tagged 'trustworthy': clean domain which has not been connected to any security risks 'low risk': benign domain which rarely delivers dangerous content 'moderate risk': generally benign domain which has exhibited potentially risky behavior 'high risk': potentially malicious domain which delivers dangerous content
	NXQL ID:	threat_level
Storage policy	Properties	Field
	Event storage policy for the domain (web request or none)
	NXQL ID:	storage
Successful HTTP requests ratio	Availability	Aggregate
	Percentage of successful HTTP requests (1xx, 2xx and 3xx)
	NXQL ID:	successful_http_requests_ratio
Total web traffic	Traffic	Aggregate
	Total web traffic (incoming and outgoing)
	NXQL ID:	total_web_traffic
UID	Properties	Field
UID	Indicates the universally unique identifier (based on domain name).
Web interaction time	Activity	Aggregate
	Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution.
	NXQL ID:	cumulated_web_interaction_duration

Printer

Installed printers (local, network, shared or virtual)

Field	Group	Type
Display name	Properties	Field
	Most frequently seen display name
	NXQL ID:	real_name
First seen	Properties	Field
	First time activity of the printer was recorded on any device
	NXQL ID:	first_seen
Hostname	Properties	Field
	Indicates where the printer is hosted: for local and smb printers: the hostname of the device the printer is connected to for tcp/ip and wsd printers: usually the hostname of the printer itself
	NXQL ID:	host_name
Last seen	Properties	Field
	Last time activity of the printer was recorded on any device
	NXQL ID:	last_seen
Location	Properties	Field
	Printer location
	NXQL ID:	location
Model	Properties	Field
	Printer model
	NXQL ID:	model
Name	Properties	Field
	Unique printer name
	NXQL ID:	name
Number of devices	Inventory	Aggregate
	Number of devices
	NXQL ID:	number_of_devices
Number of print jobs	Activity	Aggregate
	Number of print jobs
	NXQL ID:	number_of_printouts
Number of printed pages	Activity	Aggregate
	Number of printed pages
	NXQL ID:	number_of_printed_pages
Number of users	Inventory	Aggregate
	Number of users
	NXQL ID:	number_of_users
Type	Properties	Field
	The type of the printer: local: a locally connected or virtual printer tcp/ip: a printer connected through a TCP/IP port smb: a printer connected through a SMB (Server Message Block) port wsd: a printer connected through a WSD (Web Services for Devices) port
	NXQL ID:	type
UID	Properties	Field
UID	Indicates the universally unique identifier (based on printer name and model).

Activities

Activities represent actions performed by Objects.

Installation

Installations or uninstallations of software packages

Field	Group	Type
Device ID	Device	Field
Device ID	Unique identifier code of the installation target device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the installation target device
ID	Properties	Field
	Unique installation identifier code
	NXQL ID:	id
Operation type	Properties	Field
	Type of operation (installation, uninstallation)
	NXQL ID:	type
Package ID	Package	Field
Package ID	Unique identifier code of the installed package
Package name	Package	Field
Package name	Name of the installed package
Package program	Package	Field
Package program	Program of the installed package
Package publisher	Package	Field
Package publisher	Name of the installed package publisher
Package type	Package	Field
Package type	Package type: program update (Windows only)
Package version	Package	Field
Package version	Version of the installed package
Time of installation	Properties	Field
	Installation start time
	NXQL ID:	time

Execution

Executing processes (merged when in close succession)

Field	Group	Type
Application name	Application	Field
Application name	Executed application name
Average memory usage	Activity	Field
	Indicates the average memory usage of the underlying executions before aggregation with a sampling resolution of 5 minutes. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a single Chrome tab.
	NXQL ID:	average_memory_usage
Binary path	Application	Field
	Executed binary path
	NXQL ID:	binary_path
Binary version	Application	Field
Binary version	Executed binary version
Cardinality	Properties	Field
	Number of underlying processes, consolidated over time
	NXQL ID:	cardinality
Device ID	Device	Field
Device ID	Unique identifier code of the executing device
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses of the executing device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the executing device
Duration	Properties	Field
	Total execution duration
	NXQL ID:	duration
End time	Properties	Field
	Execution end time
	NXQL ID:	end_time
Executable name	Application	Field
Executable name	Executed executable name
ID	Properties	Field
	Unique execution identifier code
	NXQL ID:	id
Incoming TCP traffic	Traffic	Field
	Incoming TCP traffic
	NXQL ID:	incoming_tcp_traffic
Lifespan	Properties	Field
Lifespan	Execution lifespan in relation to investigation time frame
Outgoing TCP traffic	Traffic	Field
	Outgoing TCP traffic
	NXQL ID:	outgoing_tcp_traffic
Outgoing UDP traffic	Traffic	Field
	Outgoing UDP traffic
	NXQL ID:	outgoing_udp_traffic
Privilege level	Properties	Field
	Privilege level of the execution (user, power user, administrator)
	NXQL ID:	privilege_level
Signature ID	Properties	Field
	ID of the related execution signature, i.e. a user executing a certain process on a particular device
	NXQL ID:	usage
Start time	Properties	Field
	Execution start time
	NXQL ID:	start_time
Startup duration	Properties	Field
	Indicates the time between the start of the process and the time a window is displayed (not taking into account the splash screen). The value is averaged over all underlying executions.
	NXQL ID:	startup_duration
Status	Properties	Field
	Status of the execution (started, stopped)
	NXQL ID:	status
Total CPU time	Properties	Field
	Indicates the sum of the CPU time of all executions (before aggregation by the Engine) over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions that are launched at the same time (hence aggregated by the Engine), with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
	NXQL ID:	total_cpu_time
User ID	User	Field
User ID	Unique identifier code of the executing user
User name	User	Field
User name	Name of the executing user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory

Connection

TCP or UDP connections (merged when in close succession)

Field	Group	Type
Application name	Application	Field
Application name	Name of the connecting application
Average network response time	Availability	Field
	Indicates the average TCP connection establishment time. The value is the average over all underlying connections before aggregation.
	NXQL ID:	network_response_time
Binary paths	Application	Field
Binary paths	Paths of the connecting binary
Binary version	Application	Field
Binary version	Version of the connecting binary
Cardinality	Properties	Field
	Number of underlying connections, consolidated over time
	NXQL ID:	cardinality
Connection type	Properties	Field
	Type of the connection (tcp, udp, tcp network scan, tcp port scan, udp network scan, udp port scan)
	NXQL ID:	type
Destination IP address	Destination	Field
	IP address of the connection destination
	NXQL ID:	destination_ip_address
Destination name	Destination	Field
Destination name	Name of the connection destination
Device ID	Device	Field
Device ID	Unique identifier code of the connecting device
Device IP address	Device	Field
	IP address of the connecting device
	NXQL ID:	device_ip_address
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier for the connecting device
Duration	Properties	Field
	The time between the start of the first connection and end of the last underlying connection
	NXQL ID:	duration
End time	Properties	Field
	Connection end time, corresponding to the moment when the last underlying TCP connection was closed
	NXQL ID:	end_time
Executable name	Application	Field
Executable name	Name of the connecting executable
ID	Properties	Field
	Unique connection identifier code
	NXQL ID:	id
Incoming bitrate	Availability	Field
	Average incoming bitrate of all underlying connections, consolidated over time
	NXQL ID:	incoming_bitrate
Incoming TCP traffic	Traffic	Field
Incoming TCP traffic	Incoming TCP traffic
Lifespan	Properties	Field
Lifespan	Connection lifespan in relation to investigation time frame
Outgoing bitrate	Availability	Field
	Average outgoing bitrate of all underlying connections, consolidated over time
	NXQL ID:	outgoing_bitrate
Outgoing TCP traffic	Traffic	Field
Outgoing TCP traffic	Outgoing TCP traffic
Outgoing UDP traffic	Traffic	Field
Outgoing UDP traffic	Outgoing UDP traffic
Port number	Port	Field
Port number	Port number of the connection
Signature ID	Properties	Field
	ID of the related connection signature, i.e. a user executing a certain process on a particular device which connects to a certain destination/port
	NXQL ID:	signature_id
Start time	Properties	Field
	Connection start time
	NXQL ID:	start_time
Status	Properties	Field
	Status of the connection (established, rejected, no service, no host, closed)
	NXQL ID:	status
User ID	User	Field
User ID	Unique identifier code of the connecting user
User name	User	Field
User name	Name of connecting user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory

Web request

HTTP or TLS requests

Field	Group	Type
Application name	Application	Field
Application name	Name of the application which made the web request
Binary paths	Application	Field
Binary paths	Paths of the binary which made the web request
Binary version	Application	Field
Binary version	Version of the binary which made the web request
Cardinality	Properties	Field
	Number of underlying web requests, consolidated over time
	NXQL ID:	cardinality
Connections duration	Properties	Field
	The time between start of the first connection and end of the last underlying connection
	NXQL ID:	connections_duration
Device ID	Device	Field
Device ID	Unique identifier code of the web request source
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the web request source
Domain name	Domain	Field
Domain name	Name of the web request destination domain
End time	Properties	Field
	Web request end time, corresponding to the moment when the last underlying TCP connection was closed
	NXQL ID:	end_time
Executable name	Application	Field
Executable name	Name of the executable which made the web request
HTTP status	Properties	Field
	HTTP response status code
	NXQL ID:	http_status
ID	Properties	Field
	Unique request identifier code
	NXQL ID:	id
Incoming web traffic	Traffic	Field
	Incoming web traffic of all underlying web requests, consolidated over time
	NXQL ID:	incoming_traffic
Network response time	Availability	Field
	Average TCP connection establishment time of all underlying connections, consolidated over time
	NXQL ID:	network_response_time
Outgoing web traffic	Properties	Field
	Outgoing web traffic of all underlying web requests, consolidated over time
	NXQL ID:	outgoing_traffic
Port number	Port	Field
Port number	Port number of the web request
Protocol	Properties	Field
	Web request protocol (HTTP, TLS)
	NXQL ID:	protocol
Protocol version	Properties	Field
	Web request protocol version
	NXQL ID:	protocol_version
Service related	Properties	Field
	Indicates whether the web request is related to a configured service: yes: these requests are always visible by all users no: depending on the privacy settings, requests not related to a service might not be visible by everyone
	NXQL ID:	service_related
Signature ID	Properties	Field
	ID of the related web request signature, i.e. a user executing a certain process on a particular device which emits requests to a specific domain
	NXQL ID:	signature_id
Start time	Properties	Field
	Web request start time
	NXQL ID:	start_time
URL path	Properties	Field
URL path	Indicates the expression used to match the web request against web-based services with URL path: '-': the web request did not match against any service with URL path
User ID	User	Field
User ID	Unique identifier code of the user who made the web request
User name	User	Field
User name	Name of the user who made the web request
User SID	User	Field
User SID	Indicates the Windows security identifier for the user who made the web request. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory
Web request duration	Properties	Field
	Average time between request and last response byte of all underlying requests, consolidated over time
	NXQL ID:	web_request_duration

Print job

Print job submissions to printer drivers

Field	Group	Type
Color enabled	Properties	Field
	Indicates whether the print job has the capability to print in color. Color settings defined by the application performing the print job (usually through the application print dialog) are not taken into account.
	NXQL ID:	color_print
Device ID	Device	Field
Device ID	Unique identifier of the print job source
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the print job source
Document type	Properties	Field
	Type of printed document
	NXQL ID:	document_type
Duplex print	Properties	Field
	Indicates whether the pages are printed on both sides of the sheet.
	NXQL ID:	duplex
ID	Properties	Field
	Unique print job identifier
	NXQL ID:	id
Number of pages	Properties	Field
	Number of printed pages
	NXQL ID:	number_of_printed_pages
Paper size	Properties	Field
	Paper size for printed pages
	NXQL ID:	page_size
Print quality	Properties	Field
	Print quality
	NXQL ID:	print_quality
Printer model	Printer	Field
Printer model	Model of printer
Printer name	Printer	Field
Printer name	Name of printer
Size	Properties	Field
	Print job size in bytes
	NXQL ID:	size
Status	Properties	Field
	Status of the print job: success: the job has been successfully sent to the printer error: an error was detected during the print; the job might have been partially printed unknown: the status of the print job could not be detected
	NXQL ID:	status
Time	Properties	Field
	Print job time
	NXQL ID:	time
User ID	User	Field
User ID	Unique identifier code of the printing user
User name	User	Field
User name	Name of the printing user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory

System boot

System boots (timed between kernel start and launch of 'logonui.exe' process)

Field	Group	Type
Boot type	Properties	Field
	Indicates the boot type. The possible values are: full boot fast startup
	NXQL ID:	boot_type
Device ID	Device	Field
Device ID	Unique device identifier
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Duration	Properties	Field
Duration	Indicates the time between the kernel start and the launch of the 'logonui.exe' process
ID	Properties	Field
ID	Boot event identifier
Time	Properties	Field
Time	Time of boot

User logon

User logons

Field	Group	Type
Device ID	Device	Field
Device ID	Unique device identifier code
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Duration	Properties	Field
Duration	Indicates the time between the user logging on and the desktop being shown.
Extended duration	Properties	Field
Extended duration	Indicates the time between the user logging on and the device being ready to use. Desktops and laptops are considered fully functional once the CPU usage drops below 15% and the disk usage drops below 80%, and servers once the CPU usage of all processes belonging to the corresponding user drops below 15%.
ID	Properties	Field
ID	User logon event identifier code
Time	Properties	Field
Time	Time of user logon
User ID	User	Field
User ID	Unique user identifier code
User name	User	Field
User name	Name of user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory

Events

Events are warning or errors.

Device warning

Peaks in system resource usage (CPU, memory or I/O)

Field	Group	Type
Device ID	Device	Field
	Unique device identifier
	NXQL ID:	device
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Duration	Properties	Field
	Indicates the duration of the event.
	NXQL ID:	duration
End time	Properties	Field
	Performance event end time
	NXQL ID:	end_time
Event info	Properties	Field
	Performance event information
	NXQL ID:	info
High io usage	Warnings	Field
High io usage	High io usage
High memory usage	Warnings	Field
High memory usage	High memory usage
High overall CPU usage	Warnings	Field
High overall CPU usage	High overall CPU usage.
High page faults	Warnings	Field
High page faults	High number of page faults
High thread CPU usage (deprecated)	Warnings	Field
High thread CPU usage (deprecated)	High thread CPU usage (deprecated).
ID	Properties	Field
	Unique performance event identifier
	NXQL ID:	id
Start time	Properties	Field
	Performance event start time
	NXQL ID:	start_time
Warning duration	Properties	Field
	Indicates the effective duration of the warning; it can be shorter than the event duration when the high CPU usage is not continuous. Example: a high CPU usage warning started at 08:00 and lasted until 08:15 (event duration is 15 min). During this 15min, the device was effectively in high CPU usage once during 60s, twice during 120s and once during 30s; the warning duration is therefore 5min 30s.
	NXQL ID:	warning_duration

Device error

Critical system errors (system crash, hard reset, or disk failure)

Field	Group	Type
Device ID	Device	Field
	Unique device identifier code
	NXQL ID:	device
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Error code	Properties	Field
	Indicates the error code for system crashes (Windows bluescreens).
	NXQL ID:	error_code
Error label	Properties	Field
	Indicates the error label for system crashes (Windows bluescreens).
	NXQL ID:	error_label
ID	Properties	Field
	Problem identifier code
	NXQL ID:	id
Time	Properties	Field
	Time of error
	NXQL ID:	start_time
Type	Properties	Field
	Indicates the device error type, with the following possible values: system crash: a Windows bluescreen hard reset: the device was abruptly stopped and then rebooted. It might be caused by pressing the reset button, a power failure or a crash SMART disk failure: a disk error was detected on a disk with SMART technology
	NXQL ID:	type

Execution warning

Peaks in application resource usage (CPU or memory)

Field	Group	Type
Application name	Application	Field
Application name	Name of application
Binary version	Application	Field
Binary version	Version of binary
Device ID	Device	Field
Device ID	Unique device identifier
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Duration	Properties	Field
	Indicates the duration of the event.
	NXQL ID:	duration
End time	Properties	Field
	Performance event end time
	NXQL ID:	end_time
Event info	Properties	Field
Event info	Performance event information
Executable name	Application	Field
Executable name	Name of executable
High memory usage	Warnings	Field
High memory usage	High memory usage
High thread CPU usage	Warnings	Field
High thread CPU usage	High thread CPU usage
ID	Properties	Field
	Unique performance event identifier code
	NXQL ID:	id
Signature ID	Properties	Field
	ID of the related execution event signature, i.e. a user executing a certain process on a particular device
	NXQL ID:	signature_id
Start time	Properties	Field
	Performance event start time
	NXQL ID:	start_time
User ID	User	Field
User ID	Unique user identifier code
User name	User	Field
User name	Name of user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory
Warning duration	Properties	Field
	Indicates the effective duration of the warning; it can be shorter than the event duration when the high CPU usage is not continuous. Example: a high CPU usage warning started at 08:00 and lasted until 08:15 (event duration is 15 min). During this 15min, the device was effectively in high CPU usage once during 60s, twice during 120s and once during 30s; the warning duration is therefore 5min 30s.
	NXQL ID:	warning_duration

Execution error

Application errors (crash or not responding)

Field	Group	Type
Application name	Application	Field
Application name	Name of application
Binary version	Application	Field
Binary version	Version of binary
Device ID	Device	Field
Device ID	Unique device identifier code
Device IP addresses	Device	Field
Device IP addresses	List of IP addresses for the device
Device name	Device	Field
Device name	Indicates the name of the device: For Windows: NetBios Name For Mac OS: computer name used on the network For Mobile: composed by mailbox name and device friendly name
Device SID	Device	Field
Device SID	Windows security identifier of the device
Executable name	Application	Field
Executable name	Name of executable
ID	Properties	Field
	Error identifier code
	NXQL ID:	id
Signature ID	Properties	Field
	ID of the related execution error signature, i.e. a user executing a certain process on a particular device
	NXQL ID:	signature_id
Time	Properties	Field
	Time of error
	NXQL ID:	time
Type	Properties	Field
	Error type
	NXQL ID:	type
User ID	User	Field
User ID	Unique user identifier code
User name	User	Field
User name	Name of user
User SID	User	Field
User SID	Indicates the Windows security identifier for the user. For Mac 0S: the value is 'S-0-0' if the user is not in Active Directory

Retrieved from "https://doc.nexthink.com/Documentation/Nexthink/latest/GlossaryAndReferences/DataModel"

Services tooltips

Maximum supported values

Data model

Contents

Data model

Objects

User

Device

Package

Application

Executable

Binary

Port

Destination

Domain

Printer

Activities

Installation

Execution

Connection

Web request

Print job

System boot

User logon

Events

Device warning

Device error

Execution warning

Execution error