Skip to content

Common Query Templates

Note

Ready-to-use NQL query templates - copy, replace placeholders, and run. Organized by common IT scenarios.

How to Use These Templates

  1. Find the template that matches your use case
  2. Copy the entire query
  3. Replace placeholders (shown in <brackets> or UPPERCASE)
  4. Adjust time windows and limits as needed
  5. Run the query!

Placeholders you'll see:

  • <PROCESS_NAME> - Replace with actual process (e.g., "outlook.exe")
  • <APPLICATION_NAME> - Replace with app name (e.g., "Microsoft Outlook")
  • <DEVICE_NAME> - Replace with device hostname
  • <DOMAIN> - Replace with destination domain (e.g., "*.service.com")
  • <THRESHOLD> - Replace with numeric threshold (e.g., 50, 80)

Adding Comments to Your Queries

NQL now supports comments using /* */ syntax! Add them to document your queries: 

/* Query purpose and author */
devices during past 7d
/* Filter step */
| where operating_system.platform == windows
Important: Comments work between clauses, not within them!

Device Inventory & Configuration

Template 1: Basic Device List with Specifications

Use when: Creating device inventory report

/* Device inventory with hardware specs */
devices
| list device.name,
       operating_system.name,
       operating_system.platform,
       hardware.memory.as(format = bytes),
       volumes.size.as(format = bytes),
       last_seen
| sort device.name asc
| limit 100

Customization:

  • Add department: device.department
  • Add location: device.location
  • Filter by OS: | where operating_system.platform == windows

Template 2: Devices by Operating System

Use when: OS version inventory or upgrade planning

/* OS inventory - Replace <PLATFORM> with: windows, macos, or linux */
devices
| where operating_system.platform == <PLATFORM>
| list device.name,
       operating_system.name,
       operating_system.version,
       last_seen
| sort operating_system.version asc
| limit 100

Example: 

/* Windows device inventory */
devices
| where operating_system.platform == windows
| list device.name,
       operating_system.name,
       operating_system.version,
       last_seen
| sort operating_system.version asc
| limit 100

Template 3: Devices Not Seen Recently

Use when: Finding offline or disconnected devices

/* Find devices not seen in 7 days */
devices
| where last_seen < ago(7d)
| list device.name,
       operating_system.name,
       last_seen,
       department
| sort last_seen asc
| limit 100

Customization:

  • Change threshold: ago(3d), ago(30d)
  • Filter by department: Add and department == "IT"

Performance Monitoring

Template 4: Top N Devices by CPU Usage

Use when: Finding devices with high CPU load

/* Top 20 devices by CPU usage - Replace <THRESHOLD> with % (e.g., 50) */
devices during past 7d
| include device_performance.events
| compute avg_cpu = cpu_usage.avg()
| where avg_cpu > <THRESHOLD>
| list device.name,
       operating_system.name,
       avg_cpu.as(format = percent)
| sort avg_cpu desc
| limit 20

Example: 

/* Find devices with >50% CPU usage */
devices during past 7d
| include device_performance.events
| compute avg_cpu = cpu_usage.avg()
| where avg_cpu > 50
| list device.name,
       operating_system.name,
       avg_cpu.as(format = percent)
| sort avg_cpu desc
| limit 20

Template 5: Low Disk Space Alert

Use when: Identifying devices needing disk space attention

devices during past 7d
| include device_performance.events
| compute free_space_gb = free_disk_space.last() / 1000
| where free_space_gb < <THRESHOLD_GB>  # e.g., 20 for 20GB
| list device.name,
       operating_system.name,
       free_space_gb.as(format = bytes),
       volumes.size.as(format = bytes)
| sort free_space_gb asc
| limit 50

Example: 

devices during past 7d
| include device_performance.events
| compute free_space_gb = free_disk_space.last() / 1000
| where free_space_gb < 20
| list device.name,
       operating_system.name,
       free_space_gb.as(format = bytes),
       volumes.size.as(format = bytes)
| sort free_space_gb asc
| limit 50

Template 6: Memory Usage by Device

Use when: Analyzing memory consumption

devices during past 7d
| include device_performance.events
| compute
    avg_free_memory = free_memory.avg(),
    total_memory = hardware.memory.max(),
    memory_used_pct = 100 - ((free_memory.avg() * 100) / hardware.memory.max())
| where memory_used_pct > <THRESHOLD>  # e.g., 80 for 80%
| list device.name,
       memory_used_pct.as(format = percent),
       avg_free_memory.as(format = bytes),
       total_memory.as(format = bytes)
| sort memory_used_pct desc
| limit 20

Application Monitoring

Template 7: Process CPU and Memory Usage

Use when: Analyzing specific application performance

execution.events during past 7d
| where binary.name == "<PROCESS_NAME>"  # e.g., "outlook.exe"
| summarize
    avg_cpu = cpu_time.avg(),
    avg_memory = real_memory.avg(),
    device_count = device.name.count()
  by device.name
| list device.name,
       avg_cpu,
       avg_memory.as(format = bytes),
       device_count
| sort avg_cpu desc
| limit 20

Example: 

execution.events during past 7d
| where binary.name == "outlook.exe"
| summarize
    avg_cpu = cpu_time.avg(),
    avg_memory = real_memory.avg(),
    device_count = device.name.count()
  by device.name
| list device.name,
       avg_cpu,
       avg_memory.as(format = bytes),
       device_count
| sort avg_cpu desc
| limit 20

Template 8: Application Crash Analysis

Use when: Investigating application stability issues

/* Crash analysis by version - Replace <PROCESS_NAME> (e.g., "outlook.exe") */
execution.crashes during past 7d
| where binary.binary.name == "<PROCESS_NAME>"
| summarize
    crash_count = count(),
    affected_devices = device.name.count(),
    affected_users = user.name.count()
  by binary.real_binary.version
| list binary.real_binary.version,
       crash_count,
       affected_devices,
       affected_users
| sort crash_count desc
| limit 20

Example: 

/* Outlook crash analysis by version */
execution.crashes during past 7d
| where binary.binary.name == "outlook.exe"
| summarize
    crash_count = count(),
    affected_devices = device.name.count(),
    affected_users = user.name.count()
  by binary.real_binary.version
| list binary.real_binary.version,
       crash_count,
       affected_devices,
       affected_users
| sort crash_count desc
| limit 20

Template 9: Top Crashing Applications

Use when: Dashboard widget showing most unstable apps

execution.crashes during past 7d
| summarize
    crash_count = count(),
    affected_devices = device.name.count()
  by application.name
| where crash_count > <MIN_CRASHES>  # e.g., 10
| list application.name,
       crash_count,
       affected_devices
| sort crash_count desc
| limit 20

Example: 

execution.crashes during past 7d
| summarize
    crash_count = count(),
    affected_devices = device.name.count()
  by application.name
| where crash_count > 10
| list application.name,
       crash_count,
       affected_devices
| sort crash_count desc
| limit 20

Network & Connectivity

Template 10: Connection Failures by Destination

Use when: Troubleshooting network connectivity issues

connection.events during past 7d
| where event.destination.domain = "<DOMAIN>"  # e.g., "*.service.com"
| summarize
    total_connections = event.number_of_connections.sum(),
    failed_connections = (event.number_of_no_host_connections.sum() +
                          event.number_of_no_service_connections.sum()),
    avg_failure_rate = event.failed_connection_ratio.avg(),
    affected_devices = device.name.count()
  by event.destination.domain
| where avg_failure_rate > <THRESHOLD>  # e.g., 0.10 for 10%
| list event.destination.domain,
       total_connections,
       failed_connections,
       avg_failure_rate.as(format = percent),
       affected_devices
| sort avg_failure_rate desc
| limit 20

Example: 

connection.events during past 7d
| where event.destination.domain = "*.company.com"
| summarize
    total_connections = event.number_of_connections.sum(),
    failed_connections = (event.number_of_no_host_connections.sum() +
                          event.number_of_no_service_connections.sum()),
    avg_failure_rate = event.failed_connection_ratio.avg(),
    affected_devices = device.name.count()
  by event.destination.domain
| where avg_failure_rate > 0.10
| list event.destination.domain,
       total_connections,
       failed_connections,
       avg_failure_rate.as(format = percent),
       affected_devices
| sort avg_failure_rate desc
| limit 20

Template 11: Network Latency Analysis

Use when: Investigating slow network connections

connection.events during past 7d
| where event.destination.domain = "<DOMAIN>"
| summarize
    avg_rtt = connection_establishment_time.avg(),
    max_rtt = connection_establishment_time.max(),
    connection_count = event.number_of_connections.sum()
  by event.destination.domain
| list event.destination.domain,
       avg_rtt,
       max_rtt,
       connection_count
| sort avg_rtt desc
| limit 20

Trend Analysis

Template 12: Daily Metric Trend

Use when: Creating time-series charts for dashboards

<EVENT_TABLE> during past 30d
| where <FILTER>
| summarize
    metric = <AGGREGATION>  # e.g., count(), field.avg()
  by 1d
| sort start_time asc

Example - Daily crash trend: 

execution.crashes during past 30d
| where application.name == "Microsoft Outlook"
| summarize
    crash_count = count()
  by 1d
| sort start_time asc

Example - Daily CPU usage: 

execution.events during past 30d
| where binary.name == "outlook.exe"
| summarize
    avg_cpu = cpu_time.avg()
  by 1d
| sort start_time asc

Template 13: Hourly Spike Investigation

Use when: Pinpointing exact timing of issues

<EVENT_TABLE> during past 48h
| where <FILTER>
| summarize
    metric = <AGGREGATION>
  by 1h
| sort metric desc  # or start_time asc for chronological
| limit 20

Example - Hourly crash spikes: 

execution.crashes during past 48h
| where application.name == "Microsoft Outlook"
| summarize
    crash_count = count()
  by 1h
| sort crash_count desc
| limit 20

Software Deployment

Template 14: Package Installation Verification

Use when: Verifying software deployment success

devices
| with package.installed_packages
| where package.name = "<PACKAGE_NAME>"  # e.g., "Microsoft Teams"
| compute
    has_package = package.count(),
    installed_version = package.version.last()
| list device.name,
       has_package,
       installed_version,
       operating_system.name,
       department
| sort device.name asc
| limit 100

Example: 

devices
| with package.installed_packages
| where package.name = "Microsoft Teams"
| compute
    has_package = package.count(),
    installed_version = package.version.last()
| list device.name,
       has_package,
       installed_version,
       operating_system.name,
       department
| sort device.name asc
| limit 100

Template 15: Devices Missing Required Software

Use when: Finding devices that need software installed

/* All devices */
devices
| compute device_count = 1

/* Devices WITH the package */
devices
| with package.installed_packages
| where package.name = "<PACKAGE_NAME>"
| compute has_package = package.count()

/* Compare to find missing */
devices
| include package.installed_packages
| compute has_package = package.name.countif(package.name = "<PACKAGE_NAME>")
| where has_package == 0
| list device.name,
       operating_system.name,
       last_seen,
       department
| sort device.name asc
| limit 100

User Activity

Template 16: Most Active Users by Application

Use when: Identifying heavy application users

execution.events during past 7d
| where binary.name == "<PROCESS_NAME>"
| summarize
    execution_time = execution_duration.sum(),
    device_count = device.name.count()
  by user.name
| list user.name,
       execution_time,
       device_count
| sort execution_time desc
| limit 20

Example: 

execution.events during past 7d
| where binary.name == "outlook.exe"
| summarize
    execution_time = execution_duration.sum(),
    device_count = device.name.count()
  by user.name
| list user.name,
       execution_time,
       device_count
| sort execution_time desc
| limit 20

Web Application Performance

Template 17: Web Application Load Times

Use when: Analyzing web app performance

web.page_views during past 7d
| where application.name == "<APPLICATION_NAME>"  # e.g., "Salesforce"
| summarize
    avg_load_time = page_load_time.backend.avg(),
    max_load_time = page_load_time.backend.max(),
    page_view_count = count(),
    device_count = device.name.count()
  by device.name
| list device.name,
       avg_load_time,
       max_load_time,
       page_view_count,
       device_count
| sort avg_load_time desc
| limit 20

Example: 

web.page_views during past 7d
| where application.name == "Salesforce"
| summarize
    avg_load_time = page_load_time.backend.avg(),
    max_load_time = page_load_time.backend.max(),
    page_view_count = count(),
    device_count = device.name.count()
  by device.name
| list device.name,
       avg_load_time,
       max_load_time,
       page_view_count,
       device_count
| sort avg_load_time desc
| limit 20

Boot Performance

Template 18: Devices with No Recent Boots

Use when: Finding devices that haven't rebooted (potential uptime issues)

devices during past 30d
| include device_performance.boots
| where boot.type == full_boot
| compute num_of_boots = boot.number_of_boots.sum()
| where num_of_boots == null or num_of_boots == 0
| list device.name,
       last_seen,
       operating_system.name,
       department
| sort last_seen desc
| limit 100

Template 19: Boot Duration Analysis

Use when: Investigating slow startup times

device_performance.boots during past 30d
| where boot.type == full_boot
| summarize
    avg_boot_time = boot.duration.avg(),
    max_boot_time = boot.duration.max(),
    boot_count = count()
  by device.name
| where avg_boot_time > <THRESHOLD_SECONDS>  # e.g., 120 for 2 minutes
| list device.name,
       avg_boot_time,
       max_boot_time,
       boot_count
| sort avg_boot_time desc
| limit 20

Multi-Filter Combinations

Template 20: Complex Device Filter

Use when: Combining multiple criteria for targeted reporting

devices during past 7d
| where operating_system.name in ["Windows 10", "Windows 11"]
  and hardware.memory > <MIN_MEMORY>  # e.g., 8589934592 for 8GB
  and department in ["<DEPT1>", "<DEPT2>"]
| include device_performance.events
| compute
    avg_cpu = cpu_usage.avg(),
    free_space_gb = free_disk_space.last() / 1000
| where avg_cpu > <CPU_THRESHOLD>
  or free_space_gb < <DISK_THRESHOLD>
| list device.name,
       operating_system.name,
       hardware.memory.as(format = bytes),
       avg_cpu.as(format = percent),
       free_space_gb.as(format = bytes),
       department
| sort avg_cpu desc
| limit 50

Example: 

devices during past 7d
| where operating_system.name in ["Windows 10", "Windows 11"]
  and hardware.memory > 8589934592
  and department in ["IT", "Engineering"]
| include device_performance.events
| compute
    avg_cpu = cpu_usage.avg(),
    free_space_gb = free_disk_space.last() / 1000
| where avg_cpu > 60
  or free_space_gb < 30
| list device.name,
       operating_system.name,
       hardware.memory.as(format = bytes),
       avg_cpu.as(format = percent),
       free_space_gb.as(format = bytes),
       department
| sort avg_cpu desc
| limit 50

Template Selection Guide

Choose your template based on what you're investigating:

If you need... Use Template
Device inventory report #1, #2
Offline devices #3
High CPU devices #4
Low disk space #5
Memory issues #6
App performance by device #7
Crash analysis by version #8
Most unstable apps #9
Network connectivity issues #10
Network latency #11
Daily trend chart #12
Hourly spike investigation #13
Software deployment check #14, #15
User activity analysis #16
Web app performance #17
Boot/reboot monitoring #18, #19
Complex multi-criteria search #20

Common Placeholder Values

Process names (binary.name): - "outlook.exe", "OUTLOOK.EXE" - Microsoft Outlook - "chrome.exe" - Google Chrome - "teams.exe" - Microsoft Teams - "excel.exe", "winword.exe", "powerpnt.exe" - Office apps - "msedge.exe" - Microsoft Edge - "firefox.exe" - Firefox

Application names (application.name): - "Microsoft Outlook", "Microsoft Teams", "Google Chrome" - "Salesforce", "Confluence", "Jira" - Web apps

Platforms (operating_system.platform): - windows, macos, linux

Thresholds:

  • CPU: 50 (50%), 80 (80%)
  • Memory GB: 8589934592 (8GB), 17179869184 (16GB)
  • Disk space GB: 20 (20GB), 50 (50GB)
  • Failure rate: 0.10 (10%), 0.15 (15%)

Tips for Using Templates

Start with | limit 10

Add | limit 10 to any template while testing, then remove or increase for production.

Test with Short Time Windows First

Replace past 7d with past 1d while developing, then expand once query works.

Adjust Sort Order as Needed

  • sort <field> desc - Highest/newest first (default for top N)
  • sort <field> asc - Lowest/oldest first (for time series or bottom N)
  • sort start_time asc - Always for chronological trends

Wildcards in Filters

Use * for flexible matching: - binary.name = "sense*.exe" - Matches any starting with "sense" - application.name = "*Office*" - Matches any containing "Office" - destination.domain = "*.company.com" - All subdomains

Combine Templates

Mix and match filters and calculations from different templates to create custom queries.

Additional Resources