- Creating an Investigation
- Using Matching Conditions
- Using the Display Panel
- Using Investigation Results
1. Creating an Investigation
This section describes how to create, name, set up, edit and save an investigation.
1.1. Managing investigation folders
Creating new folder is performed by right clicking over the Investigations section or any existing investigation folder.
Renaming and deleting a new folder is performed by a right click over any existing investigation folder.
1.2. Create a new investigation
There are two easy ways to create a new investigation; you can create new investigation 'from scratch' (next paragraph), or where your planned investigation is similar to an existing investigation, you can duplicate the existing investigation, edit it and save it with a new name (see Edit an existing investigation below).
To create a new investigation, right click over the Investigation section (left hand pane) or an investigation folder, then click on Create new investigation...
1.3. Naming a new investigation
By default, every new investigation is named as Untitled investigation (followed by an incremental number)
To name the new investigation, simply drag over the mouse and select Untitled investigation and type in the desired name
Similarly a brief description can be entered using same method by selecting Enter description here...
Use the same technique to rename an existing investigation.
1.4. Set and save new created investigation
A investigation is set up by selecting the main object to retrieve and associate matching rules, time frame restriction, and defining what information to include in the listed results.
1.5. Edit an existing investigation
If you wish to keep your existing investigation, first duplicate and rename your existing investigation. Right click the investigation you are using as the basis for your new investigation and click on Duplicate. Rename your investigation and description as appropriate. Click on Save (bottom of right frame of the investigation).
Drag the mouse over the investigation name to be edited, then right click and select Edit...
2. Using Matching Conditions
This section shows how to set one or several matching conditions for a given investigation.
2.1. Understanding Conditions rules structures
An investigation is primarily a query on an object, activity, or event type to retrieve a list of items which can be filtered using one or more condition or a combined set of filters.
There are three distinct mechanisms which can be used to filter out investigation results.
Matching Conditions: is a set of rules, linked to a boolean expression and associated to the investigation query.
A matching condition can also be also associated to an aggregated condition, that is AND
Within Time Frame: which allow to set a time frame limitation for the investigation
Display: which allow to restrict output result list to a limited fixed numbers of items
Associated filtering mechanisms provide cumulative effects.
2.2. Matching Conditions
A matching condition is created by a click on the Click here to add a new condition link.
Then the user is able to build conditions by setting the different fields to the desired values:
A Condition is made from four distinct fields:
- The primary NEXThink Object name (e.g. Source or Executable)
- Attribute or category of the object (e.g. Name)
- Operator (e.g. 'starts with' or 'is')
- Matching value (tested by the condition operator) (e.g. NX or dicom.exe)
One or more matching conditions can be set for a given investigation. Where multiple conditions are set, the conditions are by default ANDed together. While AND is the default Condition operator, this can be changed as illustrated in the next section.
One or several matching conditions can be set for a given investigation.
By default subsequent conditions are ANDed together.
2.2.1. Parameter Entry
If you need to enter a parameter for your investigation, an icon with the question mark appears to the left of the trash can. You can either enter a parameter, or click on the icon to leave the parameter unset, in which case you will be prompted to enter one when the investigation is run. Clicking in the parameter field will shows how to enter an acceptable parameter string as shown below.
2.2.2. Conflicting and Incompatible Conditions
Some combinations of investigated objects, conditions, and display settings are incompatible. In such cases the red exclamation mark is shown and the investigations cannot be saved. Some examples of where this can happen are shown below:
Condition incompatible with display attributes
In these circumstances, change the conditions until the warning icon disappears or delete the conflicting condition by clicking on the trash can and start again.
2.3. Boolean Logical Expression:
The logical expression can be modified from the default AND operator by clicking on the advanced word.
Allowed Boolean operators are AND and OR. Boolean expression such as 1 AND (2 OR 3), where 1, 2, and 3 are the Condition fields, are possible by clicking into a logical field and directly modifying the expression.
In above example, the investigation will return a list of events items where the source (device) names start with NX (for example NX1, NX2, et cetera), AND when these devices were executing either dicom.exe OR daemon.exe.
2.4. Aggregated Condition: (AND)
An additional condition can be set using the AND option. This additional condition refines the investigation by setting a simple condition based on aggregated values:
On the above example, matching conditions are associated to an additional aggregated condition based on a network response greater than or equal to 300ms.
Aggregate conditions are logical conditions set on these NEXThink engine calculated values.
2.5. Time Frame
Time frame limitations are set using the following options:
Note: The investigation Time Frame can be limited by the specific matching conditions selected in the investigation
When investigating Packages, only the Full available period can be selected
A Finder investigation for activity related investigations can cover a period of up to one week. Use Portal for investigating longer periods.
3. Using the Display Panel
3.1. Selecting Display Columns
The columns displayed in the list view resulting from an investigation can be defined with the Display panel.
Display is organized in several sections, regrouping the available attributes by relevant topics. The topics differ according to the object one has selected to be retrieved. Only available attributes returned by the investigation are presented for selection in the Display panel.
3.2. Limiting and Sorting Displayed Results
You are able to limit the number of items shown in the investigation return and select a column by which the results can be sorted by selecting "The top xx sources ordered by.." rather than the default "All results". In the screenshot below, we have limited results to no more than "The top 20 sources ordered by Computer Manufacturer in ascending" order. In limiting the number of displayed results, you can either accept one of the default limits or type in your own limit.
The above settings limit the results displayed as shown below.
4. Using Investigation Results
This section describes how to use investigation results. Three distinct views are available for analyzing the results.
4.1. List View
List will return and display all results matching the investigation filter rules.
- Time frame covered in the result (top of frame, to the left of mouse cursor)
- Quick time-frame edition to include the next or the previous day of the selected period (top of frame, to the right of mouse cursor)
- Number of objects matching the investigation rules, number of objects selected in the list (bottom middle of frame)
The item order can be sorted by clicking on column name. The sort order (low to high or high to low) alternates following a re-click.
Items can be individually selected by clicking on the first item, then Crtl+clicking subsequent items.
If the items of interest are contiguous, they can be selected by clicking on the first item and shift-clicking on the item at the end of the contiguous range.
The selected items can then be further investigated via a right-click, which provides a range of further investigation options
To add or remove columns, one can right click on the table header and select them directly from the contextual menu:
Using the same contextual menu, the user can also freeze the column on which he clicked; that means that this column along with all others located on its left will remain visible even if the user scrolls the table to the right to view other columns.
The column order can be changed by selecting and moving a column.
4.2. Network activity
Network activity tab displays a graphical representation of the network activity for a given investigation. Here from left to right are displayed sources (devices), users, binaries, port and destination.
- You can switch the display to full screen mode by clicking on the top right icon in the network display frame (the icon under the refresh icon)
The Display setting (top left) can be changed from traffic (by default) to a wide range of network monitoring options (see screenshot Network Activity Display options below)
- By selecting a path in the network activity (see mouse cursor), the values are displayed for the corresponding display settings and the corresponding objects are highlighted in the listto the left
Right-clicking a network path enables you to drill-down, launch a One-click investigation or copy the display as a table (see screenshot Network Activity right-click options below)
- Multiple network paths can be selected by control clicking (hold the control key down while clicking on subsequent network paths)
- The contextual menu is also available in the list on the left and in the bar chart
Only the objects with network activity for the displayed time frame are displayed in black in the list. The grayed objects have no network activity for the selected time frame.
Note: If the maximum number of connections resulting from the investigation is reached, a warning icon is shown in the top-right of the window.
As mentioned above, the display can be easily changed to show other network activity monitoring options
Network Activity Display options
Right-clicking on a network path provides a range of options for further investigation. Note that hovering your mouse over an option provides additional information via a tooltip.
Network Activity right-click options
4.3. Local activity
The Local activity tab displays a graphic representation of the local activity for a given investigation.
- The display setting can be changed from duration (by default) to traffic or executions.
- By selecting a path in the local view, the values are displayed for the corresponding display settings and the corresponding objects are highlighted in the list.
Only the objects with local activity for the displayed time frame are displayed in black in the list. The grayed objects have no local activity for the selected time frame.
Note: if the maximum number of executions resulting from the investigation is reached, a warning icon is shown in the top-right of the window.
4.4. Refreshing results
The displayed investigation results can be refreshed either by closing and relaunching the investigation window or by clicking the refresh icon.
Network and local activity views allow dynamic zooming operations. Select activity patterns and/or bars in the time chart and click on the zoom-in icon (shortcut: double-click). The display is updated, now showing data for the selected activity and time period only. To navigate back from a zoomed-in view, click on the zoom-out icon.
4.6. Exporting data
The list view provides list export functions for either Microsoft Excel or a CSV file. Simply select the rows to export (use Ctrl+click or Shift+click for multiple selection or Crtl-A for all), right click, and select Copy Rows.
Open a text editor or a spreadsheet-application and Paste the clipboard.
In the parallel-coordinates display (that is network activity or local activity views), one can also export data by right-clicking on a selected path and choosing Copy as table:
All the investigation information is then copied to the clipboard so it is ready to be pasted, for example, in Microsoft Excel where Pivot tables can be easily defined for your own reports and analyses.