NXQL data model (classic)

Objects

application

An application is a set of executables, e.g. 'Microsoft Office'.

| Name | Type | Operating systems | Properties | Description |
| --- | --- | --- | --- | --- |
| company | string | Windows, macOS | | Company producing the application |
| database_usage | permill | Windows, macOS | | Percentage of the database used by information related to the application |
| description | string | Windows | | Application description |
| first_seen | datetime | Windows, macOS | NU | First time activity of the application was recorded on any device. |
| id | identifier | Windows, macOS | | Unique application identifier |
| known_packages | string | Windows, macOS | | List of packages known to contain the application. This list is not exhaustive: The presence of a package does not necessarily imply that on a given device the application was installed through that package. |
| last_seen | datetime | Windows, macOS | NU | Last time activity of the application was recorded on any device. |
| name | string | Windows, macOS | | Application name |
| platform | enum | Windows, macOS | | The platform (operating system family) on which the application is running. |
| storage_policy | enum | Windows, macOS | | Indicates the event storage policy for the application. Possible values are: • all: web requests, connections and executions are stored; • connections and executions; • executions; • none: no activity is recorded. |
| total_active_days | day | Windows, macOS | | Total number of days the application was active. |

binary

A binary is an executable binary file identified by its hash code.

| Name | Type | Operating systems | Properties | Description |
| --- | --- | --- | --- | --- |
| application_category | string | Windows, macOS | SE | Indicates the category of the application: • '-': Not yet tagged; • Unknown: Not categorized by Nexthink Library. |
| application_company | string | Windows, macOS | | Application company |
| application_name | string | Windows, macOS | | Application name |
| architecture | enum | Windows, macOS | | Executable architecture (32/64 bit) |
| average_cpu_usage | permill | Windows | | Average CPU usage for the binary |
| average_memory_usage | byte | Windows | NU | Average memory usage for the binary |
| average_number_of_graphical_handles | integer | Windows | NU | Average number of graphical handles (GDI) |
| company | string | Windows, macOS | | Executable company |
| database_usage | permill | Windows, macOS | | Percentage of the database used by information related to the binary. |
| description | string | Windows | | Description as it appears in the binary file. |
| executable_name | string | Windows, macOS | | Executable name |
| file_size | byte | Windows, macOS | | Binary file size |
| first_seen | datetime | Windows, macOS | NU | First time activity of the binary was recorded on any device. |
| hash | md5 | Windows, macOS | | Hash code of the binary (MD5) |
| id | identifier | Windows, macOS | | Unique binary identifier |
| last_seen | datetime | Windows, macOS | NU | Last time activity of the binary was recorded on any device. |
| paths | path | Windows, macOS | | List of paths of the binary |
| platform | enum | Windows, macOS | | The platform (operating system family) on which the binary is running. |
| sha1 | sha1 | Windows, macOS | | SHA-1 hash code of the binary |
| sha256 | sha256 | Windows, macOS | | SHA-256 hash code of the binary |
| storage_policy | enum | Windows, macOS | | Event storage policy for the binary (connection and execution, execution-only or none) |
| threat_level | enum | Windows, macOS | SE | Indicates the threat level of the binary: • '-': Not yet tagged; • none detected: No known threat; • low: low threat; • intermediate: Intermediate threat; • high: high threat. |
| total_active_days | day | Windows, macOS | | Total number of days the binary was active. |
| user_interface | boolean | Windows | | Application has interactive user interface |
| version | version | Windows, macOS | | Version of the binary |

destination

A destination is a device or server receiving TCP/UDP connections.

| Name | Type | Operating systems | Properties | Description |
| --- | --- | --- | --- | --- |
| database_usage | permill | Windows, macOS | | Percentage of the database used by information related to the destination |
| first_seen | datetime | Windows, macOS | NU | First time activity to the destination was recorded on any device. |
| id | identifier | Windows, macOS | | Unique destination identifier |
| ip_address | ip_address | Windows, macOS | | IP address for the destination |
| last_seen | datetime | Windows, macOS | NU | Last time activity to the destination was recorded on any device. |
| name | string | Windows, macOS | | Reverse lookup name |

device

A device is a Windows physical or virtual machine monitored by a Nexthink Collector.

| Name | Type | Operating systems | Properties | Description |
| --- | --- | --- | --- | --- |
| administrator_account_status | enum | Windows | | Determines whether the local Administrator account is enabled or disabled. |
| all_antispywares | string | Windows | | Summary information about all the detected antispyware: • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| all_antiviruses | string | Windows | | Summary information about all the detected antiviruses: • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| all_firewalls | string | Windows | | Summary information about all the detected firewalls: • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| allow_non_provisionable_devices | boolean | | NU | Indicates whether a device which does not fully support the policy is still allowed to connect to the Exchange ActiveSync server. If 'yes', the security policy is not guaranteed to be applied, even if the field 'ActiveSync policy application status' value is 'applied in full'. |
| antispyware_name | string | Windows | NU | Name of the main antispyware |
| antispyware_rtp | enum | Windows | | Indicates whether the antispyware real time protection (RTP) is active: • on: Indicates that RTP is active; • off: Indicates that either RTP is not active or no antispyware has been detected; • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| antispyware_up_to_date | enum | Windows | | Indicates whether the antispyware is up-to-date: • yes: Indicates that antispyware is up-to-date; • no: Indicates that either the antispyware is not up-to-date or no antispyware has been detected; • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| antivirus_name | string | Windows | NU | Name of the main antivirus |
| antivirus_rtp | enum | Windows | | Indicates whether the antivirus real time protection (RTP) is active: • on: Indicates that RTP is active; • off: Indicates that either RTP is not active or no antivirus has been detected; • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| antivirus_up_to_date | enum | Windows | | Indicates whether the antivirus is up-to-date: • yes: Indicates that antivirus is up-to-date; • no: Indicates that either the antivirus is not up-to-date or no antivirus has been detected; • unknown: Indicates that the information could not be retrieved; • N/A: This field is not available on this operating system; • '-': No data, incompatible collector version or the data is not yet available. |
| audit_account_logon_events | enum | Windows | | Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. |
| audit_account_management | enum | Windows | | Determines whether to audit each event of account management on a computer. |
| audit_directory_service_access | enum | Windows | | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. |
| audit_logon_events | enum | Windows | | Determines whether to audit each instance of a user logging on to or logging off from a computer. |
| audit_object_access | enum | Windows | | Determines whether to audit the event of a user accessing an object (e.g. a file, folder, registry key, and so forth) that has its own system access control list (SACL) specified. |
| audit_policy_change | enum | Windows | | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| audit_privilege_use | enum | Windows | | Determines whether to audit each instance of a user exercising a user right. |
| audit_process_tracking | enum | Windows | | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. |
| audit_system_events | enum | Windows | | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
| average_boot_duration | millisecond | Windows | NU | Full boot duration baseline |
| average_fast_startup_duration | millisecond | Windows | NU | Indicates the fast startup boot duration averaged over the fast startups. In the calculation, recent boots weigh more than older boots (exponentially weighted moving average). |
| average_logon_duration | millisecond | Windows | NU | User logon duration baseline |
| bios_serial_number | string | Windows, macOS | NU | BIOS serial number |
| boot_disk_health_status | enum | Windows | NU | Indicates the health of the disk from which the device is booting, as reported by the operating system. |
| boot_disk_type | enum | Windows, macOS | NU | Indicates the type of the disk from which the device is booting. |
| chassis_serial_number | string | Windows | NU | Chassis serial number |
| cltr_ca_license_uid | string | Windows, macOS | NU | Indicates the Collector assignment license UID |
| cltr_ca_status | enum | Windows, macOS | NU | Indicates whether Collector assignment service is enabled or disabled |
| cltr_crash_guard_count | integer | Windows | NU | Indicates the number of consecutive hard resets or system crashes of the device |
| cltr_crash_guard_limit | integer | Windows | NU | Indicates the Collector CrashGuard limit |
| cltr_crash_guard_protection_interval | integer | Windows | NU | Indicates the CrashGuard monitoring interval in minutes |
| cltr_crash_guard_react_interval | integer | Windows | NU | Indicates the Collector CrashGuard reactivation interval in hours |
| cltr_custom_shells | enum | Windows | NU | Indicates whether the Collector reports user logon events and user interactions in virtualized and embedded (kiosk mode) environments |
| cltr_data_channel_protocol | enum | Windows, macOS | NU | Specifies if the Collector data is sent over TCP or UDP |
| cltr_dns_res_preference | enum | Windows | NU | Indicates the DNS resolution preference for Collector in terms of IP protocol version on the device |
| cltr_engage_service_status | enum | Windows, macOS | NU | Indicates whether Engage is enabled or disabled |
| cltr_freezes_monitoring | enum | Windows | NU | Indicates whether the Collector is monitoring for unresponsive applications on the device |
| cltr_installs_scan_interval | integer | Windows | NU | Indicates the interval, in hours, after which the Collector checks for newly installed packages and updates |
| cltr_is_visible | enum | Windows | NU | Indicates whether Collector is hidden in the "Add or Remove Programs" |
| cltr_log_level | enum | Windows, macOS | NU | Indicates the Collector log level |
| cltr_max_segment_size | integer | Windows | NU | Indicates the maximum segment size of packets sent by Collector |
| cltr_ra_execution_policy | enum | Windows | NU | Indicates the PowerShell script execution policy |
| cltr_string_tag | string | Windows, macOS | NU | Indicates the Collector string tag |
| cltr_web_mon_status | enum | Windows | NU | Indicates whether Web & Cloud monitoring is enabled or disabled |
| collector_distinguished_name | string | Windows | NU | Indicates the distinguished name (DN) as seen: • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed; • For Mobile: In the Exchange ActiveSync server. Note that this DN is reported by the Collector. |
| collector_installation_log | string | Windows | NU | Link to the last Nexthink Collector installation error log |
| collector_package_target_version | version | Windows, macOS | NU | Indicates the Collector package version that is targeted. |
| collector_status | enum | Windows, macOS | NU | Indicates the status of the Nexthink Collector package installed on the device: • unmanaged: the Collector is not automatically updated; • up-to-date: the Collector is up-to-date; • outdated: a newer Collector version is available. |
| collector_tag | integer | Windows | | Collector installation tag |
| collector_update_status | enum | Windows | | Current status of Nexthink Collector Updater |
| collector_version | version | Windows, macOS | | Version number of Nexthink Collector installation |
| cpu_frequency | mhz | Windows, macOS | NU | CPU frequency |
| cpu_model | string | Windows, macOS | NU | CPU model |
| database_usage | permill | Windows, macOS | | Percentage of the database used by information related to the device |
| device_encryption_required | boolean | | NU | Indicates whether device encryption is required. |
| device_manufacturer | string | Windows, macOS | NU | Indicates the device manufacturer. |
| device_model | string | Windows, macOS | NU | Indicates the model of the device. |
| device_password_required | boolean | | NU | Indicates whether a password is required on the device. |
| device_product_id | string | Windows, macOS | NU | Device product ID |
| device_product_version | string | Windows, macOS | NU | Device product version |
| device_serial_number | string | Windows, macOS | NU | Indicates the device serial number. |
| device_type | enum | Windows, macOS | | Type of device (desktop, laptop, server, mobile) |
| device_uid | md5 | Windows, macOS | | Indicates the universally unique identifier (based on Engine name and device ID) |
| device_uuid | string | Windows, macOS | | Indicates the device universally unique identifier (UUID) |
| directory_service_site | string | Windows | NU | Site (or location) of an Active Directory (AD) service |
| disks_manufacturers | string | Windows | | Hard disks manufacturers |
| disks_smart_index | percent | Windows | NU | Lowest S.M.A.R.T. index of installed hard disks (index is based on S.M.A.R.T. attributes) |
| distinguished_name | string | Windows | NU | Indicates the distinguished name (DN) as seen: • For Windows: In Active Directory (AD). If no connection with AD is set up, a '-' is displayed; • For Mobile: In the Exchange ActiveSync server |
| eas_access_state | enum | | | Indicates whether the device can access the Exchange ActiveSync server. The possible states are: • allowed: the device has access; • blocked: the device is blocked; • discovery: the device is temporarily quarantined while it is being identified by the Exchange ActiveSync server; • quarantined: the device is waiting for Exchange ActiveSync administrator approval. |
| eas_access_state_reason | enum | | | Indicates the reason for the device access state. The possible values are: • global: caused by the global access settings; • device rule: caused by a device access rule; • individual: caused by an individual exemption; • policy: caused by Exchange ActiveSync policy. |
| eas_device_access_rule | string | | | Indicates the name of the access rule. An access rule allows, blocks or quarantines devices based on the device type, model, OS or user agent characteristics. |
| eas_device_identity | string | | | Indicates the identity of the device in Exchange ActiveSync Server. |
| eas_exemption | enum | | | Indicates whether a personal exemption is set for the device and its user. Possible values are: • none; • allow; • block. |

eas_policy_application_status

enum