doc/4.0.0/Working With Finder/Explore/Search

1. Using Search

1.1. Search Overview

Search provides a powerful way of leveraging the knowledge accumulated in the NEXThink database, because it searches across all elements in that database. Entering a snippet of text in the search entry field returns matches in the frame below as you type. You can then explore the search results, which may save you from creating an Investigation to find the same information. For example, typing "powerpoint" into the search box returns the following search report:

  • Search returns for "powerpoint", and the Investigation list resulting from clicking on "all 51 packages..."

Note that Search has returned results under the categories Packages, Executables and Binaries, and has found 51 packages. Where there is insufficient room to display all the results, a message appears at the bottom of that search category. Clicking on that message launches an Investigation, which returns a report in the right frame of Finder (shown above) with full details of the items concerned. For the purposes of illustration, the column order and list order have been modified to show more of what Search can do in the limited area of the above screenshot.

Search commences for matches to entered text as soon as you begin typing. The magnifying glass at the end of the Search entry field is replaced by a spinning animation indicating the search is progressing.

  • Search in progress indicator: Finder is still searching through the database

Using our earlier example of searching for "powerpoint": after typing only "power", Search has already returned some suggested investigations plus a few different packages, executables and binaries containing the text "power".

  • Search returns for the text "power" - perhaps we wanted to know about powering up computers?

As Search finds matches, it builds up a report below the Search input field. If you need to widen the frame, move the mouse cursor to the frame border and drag it to the right. Alternatively, you can check individual results by hovering the mouse cursor over the partial text. This is a useful way of identifying the purpose of otherwise cryptic binary names. For example, in the snapshot below, hovering over the search result 'ndp40-kb2473228-x64.exe' tells us that it is an update for Microsoft .NET Framework 4.0. The same extended information is provided by hovering over search results from the NEXThink Library.

  • Hovering over a search result provides further information on the returned result

You can reduce the number of search results by using the wildcards '?' (matches a single character) and '*' (matches multiple characters), or by entering a longer text string.
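As an added illustration (not NEXThink code), the following toy model shows how a plain snippet such as "power" and the wildcards described above narrow a result list and group it by category. The catalogue and the matching rules (case-insensitive, substring for plain snippets, whole-name match when wildcards are present) are assumptions for the example, not documented behaviour of the Engine.

```python
# Added example (not NEXThink code): toy model of Finder-style search matching.
# Assumptions not stated on the page: matching is case-insensitive, a plain
# snippet matches anywhere in a name (substring), '?' matches exactly one
# character, '*' matches zero or more, and a wildcard pattern covers the whole name.
from collections import defaultdict

# Constructed sample catalogue of (category, name) pairs; names are illustrative.
CATALOGUE = [
    ("Packages", "Microsoft Office PowerPoint 2010"),
    ("Executables", "powerpnt.exe"),
    ("Binaries", "powerpnt.exe"),
    ("Binaries", "ndp40-kb2473228-x64.exe"),
    ("Executables", "powershell.exe"),
    ("Packages", "Power Management Utility"),
    ("Ports", "TCP/6881"),
]

def glob_match(pattern: str, text: str) -> bool:
    """Iterative wildcard matcher: '?' = one char, '*' = any run of chars."""
    p = t = 0
    star = -1       # pattern index of the most recent '*'
    resume = 0      # text index to retry from after that '*'
    while t < len(text):
        if p < len(pattern) and pattern[p] in ("?", text[t]):
            p, t = p + 1, t + 1
        elif p < len(pattern) and pattern[p] == "*":
            star, resume, p = p, t, p + 1
        elif star != -1:
            # Let the last '*' absorb one more character and retry.
            resume += 1
            p, t = star + 1, resume
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":   # trailing stars match empty
        p += 1
    return p == len(pattern)

def matches(query: str, name: str) -> bool:
    q, n = query.lower(), name.lower()
    if "*" in q or "?" in q:
        return glob_match(q, n)
    return q in n   # plain snippet: substring match, as for "power"

def search(query: str, catalogue=CATALOGUE) -> dict:
    """Group matching names by category, as Finder's results frame does."""
    results = defaultdict(list)
    for category, name in catalogue:
        if matches(query, name):
            results[category].append(name)
    return dict(results)
```

Calling `search("power")` returns hits under Packages, Executables and Binaries, while `search("power???.exe")` keeps only powerpnt.exe, mirroring how the longer or wildcard-qualified text narrows the list.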

1.3. Working with Search results

The search results are returned in categories. Double clicking on any result of interest under a category launches an Investigation and returns the investigation results in the Finder Investigations reporting frame to the right. You can then work with the investigation result as you would with a standard investigation: for example, drill down on the list entries, or switch to the Network activity or Local activity views and drill down from there.

There are no time restrictions on the search; it looks into the whole Engine database, which can span a whole year if the activity is light.

If Search has returned many items and, after exploring a few of them, you have lost the returned search listing, just click on the binoculars icon to the left of the Search field and your results will be visible again without the search being repeated.

1.3.0.1. How Search elements are matched

Search matches on NEXThink Object properties as well as on object tags. For instance, if you search for "peer-to-peer" and the port type category is defined in Engine, the search will match the ports carrying this tag and return them under the Port category. (See the Categories section below for more on object tags.)

1.3.1. Search Objects returned and Default left and right click actions

Search returns results under a number of Object Categories, as summarised in the table below. Double clicking an item listed under a category performs a default action, as summarised in the Double click action column. Right clicking an item likewise provides a number of options, as summarised in the Right click actions column. The options available depend on the context, with more than one action often possible; this is indicated in the table by an ellipsis after the action, such as Drill down to...

Objects and Activity     | Double click action                        | Right click actions
-------------------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------
Alerts                   | Run an investigation                       | Run an investigation, Show last alert, Edit
Applications             | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation...
Binaries                 | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation..., Custom actions...
Categories               | Enters Categories menu Auto-tagging screen | None
Destinations             | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation..., Custom actions...
Executables              | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation..., Custom actions...
Investigations           | Run the investigation                      | None
Packages                 | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation...
NEXThink Library         | Run an investigation                       | None
Ports                    | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation..., Custom actions...
Printers                 | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation...
Services                 | Edit Services                              | Edit, Drill down to...
Sources                  | Display source view                        | Display source view, Drill down, Edit, Drill down to..., One click investigation..., Custom actions...
Suggested Investigations | Run the investigation                      | None
Users                    | Run an investigation                       | Drill down, Edit, Drill down to..., One click investigation...

1.3.2. Default double-click actions and the right click alternatives

As can be seen from the above table, the default double-click action is usually 'Run an investigation'. Unless the search result is itself an investigation, you are also offered further options via a right click menu, which may give you what you are after more directly.

1.3.3. Right click actions

The right click actions are context sensitive and hence vary between item types. Generally, you are presented with two functionally similar sub-menus, Drill down to... and One click investigation..., as illustrated below for a Source item.

1.3.3.1. Sources

The next two screenshots show how the right click options provide comparable menus for Drill down and One click investigations, so you can choose whichever investigation method best suits your need.

  • One-click (Object) investigation options for a Source (computer)

  • Drill down Object options for a Source - note that the same objects are presented for investigation as above

A right click on a Source item gives you the opportunity to investigate Objects, Activities and Events. The next screenshot shows the options available for exploration under Activities, followed by the options provided under Events.

  • Drill down to Activities options for a Source

  • Drill down to Events options for a Source

Some right click menus provide one or more context-appropriate Custom Actions. For a Source, we are offered the choice of opening a Remote Desktop connection to the source or pinging it.

  • Custom actions available for a Source

1.3.3.2. Users

Illustrating the context-sensitive nature of the right click options, the screenshot below shows the object-related menu items for a User.

  • One-click object investigation options for a User

1.3.3.3. Alerts

The options available for an Alert are limited to running an investigation, showing the last alert, or editing the alert.

  • Drill down options for an Alert, including Show last alert

1.3.3.4. Categories

Categories search results only support a double click on an item, which opens a template that enables you to enter rules for automatic tagging. The template is customized appropriately for the item type.

  • Auto-tagging template for a network item; the template is customized for the particular item type

For more information on auto-tagging, refer to doc/4.0.0/WorkingWithFinder/Organize/Categories, specifically the sections on tagging objects and auto-tagging rules.

1.3.3.5. Services

The default double click action for Services is to edit the service. Please refer to doc/4.0.0/WorkingWithFinder/Organize/Services for more information on editing services.

Right clicking provides options to edit the service, to drill down to objects (see screenshot below), or to drill down to activities, for which there is the single menu item "Connections".

  • Drill down Objects options for a Service