NQL data model

devices

Table of devices. A device is a physical or virtual machine monitored by Nexthink Collector.

device.antiviruses

The list of antivirus registered on the device and reported through WMI.

device.cpus

The list of CPU model names and their nominal clock speeds.

device.disks

The list of storage devices.

device.firewalls

The list of firewalls registered on the device and exposed through the Windows Security Center.

device.gpus

The graphics processing unit.

device.local_admins

The list of users and groups that are members of the local Administrators group on the device.

device.monitors

The list of monitors connected to the device.

device.npus

The neural processing unit.

device.volumes

The list of logical storage volumes.

device.mobile_devices

Table of mobile devices. A mobile device is a smartphone or tablet monitored by the Nexthink app.

binaries

The table containing binaries. A binary is an executable binary file identified by its hash code.

users

Table of users. A user is an object that represents an individual user account on a device (local user) or multiple devices (domain user). The user account may identify a physical user or a system user.

agent.conversations

The list of conversations with the Spark agent.

ai.tools

The table of defined AI tools.

ai.interactions_summary

This table collects interactions and usage summary data of the defined AI tools.

alert.monitors

The table of defined alert monitors in the system.

alerts

The table collecting information about instances where metric values go outside normal parameters as defined in monitors.

alert.impacts

The table collecting information about instances of an alert impact.

applications

Table of defined Web and Desktop applications.

application.guides

A guide represents any type of in-app guidance for end-users, including Walkthroughs (step-by-step guidance), Tooltips, and Media (PDFs, links, etc).

application.guide_steps

A step represents an individual part of a walkthrough, tooltip, or document.

application.network_applications

Table of defined network applications.

application.pages

Table of defined key pages.

application.transactions

Table of defined transactions.

campaigns

The table collecting all active and retired campaigns.

campaign.responses

The table collecting responses (expected or given) of a campaign by an employee.

collaboration.sessions

Table collecting meetings performed with collaboration tools such as Teams or Zoom.

connection.events

The connections.events table contains events for outgoing TCP connections and UDP packages. Some metrics are only available for TCP connections. These metrics are 'NULL' for UDP events. Connection events are associated to binaries, users, devices, and applications (optional).

connection.tcp_events

The connections.tcp_events table has been deprecated. Please use 'connection.events' table instead.

connection.udp_events

The connections.udp_events table has been deprecated. Please use 'connection.events' table instead.

connectivity.events

Table collecting performance metrics and attributes specific to a device's connectivity.

connectivity.mobile_events

The table collecting connectivity metrics and attributes specific to a device.

device_performance.boots

The table collecting all exit-from-inactive events of a device.

device_performance.events

The table collecting performance metrics and attributes specific to a device.

device_performance.hard_resets

The table contains hard resets, when a device reboots without first completing the shutdown procedure. For example, when a device unresponsive and must be powered off manually, or during unexpexted power loss.

device_performance.mobile_events

The table collecting performance metrics and attributes specific to a mobile device.

device_performance.suspends

The table collecting all transition-to-inactive events of a device.

device_performance.system_crashes

The table collecting the system crashes of the devices.

dex.application_scores

application_score

dex.scores

A table of the DEX score.

execution.crashes

The table collecting crashes of a running process.

execution.events

The table collecting performance metrics and attributes specific to a process execution.

packages

The table of packages. A package is a group of files and executables that together constitute a software application.

package.installations

The table of package installation events.

package.uninstallations

The table of package uninstallation events.

package.installed_packages

The table of all installed packages on all devices.

platform.accounts

account

platform.audit_logs

The list of all the events audited on the Infinity platform. Requires permission 'View audit logs in NQL'

platform.custom_trends_logs

The list of all logs associated to custom trends computations. Requires permission 'View platform logs in NQL'.

platform.data_export_logs

The list of all logs associated to data export executions. Requires permission 'View platform logs in NQL'.

platform.guide_step_stability_statistics

Represents daily-aggregated information about the stability of selectors for guide steps.

platform.inbound_connector_logs

The list of all logs associated to inbound connector executions. Requires permission 'View platform logs in NQL'.

remote_actions

The table of defined remote actions.

remote_action.executions

The table collecting the executed remote actions.

remote_action.executions_summary

The table collecting the trend of executed remote actions.

services

A table of services. A service performs automated tasks, responds to hardware events, or listens for data requests from other software. These services are often loaded automatically at startup and run in the background without user interaction.

service.changes

Contains events triggered when an attribute of an existing service changes on a device. The attributes tracked by these events are the same as those in the 'installed_services' table, for example, 'logon_as' and 'startup_type'.

service.installations

Contains event triggered when a service was added to or removed from a specific device.

service.installed_services

A table containing all services currently installed on all devices.

session.vdi_sessions

vdi_session

session.connects

The table collecting connections linked to user sessions.

session.disconnects

The table collecting disconnections linked to user sessions.

session.events

The table collecting performance metrics and attributes specific to both local and remote sessions.

session.lifecycle_events

The table collecting all events linked to user sessions.

session.locks

The table collecting locks linked to the user sessions.

session.logins

The table collecting all session logins.

session.logouts

The table collecting all session logouts.

session.unlocks

The table collecting unlocks linked to user sessions.

session.vdi_events

VDI Events

software_metering.meter_configurations

meter_configuration

software_metering.events

event

usage.account_actions

The list of all logs associated to account actions.

web.context_help_executions

End user interactions with the context help (opened or closed)

web.errors

The table collecting errors of defined business-critical services.

web.errors_summary

The table collecting errors of defined business-critical services up to 90d

web.events

web.events represent periodic signals of active usage time while a user has a tab in focus, regardless of interaction type. They primarily measure engagement duration, with events generated every 30 seconds during continued usage, even in error states.

web.events_summary

The table collecting events of defined business-critical services up to 90d

web.guide_executions

Represents a user interaction with a guide. It can be triggered when a guide is targeted (e.g. the guide is available for the user) or when a user interacts with the guide. In this case the status of the event is replaced with the latest status of targeted, started, completed or closed.

web.guide_step_executions

Represents user interactions with the guide steps. It can be triggered when a user closes or completes a step

web.guide_step_interactions

Represents any type of user interaction with the step, for example which button was clicked.

web.page_views

web.page_views capture navigations—i.e., when a user loads or switches to a new page within the application. A user can generate a single page view upon arrival, regardless of how long they remain on the page afterward.

web.page_views_summary

Table collecting page views of defined business-critical services up to 90d

web.transactions

The table collecting transactions of defined business-critical services.

web.transactions_summary

The table collecting transactions of defined business-critical services up to 90d

workflows

workflow

workflow.executions

execution

workflow.executions_summary

execution_summary

ad_site

string

AD site: Indicates the site to which the device is assigned to in Active Directory (AD). Details: In case the device is not part of a domain, the value shows as "-".

Windows macOS

boot.days_since_last_full_boot

integer

Days since last full boot: The number of days since the device last boot following a restart or a complete shutdown.

Windows macOS

boot.last_full_boot_duration

duration

Last full boot duration: The duration of the device last boot following a restart or a complete shutdown.

Windows

boot.last_full_boot_time

datetime

Last full boot time: The date and time of the device last boot following a restart or a complete shutdown.

Windows macOS

collector.last_update_status

string

Collector last update status: The last update status received from a specific Collector instance.

Windows macOS

collector.last_update_status_date

datetime

Collector last update status date: The reception date of the last update status for a specific Collector instance.

Windows macOS

collector.local_ip

ipAddress

Collector local IP: The local IP used for the traffic between the endpoint and the Nexthink Instance.

Windows macOS

collector.tag_id

numeric

Collector tag: The configurable number that identifies a group of Collector instances. The tag is useful for defining the entities to build hierarchies. Details: An optional field that must be an integer number between 0 and 2147483647. Could complement the Collector string tag.

collector.tag_string

string

Collector string tag: The configurable label that identifies a group of Collector instances. The string tag is useful for defining the entities to build hierarchies. Details: An optional field, with a maximum length of 2048 characters. Could complement the Collector tag.

Windows macOS

collector.target_update_date

datetime

Collector target update date: The date when the devices install the target version.

Windows macOS

collector.target_version

version

Collector target version: The version to which all Collector instances update next.

Windows macOS

collector.uid

uuid

UID: The Collector unique identifier, provided using the UUID format.

collector.update_group

string

Collector update group: For scheduling separate waves of Collector updates, the devices are assigned to one of the available update groups.Possible values:

• Pilot

• Main

• Unsupported OS

Details: By default, 10% of all the Collector instances are assigned to the Pilot update group. The Pilot group starts updating two days after a new Collector version is available. The Main group starts updates 14 days after the Pilot group.

Windows macOS

collector.version

version

Collector version: Indicates the version of the Collector instance installed on the device.

Windows macOS

configuration_tag

string

Configuration tag: A configurable label that identifies a group of devices. The string tag is useful for defining the entities to build hierarchies.

Windows macOS

connectivity.last_connectivity_type

enumeration

Connectivity type: Last type of network adapter used. Possible values are:

• WiFi

• Ethernet

• Bluetooth

Windows macOS

connectivity.last_local_ip

ipAddress

Local IP: The last local IP address for the primary physical network adapter of the device.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the device was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the device was seen active by the Nexthink instance.

Windows macOS

distinguished_name

string

Distinguished name: The unique identifier of a device when joined to a domain or workgroup. Details: Shows as "-" when the device is not part of a domain or workgroup.

Windows macOS

entity

string

Entity: A customizable field used for organizing a group of devices into logical groups.

Windows macOS

first_seen

datetime

First seen: The date and time the device was first seen by the Nexthink instance.

Windows macOS

group_name

string

Group name: The name of the security group containing the device when joined to a domain or workgroup.

Windows macOS

hardware.bios_serial_number

string

BIOS serial number: The serial number of the motherboard. Details: On macOS, this is the same as the chassis serial number.

Windows macOS

hardware.chassis_serial_number

string

Chassis serial number: The chassis serial number. Details: On macOS, this is the same as the BIOS serial number.

Windows macOS

hardware.machine_serial_number

string

Machine serial number: The unique serial number of the device in a UUID format.

Windows macOS

hardware.manufacturer

string

Manufacturer: The short name of the device manufacturer. Details: While devices might natively report slight variations of it, for example, sometimes dependent on the model or year of introduction, the information is simplified to ensure consistency across different devices of the same manufacturer.

Windows macOS

hardware.memory

bytes

Installed memory: The total amount of random-access memory (RAM) installed on the device.

Windows macOS

hardware.model

string

Device model: The model of the device. Details: On Windows, it is provided by the device manufacturer using the WMI interface as the product name. On macOS it is the "model id" provided by System Profiler.

Windows macOS

hardware.product_id

string

Product ID: A variant of a specific device model, sometimes also referred to as the SKU number. Details: Provided by the device manufacturer through the WMI interface as the SKUNumber.

Windows macOS

hardware.product_line

string

Product line: The product line or hardware version information. Details: Provided by the device manufacturer through the WMI interface as the product version.

Windows macOS

hardware.type

enumeration

Device type: The device form factor:

• desktop

• laptop

• virtual

Details: The Windows devices are considered to be a laptop if they have a "lid closed" sensor. For macOS this information comes from the device model.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last device activity received by the Nexthink instance.

Windows macOS

license_type

enumeration

License type: Specifies the license category assigned to the device, based on the product type reported by the operating system. For example, multi-session Windows is reported as server. Possible values:

• endpoint

• server

• thin_client

Details: Session-based (VDI) licenses are independent and must not be derived from this field.

Windows macOS

location.country

string

Country: The country where the device is located.

Windows macOS

location.site

string

Site: Custom-defined identifier (office, city, ...) where the device is located.

Windows macOS

location.state

string

State: The subdivision (for example, state) where the device is located.

Windows macOS

location.type

string

Location type: The type of location indicates whether the device is onsite or remote.

Windows macOS

login.last_login_user_name

string

Last logged in user: The name of the user associated to the last login on the device.

Windows macOS

membership_type

enumeration

Membership type: The type of computer group membership. Possible values:

• standalone

• workgroup

• domain

• open directory

Details: Possible values:

• domain

• workgroup

• standalone

• open directoryWhen not available, shows as "-".

Windows macOS

name

string

Name: The name of the device as used by the operating system for identification purposes on the local network. Details: Source:

• For Windows: NetBios Name

• For macOS: LocalHostName

Windows macOS

operating_system.architecture

enumeration

Architecture: The architecture of the device operating system. The instruction set it can natively execute. Details: Possible values:

• x86

• x64

• ARM64

Windows macOS

operating_system.build

version

Build: The build number of the operating system. Details: The build number is set to "0.0.0.0" if the Collector version is incompatible or the data is not yet available.

Windows

operating_system.days_since_last_update

integer

Days since last system update: The number of days since the last system update.

Windows

operating_system.is_activated

bool

Is activated: The Windows license activation status. Details: macOS does not require a license since OSX 10.9 Mavericks (released in 2013), and shows as "-".

Windows

operating_system.last_update

datetime

Last system update: The date and time of the last system update.

Windows

operating_system.msi_status

enumeration

MSI status: MSI status Details: MSI status

Windows

operating_system.name

string

Name: The combination of the name, version and architecture (when applicable) of the operating system. Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value.

Windows macOS

operating_system.platform

enumeration

Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties. Details: Possible values are:

• Windows

• macOS

• Linux

Windows macOS

operating_system.wmi_status (deprecated)

enumeration

WMI status: This field is deprecated and will be replaced in the future. Details: The status of the WMI extension the Collector relies on for device identification. Deprecation reason: This field has been depreciated since 2024.3 and This field is used internally to mitigate potential transient issues with this particular WMI source. It does not reflect the status of WMI generally.

Windows

organization.entity

string

Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

public_ip.city

string

City: The city where the device is located.

Windows macOS

public_ip.country

string

Country: The country where the device is located.

Windows macOS

public_ip.ip_address

ipAddress

Public IP address: The public IP address of the device.

Windows macOS

public_ip.isp

string

ISP: The internet service provider of the device.

Windows macOS

public_ip.state

string

State: The subdivision (for example, state) where the device is located.

Windows macOS

sid

string

SID: The Security Identifier (SID) of the device, often used for identification and permission control purposes.

Windows macOS

uid

uuid

Device UID: Unique identifier of the device.

Windows macOS

user_account_control_status

enumeration

User account control status: Indicates if the User Account Control (UAC) is configured, forcing applications to request explicit approval from the user to make changes to the computer or to run with elevated permissions. Details: Possible values:

• ok (apps ask for approval)

• at risk

• unknown

virtualization.desktop_broker

enumeration

Desktop broker: VDI broker platform of the VM. Details: Derived from the configured Inbound Connector integration. Indicates which VDI management platform enriches VMs in the device inventory with broker-level metadata.

Windows

virtualization.desktop_pool

string

Desktop pool name: The hardware characteristics of the associated virtual machines.

Windows

virtualization.disk_image

string

Disk image: The disk image last observed in use by the virtual machine.

Windows

virtualization.environment_name

string

Environment name: Name of the connector used to retrieve the virtualization details.

Windows

virtualization.hostname

string

Virtualization hostname: The name of the virtualization host where the virtual machine was last observed running.

Windows

virtualization.hypervisor_name

string

Hypervisor name: The hardware virtualization system running the virtual machine.

Windows

virtualization.instance_size

string

Instance size: A predefined configuration that determines the CPU, memory and storage which is allocated to a virtual machine.

Windows

virtualization.last_update

datetime

Last update: Date and time when the desktop virtualization information was last updated.

Windows

virtualization.region

string

Region: Geographical areas where one or more Microsoft Azure data centers are located.

Windows

virtualization.type

enumeration

Desktop pool type: The type of the desktop pool. Possible values are:

• shared, several users work on the same virtual machine at the same time

• personal, the virtual machine is used by one user at a time and all changes to the system persist

• pooled, the device is used by one user at a time and during the logoff all changes including documents and data are erased.

Windows

virtualization.vdi_reporting

enumeration

VDI reporting: Highlights whether the device supports VDI Experience and whether it has already been enabled. Details: Possible values are:

• not_supported: device is not compatible with VDI Experience

• inactive: a compatible agent is detected, but reporting is not yet enabled

• active: a compatible agent is detected and it is reporting data

• unknown: the Collector version running on the device does not yet report VDI Experience compatibility information.

Windows

is_up_to_date

enumeration

Up to date: The up-to-date status of the antivirus. Possible values are:

• yes

• no

• not_reported

• not_applicable

Windows

name

string

Name: The name of the main antivirus.

Windows

real_time_protection

enumeration

Real-time protection: The status of the antivirus real time protection (RTP). Possible values are:

• not_reported: incompatible Collector version or the data is not yet available

• enabled: : indicates that the RTP is active

• disabled: indicates that either the RTP is inactive or the antivirus is not detected

• partially_enabled

• not_applicable

Windows

frequency

integer

CPU frequency: The CPU base frequency in MHz. The base frequency can be much smaller than the maximum turbo frequency. For example, the Intel Core i7-8565U CPU has a base frequency of 1.80 GHz and a maximum frequency of 4.6 GHz.

Windows macOS

name

string

CPU name: The CPU model.

Windows macOS

number_of_cores

integer

Number of cores: The number of CPU cores.

Windows macOS

number_of_logical_processors

integer

Number of logical processors: The number of CPU cores multiplied by the number of threads that can run on each core using hyperthreading.

Windows macOS

capacity

bytes

Capacity: The disk capacity. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

is_bootable

bool

Is bootable: Returns the value "yes" when the device boots from that disk.

Windows macOS

name

string

Name: The name of the physical or virtual disk drive.

Windows macOS

type

enumeration

Type: The type of drive. Possible values are:

• HDD

• SSD

• Other

Windows macOS

name

string

Name: The name of the main firewall.

Windows

real_time_protection

enumeration

Real-time protection: The status of the firewall real time protection (RTP). Possible values are:

• not_reported: incompatible Collector version or the data is not yet available

• enabled: indicates that RTP is active

• disabled: indicates that either RTP isn’t active or no antivirus has been detected

• partially_enabled

• not_applicable

Windows

memory

bytes

Memory: The video memory in bytes.

Windows

name

string

Name: The graphics card name.

Windows

name

string

Name: The users who are members of the local Administrators group on the device.

Windows

type

enumeration

Type: The type of the user. Possible values are:

• user

• group

Windows

diagonal_size

float

Diagonal size: The diagonal size in inches.

Windows

horizontal_resolution

integer

Horizontal resolution: The maximum horizontal resolution in pixels.

Windows

name

string

Name: The monitor name.

Windows

serial_number

string

Serial number: The monitor serial number.

Windows

vendor

string

Vendor: The monitor vendor.

Windows

vertical_resolution

integer

Vertical resolution: The maximum vertical resolution in pixels.

Windows

manufacturer

string

Manufacturer: The NPU vendor or manufacturer (for example, Qualcomm, AMD, Intel).

Windows

name

string

Name: The neural processing unit (NPU) name.

Windows

shared_memory

bytes

Shared memory: The maximum amount of system memory that can be used by the NPU.

Windows

capacity

bytes

Capacity: The volume capacity in bytes. Details: The metric is displayed in units based on the binary system. For example, 1024 MB corresponds to 1 GB. Windows follows the same convention, while macOS displays data volume based on the decimal system. This might result in a difference of approximately 7.4% when comparing values reported by Nexthink and macOS.

Windows macOS

name

string

Name: The name of the volume.

Windows macOS

system

bool

Operating system volume: Returns the value "yes" when the volume contains the operating system.

Windows macOS

usage

percentage

Usage: The volume usage in percent.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the mobile device was seen active by the Nexthink instance.

governance.compliance_state

string

Compliance state: The current compliance status of the device as reported by the MDM. Details: Shows whether the device meets the organization's compliance policies. Compliance is usually determined by policies on OS version, encryption, or password settings.

governance.enrollment_type

string

Enrollment type: Defines how the device was enrolled into MDM management. Details: The enrollment method used when the device was registered in MDM. Helps determine management depth and available policy controls.

governance.is_encrypted

bool

Encryption enabled: Indicates whether the device storage is encrypted. Details: True if device storage is encrypted according to MDM reports. Encryption ensures that device data is protected if the device is lost or stolen.

governance.is_supervised

bool

Supervised device: Indicates if the device is supervised by the MDM, allowing deeper management capabilities. Details: True if the device is supervised. Supervision allows advanced management features such as app restrictions or silent app installation. On iOS, supervision is typically applied during setup via Apple Configurator or DEP enrollment.

governance.last_synced

datetime

Last synced: The last time the MDM successfully synced data with the device. Details: Timestamp of the most recent successful sync between the device and the MDM. A stale timestamp may indicate a device that is inactive or unreachable.

governance.name

string

Managed device name: The device name as assigned in the Mobile Device Management (MDM) system. Details: Represents the device name configured by inside the MDM. Useful for identifying devices in enterprise inventory. May differ from the local device name.

governance.ownership_type

string

Ownership type: Specifies whether the device is company-owned or personally-owned.

hardware.battery_type

enumeration

Battery type: The battery type of the installed battery. Details: Specifies the installed battery’s type (e.g., Li-ion, Li-Poly).

hardware.imei

string

IMEI: The International Mobile Equipment Identity (IMEI) of the device. Details: A globally unique hardware identifier for cellular devices. Used to identify devices on mobile networks. Collected via MDM for inventory purposes.

hardware.main_display.diagonal

float

Diagonal size: The physical size of the display in inches.

hardware.main_display.horizontal

integer

Horizontal: The horizontal size of the main display in px.

hardware.main_display.vertical

integer

Vertical: The vertical size of the main display in px.

hardware.manufacturer

string

Manufacturer: The name of the mobile device manufacturer. Details: Always shown as “Apple” for iOS; based on the hardware information for Android devices.

hardware.memory

bytes

Available memory: The total amount of random-access memory (RAM) available to the system.

hardware.model

string

Device model: The model of the device.

hardware.remaining_battery_capacity

numeric

Remaining capacity of the battery: The remaining capacity of the installed battery. Details: The total charge the battery can hold when fully charged, reflecting some wear and aging compared to the original design capacity (in mAh).

hardware.serial_number

string

Serial number: The hardware serial number of the device. Details: Unique identifier assigned by the manufacturer. Used for asset tracking and warranty lookup.

last_seen

datetime

Last seen: The date and time of the last mobile device activity received by the Nexthink instance.

name

string

Name: The name of the mobile device as used by the operating system. Details:

nexthink_app.tag_string

string

Nexthink app string tag: The configurable label that identifies a group of mobile devices. The string tag is useful for defining the entities to build hierarchies. Details: An optional field, with a maximum length of 2048 characters.

nexthink_app.uid

string

UID: DEPRECATED/HIDDEN: The nexthink app unique identifier.

nexthink_app.version

version

Nexthink app version: Indicates the version of the nexthink app instance installed on the mobile device.

operating_system.api_version

integer

API version: Indicates the highest API level the device supports, reflecting its OS capabilities. Details: On Android, the latest API version is retrieved as a specific API level. On iOS, the operating system version itself (e.g., iOS 16.4) serves as the equivalent of the latest API level.

operating_system.architecture

enumeration

Architecture: The architecture of the mobile device operating system. The instruction set it can natively execute.

operating_system.build

string

Build: The build number of the operating system. Details: The build number is set to "0.0.0.0" if the Nexthink app version is incompatible or the data is not yet available.

operating_system.language

string

Operating system language: The defined language by the operating system.

operating_system.name

string

Name: The combination of the name, version and architecture (when applicable) of the operating system. Details: The operating system name is set to "Unknown" if the name or version cannot be retrieved or mapped to a valid value.

operating_system.patch_level

string

Patch level: The current patch level of the mobile device. Details: The patch level is set to 0 if the app is incompatible or the data is not yet available.

operating_system.platform

enumeration

Platform: The software platform composed of a collection of operating system families providing access to the same objects, activities, events and properties. Details: Possible values are:

• Android

• iOS

Windows macOS

operating_system.timezone

string

Operating system timezone: The defined timezone by the operating system.

primary_user_upn

string

Primary user UPN: Primary User Principal Name (UPN) provided by the MDM. Used as a soft linkage between the mobile device and its assigned user. Details: This value is retrieved from the MDM and represents the assigned user for the device.

uid

string

UID: The mobile device unique identifier.

architecture

enumeration

Architecture: The OS architecture for which the binary is compiled (32-bit or 64-bit).

Windows macOS

company

string

Company: The name of the company that produced the binary. Details: Information retrieved from the file properties.

Windows macOS

description

string

Description: A description explaining the purpose of the binary, or providing additional details. Details: Description is generated by AI.

Windows macOS

first_seen

datetime

First seen: The date and time the binary was first seen by the Nexthink instance.

Windows macOS

has_user_interface

bool

Has user interface: An indication whether the binary has an interactive window while running. Details: On Windows platform, the reported value is 'true' or 'false' if the binary has no interactive window, or if the information is not available. On other platforms, the value is always NULL.

Windows

last_seen

datetime

Last seen: The date and time of the last binary activity received by the Nexthink instance.

Windows macOS

md5_hash

bytea

MD5 hash: The MD5 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The MD5 hash represented in base64 format.

Windows macOS

md5_hash_hex

bytea

MD5 hash hex: The MD5 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The MD5 hash represented in hex format.

Windows macOS

name

string

Name: The filename of the binary.

Windows macOS

platform

enumeration

Platform: The OS family on which the binary natively runs. Details: Possible values:

• Windows

• macOS

• Linux

Windows macOS

product_category

string

Product category: A broad, general classification of similar products. Details: Category is generated by AI.

Windows macOS

product_name

string

Product name: The name of the application associated with the file. Details: Information retrieved from the file properties.

Windows macOS

product_subcategory

string

Product subcategory: A more specific classification or subdivision within a larger category. Details: Subcategory is generated by AI.

Windows macOS

sha-1_hash

bytea

SHA-1 hash: The SHA-1 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The SHA-1 hash represented in base64 format.

Windows macOS

sha-1_hash_hex

bytea

SHA-1 hash hex: The SHA-1 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The SHA-1 hash represented in hex format.

Windows macOS

sha-256_hash

bytea

SHA-256 hash: The SHA-256 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The SHA-256 hash represented in base64 format.

Windows macOS

sha-256_hash_hex

bytea

SHA-256 hash hex: The SHA-256 fingerprint calculated by the Collector instance. It can be used to uniquely identify a binary. Details: The SHA-256 hash represented in hex format.

Windows macOS

size

bytes

Size: The size of the binary file, shown in bytes.

Windows macOS

uid

uuid

Binary UID: The unique identifier for the binary.

Windows macOS

version

version

Version: The version of the binary file, retrieved from the file properties.

Windows macOS

ad.city

string

City: The name of the city the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.country_code

string

Country code: The country or region the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: The country or region is represented as a two-character code based on the ISO-3166 standard. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.department

string

Department: The name of the department the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.distinguished_name

string

Distinguished name: The unique identifier of a domain user for an on-premises Active Directory (AD). Requirements: Requires one or more connectors for Entra ID correctly configured, and Entra ID needs to be synchronized with an on-premises AD. Details: The distinguished name follows the LDAP syntax. Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.email_address

string

Email address: The email address of the user. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.full_name

string

Full name: The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.job_title

string

Job title: The job title assigned to the user in Active Directory. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.last_update

datetime

Last update: The date and time of the last update received for the user information from Entra ID.

Windows macOS

ad.office

string

Office: The name of the physical location or office the user is associated with. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.organizational_unit

string

Organizational unit name: The name of the directory folder containing the user account. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

ad.username

string

AD Username: The name of the user account as it appears in Entra ID. Requirements: Requires one or more connectors for Entra ID correctly configured. Details: Please be aware this field may contain information unrelated to its original purpose, depending on how the connector for Entra ID is configured.

Windows macOS

days_since_first_seen

integer

Days since first seen: The number of days since the first time the user account was seen by the Nexthink instance.

Windows macOS

days_since_last_seen

integer

Days since last seen: The number of days since the last time the user account was seen active by the Nexthink instance.

Windows macOS

first_seen

datetime

First seen: The date and time the user account was first seen by the Nexthink instance.

Windows macOS

last_seen

datetime

Last seen: The date and time of the last user account activity received by the Nexthink instance.

Windows macOS

name

string

Username: The name of the user account on the local device. Requirements: The collector is configured to report the username: Configuring Collector level anonymization Details: Depending on the configuration, the Collector reports username in cleartext, as a hashed value or not at all.

Windows macOS

sid

string

SID: The unique security identifier (SID) of the user account on Windows. Details: On Windows, each user account has a unique security identifier (SID) used to provide access to system resources. On macOS, a unique SID is generated by Nexthink to facilitate user identification.

Windows macOS

type

enumeration

Type: The type of the user account. Details: Nexthink recognizes three types of user accounts:

• A local user account is an account that only exists on a single device. It cannot be used to login to systems other than that specific device.

• A domain user account is a user account managed by Microsoft Active Directory, enabling users to log in across various devices and access multiple services.

• A system account is a form of a local account that has special privileges on a device.

Windows macOS

uid

uuid

User UID: The value that uniquely identifies a user on the Nexthink platform.

Windows macOS

upn

string

UPN: The User Principal Name (UPN), a unique identifier for a user account. Requirements: The Collector reports the UPN for Active Directory and Microsoft Entra ID user accounts on Windows, and for mobile and Jamf Connect-linked local user accounts on macOS. Nexthink does not report UPNs for system accounts or local accounts (without Jamf Connect for macOS). The collector must be configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Names (UPN) is a standardized identifier for users (RFC822). Normally, it takes the form of an email address. The UPN allows to uniquely identify a user across systems, for example, devices with different OS platforms. Nexthink uses the UPN to enrich user objects with data from third-party services. If the Collector cannot retrieve the UPN for a user, the UPN is NULL (displayed as “-”) and the upn_privacy_level is set to no_import (independent from the Collector configuration).

Windows macOS

upn_privacy_level

enumeration

UPN privacy level: Indicates how securely the User Principal Name (UPN) is stored by the Nexthink instance. Requirements: The collector is configured to report the UPN: Configuring Collector level anonymization Details: The User Principal Name (UPN) privacy level is a Collector configuration parameter on the user device. Depending on the configuration, the Collector reports UPN in cleartext, as a hashed value or not at all. The options are represented by the following values:

• cleartext

• hashed

• no_import

Windows macOS

category

string

Category: The category of the issue to which the conversation relates. Details: Automatically categorized by AI based on the contents of the conversation. If the conversation includes several topics, the category is set to the main topic.

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

context.organization.entity

string

Organization -> Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

conversation_duration

duration

Conversation duration: The elapsed time between the first and last messages in the conversation.

conversation_id

uuid

Conversation ID: The unique identifier of the conversation. Details: The identifier is automatically generated by the system when the conversation starts.

first_message_time

datetime

First message time: The time at which the user initiated the conversation.

intent

string

Intent: A short summary of the issue that the user faced. Details: Automatically generated by AI based on the user's problem or request.

interactions

integer

Interactions: The number of interactions in the conversation between the user and the agent. Details: It counts the number of times the conversation alternates between the user and the agent. It does not count intermediate messages.

number_of_conversations

integer

Number of conversations: Used for calculating aggregated metrics (like count, etc) in NQL. The value for every event is always 1

number_of_turns

integer

Number of turns: The number of turns in the conversation between the user and the agent. Details: It counts the number of time the conversation alternates between the user and the agent. It does not count intermediate messages.

outcome

enumeration

Outcome: The outcome of the conversation. Only set for completed conversations. Details: Possible values:

• unspecified

• resolved

• escalated

• abandoned

• non_support

state

enumeration

State: The current state of the conversation. Details: Possible values:

• in progress

• completed

time

datetime

Time: The date and time at which the last message in the conversation was sent or received.

type

enumeration

Type: The classification of the conversation. Details: Possible values:

• incident

• request

• question

• security_concern

• non_support

name

string

Name: The name of an AI tool.

nql_id

string

NQL ID: The unique identifier of an AI tool configuration. Details: NQL ID cannot be changed after initial creation.

status

enumeration

Status: The status of the AI tool as set in the "Manage AI tools". Details: Possible values are:

• active

• deleted

bucket_duration

duration

Bucket duration: The duration of the bucket.

end_time

datetime

Bucket end: The date and time of the bucket end.

engagement_time

duration

Engagement time: The user's engagement time with AI.

host_application

string

Host application: The application through which AI interaction occurred.

license_type

enumeration

License type: Represents if the AI tool is licensed or not. Possible values are:

• licensed

• not_licensed

number_of_interactions

integer

Number of interactions: The number of interactions with AI.

start_time

datetime

Bucket start: The date and time of the bucket start.

usage_type

enumeration

Usage type: The AI tool usage type. Values are:

• web

• desktop

• api

comparison_operator

enumeration

Comparison operator: Determines when a monitor should trigger an alert. Details: One of the key elements used to define the conditions within a monitor in order to trigger an alert. It is specifically utilized when setting up the breaching criteria for the primary metric. A comparison operator allows for the comparison of values to determine if the specified condition is met. Possible values are:

• at_least

• less_or_equal

multiple_contexts

bool

Multiple-context: Indicates if the monitor triggers alerts with different contexts. Details: The value is set to "Yes" when NQL has a "group by" clause.

name

string

Monitor name: The assigned name of a configured monitor. Details: A monitor is a defined set of metrics and conditions used to continuously observe a system or process and trigger an alert when certain criteria are met. The name of the custom monitor can be changed after creation. Do not consider it as a unique identifier.

nql_id

string

NQL ID: The unique NQL identifier of the monitor. Details: NQL ID cannot be changed after initial creation.

origin

enumeration

Monitor origin: Indicates where the monitor originates from. Monitors can be built-in to the Nexthink platform (system), installed using a library pack (library) or created manually (custom)

priority

enumeration

Priority: The importance of alerts that are triggered by the monitor. Details: Possible values are:

• critical

• high

• medium

• low

defined by the user in the monitor configuration.

status

enumeration

Status: The status of the monitor as set in the "Manage monitors". Details: Possible values are:

• active

• deleted

tags

jsonArrayString

Alert tags: List of user-defined labels that are assigned to a monitor and subsequently utilized for filtering alerts that are generated by the monitor. Details: Tags are created and specified within the monitor configuration. By assigning tags to monitors, users can categorize and organize monitors based on specific criteria, making it easier to filter and manage alerts based on these tags. Up to 10 custom tags are allowed per monitor.

threshold

float

Threshold: It defines the value of the primary metric that must be exceeded for the monitor to trigger an alert. Details: The threshold value serves as a reference point against which the metric actual value is compared to determine if it breaches the defined condition and triggers an alert.

thresholds

jsonArrayString

Thresholds: It contains the values of all metrics that need to be breached to trigger an alert.

type

enumeration

Monitor type: The chosen method used for monitoring. It identifies the specific approach employed to observe and evaluate the system or process being monitored. Details: Possible values are:

• metric_threshold

• metric_change

context

jsonArrayString

Context: Relevant information required for understanding the alert. Details: Depending on the alert, the context information may contain the name of the binary, device or user associated with the alert. It is the JSON-formatted payload of the alert.

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

context.organization.entity

string

Organization -> Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

context_hash

string

Context hash: The unique fingerprint of the alert context. Details: The fingerprint is created by calculating an MD5 hash context.

duration

duration

Alert duration: The duration of the alert's activity. Details: Calculated as the time between the trigger and the recovery if the alert is closed, or between the trigger and the current time if the alert is open.

is_auto_recovery

bool

Auto-recovery: Indicates whether the alert was auto-recovered. Details: Auto-recovery takes place when there are no events recorded for the metric(s) specified in the monitor configuration within the selected timeframe. Yes, if the alert is auto-recovered

is_grouped

bool

Group alert: Represents a situation where too many alerts have been simultaneously generated by a single monitor. The monitor will not generate any more alerts until the situation has been resolved.

number_of_alerts

long

Number of alerts: The number of triggered alerts.

recovery_reference_value

float

Recovery reference value: The reference value of the main (first) monitored metric that is checked to recover an alert.

recovery_time

datetime

Recovery time: Date and time at which the alert was recovered.

recovery_value

float

Recovery value: The value of the metric that caused the alert to be recovered. Equal to the first metric value if more than one trigger condition is defined.

recovery_values

jsonArrayString

Recovery values: The lists of values of all the monitored metrics reported when the alert has recovered.

status

enumeration

Status: Status of the alert event. Can be open or closed. Details:

• Open: the alert is currently active.

• Closed: the alert has been recovered.

time

datetime

Alert time: Start time of the 15-minute bucket in which the alert occurred.

trigger_reference_value

float

Trigger reference value: The reference value of the metric against which the current value was compared to trigger the alert.

trigger_time

datetime

Trigger time: Date and time when the alert was raised.

trigger_value

float

Trigger value: The value of the metric that bypassed the threshold defined in the monitor configuration and caused the alert to be raised. Details: This is equal to the first metric value if more than one trigger condition is defined.

trigger_values

jsonArrayString

Trigger values: The values of the metrics that bypassed their monitor configuration-defined thresholds and caused the alert to be raised.

uid

uuid

Alert event UUID: The unique identifier of the alert event.

alert_uid

uuid

Associated alert event UUID: The unique identifier of the associated alert event.

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

context.organization.entity

string

Organization -> Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

duration

duration

Impact duration: The duration of the impact. Details: It is calculated as the time between the "from_time" and the "to_time" if there is more than one trigger, or between the "from_time" and now if there is only one trigger.

from_time

datetime

Impact from: Impact from

to_time

datetime

Impact to: Impact to

category

enumeration

Category: The category of the application: Collaboration, Connectivity, and Standard. Requirements: Define the application category from the application configurations. Details: Connectivity applications (for example, VPN, ZTNA, and XDR) are highlighted in the device view to correlate their activity with any employee connectivity issues. Collaboration applications (for example, Teams or Zoom) are displayed in the device view timeline under the Collaboration section. Any other application falls under the Standard category. Applications are assigned the Standard category by default; select the Connectivity or Collaboration category when applicable. Refer to the Configuring applications documentation

name

string

Name: The name of the web, desktop, or hybrid application. Requirements: Define the application name from the application configurations. Details: Refer to the Configuring applications documentation

name

string

Guide name: Name of the guide should be unique on an application level, but not at the tenant level.

nql_id

uuid

Guide unique identifier: Unique identifier of the guide

type

enumeration

Guide type: Type of the guide: Walkthrough (step-by-step guidance), Tooltip, or Media (PDFs, links, etc).

completion_element_version

integer

Completion element version: Version of the completion element definition. If no completion element is defined, the value is null

guide_nql_id

uuid

Guide UID: Guide identifier containing this step.

name

string

Step name: Name of the step is generated from the first sentence within its content

nql_id

string

Step unique identifier: Unique identifier of the step

position_element_version

integer

Position element version: Version of the position element definition. If no position element is defined, the value is null

rank

integer

Step rank: Position or sequence of the step in the guide

trigger_element_version

integer

Trigger element version: Version of the trigger element definition. If no trigger element is defined, the value is null

type

enumeration

Type of step: The type of step depends on the guide type. For Walkthroughs: Action or Decision. For Media: Video, PDF, or Link. For Tooltips: Tooltip steps.

category

enumeration

Category: The category of the network application: Collaboration, Connectivity, and Standard. Requirements: Define the network-application category from the application configurations. Details: Connectivity applications (for example, VPN, ZTNA, and XDR) are highlighted in the device view to correlate their activity with any employee connectivity issues. Collaboration applications (for example, Teams or Zoom) are displayed in the device view timeline under the Collaboration section. Any other application falls under the Standard category. Applications are assigned the Standard category by default; select the Connectivity or Collaboration category when applicable. Refer to the Configuring applications documentation

name

string

Name: The name of the network application. Requirements: Define the network-application name from the application configurations. Details: Refer to the Configuring applications documentation

name

string

Name: The name of the key page defined for a web application. Key pages divide a web application into functionally relevant parts based on URL patterns. Requirements: Define the key pages from the application configurations, under the Key pages tab. Details: Refer to the Configuring key pages documentation

name

string

Name: The name of the transaction defined for a web application. A transaction is an employee action or event in a web application that creates business value for the company. Requirements: Define the transactions from the application configurations, under the Transactions tab. Details: Refer to the Configuring transactions documentation

name

string

Name: The name of the campaign. Details: User defined through the Campaigns user interface or Finder For Infinity campaigns, only configured campaigns in the state published and retired are available in the data model. The name of the campaign can be changed after its creation and should not be considered as a unique identifier.

nql_id

string

NQL ID: The unique identifier of the campaign. Details: The NQL ID cannot be changed after its initial creation.

priority

enumeration

Priority: The configured priority of the campaign. Details: The campaign priority influences which employee protection rules are applied: urgent campaign bypass the do-not-disturb rules unlike normal campaigns. Possible values:

• urgent

• normal

status

enumeration

Status: The current status of the campaign. Details: Possible values:

• draft - a campaign in creation that has not been finalized

• published - an active campaign that can currently collect responses from employees

• retired - a campaign that was active but has now been retire and cannot collect new responses

• Only published campaign can be triggered, and only published and retired campaigns can have responses. Refer to the campaign.responses table for details.

trigger_method

enumeration

Trigger: The possible methods of triggering the campaign. Details: Possible values:

• manual - triggered from an investigation's results for one or more employees

• investigation (Classic campaigns only) - triggered automatically based on an investigation that is evaluated regularly

• schedule - triggered only once based on an investigation evaluated at the time the campaign is published

• schedule_again_after - triggered automatically based on an investigation that is evaluated regularly

• remediation - triggered within a remote action script

• api - triggered via a call to the Campaign API

• workflow - triggered from a Nexthink Workflow

• Campaigns with trigger type remediation do not have their responses available.

analysis_data

string

Analysis data: The answers classification by topic and sentiment analysis. Details: The analysis is structured as a JSON object that includes the free-text comment analysis.

analysis_timestamp

datetime

Analysis data: The date and time when the analysis data was generated. Details: Show the time when the analysis data was generated.

answers

string

Answers: The campaign answers (details and values) given by the employee. Details: The answers are structured as a JSON object that includes, for each answered question: Inspecting answers of a given campaign is best performed using the dynamic data model: for each campaign, you can use fields of campaign.nql_id.responses.answers.nql_id to inspect the answer type, the answer labels and the free-text comment.

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

displayed_language

enumeration

Displayed language: The language in which the content of a multilingual campaign was shown to the employee. Details: Applicable only to multilingual campaigns. Possible values:

• not_applicable, for campaigns without multiple languages activated or not answered yet

• language name (english, french, etc.), once the campaign has been answered

expiry_date

datetime

Expiry Date: The expiry date and time of an employee campaign request.

first_displayed

datetime

First displayed time [Local]: The date and time when the employee saw the campaign for the first time, adjusted to your local time.

first_planned

datetime

First planned time [Local]: The date and time when the campaign is first set to the planned state, adjusted to your local time.

first_targeted

datetime

First targeted time [Local]: The date and time when the campaign is first set to the targeted state, adjusted to your local time.

historical_state

jsonArrayString

Historical states: The historical state updates for an employee campaign response. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

historical_state_details

jsonArrayString

Historical state details: The historical state details updates for an employee campaign response, as a chronologically sorted array. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

historical_time

jsonArrayString

Historical times: The historical update times for an employee campaign response, as a chronologically sorted array. Details: The times are sorted chronologically. Used in conjunction, historical states, historical state details and historical times allow to understand the lifecycle of a campaign response.

number_of_answered_questions

integer

Number of answered questions: The number of questions answered by the employee.

parameters

string

Parameters: The value of all campaign parameters as defined when triggering this campaign response.

request_id

string

Request ID: The unique identifier generated at the time the user was targeted for this campaign. Details: The request ID is the unique identifier for a campaign response. The same user may have different requests with different request ID if the user was targeted several times for the same campaign. When triggering an API campaign, the request ID is returned in the API response and can be stored for later inspection of the campaign answers.

state

enumeration

State: The current state of the campaign response by a user (expected or actual). Details: Possible values:

• planned - the campaign sent to a user who was online and pending display

• targeted - the campaign pending answer, refer to state details for more information

• answered - the campaign partially or fully answered by the user

• declined - the campaign declined by the user

• canceled - the response not expected anymore, refer to state details for more information

• retired - the campaign retired without responses

• unknown_state - the response state not reported by Nexthink

For more information, refer to response state documentation

state_details

enumeration

State Details: Indicates additional details about the current state of the campaign response by a user (expected or actual). Details: The state_details value depends on the state value Nexthink registers for a particular response. For state targeted, possible state details are:

• notified - the user saw the campaign popup

• opened - the user saw the first question fully

• offline - the user was offline when the campaign was triggered

• delayed - the campaign was delayed due to user protection (classic)

• postponed - the user clicked on 'remind me later' For state answered, possible state details are:

• partially - the user answered only some of the required questions

• fully - the user answered all required questions For state canceled, possible state details are:

• user_not_found - the campaign sent to a deleted user

• expired - the response not received before its expiration time

• already_pending - another response for the same user expected For states planned, declined, retired and unkown_state, the state detail is:

• not_applicable - no additional details

For more information, refer to response state documentation

time

datetime

Time [Local]: The date and time when the response was last updated, adjusted to your local time.

trigger_method

enumeration

Trigger method: The trigger method that was used to target the user for the campaign. Details: Possible values:

• manual

• schedule

• api

application.type

enumeration

Application type: The type of the application used for a given call. The possible values are:

• Teams

• Zoom

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

application.version

version

Application version: The version of the application used during the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

audio.inbound_jitter

duration

Audio inbound jitter: Indicates the average change in delay between successive inbound audio packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 30ms, the related session is considered as having a poor audio quality.

audio.inbound_latency

duration

Audio inbound latency: Indicates the time an inbound audio packet takes to reach a participant's device. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor audio quality.

audio.inbound_packet_loss

float

Audio inbound packet loss: Indicates the ratio of inbound audio packets that never reach their destination compared to the total of audio packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor audio quality.

audio.inbound_rocs

float

Audio inbound ROCS: Indicates the ratio comparing the number of audio frames generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Teams sessions. When it is higher than 0.07, the related Teams session is considered as having a poor audio quality.

audio.inbound_rtt

duration

Audio inbound RTT: Indicates the time an audio packet takes to reach a participant's device and the response to reach its origin. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.

audio.outbound_jitter

duration

Audio outbound jitter: Indicates the average change in delay between successive outbound audio packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is higher than 30ms, the related session is considered as having a poor audio quality.

audio.outbound_latency

duration

Audio outbound latency: Indicates the time an outbound audio packet takes to reach its destination from a participant’s device. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor audio quality.

audio.outbound_packet_loss

float

Audio outbound packet loss: Indicates the ratio of outbound audio packets that never reach their destination compared to the total number of outbound audio packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is higher than 10%, the related session is considered as having a poor audio quality.

audio.outbound_rocs

float

Audio outbound ROCS: Indicates the average ratio comparing the number of outbound audio frames with concealed samples generated by packet loss healing mechanisms to the total number of audio frames. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Teams sessions. When it is higher than 0.07, the related Teams session is considered as having a poor audio quality.

audio.outbound_rtt

duration

Audio outbound RTT: Indicates the time an outbound audio packet takes to reach its destination from a participant's device and for the response to come back. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor audio quality.

audio.quality

enumeration

Audio call quality: Provides an assessment of the audio call quality. Possible values are:

• Good

• Poor

• Unknown

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the audio quality is poor, end-users might experience some distorted, breaking up or robotic sound. Assessment of the quality is based on multiple metrics, like jitter, packet loss... See more details on the related documentation.

call.end_time

datetime

Call end time: The timestamp indicating when the last user left the call. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

call.id

string

Call ID: The unique identifier (UID) for the call record.

call.quality

enumeration

Call quality: Indicates the overall call quality computed as a combination of the following metrics:

• Audio quality

• Video quality

• Screen share quality (Teams only)

• Failed to connect to the call (Teams only) Possible values

• Poor: If any of the metric is poor.

• Good: If more than two metrics is good.

• Unknown: If majority of the metrics is unknown.

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

call.start_time

datetime

Call start time: The timestamp indicating when the first user joined the call.

call.type

enumeration

Call type: Indicates if the call type was a group call or a peer-to-peer call. This value is available only for Microsoft teams calls. Possible values are:

• Group call

• Peer-to-peer

• Unknown

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Group call indicates that the call was either scheduled or a call that involves more than two participants. Peer-to-peer indicates it was a direct call between two participants.

connection_type

enumeration

Connection type: The internet connection type for a participant in a given call. Possible values are:

• Ethernet

• WiFi

• cellular

• PPP

• tunnel

• point_to_point

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

context.organization.entity

string

Organization -> Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

duration

duration

Session duration: Time between the start time and end time of the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

end_time

datetime

Session end time: Time when the user left the call. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

has_screen_share

bool

Has screen share: Indicates if screen sharing was used during the call. Requirements: This requires

• The Collaboration Experience license..

• Configured inbound connectors.

• macOS requires Jamf as an identity provider..

See more details in the related documentation.

has_video

bool

Session contains video: Indicates if video was used during the call. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

id

string

Session ID: Unique identifier of the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Peer-to-peer calls typically only have one session, whereas group calls typically have at least one session per participant.

participant_device.camera

string

Camera: The camera used during the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.camera_driver

string

Camera driver: Indicates the name and version of the camera driver detected during the session. This information is available only for Teams calls on Windows devices. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

See more details in the related documentation.

participant_device.mac_address

string

MAC address: The MAC address of the participants' devices used during the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.microphone

string

Microphone: The microphone used during the session. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.microphone_driver

string

Microphone driver: Indicates the name and version of the audio driver detected during the session. This information is available only for Teams calls on Windows devices. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

See more details in the related documentation.

participant_device.speaker

string

Speaker: The speaker used during the session. Requirements: This requires

• The Collaboration Experience license..

• Configured inbound connectors.

• macOS requires Jamf as an identity provider..

See more details in the related documentation.

participant_device.speaker_driver

string

Speaker driver: Indicates the name and version of the audio driver detected during the session. This information is available only for Teams calls on Windows devices. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

See more details in the related documentation.

participant_device.type

enumeration

Device type: Indicates the device type of the participants used during the session. Possible values are:

• Windows

• macOS

• iOS

• Android

• web

• IP_phone

• room_system

• Surface_Hub

• HoloLens

• PSTN

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_device.vendor_wifi_driver

string

WiFi vendor driver: Indicates the name of the WiFi driver detected during the session. This information is available only for Teams calls on Windows devices. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

See more details in the related documentation.

participant_device.vendor_wifi_driver_version

string

WiFi vendor driver version: Indicates the version of the WiFi driver detected during the session. This information is available only for Teams calls on Windows devices. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

See more details in the related documentation.

participant_failed_to_connect

string

Participant failed to connect: Indicates whether the participant failed to connect to the call. This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

participant_got_disconnected

string

Participant got disconnected: Indicates if participant got disconnected during the call. This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

screen_share.inbound_frame_loss_percentage

percentage

Screen share inbound frames loss percentage: Displays a percentage of inbound frames loss. This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Inbound frame loss percentage refers to the proportion of lost frames during screen sharing. When someone shares their screen, frames (individual images) are transmitted over the network. If any frames are lost or delayed, it affects the viewing experience. The issue may be related to network problems, and troubleshooting involves analysing the network path and seeking community insights. If inbound frame loss percentage > 50%, you will see an issue in screen sharing quality.

screen_share.inbound_frame_rate

integer

Screen share inbound frame rate: Indicates the frames per second received by viewers during screen sharing. This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Inbound frame rate refers to the frames per second (fps) received by viewers during screen sharing. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.

screen_share.outbound_frame_rate

integer

Screen share outbound frame rate: Displays the frames per second transmitted by the person's device who is sharing screen. This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: Outbound frame rate pertains to the fps at which shared content is transmitted from a person's device who is sharing screen. If inbound frame rate as well as outbound frame rate is less than 1 FPS, the screen sharing quality is marked as poor.

screen_share.quality

enumeration

Screen share quality: Provides an assessment of the screen share quality. The assessment is based on inbound frame loss percentage, inbound and outbound frame rate metrics. Possible values are:

• Good

• Poor

• Unknown

This information is available only for Teams calls. Requirements: This requires

• The Collaboration Experience license.

• Inbound connectors for Microsoft Teams configured.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the screen share quality is poor, end-users might experience lags in the screen share display. The screen share quality is considered:

• Good when inbound frame loss percentage <= 50% OR (inbound frame loss percentage is null AND inbound frame rate >= 1 AND outbound frame rate >= 1).

• Poor when inbound frame loss percentage > 50% OR (inbound frame loss percentage is null AND inbound frame rate < 1 AND outbound frame rate < 1).

• Unknown when inbound frame loss percentage is null AND inbound frame rate is null AND outbound frame rate is null.

See more details on the related documentation.

start_time

datetime

Session start time: Time when the user joined the call. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation.

video.inbound_frame_rate

integer

Video inbound frame rate: Indicates the frequency at which inbound frames appear on a display. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is lower than 7 FPS, the related session is considered as having a poor video quality.

video.inbound_jitter

duration

Video inbound jitter: Indicates the average change in delay between successive inbound video packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is higher than 30ms, the related session is considered as having a poor video quality.

video.inbound_latency

duration

Video inbound latency: Indicates the time it takes an inbound video packet to reach a participant's device. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor video quality.

video.inbound_packet_loss

float

Video inbound packet loss: Indicates the ratio of inbound video packets that never reach their destination compared to the total number of inbound video packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is higher than 10%, the related session is considered as having a poor video quality.

video.inbound_rtt

duration

Video inbound RTT: Indicates the time an inbound video packet takes to reach a participant's device and for the response to reach its origin. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.

video.outbound_frame_rate

integer

Video outbound frame rate: Indicates the frequency at which outbound frames appear on a display. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is lower than 7 FPS, the related session is considered as having a poor video quality.

video.outbound_jitter

duration

Video outbound jitter: Indicates the average change in delay between successive outbound video packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged throughout the whole session. When it is higher than 30ms, the related session is considered as having a poor video quality.

video.outbound_latency

duration

Video outbound latency: Indicates the time it takes an outbound video packet to reach its destination from a participant’s device. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Zoom sessions. When it is higher than 500ms, the related Zoom session is considered as having a poor video quality.

video.outbound_packet_loss

float

Video outbound packet loss: Indicates the ratio of outbound video packets that never reach their destination compared to the total number of outbound video packets. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. When it is higher than 10%, the related session is considered as having a poor video quality.

video.outbound_rtt

duration

Video outbound RTT: Indicates the time an outbound video packet takes to reach its destination from a participant’s device and for the response to come back. Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: The metric is aggregated and averaged on the whole session. It's only available for Teams sessions. When it is higher than 500ms, the related Teams session is considered as having a poor video quality.

video.quality

enumeration

Video call quality: Provides an assessment of the video call quality. Possible values are:

• Good

• Poor

• Unknown

Requirements: This requires

• The Collaboration Experience license.

• Configured inbound connectors.

• macOS requires Jamf as an identity provider.

See more details in the related documentation. Details: When the video quality is poor, end-users might experience video display delays. Assessment of the video quality is based on multiple metrics, like jitter, frame rate... See more details on the related documentation.

bucket_duration

duration

Bucket duration: The duration of the time bucket. Requirements: Exclusive to Nexthink Infinity

context.location.country

string

Country location: Country where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.site

string

Location -> Site: Site where the device is located at the time of the event, determined by rule-based location.

context.location.state

string

State location: State where the device is located at the time of the event, determined by rule-based location or geolocation.

context.location.type

string

Location type: Type of device location (onsite or remote) at the time of the event, determined by rule-based location.

context.organization.entity

string

Organization -> Entity: Organizational entity of the device at the time of the event, determined by rule-based organization.

destination.country

string

Country: Country of the destination based on GeoIP information. Requirements: Exclusive to Nexthink Infinity Details: The country is NULL if the destination.type equals 'intranet' or the destination type is NULL.

destination.datacenter_region

string

Data center region: Region of the data center as provided by the data center owner Requirements: Exclusive to Nexthink Infinity Details: Nexthink assigns the following regions:

• the regions as provided by the data center owner, if destination.type equals 'datacenter'

• NULL, if the destination.type equals 'intranet' or 'internet' or the destination type is NULL.

destination.domain

string

Domain name: The DNS domain name of the destination as reported by Collector. Requirements: Exclusive to Nexthink Infinity. Domain name reporting is optional and must be activated for the Collectors, see Configuring Collector level anonymization . Details: The destination domain name is 'multiple domain names', if a binary establishes multiple connections to the same destination with different domain names. The destination domain name is NULL, if the Collector did not report a domain name or if a binary establishes 512 or more connections within one time bucket.

destination.ip_address

ipAddress

IP address: IPv4 or IPv6 IP address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The IP address is only available for buckets of 15 minutes duration. The system sets the IP address to NULL, when aggregating the data into buckets of one day duration. The destination IP address is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.ip_subnet

ipAddress

Subnet address: Network address of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The system sets the last 8 bit of the IP address to zero. You can query the subnet IP address with the CIDR (Classless Inter-Domain Routing) subnet notation, for example '198.51.100.0/24' for IPv4 or ' 2600:1401:4000::1724:2625/120' for IPv6. The destination subnet address is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.owner

string

Owner: Owner of the destination Requirements: Exclusive to Nexthink Infinity Details:

• Owner of the autonomous system for destinations of type 'internet'

• Operator of the data center for destinations of type 'datacenter'

• 'Intranet' for destinations of type 'intranet'

• The destination owner is NULL, if the destination type is NULL.

destination.port

numeric

Port: The network port number of the connection's destination. Requirements: Exclusive to Nexthink Infinity Details: The destination port is NULL, if a binary establishes 512 or more connections within one time bucket.

destination.type

enumeration

Type: Classifies the destination and allows to group destinations. Requirements: Exclusive to Nexthink Infinity Details: Nexthink determines the destination type based on the IP address. There are three supported destination types: datacenter, internet, and intranet. The destination type is NULL, if a binary establishes 512 or more connections within one time bucket.

end_time

datetime

Bucket end: Time bucket's end time and date. Requirements: Exclusive to Nexthink Infinity

establishment_time

duration