Executing processes (merged when in close succession).

Each entry below gives the field name, its group, the platforms on which it is available (Windows, Mac, Mobile), a description and, where one exists, its NXQL ID. Every entry in this table is of type Field.

Application name
  Group: Application
  Platforms: Windows, Mac
  Description: Executed application name

Average memory usage per process
  Group: Activity
  Platforms: Windows, Mac
  Description: Indicates the average memory usage per process for the given execution, with a sampling resolution of 5 minutes.
    • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine in a single execution (with an event cardinality = 2). The average memory usage per process will represent the average memory usage of a single Chrome tab.
  NXQL ID: average_memory_usage

Binary path
  Group: Application
  Platforms: Windows, Mac
  Description: Executed binary path
  NXQL ID: binary_path

Binary version
  Group: Application
  Platforms: Windows, Mac
  Description: Executed binary version

Cardinality
  Group: Properties
  Platforms: Windows, Mac
  Description: Number of underlying processes, consolidated over time
  NXQL ID: cardinality

Device ID
  Group: Device
  Platforms: Windows, Mac
  Description: Unique identifier code of the executing device

Device IP addresses
  Group: Device
  Platforms: Windows, Mac
  Description: List of IP addresses of the executing device

Device name
  Group: Device
  Platforms: Windows, Mac
  Description: Indicates the name of the device:
    • For Windows: NetBIOS name
    • For Mac OS: computer name used on the network
    • For Mobile: composed of the mailbox name and the device friendly name

Device SID
  Group: Device
  Platforms: Windows
  Description: Windows security identifier of the executing device

Duration
  Group: Properties
  Platforms: Windows, Mac
  Description: Total execution duration
  NXQL ID: duration

End time
  Group: Properties
  Platforms: Windows, Mac
  Description: Execution end time
  NXQL ID: end_time

Executable name
  Group: Application
  Platforms: Windows, Mac
  Description: Executed executable name

Focus time
  Group: Activity
  Platforms: Windows, Mac
  Description: Indicates the amount of time any window of an application was in focus during the execution.
    • Example: the time Microsoft Teams is being executed (duration = 5h 10min 48s) will usually be considerably longer than the time its window(s) are in the foreground on the desktop (Focus time = 52min 23s).
  NXQL ID: focus_time

ID
  Group: Properties
  Platforms: Windows, Mac
  Description: Unique execution identifier code
  NXQL ID: id

Incoming TCP traffic
  Group: Traffic
  Platforms: Windows, Mac
  Description: Incoming TCP traffic
  NXQL ID: incoming_tcp_traffic

Lifespan
  Group: Properties
  Platforms: Windows, Mac
  Description: Execution lifespan in relation to the investigation time frame

Memory usage
  Group: Activity
  Platforms: Windows, Mac
  Description: Indicates the average memory usage of executions, based on the total memory usage of the underlying processes. Sampling resolution is 5 minutes.
    • Example: if two tabs of the Chrome browser are opened at the same time, two distinct processes of chrome.exe are launched and they are aggregated by the Engine in a single execution (with an event cardinality = 2). The memory usage will represent the total memory usage of the two Chrome tabs.
  NXQL ID: memory_usage

Outgoing TCP traffic
  Group: Traffic
  Platforms: Windows, Mac
  Description: Outgoing TCP traffic
  NXQL ID: outgoing_tcp_traffic

Outgoing UDP traffic
  Group: Traffic
  Platforms: Windows, Mac
  Description: Outgoing UDP traffic
  NXQL ID: outgoing_udp_traffic

Privilege level
  Group: Properties
  Platforms: Windows, Mac
  Description: Privilege level of the execution (user, power user, administrator)
  NXQL ID: privilege_level

Signature ID
  Group: Properties
  Platforms: Windows, Mac
  Description: ID of the related execution signature, i.e. a user executing a certain process on a particular device
  NXQL ID: usage

Start time
  Group: Properties
  Platforms: Windows, Mac
  Description: Execution start time
  NXQL ID: start_time

Startup duration
  Group: Properties
  Platforms: Windows
  Description: Indicates the time between the start of the process and the time a window is displayed (not taking the splash screen into account). The value is averaged over all underlying executions.
  NXQL ID: startup_duration

Status
  Group: Properties
  Platforms: Windows, Mac
  Description: Status of the execution (started, stopped)
  NXQL ID: status

Total CPU time
  Group: Properties
  Platforms: Windows, Mac
  Description: Indicates the sum of the CPU time of all executions (before aggregation by the Engine) over all logical processors. Executions shorter than 30 seconds are ignored.
    • Example: if we consider two executions that are launched at the same time (hence aggregated by the Engine), with the first one taking 50% of a logical processor during 30 minutes and the second one taking 100% of 2 logical processors during 60 minutes, the total CPU time is 135 minutes (= 50% * 30 min + 2 * 100% * 60 min).
  NXQL ID: total_cpu_time

User ID
  Group: User
  Platforms: Windows, Mac
  Description: Unique identifier code of the executing user

User name
  Group: User
  Platforms: Windows, Mac
  Description: Name of the executing user

User SID
  Group: User
  Platforms: Windows, Mac
  Description: Indicates the Windows security identifier for the user.
    • For Mac OS: the value is 'S-0-0' if the user is not in Active Directory