Managing Investigations
The Investigations administration page allows you to create, share and manage all of your investigations in one place.
Click Save as in the top-right corner of the Investigations page to save an investigation.
Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.
If you are editing an existing investigation:
Click Save to save the changes.
Click Save as to save the investigation under a different name.
Share a saved investigation with groups of Nexthink users based on their user Roles and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation.
To share investigations, you need the Manage all investigations permission or the Share private investigations permission.
To share an investigation from the investigation page:
Click on the three dots icon in the top-right corner of the Investigations page and select Share to open the Share pop-up.
In the Add role text field, type in the user account role you wish to share the investigation with.
From the Select permissions drop-down menu, select the appropriate permissions for the profile. The choices are:
View: Gives a user read-only access to the investigation and the right to save a copy of it.
Edit: Allows a user to modify and save the investigation to collaborate on it with others.
Clear all: Disables all permissions.
Grant permissions to share the investigation.
To remove existing Share permissions:
Hover over the Permissions column for a given permission entry and click on the action menu.
Select Remove all permissions.
All shared investigations appear in the Shared tab of the navigation panel. The investigations that you have editing rights to also appear on the Manage investigations page.
The visibility of shared investigations is determined by the Investigations permissions granted to the user's role.
To share an investigation without saving it, use one of the following options:
Select Copy link from the menu in the top-right corner of the Investigations page. Copy link shares the search query as a URL, which is always treated as a new investigation for the user you send the link to.
Copy the page URL from the browser's address bar.
For an investigation that has not been saved, the link shares the search query in the URL and is treated as a new investigation.
For a saved investigation, the link opens the existing investigation.
Select the Export results option from the menu in the top-right corner of the Investigations page to export the data returned by the investigation to a CSV file. Nexthink asks you to name this file before downloading it.
By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.
Selecting the Formatted data checkbox in the Export results in the CSV pop-up allows you to format Raw data. See the table below for more details.
The table below displays the differences between exporting Raw data and Formatted data for most data types.
Data type | Example of Raw data | Example of Formatted data |
---|---|---|
bool/bool | 0 1 | No Yes |
bytes/bytes | 5109928912799 | 4.65 TB |
jsontype[]/device/antivirus | Cortex XDR™ Advanced Endpoint Protection; Microsoft Defender Antivirus | |
jsontype[]/device/cpu | Apple M1 Pro | |
jsontype[]/device/disk | APPLE SSD AP1024R | |
jsontype[]/device/firewall | Windows Firewall | |
jsontype[]/device/gpu | NVIDIA Quadro P520; Intel UHD Graphics | |
jsontype[]/device/local_admin | Kanopy@KAN-HDKTYD3; localadmin@KAN-HDKTYD3 | |
jsontype[]/device/monitor | DELL; Wide viewing angle & High density FlexView Display 1920x1080 | |
jsontype[]/device/volume | disk0s1; disk0s2; disk0s3 | |
numeric/duration | 900 | 15min |
numeric/float | 4997.0634765625 | 5k |
numeric/long | 4111 | 4111 |
numeric/integer | 3462 | 3.46k |
numeric/numeric | 65287 | 65287 |
string/bytes | xdt7cS8oDDrk9zGtfV6hcQ== | xdt7cS8oDDrk9zGtfV6hcQ== |
string/datetime | 2024-02-23 17:45:00 | 23/02/2024 17:45:00 |
string/ipAddress | 192.168.1.23 | 192.168.1.23 |
string/ipAddressArray | ::ffff:62.2.17.60,::ffff:62.2.24.162 | ::ffff:62.2.17.60::ffff:62.2.24.162 |
string/jsonArrayString | Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc | |
string/string | NXT-FVFWW2RZHV2H | NXT-FVFWW2RZHV2H |
string/uuid | a8572a66-e312-4bda-9515-9b9666555aa4 | a8572a66-e312-4bda-9515-9b9666555aa4 |
string/version | [10,0,22000,653] | 10.0.22000.653 |
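
An added example, not part of the Nexthink documentation: Python code that reads a Raw data export and converts several of the types in the table above for downstream analysis, for instance before loading device records into a log pipeline. The column names and the conversion rules (1024-based byte units, durations in seconds) are assumptions inferred from the table's examples, not a documented Nexthink specification.

```python
import csv
import io
import ipaddress
import json
from datetime import datetime

# Constructed sample of a Raw data export. The column names are hypothetical;
# the cell values are the Raw examples from the table above.
SAMPLE_CSV = '''name,disk_size,uptime,os_version,ip_addresses,last_seen
NXT-FVFWW2RZHV2H,5109928912799,900,"[10,0,22000,653]","::ffff:62.2.17.60,::ffff:62.2.24.162",2024-02-23 17:45:00
'''

def human_bytes(raw):
    """Raw byte count -> 1024-based unit string (assumed rule), e.g. 4.65 TB."""
    value = float(raw)
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if value < 1024 or unit == "PB":
            return f"{value:.2f} {unit}"
        value /= 1024

def version_string(raw):
    """Raw string/version is a JSON array of integers; join it with dots."""
    return ".".join(str(part) for part in json.loads(raw))

def ip_list(raw):
    """Split an ipAddressArray cell and unwrap IPv4-mapped IPv6 addresses."""
    out = []
    for item in filter(None, (s.strip() for s in raw.split(","))):
        addr = ipaddress.ip_address(item)  # raises ValueError on bad input
        mapped = getattr(addr, "ipv4_mapped", None)
        out.append(str(mapped or addr))
    return out

def parse_raw_export(text):
    """Return one normalized dict per CSV row of a Raw data export."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"],
            "disk_size": human_bytes(row["disk_size"]),
            "uptime_min": int(row["uptime"]) // 60,  # assumes seconds
            "os_version": version_string(row["os_version"]),
            "ip_addresses": ip_list(row["ip_addresses"]),
            "last_seen": datetime.strptime(row["last_seen"],
                                           "%Y-%m-%d %H:%M:%S"),
        })
    return rows
```

Exporting Raw data keeps numeric and address fields machine-readable, so comparisons and sorting stay exact and display formatting is applied only at the end.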
Select the Export Investigation option from the menu in the top-right corner of the Investigations page to export and download your investigations as a JSON file.
Rename or Delete an existing investigation using the action menu from the Investigations page.
Select Investigations > Manage investigations from the main menu.
The main menu displays Shared and Private investigations sorted by tags.
Refer to the Getting started with Investigations documentation to grant permissions for Investigations.
From the Manage investigations page:
Click on the name of an investigation to edit it or view the results of the NQL query.
Sort the listed investigations by name or by typing/selecting investigation tags.
Import an investigation by selecting the investigation's JSON file.
Hover over an investigation to reveal the action menu on the right side of the table.
Hovering over the action menu on the right side of the table allows you to:
View: See the results of the query on the Investigations page.
Rename: Change the name of the investigation.
Edit tags: Create, assign and edit investigation tags. Refer to the Tagging investigations section.
Share: Grant permissions to other users to view or edit the investigation. Refer to the Sharing saved investigation section on this page.
Export: Export the investigation to a JSON file. Refer to the Exporting investigation section on this page.
Duplicate: Create a copy of the investigation.
Delete: Remove the investigation from the system.
Tagging allows you to quickly sort and filter investigations. Apply one or many tags to investigations.
From the Manage investigations page:
Hover over an investigation to reveal the action menu on the right side of the table.
Click the Edit tags option from the investigation action menu to open the Tags pop-up.
Type a new tag or type the name of an existing one to add it to the investigation.
Open the tag’s action menu to remove the tag from the investigation or change the tag color.
Deleting a tag only removes it from the selected investigation.