Executable programs (e.g. 'winword.exe').

| Field | Group | Type | Platforms | Description | NXQL ID |
|---|---|---|---|---|---|
| Activity start time | Activity | Aggregate | Windows, Mac | Start time of investigated activity | `activity_start_time` |
| Activity stop time | Activity | Aggregate | Windows, Mac | Stop time of investigated activity | `activity_stop_time` |
| Application company | Properties | Field | Windows, Mac | Application company | `application_company` |
| Application crash ratio | Errors | Aggregate | Windows, Mac | Indicates the number of application crashes per 100 executions. | `application_crash_ratio` |
| Application name | Properties | Field | Windows, Mac | Application name | `application_name` |
| Application not responding event ratio | Errors | Aggregate | Windows, Mac | Indicates the number of application not responding events per 100 executions. | `application_not_responding_event_ratio` |
| Average application startup duration | Activity | Aggregate | Windows | Indicates the average time between the start of the process and the time a window is displayed (not taking into account the splash screen). | `average_process_start_time` |
| Average incoming network bitrate | Availability | Aggregate | Windows, Mac | Average incoming network bitrate | `average_incoming_bitrate` |
| Average incoming web bitrate | Availability | Aggregate | Windows, Mac | Average incoming bitrate of all underlying web requests, consolidated over time | `average_incoming_bitrate` |
| Average memory usage per process | Activity | Aggregate | Windows, Mac | Indicates the average memory usage per process for the given executions, with a sampling resolution of 5 minutes. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine in a single execution (with an event cardinality = 2). The average memory usage per process will represent the average memory usage of a single Chrome tab. | `average_memory_usage_per_execution` |
| Average network response time | Availability | Aggregate | Windows, Mac | Indicates the average TCP connection establishment time of all underlying connections. The value is the average TCP connection establishment time of all executions weighted by their cardinality. | `average_network_response_time` |
| Average outgoing network bitrate | Availability | Aggregate | Windows, Mac | Average outgoing network bitrate | `average_outgoing_bitrate` |
| Average outgoing web bitrate | Availability | Aggregate | Windows, Mac | Average outgoing bitrate of all underlying web requests, consolidated over time | `average_outgoing_bitrate` |
| Average web request duration | Availability | Aggregate | Windows, Mac | Average time between request and last response byte | `average_request_duration` |
| Average web request size | Traffic | Aggregate | Windows, Mac | Average size of web requests | `average_request_size` |
| Average web response size | Traffic | Aggregate | Windows, Mac | Average size of web responses | `average_response_size` |
| Binary paths | Activity | Aggregate | Windows, Mac | List of executed binary paths (max. 50 paths) | |
| CPU usage ratio | Activity | Aggregate | Windows, Mac | Indicates the sum of the CPU time of all executions on each device in scope over all logical processors divided by their total duration. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the CPU usage ratio is 150% (= [50% * 30 min + 2 * 100% * 60 min] / [30 min + 60 min]). | `cpu_usage_ratio` |
| Cumulated execution duration | Activity | Aggregate | Windows, Mac | Cumulated duration of executions | `cumulated_execution_duration` |
| Cumulated network connection duration | Activity | Aggregate | Windows, Mac | Cumulated duration of TCP connections | `cumulated_connection_duration` |
| Database usage | Properties | Field | Windows, Mac | Indicates the percentage of the Engine database used by the executable. | `database_usage` |
| Description | Properties | Field | Windows | Executable description | `description` |
| First seen | Properties | Field | Windows, Mac | First time activity of the executable was recorded on any device | `first_seen` |
| Focus time | Activity | Aggregate | Windows, Mac | Indicates the amount of time any window of an application was in focus during the execution. Example: the time Microsoft Teams is being executed (duration = 5h 10min 48s) will usually be considerably longer than the time (Focus time = 52min 23s) its window(s) are in the foreground on the desktop. | `focus_time` |
| High application thread CPU time ratio | Warnings | Aggregate | Windows, Mac | Indicates the ratio between the time that the underlying executions are in high thread CPU usage and their execution duration. | `high_application_thread_cpu_time_ratio` |
| Highest local privilege level reached | Activity | Aggregate | Windows, Mac | Highest local privilege level reached for executions (user, power user, administrator) | `highest_local_privilege_reached` |
| Incoming network traffic | Traffic | Aggregate | Windows, Mac | Total network incoming traffic | `incoming_traffic` |
| Incoming network traffic per device | Traffic | Aggregate | Windows | Indicates the incoming network traffic divided by the number of devices. | `incoming_network_traffic_per_device` |
| Incoming web traffic | Traffic | Aggregate | Windows, Mac | Total web incoming traffic | `incoming_traffic` |
| Incoming web traffic per device | Traffic | Aggregate | Windows, Mac | Indicates the incoming web traffic divided by the number of devices. | `incoming_web_traffic_per_device` |
| Known packages | Properties | Field | Windows, Mac | List of packages known to contain the executable. This list is not exhaustive: the presence of a package does not necessarily imply that on a given device the executable was installed through that package. | `known_packages` |
| Last seen | Properties | Field | Windows, Mac | Last time activity of the executable was recorded on any device | `last_seen` |
| Lowest observed web protocol version | Activity | Aggregate | Windows, Mac | Lowest protocol version observed in web requests (excluding web requests with unknown protocol version) | `lowest_protocol_version` |
| Memory usage | Activity | Aggregate | Windows, Mac | Indicates the average memory usage of executions, based on the total memory usage of underlying processes. Sampling resolution is 5 minutes. Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine in a single execution (with an event cardinality = 2). The memory usage will represent the total memory usage of the two Chrome tabs. | `memory_usage` |
| Name | Properties | Field | Windows, Mac | Executable name | `name` |
| Network availability level | Availability | Aggregate | Windows, Mac | Indicates the ratio of successful TCP connections. The possible values are: high (the ratio is greater than or equal to 98%); medium (the ratio is greater than or equal to 90% and less than 98%); low (the ratio is lower than 90%). | `network_availability_level` |
| Number of application crashes | Errors | Aggregate | Windows, Mac | Number of application crashes | `number_of_application_crashes` |
| Number of application not responding events | Errors | Aggregate | Windows, Mac | Number of application not responding events | `number_of_application_not_responding_events` |
| Number of binaries | Inventory | Aggregate | Windows, Mac | Number of binaries | `number_of_binaries` |
| Number of connections | Activity | Aggregate | Windows, Mac | Number of connections | `number_of_connections` |
| Number of destinations | Inventory | Aggregate | Windows, Mac | Number of destinations | `number_of_destinations` |
| Number of devices | Inventory | Aggregate | Windows, Mac, Mobile | Number of devices | `number_of_devices` |
| Number of domains | Inventory | Aggregate | Windows, Mac | Number of domains | `number_of_domains` |
| Number of executions | Activity | Aggregate | Windows, Mac | Number of executions | `number_of_executions` |
| Number of ports | Inventory | Aggregate | Windows, Mac | Number of ports | `number_of_ports` |
| Number of users | Inventory | Aggregate | Windows, Mac, Mobile | Number of users | `number_of_users` |
| Number of web requests | Activity | Aggregate | Windows, Mac | Number of web requests | `number_of_web_requests` |
| Outgoing network traffic | Traffic | Aggregate | Windows, Mac | Total network outgoing traffic | `outgoing_traffic` |
| Outgoing network traffic per device | Traffic | Aggregate | Windows | Indicates the outgoing network traffic divided by the number of devices. | `outgoing_network_traffic_per_device` |
| Outgoing web traffic | Traffic | Aggregate | Windows, Mac | Total web outgoing traffic | `outgoing_traffic` |
| Outgoing web traffic per device | Traffic | Aggregate | Windows, Mac | Indicates the outgoing web traffic divided by the number of devices. | `outgoing_web_traffic_per_device` |
| Platform | Properties | Field | Windows, Mac, Mobile | The platform (operating system family) on which the executable is running | `platform` |
| Protocols used in web requests | Activity | Aggregate | Windows, Mac | Protocols used in web requests (HTTP, TLS, HTTP/TLS) | `protocols_used_in_requests` |
| Storage policy | Properties | Field | Windows, Mac | Indicates the event storage policy for the executable. Possible values are: all (web requests, connections and executions are stored); connections and executions; executions; none (no activity is recorded). | `storage_policy` |
| Successful HTTP requests ratio | Availability | Aggregate | Windows, Mac | Percentage of successful HTTP requests (1xx, 2xx and 3xx) | `successful_http_requests_ratio` |
| Successful network connections ratio | Availability | Aggregate | Windows, Mac | Percentage of successful TCP connections | `successful_connections_ratio` |
| Total active days | Activity | Field | Windows, Mac | Total number of days the executable was active | `total_active_days` |
| Total CPU time | Activity | Aggregate | Windows, Mac | Indicates the sum of the CPU time of all executions on each device in scope and over all logical processors. Executions shorter than 30 seconds are ignored. Example: if we consider two executions with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min). | `total_cpu_time` |
| Total network traffic | Traffic | Aggregate | Windows, Mac | Total network traffic (incoming and outgoing) | `total_network_traffic` |
| Total web traffic | Traffic | Aggregate | Windows, Mac | Total web traffic (incoming and outgoing) | `total_web_traffic` |
| UID | Properties | Field | Windows, Mac | Indicates the universally unique identifier (based on application name, application company and executable name). | |
| Web interaction time | Activity | Aggregate | Windows, Mac | Indicates the time during which at least one executable is doing HTTP or TLS traffic. This is counted with a 5-minute resolution. | `cumulated_web_interaction_duration` |