1. One-click Investigations
1.1. Concept
One-click Investigation allows Finder users to make a new investigation based on a displayed object or attribute in a single click. More particularly, it allows the user to get new information from an investigation's result without creating a new and dedicated investigation.
1.2. Requirements
1.2.1. Templates in Settings section
One-click Investigations are based on the concept of an Investigation Template. The suggested One-click investigations are directly inherited from all existing templates, which are located in the Settings section of Finder's left window pane. To create or edit a One-click investigation template, go to the 'Select section:' part of Settings and select One-clicks from the drop down list (see screenshot below). Not that above the One-clicks entry, you will see either Global alerts or My alerts depending on whether you are logged in with an admin or non-admin account respectively.
Navigating to the One-click templates in Finder Settings (admin account)
After selecting the One-clicks templates section, you are provided with eleven predefined One-click menus as shown below, most of which contain sample one-click investigations:
Choose from one of the eleven One-click menus available
1.3. Working with One-Click Templates
Below, we have selected the Application One-click menu. Right clicking on a One click investigation provides a range of options for that investigation, namely:
- Edit...
- Run...
- Export (To clipboard or To file),
- Duplicate
- Delete
- Rename
The Edit option launches a graphical environment for you to make changes to your One-click investigation. (See Creating and Editing One-click Templates below) You may want to use the Duplicate option first and edit the 'Copy of...' investigation, keeping the original.
If you want to share a one-click with another user, you can export the one-click to the clipboard or to a file. An xml file structure is used. Importation is accessible from the global one-click menu (see below).
From the One-click Investigation menu, you have a number of options, including exporting an investigation to the clipboard or saving it to a file
Right-clicking in the One-click Investigations window in a clear area provides you with a global menu by which you can:
- create, rename and delete one-click investigations and folders
- sort files and folders alphabetically
- import and export all files and folders at the menu level to/from clipboard or file
- expand and collapse the folder structure (you can also do this at individual folder level by clicking on the [+] or [-] to the left of nested folders)
Imports and exports of one-click folders work in the same manner as for individual files, using an xml file structure.
A right-click in the One-click window provides global options for all One-click investigations within the menu group
1.4. Creating and Editing One-click Templates
If you select Create or Edit from the right-click menus as covered above, you are presented with a One-click template as shown below.
New One-click Investigation Template
The process for creating and editing a One-click template is virtually identical to that for Investigations other that there is a preexisting readonly parameter condition on the menu object id.
For guidance on configuring areas of the One-click template, please refer to the following sections in Using Investigations:
Creating an Investigation: doc/4.0.0/WorkingWithFinder/Explore/UsingInvestigations#Creating_an_Investigation
Using Matching Conditions: doc/4.0.0/WorkingWithFinder/Explore/UsingInvestigations#Using_Matching_Conditions
Selecting Display Columns: doc/4.0.0/WorkingWithFinder/Explore/UsingInvestigations#Selecting_Display_Columns
1.5. Organizing your One-click Templates
1.5.1. Use a Folder Structure to Organize your Templates
Finder supports the organization of One-click Templates through the use of Folders, which can be nested. This organization will determine the organization of the contextual one-click menu. To create a folder, right-click in a clear space in the One-click window and select Create new folder. You can then move One-click templates and folders into different folders using drag and drop.
You are able to organize your One-click templates by creating a directory structure and moving and sorting your templates and folders
Sort your folders and folder contents by using the 'Sort by name' right-click menu item. Just click on the folder containing the content you wish to sort alphabetically, right-click and select Sort by name. If you want to sort your folders and/or templates in another manner, e.g. by priority, simply drag and drop them in the order you desire.
1.5.2. Using the Description field
The description field located under the One-click template name is presented as a tooltip when you hover over the template name, so take the time to update this field when you create or modify an template - particularly if you duplicate an existing one.
Maintain description field information accuracy to provide additional detail on your One-click investigations via tooltips
In the screenshot below, you can see the Description text entered above appear as the mouse cursor is hovered over the One-click template.
Hovering over the One-click investigation name displays information from the Description field
To help you find the correct One-click template in the future, hover over a One-click template name and you will see the additional detail from the One-click Template description field.
1.6. NEXThink Library
Some predefined one-click investigation packs are available in the NEXThink Library.
2. Using a One-click Investigation
2.1. In a list view
By right-clicking an object or a list of objects resulting from an investigation, the one-click investigation drop-down list displays all available investigation templates.
One-click investigation templates available for a source, in this case 'NXT-L16'
The One-click investigation templates presented depend on the context; different investigation templates are available depending on what type of object is selected. Above we are about to select from One-click investigation templates that will 'Retrieve all events', listing Source or Execution warnings or errors for the computer NXT-L16.
In the screenshot below, we have run the investigation 'New executables' and selected the executable setup.exe, which was launched by the installation of Microsoft Visual Studio 2008. In this screenshot, we can select One-click investigation templates that are available for an executable, or from the application related to the executable.
Some of the One-click investigation templates available when you select an application or executable as a parameter
A One-click investigation can be run with a selection of items from an Investigation Listing
It is possible to launch a One-click investigation template with multiple selections by using Ctrl+click repeatedly on different selections from the List before right-clicking. In the above screenshot, we have selected two Microsoft Studio 2005 installations and a Microsoft 2008 installation. Note the One-click investigation text advice that the One-click investigation will be run 'With 3 involved applications' and we are about to 'Retrieve all events' for either 'Execution warnings' or 'Execution errors'
Click the template to run the investigation with the selected objects or attributes as parameters. A new tab appears above the top left of the snapshot as for any other investigation template, including all options to save, edit the parameters, edit the investigation or refresh the result at the top right of the investigation frame. '
When a One-click Investigation is launched the template name appears on the investigation tab and editing icons are available at the top right
Note: if the One-click investigation option is not available, it means that you haven't configured the one-click menu for the selected object. Please refer to the sections above to find out how to manage one-click menus.
2.2. In Network or Local activity views
By right-clicking an object in the network or local activity view resulting from an investigation, the one-click investigation drop-down list displays all available templates. Note the source items consolidated into the clicked on source object are highlighted in the left pane.
One-click Template options available from a Network activity Source object
When you run the One-click connections investigation, a Connections tab appears in the top of the finder frame and connection details are listed.
Output from a One-click Connections Investigation
Right clicking different objects in the Network view provides you with different One-click templates as shown below, where the Application object is right clicked.
When a One-click Investigation is launched
By right-clicking an activity path (connection or execution) in the network or local activity views resulting from an investigation, the one-click investigation enables you to investigate corresponding failed conditions (this one-click is installed by default).
One-click Investigation templates available from an activity path
Note: if the One-click investigation option is not available, it means that you haven't configured the one-click menu for the selected object. Please refer to the sections above to find out how to manage one-click menus.