Managing Custom Data data points

A data point is a JSON file that is configured to collect information from your Windows devices. A data point can be used to retrieve the following types of information:

  • hardware and software data accessible through Windows Management Instrumentation (WMI) queries
  • settings, options, or other data available in the Windows Registry
  • hash values of files on the device
  • existence of files on a device

Due to restrictions imposed by Microsoft, data points that use PowerShell are not supported on devices running Windows 11 SE.

About data points

A data point file is a JSON file containing a field name for the data point, the data type being returned, and the query expression that is executed on the device. The values returned can be one of the following data types:

  • boolean
  • datetime (ISO 8601 string), for example: 2020-08-05T14:23:01.000Z
  • double
  • long
  • string

Regardless of the data type, the maximum size of the returned value is 8 KB, or approximately 8000 characters.

There are two types of data points in Custom Data policies: Default data points and Custom data points.

Default data points are part of the DataExplorer Library and are automatically included in the Custom Data policy. Default data points are indicated by the icon and are disabled by default. You can activate and deactivate Default data points but you can't edit the display name or delete them. For a list of available Default data points, see DataExplorer Library.

Custom data points are indicated by the icon and are provided to you by Absolute. For more information, contact Absolute Sales. You can add, edit, activate, deactivate, and delete Custom data points.

Additionally, with the Absolute Resilience product, you can download the DataExplorer Builder tool to create and configure your own Custom data points.

Your account can have a maximum of 100 data points. This includes both Custom and Default data points.

Working with data points

You can add Custom data points to the Custom Data policy and configure which policy groups collect the data points.

Depending on the Absolute product licenses associated with your account, the ability to add Custom data points may not be available.

To add Custom data points:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.
  2. On the navigation bar, click Policies > Custom Data.

  3. Click Create data points.

    If the Create data points button is not available, a license upgrade is required.

  4. To select the data points to add, do one of the following:

    1. In the work area, click browse and navigate to and select one or more data point files that you want to add. Files must be valid JSON files that return one of the supported data types.
    2. Repeat the previous step for all of the data points you want to add.
    1. Navigate and select one or more data point files that you want to add.
    2. Drag the file or files to Drop files here in the work area of the Secure Endpoint Console. Files must be valid JSON files that return one of the supported data types.
    3. Repeat the previous steps for all of the data points you want to add.

    If you select a data point in error, click .

    The selected data points are added to the dialog under Data points. The field name from each data point file shows.

    Two data points can't have the same field name. For information on matching data points, see What happens when matching data points are detected?

  5. [Optional] In the Input friendly name field, enter the name you want to show in reports for this data point. If you don't enter a name, the field name is used.

    • If you enter a duplicate friendly name, you see a warning in the console. Enter a new, unique name for the data point.
    • The validation for matching display names is case insensitive, BatteryHealth and batteryHealth are considered the same.
  6. [Optional] By default, the CDC component A lightweight software component of the Secure Endpoint Agent that detects configured data points on a Windows device. The CDC component is deployed on a device only when the device is associated with a policy group in which the Custom Data policy is activated. on each device scans for data point updates every 24 hours. To increase the frequency of these scans, click the Refresh data field and select one of the following options:
    • Every 6 hours
    • Every 60 minutes

    • Every 15 minutes

    A higher refresh frequency may negatively impact performance of a device.

  7. [Optional] In addition to scheduled scans, scans can be triggered when events occur on a device. To enable this option:
    1. Select the checkbox next to Refresh data when an event triggers.
    2. Click the field that shows and select one or more of the following events:
      • Public IP change: the device's public IP address changes
      • System startup: the device is restarted

      • User login: a device user logs in

      Click anywhere outside the list to close it.

      Scans will be triggered when any of the selected events occur.

  8. By default, the field under Scope contains all policy groups associated with your account. To remove a policy group, click its icon. Repeat this step for each policy group you want to remove from the scope.

  9. Click Save. The data points are added.

  10. [Optional] The new data points are automatically activated. If you want to deactivate a data point for now, click the Custom tab and click the data point's activation slider to set it to Inactive. The data point is deactivated.

The Custom Data policy is configured to collect the data points from devices in the configured policy groups. If a data point is activated, the data points will be collected on the next agent connection, which is typically within the next 15 minutes. Data point scans then follow the Refresh data configurations set in step 6 and 7.

After a data point is activated for at least one policy group, and the CDC component has performed a scan on your devices, you can use the Edit columns option to add the Custom Data > <friendly name> column to most pages or reports. You can also filter and sort the page or report using Custom Data.

To view custom data point information for an individual device, go to its Details page.

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.

  2. On the navigation bar, click Policies > Custom Data. The Custom Data page opens to show the list of active and inactive data points associated with your account.

    Each data point shows the following information:

    • Friendly name

    • Policy group icon (for example, ): the number of policy groups the data point is assigned to. Hover over the icon to see the policy group names in a tooltip.

    • Activation slider set to On (Active) or Off (Inactive)

    • Refresh configuration details

    • Date of the most recent update

    • User that last updated the data point

  3. [Optional] To view the data points of a particular type, click one of the following tabs:

    • Default
    • Custom

  4. To search for a data point, enter all or part of the friendly name or field name in the Search field.

  5. Data points can be set to either active or inactive. Inactive data points are not yet applied to any devices. To refine the list so only active data points show, click the Show inactive checkbox to clear it.

  6. To view more details about a data point, click anywhere on its row background.

To view more information about a data point, click anywhere on the row background. The data point overview opens to the right of the work area.

The following information about the data point shows:

  • Data point field name
  • Status (Active or Inactive)

  • Date of the most recent update (as a relative date, such as 23 days ago)

    Hover over the relative date to view the exact date and time in a tooltip.

  • User that last updated the data point

  • Overview:

    • Data point: field name of the data point

    • Friendly name: name assigned to the data point in the console

    • Refresh rate: frequency of data point scans
    • Refresh events: events that will trigger a scan
  • Scope: policy groups that the data point is assigned to

If your user role is granted the Manage permission for Custom Data Collection and Policies, click Edit to update the data point configurations.

To close the data point overview, click .

You can change the activation status of both Custom and Default data points.

Note that deactivating a data point has the following effect:

  • The data point is no longer collected from devices
  • Information that has already been collected is maintained but is no longer available in reports
  • Reports filtered by the disabled data point are no longer filtered by that field

  • If the data point was used by an Action rule:

    • The rule is deactivated, and a Rule updated event is logged to Event History. Note that if you re-activate the data point later, the rule is not automatically re-enabled. You will need to enable it.
    • In the Policies > Rules area, the rule shows a icon to indicate that an item used by the rule has been deleted or disabled. Edit the rule and remove or replace the data point.

To change the activation status of a data point:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.

    If you are deactivating a data point that is used by an Action rule, your user role also needs to be granted the Manage permission for Rules.

  2. On the navigation bar, click Policies > Custom Data.

    Active data points have a white background; Inactive data points have a gray background.

  3. [Optional] To hide all inactive data points, clear the Show inactive checkbox.

  4. To search for a data point, enter all or part of the friendly name or the field name in the Search box. The search results update dynamically as you type. Optionally, click Custom or Default to limit the search results.

  5. {Optional] Click the data point to view an overview of its configuration.

  6. Do one of the following:

    • To activate a data point for all configured policy groups, click the activation slider to set it to Active.

    • To deactivate a data point for all configured policy groups, click the activation slider to set it to Inactive.

The activation status of the data point is updated.

You can edit the settings for both Custom and Default data points.

You can't change the friendly name of a Default data point.

To edit data points:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.

  2. On the navigation bar, click Policies > Custom Data.

  3. [Optional] To hide all inactive data points, clear the Show inactive checkbox.

  4. To search for a data point, enter all or part of the friendly name or the field name in the Search box. The search results update dynamically as you type. Optionally, click Custom or Default to limit the search results.

  5. Hover over the row of the data point you want to change and click .
  6. [Custom data points only] To update the friendly name of the data point, click the name and update it.

    If you enter a duplicate friendly name, you see a warning in the console. Enter a new, unique friendly name for the data point.
    The validation for matching display names is case insensitive: BatteryHealth and batteryHealth are considered the same.

  7. Update the data point's refresh data settings and assigned policy groups, as required. For detailed instructions, see steps 5 to 9 in Adding custom data points.

  8. Click Save.

The data point is updated.

To collect a data point from devices, the data point needs to be assigned to the devices' policy groups.

You can update data point assignment from either the Custom Data area or the Policy Groups area. Your changes will be reflected in both areas.

To assign multiple data points to a policy group:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Policies and Custom Data Collection.
  2. On the navigation bar, click Policies > Policy Groups.
  3. On the Policy Groups sidebar, click the policy group that contains the policy you want to update. The policy group opens in the work area.
  4. Next to Custom Data, click Configure. The Custom Data overview opens to the right of the work area, showing the data points that are assigned, and unassigned, to the policy group. If any data points are deactivated, an Inactive label shows next to the data point name.

  5. Under Unassigned, click a data point's icon.

    If the Activate Policy dialog opens, the data point is inactive. Do one of the following:

    1. To activate it now for all assigned policy groups, click Activate.

    2. To leave it deactivated, click Keep inactive.

    The data point is moved to the Assigned section. If you activated the data point, the Inactive label is removed.

  6. Repeat step 5 for each data point you want to assign.
  7. [Optional]To remove a data point, in the Assigned section, click the data point's icon. The data point is moved to the Unassigned section.

  8. [Optional] To edit the data point, hover over its name and click .

  9. Click to close the Custom Data overview.

To assign a data point to multiple policy groups:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.

  2. On the navigation bar, click Policies > Custom Data.

  3. [Optional] To hide all inactive data points, clear the Show inactive checkbox.

  4. To search for a data point, enter all or part of the friendly name or the field name in the Search box. The search results update dynamically as you type. Optionally, click Custom or Default to limit the search results.

  5. Hover over the row of the data point you want to update and click .
  6. Under Scope, click the field and select each policy group to assign the data point to. To remove a policy group, click its icon.
  7. Click Save.

The data point is assigned to the specified policy groups.

You can delete Custom data points if you added them in error, or if you no longer want to collect the information. Note that you can't delete Default data points that are part of the DataExplorer Library.

Deleting a data point has the following effect:

  • The data point is no longer collected from devices
  • Information that has already been collected is deleted
  • The data point is removed from user-defined reports
  • Reports that were saved with the deleted data point as a filter are no longer filtered by that field
  • The field name and display name can be reused

Note that if you delete a Custom data point that is used by an Action rule:

  • The rule is deactivated, and a Rule updated event is logged to Event History.
  • In the Policies > Rules area, the rule shows a icon to indicate that an item used by the rule has been deleted or disabled. Edit the rule and remove or replace the data point.

To delete a Custom data point:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Custom Data Collection and Policies.

    If you are deleting a data point that is used by an Action rule, your user role also needs to be granted the Manage permission for Rules.

  2. On the navigation bar, click Policies > Custom Data.
  3. [Optional] To search for a data point, enter all or part of the friendly name or the field name in the Search field. The search results update dynamically as you type. Click Custom to limit the results to Custom data points.
  4. Hover over the row of the data point you want to delete and click .

  5. On the Delete dialog, review the warning message that all previously collected data will be deleted and removed from reports. Click Continue if you want to proceed.

    When you delete a data point:

The data point is deleted.

Matching data points are data points that have the same field name in the JSON file. Matching is detected while you are adding data points and prevents you from adding two different data points with the same field name.

Matching validation of field names is case insensitive; BatteryHealth and batteryHealth are considered the same.

If the match is detected between two data points you are in the process of adding, the last file selected is the data point that is added when you click Save.

If the match is detected between an existing data point and a new data point you are adding, a warning message appears indicating that the existing data point is going to be overwritten. Do one of the following:

  • To continue using the existing data point, click either Remove or Cancel.
  • To use the new data point, click Save. The data is refreshed within 24 hours for all devices that are online.

If the duplicate data point has a different data type, or if you're unsure, create a new data point. You can create a new data point by opening the JSON file in a text editor and editing the field name. For example, rename BatteryHealth to BatteryHealth1.
Optionally, if you no longer want to collect the information from the old data point and want to replace it with the new data point, you can delete the old data point before adding the new data point. However, any information that was collected using the old data point will be deleted and will no longer be available in reports.

After you activate the Custom Data policy, the CDC component A lightweight software component of the Secure Endpoint Agent that detects configured data points on a Windows device. The CDC component is deployed on a device only when the device is associated with a policy group in which the Custom Data policy is activated. begins to collect the Custom Data information from the devices associated with the applicable policy groups.

Users can view the collected information in the following ways:

  • Use Edit Columns to add the Custom Data > <friendly name> column to most pages or reports that show devices in the results grid. For example, open the All Devices page in the Devices area or open the Makes and Models report. You can also filter pages and reports by Custom Data. Filters are not supported on data points with a double data type.