Graphically observing the activity of users and devices


Graphically observing the activity of users and devices


To see at a glance the recent activities or the detailed properties of a particular user or device, open either their user view or device view in the Finder. Both the user and the device views have a Timeline tab and a Properties tab:

  • Select the Timeline tab to explore the activities of a user or device in chronological order.
  • Alternatively, select the Properties tab to display detailed information about a user or device.

By default, the device and user views open the Timeline tab. Note however that mobile devices do not have a Timeline tab, so the device view of mobile devices display only the Properties tab.

To open the user view or the device view of a particular user or device, either:

  • Look for the user or device in the search box of the Start page and click the name of the user or device in the results of the search.
  • From the list of results of an investigation based on users or devices, right-click the entry of the user or device and select Display user view or Display device view, or double-click the entry of the user or device, or select it and press Enter.
  • From any of the other graphical views of the results of an investigation (Network activity, Web activity or Local activity) that display users or devices, right-click the name or the icon of a user or device and select Display user view or Display device view.
  • From the user view itself, open the device view of any of the devices listed in the Devices section of the Timeline tab, or listed in the Last user activity section of the Properties tab, by clicking their name.
  • Likewise, from the device view, open the user view of any of the users that interacted with the device, displayed in the section Users of the Timeline tab, by clicking their name.

At the top of the view, get basic information about the selected object:

User view Device view
The name of the user.
The class of user: local, domain or system.
First Seen
The first time of recorded user activity.
Last Seen
The last time of recorded user activity.
The name of the device.
Platform icon
A pictorial representation of the platform of the device: Windows, Mac or mobile.
The base node in the hierarchy to which the device belongs.
Last IP address
The IP address of the device during its last recorded connection.
Last Seen
The last time of recorded device activity.

Below this basic object information, find the buttons that let you switch between the Timeline and the Properties tabs. When selecting the Properties tab, a comparison tool appears to the right of the basic object information. The rest of this article is dedicated to the Timeline tab, while the article on comparing the properties of users and devices focuses on the Properties tab.

To refresh the view, click the button with a circular arrow placed to the far right of the tab selection buttons. Refreshing the view is particularly useful when it is open for a long time and you want to see the last activity of a user or device.

Exploring activities in the timelines

The Timeline tab displays in fact several timelines grouped by sections. While the actual sections and their content depend on the type of object observed (user or device), the techniques to explore the timelines remain essentially the same.

To know the time scale of the timelines, find a ruler at the top of the view that divides the horizontal space in equal parts. Each subdivision of the ruler corresponds to a time interval of the recent history of the user or device under examination. Date and time labels in the ruler indicate the precise moment associated to a subdivision mark. In accordance with the ruler, an activity or event in the timelines found by following down a vertical line from a particular subdivision occurred during the time interval associated to that subdivision.

Hover the mouse cursor over a timeline with data and keep it there for a moment. A kind of structured tooltip eventually shows up. The tooltip summarizes the activities and events related to the timeline that happened during the time slot under the mouse cursor. A vertical and a horizontal dashed lines, crossing at the timeline slice pointed by the mouse cursor, show up shortly after the tooltip to help you locate the time interval in the ruler and the title of the timeline.

To investigate further what happened during a timeline slice, right-click the timeline at the point of interest. A context menu displays a list of options that let you open different views or drill down to related items, depending on the particular timeline. To directly drill down to the related main objects or events instead, double-click the timeline .

By default, the Timeline tab displays the last 24 hours in the history of a user or device.

Navigating through history

To the left of the date and time ruler, click the button with a triangle pointing to the left to go back in time. Likewise, click the button to the right of the ruler that depicts a triangle pointing to the right to go forward in time. For displaying data further in the past or closer to the present, the ruler and the timelines scroll right or left accordingly, following the opposite direction of the arrow clicked.

Alternatively, hover the mouse pointer over the ruler. The pointer turns into a double-headed horizontal arrow. Click and drag the pointer to the left to go forward in time. To go back in time, click and drag the pointer to the right. The ruler and the timelines scroll as you drag the mouse pointer.

The available history is limited by the amount of events recorded in the in-memory database of the Engine. The Finder stops scrolling to the past once you reach the time of the oldest event in the database. For completeness, the Finder lets you scroll a few hours into the future. It does not make much sense to go beyond the present time though, as the future is naturally empty of data.


The default settings of the Timeline tab let you see the last 24 hours of a user or device. At that zoom level, every subdivision in a timeline represents a time interval of 30 minutes. With this granularity, two events separated by ten minutes, for instance, may reside in the same time slot, giving the appearance of simultaneity.

To know which event happened first, select an area surrounding the apparently simultaneous events and zoom in:

  1. Click the part of the timeline located immediately before the events of interest and keep the mouse left button pressed.
  2. Drag the mouse cursor over the events of interest and release the mouse button as soon as you have covered them with a rectangular selection area.
  3. Click the magnifying glass with the plus sign that is placed in the top right corner of the timelines or press Enter.

This zoom in button is enabled only when you have selected an area in the timelines. It alsow gets disabled when you reach the maximum allowed resolution (one second per subdivision).

Some timelines related to events also propose an option to zoom in in their context menu. As an alternative to the zooming method proposed above, right-click the timeline and select Zoom in on events when available.

To zoom out to the previous level, click the magnifying glass with the minus sign in the top right corner of the timelines or press Backspace. The zoom out button is enabled until you reach the maximum time span allowed.

To go back to the default 24 hours view, click the house icon placed to the left of the two magnifying glasses.

Timeline sections of the user view

In the timelines of the user view, find events and activities related to the devices with which the user interacted, the print jobs that the user started and the services that the user accessed.

Remember that timelines are actionable. Right-clicking a point in the timeline brings up a context menu with drill-downs and other options to jump to information related to the data in the timeline.

Applies to platforms: PlatformWindows.png PlatformMac.png PlatformMobile.png


For every active device linked to the user, find one or several timelines associated to it. The information displayed in the timelines depends on the platform of the device. For Windows or Mac devices, a main timeline groups all the information available. Click the plus icon to the left of the name of the Windows or Mac device to expand the main timeline into its individual components. Mobile devices display the times of synchronization with the server.

Windows or Mac Mobile
Device alerts
Occurrences of investigation-based alerts.
Applications not responding or crashing, bluescreens and hard resets.
Notifications of high cpu load, high memory usage, or a big number input and output operations or page faults.
Times when the user was active on that device (with the keyboard or the mouse), in addition to system boots and user logons.
Exchange ActiveSync synchronization
Synchronization of the mobile device with the Exchange server.

Although Windows and Mac devices share the same timelines, note that all the information available for Windows devices is not yet available in Mac devices. Namely, Mac devices display no warnings and only hard resets as errors.

For device events to appear in the user view, they must be related to some user interaction with the machine.


For each printer, find the print jobs that the user has sent. Click the plus icon to the left of the name of the printer to break down the print jobs by device. Each print job appears then on a different timeline depending on the device that the user employed to send the print job.


See the activity of the user in relation to the services that you have defined. Click the plus button to the left of the name of the service to break down the activity by device. Depending on how you defined the service, you can further break down to the activity of the executables that compose the service.

Timeline sections of the device view

In the timeline, you can quickly detect whether the computer generated any alert, experienced any error or warning, had new software installed, connected properly to networked services, etc. This information is presented in different sections.

Note that the timeline is not available for the Mobile platform and that not all its sections are available or complete for the Mac OS platform. Namely, for Mac OS, the Errors section displays only hard reset errors, whereas the Warnings section as well as the Web services section do not exist.

From top to bottom, the timeline of the device view displays the sections detailed below.

Applies to platforms: PlatformWindows.png PlatformMac.png


There are two separate sections:

  • Global alerts.
  • My alerts (user-defined alerts).

Each defined alert has its own timeline. Occurrences of the alert are marked in the timeline, graphically showing their start time and the duration. For the sake of clarity, only alerts that have been triggered during the selected time frame are displayed.

To see the exact time of triggering and the duration of an alert, hover the mouse cursor over the occurrence of the alert. If more than one occurrences of the alert overlap, the hovering tooltip gives you a list of all the occurrences.

To see a list of all the devices that triggered an alert, right-click the mark of the alert in the time-line, choose an occurrence if more than one is available and select Show Alert.


Signal errors in the device, such as application or system crashes. The error is shown in the timeline as a red circle with a number inside. The number inside the circle is bigger than one if more than one error condition overlap in the timeline. Hovering the mouse over the circle gives you a summary of the reason for the error (or the reasons, in the case of overlapping errors).


Warnings are represented in the timeline as small boxes. The intensity of the color that fills the box indicates the severity of the warning. The more intense the color is, the more severe is the warning. High memory usage, high IO operations, and high page faults warnings use a yellow shade to signal the condition in the timeline.

On their turn, high CPU warnings signal their condition with two different colors, depending on the particular cause for issuing the warning:

  • Yellow, if the overall load in the CPU of the device is high, regardless of the load being caused by the execution of a few or a lot of applications.
  • Blue, if some specific applications have a high CPU consumption, but this load is not enough to signal an overall warning for the device.

Hovering the mouse cursor over a warning displays a summary of the reasons for the warning. For example, when hovering over warnings on applications using too much CPU or memory, a tooltip gives you a list of the applications that contributed the most to consumption of these resources.


In the Activity section, you find information about momentary activities, such as the detection of new binaries, print jobs, sytem boots, user logons and package and patch installations and uninstallations. You find as well information on lasting activities such as executions and connections.

Momentary activities are shown in their own timeline as blue circles with a number inside that indicates the number of overlapping events, similar to the red circles used for displaying errors. Lasting activities, in turn, are shown as blue squared boxes in the timeline, where the brightness of the color indicates the level of the activity (number of executions or connection traffic), similar to the boxes that are used to display warnings. As usual, if the system did not perform any activity of a certain type the activity is not shown at all, instead of displaying an empty timeline.

For every momentary activity, hovering the mouse cursor over the blue circle gives you a summary list of the causes for displaying the activity. For instance, hovering over a New binaries occurrence in the timeline displays a list of the binaries whose execution has been detected for the first time at that precise moment. Right-clicking in a blue circle of a momentary activity lets you choose among different options depending on the type of activity.

For lasting activities, that is Connections and Executions, hovering the mouse over a blue box yields:

  • For Connections, the amount of traffic registered during the time span of the box.
  • For Executions, the number of processes run on the time span of the box.

You can drill-down from a box of a lasting activity to the list of individual connections or executions that make it up by right-clicking in the box and selecting Show connections or Show executions. Connections have an additional option Show network activitiy that lets you navigate directly to a Network activity view and specify the metric to see in it (traffic in, traffic out, failed connections, etc).

In the Activity section, yellow color in the timeline warns you about administrator activity. A warning message notifies the use of administration privileges when you hover the mouse cursor over an activity timeline with yellow color. Two kinds of activities use a yellow display when they are carried out by users with administration privileges: User logons and Executions.

  • When a user logs in to a device with administration privileges, the circle representing the user logon activity is no longer blue, but yellow.
  • When a program is run with administration privileges, the blue boxes that show the executions are crossed by a yellow line to warn that at least one had admin privileges.

Network services

For every defined network-based service, you see a timeline indicating the status of the connections of the selected device to the service. Network connections to the service are displayed again as blue boxes. If any connection problem is detected, the blue boxes are crossed by a yellow line to indicate a warning and by a red line to indicate an error.

To see a summary with the statistics of the connections to the service (total traffic, number of connections, failed connections, response time, etc), hover the mouse over the desired box in the timeline. Additionally, you get a summary list of the errors and warnings that happened during the period delimited by the box, if any.

To open the Service view, click the name of the service at the beginning of the timeline or double-click a box in the timeline. There you find detailed information about the service for the last 24 hours.

Finally, you can also navigate to the Network activity view of the connections to the service from the timeline by right-clicking on any box and selecting Show network activity. Double-click in the box, as with connections in the Activity section.

Web services

If you installed the Web & Cloud module as an addition to the Nexthink Platform, you find a Web services section in the device view dedicated to web-based services. This section is very similar to the one dedicated to network-based services.

By hovering the mouse cursor over the boxes in the timeline, you get the statistics about the web-based service: traffic, requests, type of responses, average response time, etc.

To open the Service view, click the name of the web-based service at the beginning of the timeline or double-click a box in the timeline. To navigate to the Web activity view, right-click a box in the timeline and select Show web activity.


At the lower part of the device view, you find the timelines that measure the interaction of users with the selected device. There is a timeline for each user that interacted with the machine and the account name of the user is displayed to the left of the timeline. Hovering over each box in the timeline gives you the total duration of the interaction.

For privacy reasons, measurement of the interaction time of the user with the computer can be disabled. If user interaction measurement is disabled, the Users section is omitted in the device view.

Click the name of a user to open the corresponding User view.

Related concepts