Data-model changes

New data for macOS

The following new aggregates are available for macOS:

  • Total CPU time
  • CPU usage ratio
  • High application thread CPU time ratio
  • Average memory usage per execution
Total CPU time  (Group: Activity; Type: Aggregate; Windows: yes; Mac: yes; Mobile: no)
Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors.

Executions shorter than 30 seconds are ignored.

  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
NXQL ID: total_cpu_time

CPU usage ratio  (Group: Activity; Type: Aggregate; Windows: yes; Mac: yes; Mobile: no)
Indicates the sum of the CPU time of all executions on each device in scope over all logical processors, divided by their total duration.

Executions shorter than 30 seconds are ignored.

  • Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]).
NXQL ID: cpu_usage_ratio

High application thread CPU time ratio  (Group: Warnings; Type: Aggregate; Windows: yes; Mac: yes; Mobile: no)
Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration.
NXQL ID: high_application_thread_cpu_time_ratio

Average memory usage per execution  (Group: Activity; Type: Aggregate; Windows: yes; Mac: yes; Mobile: no)
Indicates the average memory usage of all underlying executions before aggregation. The value is the average memory usage of all executions (calculated with a 5-minute resolution) multiplied by their cardinalities and divided by the total cardinality.

  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a Chrome tab.
NXQL ID: average_memory_usage_per_execution

Additionally, the following fields are now available for each execution:

  • Total CPU time
  • Average memory usage
Total CPU time  (Group: Properties; Type: Field; Windows: yes; Mac: yes; Mobile: no)
Indicates the sum of the CPU time of all executions (before aggregation by the Engine) over all logical processors.

Executions shorter than 30 seconds are ignored.

  • Example: if we consider two executions that are launched at the same time (hence aggregated by the Engine), with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
NXQL ID: total_cpu_time

Average memory usage  (Group: Activity; Type: Field; Windows: yes; Mac: yes; Mobile: no)
Indicates the average memory usage of the underlying executions before aggregation, with a sampling resolution of 5 minutes.

  • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine (i.e., event cardinality = 2). The average memory usage will be the average of the two processes before aggregation: it represents the average memory usage of a single Chrome tab.
NXQL ID: average_memory_usage
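As an added example (not Nexthink code and not part of these release notes), the following Python models how the aggregate and per-execution values described in the two tables above are derived from individual execution records. The Execution record, its field names and the memory figures are constructed for illustration; the CPU numbers are the page's own example. The 30-second cut-off is applied to total CPU time and CPU usage ratio as the text states, and this example also applies it to the ratio's denominator, which is one reading of "their total duration".

```python
from dataclasses import dataclass

# Hypothetical execution record; field names are this example's own, not NXQL fields.
@dataclass
class Execution:
    duration_min: float          # execution duration in minutes
    cpu_fraction: float          # fraction of one logical processor used (0.5 = 50%)
    logical_processors: int      # number of logical processors the fraction applies to
    cardinality: int = 1         # raw processes the Engine folded into this record
    avg_memory_mb: float = 0.0   # average memory of one underlying process (5-minute sampling)
    high_thread_min: float = 0.0 # minutes spent in high thread CPU usage

MIN_DURATION_MIN = 0.5  # executions shorter than 30 seconds are ignored

def _counted(executions):
    """Drop executions below the 30-second threshold."""
    return [e for e in executions if e.duration_min >= MIN_DURATION_MIN]

def cpu_time_min(e):
    """CPU time of one execution: fraction * logical processors * duration."""
    return e.cpu_fraction * e.logical_processors * e.duration_min

def total_cpu_time(executions):
    """total_cpu_time: sum of CPU time over all counted executions."""
    return sum(cpu_time_min(e) for e in _counted(executions))

def cpu_usage_ratio(executions):
    """cpu_usage_ratio: total CPU time divided by the total duration of counted executions."""
    counted = _counted(executions)
    total_duration = sum(e.duration_min for e in counted)
    if total_duration == 0:
        return 0.0
    return sum(cpu_time_min(e) for e in counted) / total_duration

def high_application_thread_cpu_time_ratio(executions):
    """Time in high thread CPU usage divided by execution duration (no cut-off stated on the page)."""
    total_duration = sum(e.duration_min for e in executions)
    if total_duration == 0:
        return 0.0
    return sum(e.high_thread_min for e in executions) / total_duration

def average_memory_usage_per_execution(executions):
    """Cardinality-weighted mean of the per-process average memory of each aggregated record."""
    total_cardinality = sum(e.cardinality for e in executions)
    if total_cardinality == 0:
        return 0.0
    return sum(e.avg_memory_mb * e.cardinality for e in executions) / total_cardinality

# The page's CPU example plus one sub-30-second execution that must be ignored.
PAGE_CPU_EXAMPLE = [
    Execution(duration_min=30, cpu_fraction=0.5, logical_processors=1, high_thread_min=15),
    Execution(duration_min=60, cpu_fraction=1.0, logical_processors=2, high_thread_min=30),
    Execution(duration_min=0.2, cpu_fraction=1.0, logical_processors=4),  # ignored: < 30 s
]

# Constructed memory example: two Chrome tabs aggregated (cardinality 2, 150 MB each on
# average) alongside a single-process execution at 300 MB.
MEMORY_EXAMPLE = [
    Execution(duration_min=10, cpu_fraction=0.1, logical_processors=1, cardinality=2, avg_memory_mb=150.0),
    Execution(duration_min=10, cpu_fraction=0.1, logical_processors=1, cardinality=1, avg_memory_mb=300.0),
]

if __name__ == "__main__":
    print("total CPU time (min):", total_cpu_time(PAGE_CPU_EXAMPLE))            # 135.0
    print("CPU usage ratio:", cpu_usage_ratio(PAGE_CPU_EXAMPLE))                 # 1.5 (150%)
    print("high thread ratio:", high_application_thread_cpu_time_ratio(PAGE_CPU_EXAMPLE))
    print("avg memory per execution (MB):", average_memory_usage_per_execution(MEMORY_EXAMPLE))
```

The weighted memory average is what makes the Chrome example on the page come out as "the average memory of one tab": the two-tab record contributes its per-process average twice, once per underlying process, rather than once for the aggregated event.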

OS build

The operating system build is now reported for Windows devices.

OS build  (Group: Operating system; Type: Field; Windows: yes; Mac: no; Mobile: no)
Indicates the build number of the operating system:
  • '0.0.0.0': incompatible collector version or the data is not yet available
NXQL ID: os_build

Enhanced OS version and architecture

Due to a change in Microsoft's servicing model, the field "OS version and architecture" now includes the feature update release version of Windows 10.

As an example:

  • "Windows 10 Pro (64 bits)" might become "Windows 10 Pro 1709 (64 bits)"

This would have the following impact on existing investigations and metrics.

The following conditions would still work:

  • "Os version and architecture" matches "Windows 10*"
  • "Os version and architecture" matches "Windows 10 Pro*"
  • "Os version and architecture" matches "Windows 10* (64 bits)"
  • "Os version and architecture" matches "*Pro*"

The following condition would become broken and should be updated:

  • "Os version and architecture" is "Windows 10 Pro (64 bits)"
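To check an existing set of conditions against the new value before and after the change, here is an added Python example (not Nexthink code and not part of these release notes). It takes "matches" to be a glob-style wildcard comparison where "*" stands for any run of characters, which is an assumption about the condition semantics, and "is" to be an exact string comparison; the two values and the five conditions are the ones listed above.

```python
from fnmatch import fnmatchcase

OLD_VALUE = "Windows 10 Pro (64 bits)"
NEW_VALUE = "Windows 10 Pro 1709 (64 bits)"  # feature update release version now included

# Conditions from the page, as (operator, pattern) pairs.
CONDITIONS = [
    ("matches", "Windows 10*"),
    ("matches", "Windows 10 Pro*"),
    ("matches", "Windows 10* (64 bits)"),
    ("matches", "*Pro*"),
    ("is", "Windows 10 Pro (64 bits)"),
]

def evaluate(operator, pattern, value):
    """Evaluate one condition; 'matches' is treated as a case-sensitive glob (assumption)."""
    if operator == "is":
        return value == pattern
    if operator == "matches":
        return fnmatchcase(value, pattern)
    raise ValueError(f"unknown operator {operator!r}")

def broken_conditions(conditions, old_value=OLD_VALUE, new_value=NEW_VALUE):
    """Return the conditions that matched the old value but no longer match the new one."""
    return [(op, pat) for op, pat in conditions
            if evaluate(op, pat, old_value) and not evaluate(op, pat, new_value)]

def still_working(conditions, old_value=OLD_VALUE, new_value=NEW_VALUE):
    """Return the conditions that match both the old and the new value."""
    return [(op, pat) for op, pat in conditions
            if evaluate(op, pat, old_value) and evaluate(op, pat, new_value)]

if __name__ == "__main__":
    for op, pat in CONDITIONS:
        print(f'{op:8} "{pat}": old={evaluate(op, pat, OLD_VALUE)} new={evaluate(op, pat, NEW_VALUE)}')
    print("broken:", broken_conditions(CONDITIONS))
```

Running this over an exported list of investigation conditions before upgrading shows which "is" comparisons on this field need to be rewritten as wildcard matches.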

SHA-256 hashes for binaries

SHA-256 hashes are now available for binaries.

SHA-256 hash  (Group: Properties; Type: Field; Windows: yes; Mac: no; Mobile: no)
Indicates the SHA-256 hash of the binary.
NXQL ID: sha256
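As an added example (not Nexthink code and not part of these release notes), the following Python shows the typical defensive use of this field: computing the SHA-256 of a binary the same way and comparing the reported digest, after normalising its case, against lists of known-good and known-bad hashes. The sample blobs and both hash lists are constructed for illustration; only the digests of the empty input and of the bytes "abc" are real, well-known SHA-256 values.

```python
import hashlib
import os
import tempfile

def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex, the form the sha256 field carries."""
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def normalise(digest: str) -> str:
    """Digests arrive in mixed case from different tools; compare them in one canonical form."""
    return digest.strip().lower()

def classify(digest: str, known_good: set, known_bad: set) -> str:
    """Known-bad wins over known-good; anything else is unknown and worth a closer look."""
    d = normalise(digest)
    if d in {normalise(x) for x in known_bad}:
        return "known-bad"
    if d in {normalise(x) for x in known_good}:
        return "known-good"
    return "unknown"

# Constructed lists: a well-known digest (of b"abc") stands in for an approved binary and
# the digest of the empty input stands in for a flagged one; neither refers to a real file.
KNOWN_GOOD = {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
KNOWN_BAD = {"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}

def file_matches_reported_hash(data: bytes, reported: str) -> bool:
    """Write a constructed blob to a temp file, hash it from disk and compare with the field value."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return sha256_of_file(path) == normalise(reported)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for blob in (b"abc", b"", b"constructed sample binary"):
        digest = sha256_hex(blob)
        print(digest, classify(digest, KNOWN_GOOD, KNOWN_BAD))
    print(file_matches_reported_hash(b"abc", "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"))
```

Case normalisation matters in practice because the same binary reported in lowercase by one source and uppercase by another would otherwise never match.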