Triggering workflows
Workflows allows you to trigger a workflow with different execution options. There are four mechanisms to execute a workflow:
Manual: Enables you to execute a workflow manually against multiple targets simultaneously.
API: Enables you to execute a workflow with the Nexthink API.
Scheduled: Enables you to execute a workflow within the timeframe defined by the NQL query.
Events: Enables you to execute a real-time event workflow defined by the NQL query.
Triggering a workflow manually
To trigger a workflow manually, you must:
Get a list of
devices
using an NQL query.Configure one or more workflows using an NQL query.
Grant Trigger manually all workflows permissions or share a workflow with trigger permissions.
Device view and Amplify are not supported for manual triggers.
To manually trigger a workflow:
Select Investigations from the main menu.
Click the New button to run your NQL query. The Visual Editor tab opens by default.
Switch to the NQL editor tab and write an NQL query to list all
devices
.Click the Run button to show the query results.
Select the checkboxes of the items that you wish to trigger.
Once you select the first item, an action bar appears with the total number of entries chosen, along with the Execute action button.
Click the Execute action button. An action modal appears.
Select the relevant action and click the Run devices trigger.
Triggering a workflow via API
To trigger a workflow using the Nexthink API, refer to the Workflows API documentation for more information.
Triggering a scheduled workflow
Trigger a workflow at specific recurring periods and define the workflow targets using an NQL query.
To trigger a scheduled workflow:
Select Workflows from the main menu.
To access a workflow, you have two options:
Select Manage workflows to edit an existing workflow.
Click the New button to create a new workflow.
In the General tab, select Schedule.
Click the Add Schedule button to open the schedule modal.
Fill in the following fields:
Name: Enter a unique name for the schedule.
NQL: Enter an NQL query for the workflow targets.
Recurrence: Configure the timing and recurrence of the schedule.
Workflow parameters: Use parameters to schedule the workflow. Define the parameters in Designer or with a NEAL script. Refer to the Designer documentation for more information.
Set parameters with:
A predefined list of values in Designer.
Custom free text values.
Defined attributes in the
list
statement of the NQL query.
Click the Add button to trigger the workflow.
Triggering an event workflow
The system only triggers one event per workflow.
Trigger a real-time event workflow defined using an NQL query. The system triggers the workflow when Nexthink receives the event.
To trigger an event workflow:
Select Workflows from the main menu.
To access a workflow, there are two options:
Select Manage workflows to edit an existing workflow.
Click the New button to create a new workflow.
In the General tab, click the Events > Add Event button to open the event modal.
Fill in the following fields:
Name: Enter a unique name for the event.
NQL: Enter an NQL query to capture the event triggering the workflow.
For the query to be valid, it must contain at least one:
Supported event
where
statement in cases where the object can be filtered onlist
statement
See the Supported Events section for a list of events that you can use and the Event Limits section for more information about the supported query elements.
Parameters: Use parameters to set the values when the workflow is triggered. Define the parameters in Designer or with a NEAL script. Refer to the Designer documentation for more information.
Set parameters with:
A predefined list of values configured in Designer.
Custom free text values.
Defined attributes in the
list
statement of the NQL query.
Click the Add button to trigger a workflow.
Examples
The examples below show the NQL queries that you can use with events:
Slow login event
Use the following query to identify high login times for a device, including the affected user's username.
session.logins
| where time_until_desktop_is_ready > 1s
| list user.ad.username
Driver or storage-related blue screen of death (BSoD)
Use the following query to respond to a Windows device that experienced a BSoD due to a driver or storage-related issue.
device_performance.system_crashes
| where label == 'IRQ_NOT_LESS_OR_EQUAL'
| list error_code
Anti-virus disabled
Use the following query when the anti-virus is disabled and detected remotely. This ensures compliance and allows you to perform additional checks on the compliance state of the device.
remote_action.#AVCheck.executions
| where outputs.AVActive == 'false'
| list outputs.AVDefinitionVersion
Supported Events
Manual custom fields are supported.
Below is a list of supported query events:
alert.alerts
device_performance.boots
device_performance.hard_resets
device_performance.system_crashes
execution.crashes
remote_action.executions
session.connects
session.disconnects
session.locks
session.logins
session.logouts
session.lockouts
Event Limitations
Filtering using date or time attributes is not supported.
The following limits apply to event trigger configuration:
One event trigger per workflow.
The use of ratings is not supported.
last_seen
attributes are not supported on any object.
The following fields are not supported for use in the query from the device object:
last_seen
login.last_login_user_name
boot.days_since_last_full_boot
boot.last_full_boot_duration
boot.last_full_boot_time
connectivity.last_connectivity_type
connectivity.last_local_ip
The use of the following custom fields is not supported:
Query-based fields
Rule-based fields
The use of dimensions in the query is not supported:
context.*
device.public_ip.*