Support

Configuring AI tools

This Technical Preview is made available to customers free of charge for their evaluation and feedback; in general availability the functionalities of the preview may be subject to additional cost and/or licensing. As such, the Technical Preview, the documentation, and any updates are provided for limited evaluation only and on an ‘as-is’ and ‘as-available’ basis without warranty of any kind.

Define which AI tool requires monitoring for your organization for accurate visibility, labeling, and categorization of AI usage. Involve application and security stakeholders early to help streamline adoption and visibility of your AI portfolio.

Choosing AI tools to configure in Nexthink

The system automatically monitors preconfigured AI Tools out of the box—such as ChatGPT—through traffic pattern recognition, endpoint activity, and employee feedback.

You can manually configure more AI tools for monitoring in Nexthink.

1

Identify AI tools available for configuration in Nexthink:

  • Review telemetry or traffic data from the Nexthink Collector or your network security stack.

  • Consult your SSO provider or identity management platform to list active AI services.

  • Interview product owners to understand user segments and associated risks.

2

Prioritize the tools that require configuration by evaluating:

  • Widely used GenAI tools like ChatGPT, Microsoft Copilot, Gemini, or Claude.

  • Internal or custom AI agents, such as virtual assistants or chatbots developed for specific business functions.

  • AI applications embedded in productivity or communication platforms such as Copilot in Outlook or MS Teams.

  • Tools with rising adoption but uncertain compliance or business value.

Configuring AI tools for Nexthink monitoring

To configure a new AI tool:

  1. Navigate to AI Tools > Manage AI tools from the main navigation.

  2. Click the New AI tool button on the top-right corner (or select an existing tool from the table to edit).

To access and edit the configuration of existing AI tools, click on the AI tool hyperlink located in the table on the Manage AI tools page. Then, continue to follow the steps listed below.

  1. From the AI tools configuration page, fill in the fields:

    • An AI tool name, such as ChatGPT DEV.

      • The system automatically generates NQL ID of the AI tool based on the name. In this case: #chatgpt_dev

    • Description to provide AI tool details for internal use.

  2. Choose one or both Application types: Web or Desktop.

    • For Web AI applications:

      • URL Name is a free-text label to identify the configuration. Example: ChatGPT

      • URL pattern is the main domain of the web application. Defines where the AI tool is accessed. Example:chatgpt.com

      • Conversation endpoint pattern is the specific path used to detect interactions with the AI tool. Helps Nexthink identify when an interaction is occurring. Refer to the Determining the Conversation endpoint pattern using your browser section below.

    • For Desktop AI applications define their respective Binaries.

      • Desktop applications represent binaries grouped with their associated subprocesses. As a result, application-related metrics, dashboards and AI insights include all subprocesses.

      • The system estimates AI usage on Desktop-type applications using the focus_time field from the execution.events table in the NQL data model.

        • If the focus_time opt-in field is not enabled, Nexthink cannot monitor user interactions with AI tools on desktop applications.

  3. Add available Licenses for the AI tool, if available.

  4. Save AI tool configuration.

Determining the Conversation endpoint pattern using your browser

When configuring AI tools, follow these steps to discover and determine the Conversation Endpoint pattern.

From your browser:

  1. Open your AI tool web application.

  2. Navigate to the webpage to chat with the AI Tool.

    • Nexthink recommends opening a new conversation with no chat history.

  3. Open the developer tools in your browser by pressing F12 or by right-clicking to Inspect, depending on the case.

  4. Click and open the Network tab.

  5. Use the newly opened chat to send an easily identifiable message to the AI tool: Hey, let’s chat.

    • Copy the sent message to your clipboard.

  6. Click again on the Network tab to search the sent message—in this case, Hey, let’s chat.—by pressing ctrl+F or command+F, depending on your OS.

  7. Click on the found result and open the Headers subtab within the Network tab.

  8. Find the Request URL field to copy/extract the Conversation endpoint pattern required to configure the AI tool in Nexthink.

    • If the Request URL is https://chatgpt.com/backend-api/conversation , the Conversation endpoint is backend-api/conversation . See the image below.

Exception: Configuring Microsoft Copilot using API credentials

The system uses the Entra ID connector—you must configure—to collect user-license data and tag interaction events based on whether the employee uses a free or licensed version of Microsoft Copilot.

Nexthink AI Tools collects user-license data for Microsoft Copilot by default, even if you do not configure Microsoft Copilot in AI tools.

When monitoring usage of Microsoft Copilot, you can filter data by Copilot type:

  • The Microsoft 365 Copilot filter displays tool-specific data for licensed Copilot usage.

  • The Copilot chat filter displays tool-specific data for unlicensed Copilot usage.

Nexthink supports API-based setup only for Microsoft Copilot.

After setting up the Entra ID connector in Nexthink, follow these steps to configure Microsoft Copilot in AI tools:

  1. Navigate to AI tools > Manage AI tools from the main navigation.

  2. Click on the Microsoft Copilot hyperlink listed in the table on the Manage AI tools page, or use the item's action menu to Edit Copilot settings.

  3. From the AI tools configuration page, fill in the Description to provide AI tool details for internal use.

    • For Microsoft Copilot, the name and NQL ID fields are predetermined—not editable.

  4. From the API credentials dropdown, select the corresponding connector credentials you should preconfigure in Nexthink for Microsoft Copilot.

Configuring connector credentials for Microsoft Copilot.

This section references external sources. Nexthink does not control the accuracy of third-party documentation or any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to Nexthink Support.

Remember, configuring Microsoft Copilot in Nexthink AI tools requires both Copilot credentials (described below) and the Entra ID connector.

Step 1 - Configure the Azure application

Configure the application from the Azure page to retrieve AI-employee interaction data:

  1. Sign in using your Azure credentials.

  2. Register a new application.

    • During the registration process, select the Single tenant option.

  3. For the Redirect URL, select Web.

    • If the application already exists in the Azure portal, you can reuse the application to assign the permissions to retrieve AI-employee interaction data.

  4. Register the application.

  5. Access the API Permissions option from the left-side menu.

  6. Add permission for Microsoft Graph.

    • Select AiEnterpriseInteraction.Read.All and add the API permission. See the images below.

    The Status column on the permissions list indicates if the Azure account you are using lacks proper privileges. Refer to the Register an application with the Microsoft identity platform documentation from Microsoft for more information on the steps listed above.

  7. Access the Overview section of the configured application to copy and save Azure AD credentials for the Nexthink connector configuration.

    • Application (client) ID

    • Directory (tenant) ID

    • Generate and copy the client secret Value in the Azure portal using the Certificates and secret option for the Nexthink tool configuration.

      • Select New client secret.

      • Fill in the Description and Expiration values.

      • Select Add and copy the Value.

After the expiration date, you need to update the client secret in the Azure portal and for the Nexthink connector credentials.

Step 2 - Configure the Microsoft Copilot connector credentials in Nexthink

From the connector credential configuration page, fill out the fields using the information from the connection you created in Azure.

  1. Choose the HTTPS option from the Protocol drop-down.

  2. Paste the Microsoft API https://graph.microsoft.com into the URL address field.

  3. Choose the OAuth 2.0 - Client Credentials option from the Authorization drop-down.

  4. Copy the Directory (tenant) ID from the Copilot connection and paste it into the Access token URL field—include the whole URL string:

    • https://login.microsoftonline.com/<<Tenant ID>>/oauth2/v2.0/token

    • Example: https://login.microsoftonline.com/2efa03d5-62e6-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/token

  5. Enter the Client ID and Client secret you obtained from configuring the Azure application.

  6. Add https://graph.microsoft.com/.default in the Scope field.

  7. Select Header under Authorization information. Nexthink advises against selecting Body based on Request for Comments (RFC) standards.

  8. Save the credential.

  1. Add available Licenses for Microsoft Copilot, if available.

  2. Save AI tool configuration.

Only valid connector credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors:

Please correct the following Issues:

  • Credential error: Invalid client id.

F.A.Q about Microsoft Copilot data retrieval

Do I always need the connector for Microsoft Entra ID to retrieve Copilot-employee interaction data?

Yes, the connector for Microsoft Entra ID is needed to correctly retrieve AI interaction data from Microsoft Copilot.

How can I verify that I have properly configured the subscription?

When saving the Microsoft Copilot settings in Nexthink AI tools for monitoring, the system automatically checks the connector credentials.

Only valid credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors.

How often is the Copilot AI interaction data refreshed? Is it instant?

The current mechanism uses a subscription to receive the data from Graph API. Every time an AI interaction happens, the system pushes the interaction details to the Nexthink platform.

The process is not instant, as the data typically arrives less than 1 minute after the interaction happens, but Microsoft Graph API has a maximum latency of 60 minutes for AI interactions.

Configuring custom filters for AI tools dashboards

Requires Nexthink administrator permissions.

After setting up AI tools for Nexthink monitoring, you can leverage Nexthink System configuration to add custom filters for AI tools dashboards based on your organizational employee groups—as defined by your company hierarchy or holacracy.

To add custom filters to AI tools dashboards, follow these steps:

1

Create user organization fields

Add up to six user organization fields representing HR hierarchy or groups:

  • Navigate to Administration > Product configuration from the main navigation, and select the Device and user classification tab.

  • Under User organization, add a new user organization field, including its description, for example: Business unit.

    • The system automatically generates an NQL ID for the created field: Business_unit.

  • Drag and drop the created user-organization-field items to order them according to your company hierarchy.

2

Enrich the user organization fields

The created user organization fields are available in the data model but without values.

To enrich user organization fields with data, use one of the following options:

  • Field mapping using inbound connectors—see the image below—to access your employee-management application, such as Entra ID or Salesforce, and map employee attributes to the user organization fields.

  • Nexthink Enrichment API to update the values of user organization fields with attributes from outside sources.

  • Custom fields management to update user organization fields by uploading a CSV file with user information.

  • Edition of custom fields from Investigations to manually update user organization fields with user information.

The example below uses an inbound connector for Entra ID to map the user organizational field—Business unit—to a chosen Entra ID field.

3

Validate the user organization field

Validate the user organization custom field by running the NQL query from Investigations, aggregating a group of users matching the specific HR hierarchy—in this example, the Business_unit: EMEA Finance.

users
| where user.organization.#business_unit == "EMEA Finance"

By successfully enriching a created user organization field, the system automatically displays this field as a custom filter at the top of all AI tools dashboards.

RELATED TASKS

Last updated

Was this helpful?