doc/4.0.0/Working With Finder/Explore/Using Investigations

1. Creating an Investigation

This section describes how to create, name, set up, edit and save an investigation.

1.1. Managing investigation folders

A new investigation folder is created by right-clicking the Investigations section or any existing investigation folder.

A folder is renamed or deleted by right-clicking that folder.

  • Creating a new Investigation folder

1.2. Create a new investigation

There are two ways to create a new investigation: you can create it 'from scratch' (next paragraph), or, where the planned investigation is similar to an existing one, you can duplicate the existing investigation, edit it and save it under a new name (see Edit an existing investigation below).

To create a new investigation, right-click the Investigations section (left-hand pane) or an investigation folder, then click Create new investigation...

1.3. Naming a new investigation

By default, every new investigation is named Untitled investigation (followed by an incremental number).

To name the new investigation, select the text Untitled investigation with the mouse and type the desired name.

  • Naming a new Investigation

Similarly, a brief description can be entered the same way by selecting Enter description here...

Use the same technique to rename an existing investigation.

1.4. Set up and save a newly created investigation

An investigation is set up by selecting the main object to retrieve, associating matching conditions and a time frame restriction with it, and defining which information to include in the listed results.

  • Setting up an Investigation

1.5. Edit an existing investigation

If you wish to keep your existing investigation unchanged, first duplicate and rename it: right-click the investigation you are using as the basis for the new one and click Duplicate. Rename the investigation and its description as appropriate, then click Save (at the bottom of the investigation's right-hand frame).

To edit an investigation, right-click its name and select Edit...

  • Editing an existing Investigation

2. Using Matching Conditions

This section shows how to set one or several matching conditions for a given investigation.

2.1. Understanding Conditions rules structures

An investigation is primarily a query on an object, activity or event type that retrieves a list of items. The list can be narrowed using one or more conditions, or a combination of the filter mechanisms below.

There are three distinct mechanisms for filtering investigation results:

  • Matching Conditions: a set of rules, combined by a Boolean expression and attached to the investigation query. The matching conditions can additionally be combined (AND) with an aggregated condition (see Aggregated Condition below).

  • Within Time Frame: restricts the investigation to a given time period.

  • Display: restricts the result list to a fixed maximum number of items.

These mechanisms are cumulative: an item appears in the results only if it passes all of the filters that are set.

2.2. Matching Conditions

A matching condition is created by clicking the Click here to add a new condition link.

  • Setting a Matching Condition for an Investigation

The user then builds the condition by setting its fields to the desired values.

A condition is made of four distinct fields:

  1. The primary NEXThink object name (e.g. Source or Executable)
  2. Attribute or category of the object (e.g. Name)
  3. Operator (e.g. 'starts with' or 'is')
  4. Matching value, tested by the condition operator (e.g. NX or dicom.exe)

One or more matching conditions can be set for a given investigation. Where several conditions are set, they are ANDed together by default. AND is the default operator between conditions, but this can be changed as illustrated in the next section.

  • Setting Conditions for a Finder Investigation


2.2.1. Parameter Entry

If a condition takes a parameter, an icon with a question mark appears to the left of the trash can. You can either enter the parameter now, or click the icon to leave it unset, in which case you are prompted for it when the investigation is run. Clicking in the parameter field shows the format of an acceptable parameter string, as shown below.

  • Prompting for an acceptable parameter

2.2.2. Conflicting and Incompatible Conditions

Some combinations of investigated object, conditions and display settings are incompatible. In such cases a red exclamation mark is shown and the investigation cannot be saved. Some examples of where this can happen are shown below:

  • Conditions 1 and 2 are in conflict

  • Conflicting Conditions

  • Condition incompatible with display attributes

In these circumstances, change the conditions until the warning icon disappears, or delete the conflicting condition by clicking the trash can and start again.

2.3. Boolean Logical Expression

The logical expression can be changed from the default AND operator by clicking the advanced link.

  • The allowed Boolean operators are AND and OR. Expressions such as 1 AND (2 OR 3), where 1, 2 and 3 refer to the numbered conditions, are built by clicking into the logical expression field and editing the expression directly.

  • Using Advanced feature to set Boolean conditions

In the above example, the investigation returns the events where the source (device) name starts with NX (for example NX1, NX2 and so on) AND the executable is either dicom.exe OR daemon.exe.

2.4. Aggregated Condition (AND)

An additional condition can be set using the AND option. This additional condition refines the investigation with a simple condition on aggregated values:

  • Adding additional aggregated condition

In the above example, the matching conditions are combined with an aggregated condition requiring a network response time greater than or equal to 300 ms.

Aggregated conditions are logical conditions on values calculated by the NEXThink engine, such as the network response time above, rather than on the stored attributes of an object.

2.5. Time Frame

Time frame limitations are set using the following options:

  • Limiting the time frame of an Investigation

Note: The time frames available to an investigation depend on the object and matching conditions selected for it:

  1. When investigating Packages, only the Full available period can be selected.

  2. A Finder investigation into activities can cover a period of up to one week. Use the Portal to investigate longer periods.
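To make the cumulative filtering described in sections 2.1 to 2.5 concrete, the following Python model is added here as an example; it is not Nexthink Finder code and does not show how the Finder's query engine actually works. It applies numbered matching conditions joined by a Boolean expression such as 1 AND (2 OR 3), an aggregated condition, a time frame and a Display sort-and-limit to a small set of constructed sample events. The event field names, the two operators and the sample data are assumptions chosen to mirror the examples on this page.

```python
"""Toy model of how the investigation filters on this page combine (added example;
field names, operators and events are assumptions, not Nexthink Finder internals)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, not real Finder data; fields mirror the page's examples.
SAMPLE_EVENTS = [
    {"source": "NX1",  "executable": "dicom.exe",   "response_ms": 350, "time": datetime(2024, 5, 6, 9)},
    {"source": "NX2",  "executable": "daemon.exe",  "response_ms": 120, "time": datetime(2024, 5, 6, 10)},
    {"source": "NX3",  "executable": "notepad.exe", "response_ms": 900, "time": datetime(2024, 5, 6, 11)},
    {"source": "LAB7", "executable": "dicom.exe",   "response_ms": 400, "time": datetime(2024, 5, 6, 12)},
    {"source": "NX9",  "executable": "daemon.exe",  "response_ms": 300, "time": datetime(2024, 5, 8, 8)},
    {"source": "NX4",  "executable": "daemon.exe",  "response_ms": 310, "time": datetime(2024, 4, 1, 8)},
]

# The two condition operators named on the page (the real Finder offers more).
OPERATORS = {
    "is": lambda actual, wanted: actual == wanted,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
}

@dataclass(frozen=True)
class Condition:
    attribute: str   # stands in for "object + attribute", e.g. Source / Name
    operator: str    # key into OPERATORS
    value: str       # matching value tested by the operator

    def matches(self, event: dict) -> bool:
        return OPERATORS[self.operator](str(event[self.attribute]), self.value)

def evaluate(expr: str, truth: dict[int, bool]) -> bool:
    """Evaluate a Boolean expression over numbered conditions, e.g. '1 AND (2 OR 3)', where
    truth[n] is whether condition n matched. AND binds tighter than OR; malformed input raises."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of expression {expr!r}")
        pos += 1
        return tokens[pos - 1]

    def parse(level: int) -> bool:
        """level 0: OR of level-1 terms; level 1: AND of atoms; level 2: atom."""
        nonlocal pos
        if level == 2:
            tok = take()
            if tok == "(":
                inner = parse(0)
                if take() != ")":
                    raise ValueError(f"unbalanced parentheses in {expr!r}")
                return inner
            if not tok.isdigit() or int(tok) not in truth:
                raise ValueError(f"unknown condition reference {tok!r}")
            return truth[int(tok)]
        keyword, combine = ("OR", lambda a, b: a or b) if level == 0 else ("AND", lambda a, b: a and b)
        result = parse(level + 1)
        while pos < len(tokens) and tokens[pos].upper() == keyword:
            pos += 1
            result = combine(result, parse(level + 1))  # right side is parsed even if already decided
        return result

    result = parse(0)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def run_investigation(events, conditions, expression="", aggregate=None,
                      time_frame=None, top=None, order_by=None):
    """Apply the filters cumulatively: matching conditions joined by the Boolean expression
    (default: all ANDed), then the aggregated condition, then the time frame [start, end),
    then the Display sort and limit."""
    expression = expression or " AND ".join(str(i) for i in range(1, len(conditions) + 1))
    results = []
    for ev in events:
        truth = {i: c.matches(ev) for i, c in enumerate(conditions, start=1)}
        if not evaluate(expression, truth):
            continue
        if aggregate is not None and not aggregate(ev):
            continue
        if time_frame is not None and not (time_frame[0] <= ev["time"] < time_frame[1]):
            continue
        results.append(ev)
    if order_by:
        results.sort(key=lambda e: e[order_by])
    return results[:top] if top else results

# Conditions 1, 2 and 3 from the page's Boolean-expression example.
PAGE_CONDITIONS = [
    Condition("source", "starts with", "NX"),
    Condition("executable", "is", "dicom.exe"),
    Condition("executable", "is", "daemon.exe"),
]

def page_example() -> list[str]:
    """Sections 2.3-2.5 combined: 1 AND (2 OR 3), response >= 300 ms, one week, top 20 by source."""
    week = (datetime(2024, 5, 6), datetime(2024, 5, 6) + timedelta(days=7))
    hits = run_investigation(SAMPLE_EVENTS, PAGE_CONDITIONS, "1 AND (2 OR 3)",
                             aggregate=lambda e: e["response_ms"] >= 300,
                             time_frame=week, top=20, order_by="source")
    return [e["source"] for e in hits]  # -> ['NX1', 'NX9']
```

Each sample event is dropped by exactly one filter except the two that survive: LAB7 fails condition 1, NX3 fails the (2 OR 3) group, NX2 fails the aggregated condition, and NX4 lies outside the one-week time frame. Running the same three conditions with the default expression (1 AND 2 AND 3) returns nothing, because an executable cannot be both dicom.exe and daemon.exe; that is why the advanced expression is needed for this investigation.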

3. Using the Display Panel

3.1. Selecting Display Columns

The columns shown in the list view of an investigation's results are defined in the Display panel.

  • Selecting columns to be displayed in an Investigation

The Display panel is organized in several sections, grouping the available attributes by topic. The topics depend on the object selected for retrieval, and only attributes that the investigation can return are offered for selection.

3.2. Limiting and Sorting Displayed Results

You can limit the number of items shown in the investigation results, and choose a column to sort them by, by selecting "The top xx sources ordered by..." instead of the default "All results". In the screenshot below, the results are limited to "The top 20 sources ordered by Computer Manufacturer in ascending" order. When limiting the number of displayed results, you can either accept one of the preset limits or type in your own.

  • Limiting the Investigation list length and selecting sort order

The above settings limit the results displayed as shown below.

  • Example of limited, sorted Investigation list

4. Using Investigation Results

This section describes how to use investigation results. Three distinct views are available for analyzing the results.

4.1. List View

The List view displays all results matching the investigation's filter rules.

  • Selecting List View

  • Time frame covered by the results (top of frame, to the left of the mouse cursor)
  • Quick time-frame adjustment to include the next or the previous day of the selected period (top of frame, to the right of the mouse cursor)
  • Number of objects matching the investigation rules, and number of objects selected in the list (bottom middle of frame)

Items can be sorted by clicking a column name; clicking the same column again reverses the sort order (low to high or high to low).

Items can be selected individually by clicking the first item, then Ctrl+clicking subsequent items.

If the items of interest are contiguous, they can be selected by clicking the first item and Shift+clicking the last item of the range.

The selected items can then be investigated further via a right-click, which offers a range of further investigation options.

  • Right-click Drill-down options

  • To add or remove columns, right-click the table header and select them directly from the contextual menu:

  • Adding and Removing columns in Display

Using the same contextual menu, you can also freeze the clicked column: that column and all columns to its left remain visible when the table is scrolled to the right to view other columns.

The column order can be changed by dragging a column to a new position.

4.2. Network activity

The Network activity tab displays a graphical representation of the network activity for a given investigation. From left to right it shows sources (devices), users, binaries, ports and destinations.

  • Displaying Network Activity

  • You can switch the display to full-screen mode by clicking the top-right icon in the network display frame (the icon under the refresh icon).
  • The Display setting (top left) can be changed from traffic (the default) to a wide range of network monitoring options (see screenshot Network Activity Display options below).

  • Selecting a path in the network activity view (see mouse cursor) shows the values for the current display setting and highlights the corresponding objects in the list to the left.
  • Right-clicking a network path lets you drill down, launch a One-click investigation or copy the display as a table (see screenshot Network Activity right-click options below).

  • Multiple network paths can be selected by Ctrl+clicking (hold the Ctrl key down while clicking subsequent network paths).
  • The same contextual menu is also available in the list on the left and in the bar chart.

Only the objects with network activity for the displayed time frame are displayed in black in the list. The grayed objects have no network activity for the selected time frame.

Note: If the maximum number of connections resulting from the investigation is reached, a warning icon is shown in the top-right of the window.

  • Warning icon if maximum number of connections is exceeded

As mentioned above, the display can easily be changed to show other network activity monitoring options.

  • There's a wide range of Network Activity Display options available

  • Network Activity Display options

Right-clicking on a network path provides a range of options for further investigation. Note that hovering your mouse over an option provides additional information via a tooltip.

  • Right-click to choose further options of analyzing your Network Activity

  • Network Activity right-click options

4.3. Local activity

The Local activity tab displays a graphic representation of the local activity for a given investigation.

  • Local Activity Graphical Display

  • The display setting can be changed from duration (the default) to traffic or executions.
  • Selecting a path in the local activity view shows the values for the current display setting and highlights the corresponding objects in the list.

Only the objects with local activity for the displayed time frame are displayed in black in the list. The grayed objects have no local activity for the selected time frame.

Note: If the maximum number of executions resulting from the investigation is reached, a warning icon is shown in the top-right of the window.

  • Warning icon if maximum number of executions is exceeded

4.4. Refreshing results

The displayed investigation results can be refreshed either by closing and relaunching the investigation window or by clicking the refresh icon.

  • Refreshing Investigation

4.5. Zooming

Network and local activity views allow dynamic zooming operations. Select activity patterns and/or bars in the time chart and click on the zoom-in icon (shortcut: double-click). The display is updated, now showing data for the selected activity and time period only. To navigate back from a zoomed-in view, click on the zoom-out icon.

  • Zooming in Network and Local Activity views

4.6. Exporting data

The list view can export its contents to Microsoft Excel or to a CSV file. Select the rows to export (Ctrl+click or Shift+click for multiple selection, Ctrl+A for all), right-click, and select Copy Rows.

  • Exporting List View data

Open a text editor or a spreadsheet application and paste the clipboard contents.

  • Pasting List View data into Excel

In the parallel-coordinates displays (the network activity and local activity views), data can also be exported by right-clicking a selected path and choosing Copy as table:

  • Exporting data from the Parallel Coordinates display

All the selected investigation data is then copied to the clipboard, ready to be pasted, for example, into Microsoft Excel, where pivot tables can be defined for your own reports and analyses.