Navigating through the results of an investigation

After executing an investigation, you are presented with a list of all the items that matched your query conditions. This is the List view of the Finder.

The list displays all the fields and aggregates that you selected when you edited the options of the investigation.

Sorting the results

Order the results in the List view according to the value of one of the displayed fields by clicking its corresponding column header. The arrow to the right of the column name indicates whether the sort is ascending (arrow up) or descending (arrow down). Click the column header again to reverse the direction of the sort.

By default, results are sorted according to the values of the first column in ascending order. You can click on any other column header to sort the results in other ways.

Changing the time frame

The List view displays the time frame that applies to the given results of the investigation in the top-center part of its own tab. To change the time frame of the investigation, click the calendar icon that appears to the right of the current time frame. A dialog very similar to the Time frame section of the investigation designer shows up. Set the new desired time frame and click Apply.

To return to the original time frame of your investigation, click the calendar icon and then click Reset.

If you selected a limited time frame such as a particular day, you can also navigate easily with the arrows on either side of the calendar icon. Click the right arrow to move to the next available day, or the left arrow to move to the previous day.

Setting the platform

From the List view, filter the results of an investigation according to platforms at any time:

  1. Click the platform icons (Windows, Mac, Mobile) at the top of the List view. A dialog to select the platforms shows up.
  2. Tick the check box for every platform that you want to include in the results.
  3. Optional: To go back to the platforms originally selected by the investigation, click Reset.
  4. Click Apply to filter the results according to the selected platforms.

Adding and removing display fields

To quickly add or remove fields displayed as columns in the List view:

  1. Right-click anywhere in the column headers (the top part with the names of the columns). A label selector shows up.
  2. Use the label selector to add or remove columns in the same way as you select the columns when creating the investigation.
  3. Click Apply.

To quickly remove a single column, right-click the column header and select Remove column from the context menu.

Drilling-down

Drilling-down to other items from your list of result items is one of the most powerful tools that you have for navigating through the results of your investigations. Drilling-down lets you get items related to the items in the list of results while keeping the context of your investigation, that is, enforcing the time frame and the conditions of the original investigation.

A drill-down is actually a quick investigation on objects, activities, or events that are related to a selection of the results of a previous investigation. For instance, imagine that you execute an investigation on devices, looking for those devices that executed the Nexthink Finder yesterday. You get a list of devices as a result. Imagine now that you want to know the users that executed the Finder yesterday from one or several of those devices. You can get the list of those particular users by drilling-down from the results of your previous investigation. Note that drilling-down keeps the conditions and the time frame of the original investigation, that is, the execution of the Nexthink Finder yesterday.

To drill-down from a list of results of an investigation:

  1. Execute the investigation of your choice.
  2. Select one or more of the items in the List view.
  3. Right-click the items selected. A context menu shows up.
  4. Select the option Drill-down to and choose a class of item. Items are classified into:
    • Objects
    • Activities
    • Events
  5. Within the chosen class, select a particular type of object, activity or event. Only those types of items that can be related in some way to the items in the list of results are eligible for drilling-down.
    • If the items in the list of results are filtered by platform, the drilling-down shows only those items which are compatible with the selected platform.
    • In the case that you selected multiple platforms, the drilling-down shows all those items which are compatible with any of the selected platforms.
  6. A new tab with the list of results for the drill-down opens.

The items that you can select for drilling-down also depend on the platform of the item you drill-down from. For instance, you cannot drill-down to printers from a Mac OS device, because the Mac OS platform does not support printers.

One-click investigations

One-click investigations are similar to drill-down investigations, except for the fact that they do not keep the context of the previous investigation.

For instance, to continue with the previous example, imagine that you are navigating the List view of an investigation that returns all the devices that executed the Nexthink Finder yesterday, and that you want to know all the users of a particular device. Drilling-down to users returns only those users who executed the Finder yesterday on that device. On the other hand, a one-click investigation on users returns all the users who have ever been seen on the device, regardless of what they were doing or when.

To perform a one-click investigation from the list of results of a previous investigation:

  1. Execute the investigation of your choice.
  2. Select one or more of the items in the List view.
  3. Right-click the items selected. A context menu shows up.
  4. Select the option One-click investigation and retrieve all the items of a particular class. Choose among:
    • Retrieve all objects
    • Retrieve all activities
    • Retrieve all events
    Note: for binary objects, first specify whether you want to retrieve items related to the binary itself, or to the executable or the application to which the binary belongs. Similarly, for executable objects, first choose whether you want to retrieve items related to the executable itself or to the application to which the executable belongs.
  5. Select a particular type of object, activity or event. Only those types of items that can be related in some way to the items in the list of results are eligible for a one-click investigation.
    • If the items in the list of results are filtered by platform, the one-click investigation shows only those items which are compatible with the selected platform.
    • In the case that you selected multiple platforms, the one-click investigation shows all those items which are compatible with any of the selected platforms.
  6. The Finder opens a new tab with the list of results for the one-click investigation.

Again, as with drill-downs, the items that you can select when you perform a one-click investigation also depend on the platform of the one-clicked object. For example, you cannot retrieve all events related to a Mobile device, because Mobile devices do not support events.

Saving your modifications

When you change the time frame or the displayed fields, drill-down, or perform a one-click investigation from the List view of an investigation, the system is actually executing a different investigation from the original one.

To save the new investigations that you create by applying modifications to the List view, click the floppy disk icon at the top right of the view.

Getting a graphical representation of the data

The List view gives you a plain text representation of the data stored in the Nexthink database. While this is ideal when you need a list with the exact values, it can be difficult for a human to gain insight into what is actually happening inside your IT infrastructure from a textual representation alone.

To get a graphical representation of the results in the List view, click one of the buttons in the top-left corner of the List view:

  • Network activity: to visualize network connections.
  • Web activity: to visualize web requests.
  • Local activity: to visualize local program executions.

The visualizations are computed within the context of your investigation. Therefore, not all three visualizations are present for all investigations. A visualization is available only if the context contains relevant information for it.