NQL data model

Data model concepts

Consult the Understanding key data platform concepts page for more information about the various data model concepts.

Data model

Table

Description

devices

Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.

device.antiviruses

The list of antivirus registered on the device and reported through WMI.

device.cpus

The list of CPU model names and their nominal clock speeds.

device.disks

The list of storage devices.

device.firewalls

The list of firewalls registered on the device and exposed through the Windows Security Center.

device.gpus

The graphics processing unit.

device.local_admins

The list of users and groups that are members of the local Administrators group on the device.

device.monitors

The list of monitors connected to the device.

device.volumes

The list of logical storage volumes.

binaries

Table of binaries. A binary is an executable binary file identified by its hash code.

users

Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.

alert.monitors

The table of defined alert monitors in the system.

alerts

The table collecting information about instances where metric values go outside normal parameters as defined in monitors.

alert.impacts

The table collecting information about instances of an alert impact.

applications

Table of defined applications.

application.network_applications

Table of defined network applications.

application.pages

Table of defined key pages.

application.transactions

Table of defined transactions.

campaigns

The table collecting all active and retired campaigns.

campaign.responses

The table collecting responses (expected or given) of a campaign by an employee.

collaboration.sessions

Table collecting meetings performed with collaboration tools such as Teams or Zoom.

connection.events

The connections.events table contains events for outgoing TCP connections and UPD packages. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).

connection.tcp_events

The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.

connection.udp_events

The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.

connectivity.events

Table collecting performance metrics and attributes specific to a device's connectivity.

device_performance.boots

The table collecting boots of devices.

device_performance.events

The table collecting performance metrics and attributes specific to a device.

device_performance.hard_resets

The table contains hard resets, which occur when a device reboots without first completing the shutdown procedure. This could apply to situations where a device totally freezes up and can only be restarted by turning it off first, as well as situations involving power outages.

device_performance.system_crashes

The table collecting the system crashes of the devices.

dex.application_scores

application_score

dex.scores

A table of the DEX score.

execution.crashes

The table collecting crashes of a running process.

execution.events

The table collecting performance metrics and attributes specific to a process execution.

packages

A table of packages. A package is a group of files and executables that together constitute a software application.

package.installations

A table of package installation events.

package.uninstallations

A table of package uninstallation events.

package.installed_packages

A table of all installed packages on all devices.

platform.audit_logs

audit_log

remote_actions

The table of defined remote actions.

remote_action.executions

The table collecting the executed remote actions.

remote_action.executions_summary

The table collecting the trend of executed remote actions.

services

A table of services. A service performs automated tasks, respond to hardware events, or listen for data requests from other software. These services are often loaded automatically at startup, and run in the background, without user interaction

service.changes

Timeline of events when an attribute of an existing service has changed on a device. The attributes tracked by these events are the same as in the installed_services table. Eg. logon_as & startup_type.

service.installations

Punctual event, indicating when an service was added or removed to a particular device.

service.installed_services

A table of all installed services on all devices.

session.connects

The table collecting connections linked to user sessions.

session.disconnects

The table collecting disconnections linked to user sessions.

session.events

The table collecting performance metrics and attributes specific to both local and remote sessions.

session.lifecycle_events

The table collecting all events linked to user sessions.

session.locks

The table collecting locks linked to the user sessions.

session.logins

The table collecting all session logins.

session.logouts

The table collecting all session logouts.

session.unlocks

The table collecting unlocks linked to user sessions.

software_metering.meter_configurations

meter_configuration

software_metering.events

event

web.errors

The table collecting errors of defined business-critical services.

web.events

The table collecting events of defined business-critical services.

web.page_views

Table collecting page views of defined business-critical services.

web.transactions

The table collecting transactions of defined business-critical services.

workflows

workflow

workflow.executions

execution

workflow.executions_summary

execution_summary

Namespace device

The device namespace includes one large devices table, which has multiple fields referring to device properties such as hardware, operating system and also Nexthink Collector.

devices

Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.

Field

Type

Description

Supported platforms

ad_site

string

AD site: Indicates the site to which the device is assigned to in Active Directory (AD).

Details: In case the device is not part of a domain, the value shows as "-".

Windows macOS

boot.days_since_last_full_boot

integer

Days since last full boot: The number of days since the device last boot following a restart or a complete shutdown.

Windows macOS

boot.last_full_boot_duration

duration

Last full boot duration: The duration of the device last boot following a restart or a complete shutdown.

Windows

boot.last_full_boot_time

datetime

Last full boot time: The date and time of the device last boot following a restart or a complete shutdown.

Windows macOS

collector.last_update_status

string

Collector last update status: The last update status received from a specific Collector instance.

Windows macOS

collector.last_update_status_date

datetime

Collector last update status date: The reception date of the last update status for a specific Collector instance.

Windows macOS

collector.local_ip

ipAddress

Collector local IP: The local IP used for the traffic between the endpoint and the Nexthink Instance.

Windows macOS

collector.tag_id

integer

Collector tag: The configurable number that identifies a group of Collector instances. The tag is useful for defining the entities to build hierarchies.

Details: An optional field that must be an integer number between 0 and 2147483647. Could complement the Collector string tag.

collector.tag_string

string

Collector string tag: The configurable label that identifies a group of Collector instances. The string tag is useful for defining the entities to build hierarchies.

Details: An optional field, with a maximum length of 2048 characters. Could complement the Collector tag.

Windows macOS

collector.target_update_date

datetime

Collector target update date: The date when the devices install the target version.

Windows macOS

collector.target_version

version

Collector target version: The version to which all Collector instances update next.

Windows macOS

collector.uid

uuid

UID: The Collector unique identifier, provided using the UUID format.

collector.update_group

string

Collector update group: For scheduling separate waves of Collector updates, the devices are assigned to one of the available update groups.Possible values:

  • Pilot

  • Main

  • Unsupported OS

Details: By default, 10% of all the Collector instances are assigned to the Pilot update group. The Pilot group starts updating two days after a new Collector version is available. The Main group starts updates 14 days after the Pilot group.

Windows macOS

collector.version

version

Collector version: Indicates the version of the Collector instance installed on the device.

Windows macOS

connectivity.last_connectivity_type

enumeration

Connectivity type: Last type of network adapter used. Possible values are:

  • WiFi

  • Ethernet

  • Bluetooth

Windows macOS

connectivity.last_local_ip

ipAddress

Local IP: The last local IP address for the primary physical network adapter of the device.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the device was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the device was seen active by the Nexthink instance.

Windows macOS

distinguished_name

string

Distinguished name: The unique identifier of a device when joined to a domain or workgroup.

Details: Shows as "-" when the device is not part of a domain or workgroup.

Windows macOS

entity

string

Entity: A customizable field used for organizing a group of devices into logical groups.

Windows macOS

first_seen

datetime

First seen: The date and time the device was first seen by the Nexthink instance.

Windows macOS

group_name

string

Group name: The name of the security group containing the device when joined to a domain or workgroup.

Windows

hardware.bios_serial_number

string

BIOS serial number: The serial number of the motherboard.

Details: On macOS, this is the same as the chassis serial number.

Windows macOS

hardware.chassis_serial_number

string

Chassis serial number: The chassis serial number.

Details: On macOS, this is the same as the BIOS serial number.

Windows macOS

hardware.machine_serial_number

string

Machine serial number: The unique serial number of the device in a UUID format.

Windows macOS

hardware.manufacturer

string

Manufacturer: The short name of the device manufacturer.

Details: While devices might natively report slight variations of it, for example, sometimes dependent on the model or year of introduction, the information is simplified to ensure consistency across different devices of the same manufacturer.

Windows macOS

hardware.memory

bytes

Installed memory: The total amount of random-access memory (RAM) installed on the device.

Windows macOS

hardware.model

string

Device model: The model of the device.

Details: On Windows, it is provided by the device manufacturer using the WMI interface as the product name. On macOS it is the "model id" provided by System Profiler.

Windows macOS

hardware.product_id

string

Product ID: A variant of a specific device model, sometimes also referred to as the SKU number.

Details: Provided by the device manufacturer through the WMI interface as the SKUNumber.

Windows

hardware.product_line

string

Product line: The product line or hardware version information.

Details: Provided by the device manufacturer through the WMI interface as the product version.

Windows macOS

hardware.type

enumeration

Device type: The device form factor:

  • desktop

  • laptop

  • virtual

Details: The Windows devices are considered to be a laptop if they have a "lid closed" sensor. For macOS this information comes from the device model.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last device activity received by the Nexthink instance.

Windows macOS

license_type

enumeration

License type: The type of license used for this device. Possible values:

  • endpoint

  • server

  • thin_client

Windows macOS

location.type

string

Location type: The type of location indicates whether the device is onsite or remote.

Windows macOS

login.last_login_user_name

string

Last logged in user: The name of the user associated to the last login on the device.

Windows macOS

membership_type

enumeration

Membership type: The type of computer group membership. Possible values:

  • standalone

  • workgroup

  • domain

  • open directory

Details: Possible values:

  • domain

  • workgroup

  • standalone

  • open directoryWhen not available, shows as "-".

Windows

name

string

Name: The name of the device as used by the operating system for identification purposes on the local network.

Details: Source:

  • For Windows: NetBios Name

  • For macOS: LocalHostName

Windows macOS

operating_system.architecture

enumeration

Architecture: The architecture of the device operating system. The instruction set it can natively execute.

Details: Possible values:

  • x86

  • x64

  • ARM64

Windows macOS

operating_system.build

version

Build: The build number of the operating system.

Details: The build number is set to "0.0.0.0" if the Collector version is incompatible or the data is not yet available.

Windows

operating_system.days_since_last_update

integer

Days since last system update: The number of days since the last system update.

Windows

operating_system.is_activated

bool

Is activated: The Windows license activation status.

Details: macOS does not require a license since OSX 10.9 Mavericks (released in 2013), and shows as "-".

Windows

operating_system.last_update

datetime

Last system update: The date and time of the last system update.

Windows

operating_system.name

string

Name: The combination of the name, version and architecture (when applicable) of the operating system.

Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value.

Windows macOS

operating_system.platform

enumeration

Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties.

Details: Possible values are:

  • Windows

  • macOS

  • Linux

Windows macOS

operating_system.wmi_status

enumeration

WMI status (deprecated): This field is deprecated and will be replaced in the future.

Details: The status of the WMI extension Collector relies on for device identification. Used internally to mitigate potential transient issues with this particular WMI source.

Windows

organization.entity

string

Entity: The organizational entity to which the device belongs.

public_ip.city

string

City: The city where the device is located.

Windows macOS

public_ip.country

string

Country: The country where the device is located.

Windows macOS

public_ip.ip_address

ipAddress

Public IP address: The public IP address of the device.

Windows macOS

public_ip.isp

string

ISP: The internet service provider of the device.

Windows macOS

public_ip.state

string

State: The subdivision (for example, state) where the device is located.

Windows macOS

sid

string

SID: The Security Identifier (SID) of the device, often used for identification and permission control purposes.

Windows

uid

uuid

Device UID: Unique identifier of the device.

Windows macOS

user_account_control_status

enumeration

User account control status: Indicates if the User Account Control (UAC) is configured, forcing applications to request explicit approval from the user to make changes to the computer or to run with elevated permissions.

Details: Possible values:

  • ok (apps ask for approval)

  • at risk

  • unknown

virtualization.desktop_broker

enumeration

Desktop broker: Name of the desktop virtualization product used to broker the remote desktop connections.

Windows

virtualization.desktop_pool

string

Desktop pool name: The hardware characteristics of the associated virtual machines.

Windows

virtualization.disk_image

string

Disk image: Name of the disk image used to deploy the virtual machine.

Windows

virtualization.environment_name

string

Environment name: Name of the connector used to retrieve the virtualization details.

Windows

virtualization.hostname

string

Virtualization hostname: The physical device on which the virtual machine is hosted.

Windows

virtualization.hypervisor_name

string

Hypervisor name: The hardware virtualization system running the virtual machine.

Windows

virtualization.instance_size

string

Instance size: A predefined configuration that determines the CPU, memory and storage which is allocated to a virtual machine.

Windows

virtualization.last_update

datetime

Last update: Date and time when the desktop virtualization information was last updated.

Windows

virtualization.region

string

Region: Geographical areas where one or more Microsoft Azure data centers are located.

Windows

virtualization.type

enumeration

Desktop pool type: The type of the desktop pool. Possible values are:

  • shared, several users work on the same virtual machine at the same time

  • personal, the virtual machine is used by one user at a time and all changes to the system persist

  • pooled, the device is used by one user at a time and during the logoff all changes including documents and data are erased.

Windows

antiviruses

The list of antivirus registered on the device and reported through WMI.

Field

Type

Description

Supported platforms

is_up_to_date

enumeration

Up to date: The up-to-date status of the antivirus. Possible values are:

  • yes

  • no

  • not_reported

  • not_applicable

Windows

name

string

Name: The name of the main antivirus.

Windows

real_time_protection

enumeration

Real-time protection: The status of the antivirus real time protection (RTP). Possible values are:

  • not_reported: incompatible Collector version or the data is not yet available

  • enabled: : indicates that the RTP is active

  • disabled: indicates that either the RTP is inactive or the antivirus is not detected

  • partially_enabled

  • not_applicable

Windows

cpus

The list of CPU model names and their nominal clock speeds.

Field

Type

Description

Supported platforms

frequency

integer

CPU frequency: The CPU base frequency in MHz. The base frequency can be much smaller than the maximum turbo frequency. For example, the Intel Core i7-8565U CPU has a base frequency of 1.80 GHz and a maximum frequency of 4.6 GHz.

Windows macOS

name

string

CPU name: The CPU model.

Windows macOS

number_of_cores

integer

Number of cores: The number of CPU cores.

Windows macOS

number_of_logical_processors

integer

Number of logical processors: The number of CPU cores multiplied by the number of threads that can run on each core using hyperthreading.

Windows macOS

disks

The list of storage devices.

Field

Type

Description

Supported platforms

capacity

bytes

Capacity: The disk capacity.

Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

is_bootable

bool

Is bootable: Returns the value "yes" when the device boots from that disk.

Windows macOS

name

string

Name: The name of the physical or virtual disk drive.

Windows macOS

type

enumeration

Type: The type of drive. Possible values are:

  • HDD

  • SSD

  • Other

Windows macOS

firewalls

The list of firewalls registered on the device and exposed through the Windows Security Center.

Field

Type

Description

Supported platforms

name

string

Name: The name of the main firewall.

Windows

real_time_protection

enumeration

Real-time protection: The status of the firewall real time protection (RTP). Possible values are:

  • not_reported: incompatible Collector version or the data is not yet available

  • enabled: indicates that RTP is active

  • disabled: indicates that either RTP isn’t active or no antivirus has been detected

  • partially_enabled

  • not_applicable

Windows

gpus

The graphics processing unit.

Field

Type

Description

Supported platforms

memory

bytes

Memory: The video memory in bytes.

Windows macOS

name

string

Name: The graphics card name.

Windows macOS

local_admins

The list of users and groups that are members of the local Administrators group on the device.

Field

Type

Description

Supported platforms

name

string

Name: The users who are members of the local Administrators group on the device.

Windows

type

enumeration

Type: The type of the user. Possible values are:

  • user

  • group

Windows

monitors

The list of monitors connected to the device.

Field

Type

Description

Supported platforms

diagonal_size

float

Diagonal size: The diagonal size in inches.

Windows

horizontal_resolution

integer

Horizontal resolution: The maximum horizontal resolution in pixels.

Windows

name

string

Name: The monitor name.

Windows

serial_number

string

Serial number: The monitor serial number.

Windows

vendor

string

Vendor: The monitor vendor.

Windows

vertical_resolution

integer

Vertical resolution: The maximum vertical resolution in pixels.

Windows

volumes

The list of logical storage volumes.

Field

Type

Description

Supported platforms

capacity

bytes

Capacity: The volume capacity in bytes.

Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

name

string

Name: The name of the volume.

Windows macOS

system

bool

Operating system volume: Returns the value "yes" when the volume contains the operating system.

Windows macOS

usage

float

Usage: The volume usage in percent.

Windows macOS

Namespace binary

Table of binaries. A binary is an executable binary file identified by its hash code.

binaries

Table of binaries. A binary is an executable binary file identified by its hash code.

Field

Type

Description

Supported platforms

architecture

enumeration

Architecture: The operating system architecture the binary is compiled for (32-bit or 64-bit).

Windows macOS

company

string

Company: The name of the company that produced the binary.

Details: Information retrieved from the file properties.

Windows macOS

description

string

Description: Used for describing the purpose of the file or to complement the name with additional details.

Details: Information retrieved from the file properties.

Windows

first_seen

datetime

First seen: The date and time the binary was first seen by the Nexthink instance.

Windows macOS

has_user_interface

bool

Has user interface: Indicates if the binary has an interactive window while running.

Details: On Windows platform the reported value is 'true', or 'false' if the binary has no interactive window or if the information is not available. Any other platform is always NULL.

Windows

last_seen

datetime

Last seen: The date and time of the last binary activity received by the Nexthink instance.

Windows macOS

md5_hash

bytea

MD5 hash: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary.

Details: The MD5 hash represented in base64 format.

Windows macOS

md5_hash_hex

bytea

MD5 hash hex: The MD5 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary.

Details: The MD5 hash represented in hex format.

Windows macOS

name

string

Name: The file name of the binary executed.

Windows macOS

platform

enumeration

Platform: The operating system family on which the binary natively runs.

Details: Possible values are:

  • Windows

  • macOS

  • Linux

Windows macOS

product_name

string

Product name: The name of the application associated with the file.

Details: Information retrieved from the file properties.

Windows macOS

sha-1_hash

bytea

SHA-1 hash: The SHA-1 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary.

Details: The SHA-1 hash represented in base64 format.

Windows macOS

sha-1_hash_hex

bytea

SHA-1 hash hex: The SHA-1 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary.

Details: The SHA-1 hash represented in hex format.

Windows macOS

sha-256_hash

bytea

SHA-256 hash: The SHA-256 fingerprint calculated by the Collector instance that can be used to uniquely identify a binary.

Details: The SHA-256 hash represented in base64 format.

Windows macOS

sha-256_hash_hex

bytea

SHA-256 hash hex: The SHA-256 fingerprint calculated by the Collector instance, that can be used to uniquely identify a binary.

Details: The SHA-256 hash represented in hex format.

Windows macOS

size

bytes

Size: The size of the binary file, in bytes.

Windows macOS

uid

uuid

Binary UID: The unique identifier for the binary.

Windows macOS

version

version

Version: The version of the binary file, retrieved from the file properties.

Windows macOS

Namespace user

The users table within the user namespace, includes information about the individual accounts across the IT infrastructure. It contains all employees recognized by your Nexthink instance. Most of the table fields are derived from Entra ID and are included in the "ad" grouping. A user may have access to more than one device.

users

Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.

Field

Type

Description

Supported platforms

ad.city

string

City: The name of the city the user is associated with.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.country_code

string

Country code: The country or region the user is associated with.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: The country or region is represented as a two-character code based on the ISO-3166 standard. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.department

string

Department: The name of the department the user is associated with.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.distinguished_name

string

Distinguished name: The unique identifier of a domain user for an on-premises Active Directory (AD).

Requirements: Requires one or more connectors for Entra ID correctly configured, and Entra ID needs to be synchronized with an on-premises AD.

Details: The distinguished name follows the LDAP syntax. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.email_address

string

Email address: The email address of the user.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.full_name

string

Full name: The name displayed in the address book for the user. This is usually the combination of the user first name, middle initial and last name.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.job_title

string

Job title: The job title assigned to the user in Active Directory.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.last_update

datetime

Last update: The date and time of the last update received for the user information from Entra ID.

Windows macOS

ad.office

string

Office: The name of the physical location or office the user is associated with.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.organizational_unit

string

Organizational unit name: The name of the directory folder containing the user account.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.username

string

AD Username: The name of the user account as it appears in Entra ID.

Requirements: Requires one or more connectors for Entra ID correctly configured.

Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the user account was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the user account was seen active by the Nexthink instance.

Windows macOS

first_seen

datetime

First seen: The date and time the user account was first seen by the Nexthink instance.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last user account activity received by the Nexthink instance.

Windows macOS

name

string

Username: The name of the user account on the local device.

Requirements: The collector is configured to report the username: Configuring Collector level anonymization

Details: Depending on the configuration, the Collector reports username in cleartext, as a hashed value or not at all.

Windows macOS

sid

string

SID: The unique security identifier (SID) of the user account on Windows.

Details: On Windows, each user account has a unique security identifier (SID) used to provide access to system resources. On macOS, a unique SID is generated by Nexthink to facilitate user identification.

Windows macOS

type

enumeration

Type: The type of the user account.

Details: Nexthink recognizes three types of user accounts:

  • A local user account is an account that only exists on a single device. It cannot be used to login to systems other than that specific device.

  • A domain user account is a user account managed by Microsoft Active Directory, enabling users to log in across various devices and access multiple services.

  • A system account is a form of a local account that has special privileges on a device.

Windows macOS

uid

uuid

User UID: The value that uniquely identifies a user on the Nexthink platform.

Windows macOS

upn

string

UPN: The User Principal Name (UPN), a unique identifier for a user account

Requirements: The Collector reports the UPN for Active Directory and Microsoft Entra ID user accounts on Windows, and for mobile and Jamf Connect-linked local user accounts on macOS. Nexthink does not report UPNs for system accounts or local accounts (without Jamf Connect for macOS). The collector must be configured to report the UPN: Configuring Collector level anonymization

Details: The User Principal Names (UPN) is a standardized identifier for users (RFC822). Normally, it takes the form of an email address. The UPN allows to uniquely identify a user across systems, for example, devices with different OS platforms. Nexthink uses the UPN to enrich user objects with data from third-party services. If the Collector cannot retrieve the UPN for a user, the UPN is NULL (displayed as “-”) and the upn_privacy_level is set to no_import (independent from the Collector configuration).

Windows macOS

upn_privacy_level

enumeration

UPN privacy level: Indicates how securely the User Principal Name (UPN) is stored by the Nexthink instance.

Requirements: The collector is configured to report the UPN: Configuring Collector level anonymization

Details: The User Principal Name (UPN) privacy level is a Collector configuration parameter on the user device. Depending on the configuration, the Collector reports UPN in cleartext, as a hashed value or not at all. The options are represented by the following values:

  • cleartext

  • hashed

  • no_import

Windows macOS

Namespace alert

The alert namespace consists of two tables: alerts and monitors. Monitors store sets of rules configured by Nexthink users (monitor name, threshold, priority, etc.), describing acceptable limits for metrics. Alerts store information about instances where metric values go outside normal parameters as defined in monitors. You may want to query the alerts table if you have permission to run investigations but are not allowed to access alerts dashboards or when creating dashboards for reporting.

monitors

The table of defined alert monitors in the system.

Field

Type

Description

Supported platforms

comparison_operator

enumeration

Comparison operator: Determines when a monitor should trigger an alert.

Details: It is one of the key elements used to define the conditions within a monitor in order to trigger an alert. It is specifically utilized when setting up the breaching criteria for the primary metric. A comparison operator allows for the comparison of values to determine if the specified condition is met. Possible values are:

  • at_least

  • less_or_equal

multiple_contexts

bool

Multiple-context: Indicates if the monitor triggers alerts with different contexts.

Details: The value is set to "Yes" when NQL has a "group by" clause.

name

string

Monitor name: The assigned name of a configured monitor.

Details: A monitor is a defined set of metrics and conditions used to continuously observe a system or process and trigger an alert when certain criteria are met. The name of the custom monitor can be changed after creation. Do not consider it as a unique identifier.

nql_id

string

NQL ID: The unique NQL identifier of the monitor.

Details: NQL ID cannot be changed after initial creation.

origin

enumeration

Monitor origin: Indicates where the monitor originates from. Monitors can be built-in to the Nexthink platform (system), installed using a library pack (library) or created manually (custom)

priority

enumeration

Priority: The importance of alerts that are triggered by the monitor.

Details: Possible values are:

  • critical

  • high

  • medium

  • low

defined by the user in the monitor configuration.

status

enumeration

Status: The status of the monitor as set in the "Manage monitors".

Details: Possible values are:

  • active

  • deleted

tags

jsonArrayString

Alert tags: List of user-defined labels that are assigned to a monitor and subsequently utilized for filtering alerts that are generated by the monitor.

Details: Tags are created and specified within the monitor configuration. By assigning tags to monitors, users can categorize and organize monitors based on specific criteria, making it easier to filter and manage alerts based on these tags. Up to 10 custom tags are allowed per monitor.

threshold

float

Threshold: It defines the value of the primary metric that must be exceeded for the monitor to trigger an alert.

Details: The threshold value serves as a reference point against which the metric actual value is compared to determine if it breaches the defined condition and triggers an alert.

thresholds

jsonArrayString

Thresholds: It contains the values of all metrics that need to be breached to trigger an alert.

type

enumeration

Monitor type: The chosen method used for monitoring. It identifies the specific approach employed to observe and evaluate the system or process being monitored.

Details: Possible values are:

  • metric_threshold

  • metric_change

alerts

The table collecting information about instances where metric values go outside normal parameters as defined in monitors.

alerts are punctual events.

alerts are associated to user, device, monitor

Field

Type

Description

Supported platforms

context

jsonArrayString

Context: The relevant information needed to understand alert.

Details: Depending on the alert, the context information may contain the name of the binary, device or user associated with the alert. It is the JSON-formatted payload of the alert.

context.location.country

string

Country: The country in which the device is located at the time of the event.

context.location.state

string

State: The state in which the device is located at the time of the event.

context.location.type

string

Type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity of the event.

context_hash

string

Context hash: The unique fingerprint of the alert context.

Details: The fingerprint is created by calculating an MD5 hash context.

duration

duration

Alert duration: The duration when the alert is active.

Details: It is calculated as the time between the trigger and the recovery if the alert is closed, or between the trigger and now if the alert is open.

is_auto_recovery

bool

Auto-recovery: Indicates if the alert was auto-recovered.

Details: Auto-recovery takes place when there are no events recorded for the metric(s) specified in the monitor configuration within the selected timeframe. Yes, if the alert is auto-recovered

is_grouped

bool

Group alert: It represents a situation where too many alerts have been generated by a single monitor at the same time. The monitor will not generate any more alerts until the situation has been resolved.

number_of_alerts

long

Number of alerts: The number of alerts triggered.

recovery_reference_value

float

Recovery reference value: It contains the reference value of the main (first) monitored metric that is checked to recover an alert.

recovery_time

datetime

Recovery time: Contains the date and time at which the alert was recovered.

recovery_value

float

Recovery value: The value of the metric that caused the alert to be recovered. Equal to the first metric value if more than one trigger condition is defined.

recovery_values

jsonArrayString

Recovery values: The lists of values of all the monitored metrics reported when the alert has recovered.

status

enumeration

Status: The status of the alert event. The status can be open or closed.

Details:

  • Open: the alert is currently active.

  • Closed: the alert has been recovered.

time

datetime

Alert time: Alert bucket time.

trigger_reference_value

float

Trigger reference value: The reference value of the metric against which the current value was compared to trigger the alert.

trigger_time

datetime

Trigger time: The date and time when the alert was raised.

trigger_value

float

Trigger value: The value of the metric that bypassed the threshold defined in the monitor configuration and caused the alert to be raised.

Details: Equal to the first metric value if more than one trigger condition is defined

trigger_values

jsonArrayString

Trigger values: The values of the metrics that bypassed the thresholds defined in the monitor configuration and caused the alert to be raised.

uid

uuid

Alert event UUID: The unique identifier of the alert event.

impacts

The table collecting information about instances of an alert impact.

impacts are punctual events.

impacts are associated to user, device, monitor

Field

Type

Description

Supported platforms

alert_uid

uuid

Associated alert event UUID: The unique identifier of the associated alert event.

context.location.country

string

Country: The country in which the device is located at the time of the event.

context.location.state

string

State: The state in which the device is located at the time of the event.

context.location.type

string

Type: The type of location indicates whether the device is onsite or remote at the time of the event.

context.organization.entity

string

Entity: The organizational entity of the event.

duration

duration

Impact duration: The duration of the impact.

Details: It is calculated as the time between the "from_time" and the "to_time" if there is more than one trigger, or between the "from_time" and now if there is only one trigger.

from_time

datetime

Impact from: Impact from

to_time

datetime

Impact to: Impact to

Namespace application

The application namespace contains a set of tables that store information about business-critical services configured by Nexthink users in the Application module. The tables include configuration data such as the name and ID of each application, as well as defined key pages and transactions. These tables can be queried alongside associated tables to help identify issues with business-critical services.

applications

Table of defined applications.

Field

Type

Description

Supported platforms

category

enumeration

Category: The category of the application. We have three categories, collaboration, connectivity and standard.

Requirements: The applications need to be defined through the application configuration menu.

Details: Connectivity applications (for example VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Collaboration applications (for example Teams, Zoom) will be displayed in device view timeline under Collaboration section. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default, users can select the 'Connectivity' or 'Collaboration' category when applicable. More info from the documentation

name

string

Name: The name of the web, desktop or hybrid application.

Requirements: The applications need to be defined through the Applications configuration menu.

Details: More info from the documentation

network_applications

Table of defined network applications.

Field

Type

Description

Supported platforms

category

enumeration

Category: The category of the network application. We have three categories, collaboration, connectivity and standard.

Requirements: The network applications need to be defined through the application configuration menu.

Details: Connectivity applications (for example VPN, ZTNA, XDR) will be highlighted in the device view, to correlate their activity with any employee connectivity issues. Collaboration applications (for example Teams, Zoom) will be displayed in device view timeline under Collaboration section. Any other application falls under the Standard category. Applications are assigned the 'Standard' category by default, users can select the 'Connectivity' or 'Collaboration' category when applicable. More info from the documentation

name

string

Name: The name of the network application.

Requirements: The network applications need to be defined through the Applications configuration menu.

Details: More info from the documentation

pages

Table of defined key pages.

Field

Type

Description

Supported platforms

name

string

Name: The name of the key page defined for a web application. Key pages divide a web application into functionally relevant parts based on URL patterns.

Requirements: The key pages need to be defined through the application configuration menu.

Details: More info from the documentation

transactions

Table of defined transactions.

Field

Type

Description

Supported platforms

name

string

Name: The name of the transaction defined for a web application. A transaction is an employee action or event in a web application that creates business value for the company.

Requirements: The transactions need to be defined through the application configuration menu.

Details: More info from the documentation