Managing Investigations

The Investigations administration page allows you to create, share and manage all of your investigations in one place.

Managing Investigations from investigation page

Saving an investigation

Click Save as in the top-right corner of the Investigations page to save an investigation.

Saved investigations appear on the Manage Investigations page and in the navigation panel for the Investigations module.

If you are editing an existing investigation:

  • Click Save to save the changes.

  • Click Save as to save the investigation under a different name.

Sharing saved investigation

Share a saved investigation with groups of Nexthink users based on their user Roles and collaborate with them on an investigation. Grant permissions to other users to view or edit the investigation.

To share investigations, you need the Manage all investigations permission or the Share private investigations permission.

To share an investigation from the investigation page:

  1. Click on the three dots icon in the top-right corner of the Investigations page and select Share to open the Share pop-up.

  2. In the Add role text field, type in the user account role you wish to share the investigation with.

  3. From the Select permissions drop-down menu, select the appropriate permissions for the profile. The choices are:

    • View: Gives a user read-only access to the investigation and the right to save a copy of it.

    • Edit: Allows a user to modify and save the investigation to collaborate on it with others.

  4. Clear all to disable all permissions.

  5. Grant permissions to share the investigation.

To remove existing Share permissions:

  • Hover over the Permissions column for a given permission entry and click on the action menu.

  • Select Remove all permissions.

All shared investigations appear in the Shared tab of the navigation panel. The investigations that you have editing rights to also appear on the Manage investigations page.

The visibility of shared investigations is determined by the Investigations permissions granted to the user's role.

Sharing investigation without saving it

To share an investigation without saving it, use one of the following options:

  • Select Copy link from the menu in the top-right corner of the Investigations page. Copy link shares the search query as a URL and is always treated as a new investigation for the user you send the link to.

  • Copy the page URL from the browser's address bar.

    • For an investigation that has not been saved, the link shares the search query in the URL and is treated as a new investigation.

    • For a saved investigation, the link opens the existing investigation.

Exporting investigation results

Select the Export results option from the menu in the top-right corner of the Investigations page to export the data returned by the investigation to a CSV file. Nexthink asks you to name this file before downloading it.

  • By default, the Visual editor limits the maximum number of query results to 10,000 rows on the webpage. The export to CSV feature returns up to 1,000,000 rows.

  • Selecting the Formatted data checkbox from the Export results in the CSV pop-up allows you to format Raw data. See the table below for more details.

Exporting Formatted data versus Raw data

The table below displays the differences between exporting Raw data and Formatted data for most data types.

| Data type | Example of Raw data | Example of Formatted data |
| --- | --- | --- |
| bool/bool | 0 / 1 | No / Yes |
| bytes/bytes | 5109928912799 | 4.65 TB |
| jsontype[]/device/antivirus | [{"name":"Cortex XDR™ Advanced Endpoint Protection","realTimeProtection":2,"upToDate":2},{"name":"Microsoft Defender Antivirus","realTimeProtection":3,"upToDate":2}] | Cortex XDR™ Advanced Endpoint Protection; Microsoft Defender Antivirus |
| jsontype[]/device/cpu | [{"name":"Apple M1 Pro","numberOfCores":10,"numberOfLogicalCpus":10}] | Apple M1 Pro |
| jsontype[]/device/disk | [{"name":"APPLE SSD AP1024R","type":3,"bootDisk":true,"size":1.00055561E12}] | APPLE SSD AP1024R |
| jsontype[]/device/firewall | [{"name":"Windows Firewall","realTimeProtection":2}] | Windows Firewall |
| jsontype[]/device/gpu | [{"name":"NVIDIA Quadro P520","ram":"2147483648"},{"name":"Intel UHD Graphics","ram":"1073741824"}] | NVIDIA Quadro P520; Intel UHD Graphics |
| jsontype[]/device/local_admin | [{"name":"Kanopy@KAN-HDKTYD3","type":1},{"name":"localadmin@KAN-HDKTYD3","type":1}] | Kanopy@KAN-HDKTYD3; localadmin@KAN-HDKTYD3 |
| jsontype[]/device/monitor | [{"name":"DELL","serialNumber":"D1CLSS2-4133544C","vendor":"DEL","manufacturingYear":2019,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":27.1},{"name":"Wide viewing angle \u0026 High density FlexView Display 1920x1080","vendor":"LEN","manufacturingYear":2018,"maxHorizontalResolution":1920,"maxVerticalResolution":1080,"diagonalSize":13.9}] | DELL; Wide viewing angle & High density FlexView Display 1920x1080 |
| jsontype[]/device/volume | [{"name":"disk0s1","size":5.24288E8,"usage":0.232,"freeSpace":4.02653184E8,"mount":"disk0s1"},{"name":"disk0s2","system":true,"size":4.94384808E11,"usage":0.9055235,"freeSpace":4.6707769E10,"mount":"disk0s2"},{"name":"disk0s3","size":5.3686641E9,"usage":1.0,"mount":"disk0s3"}] | disk0s1; disk0s2; disk0s3 |
| numeric/duration | 900 | 15min |
| numeric/float | 4997.0634765625 | 5k |
| numeric/long | 4111 | 4111 |
| numeric/integer | 3462 | 3.46k |
| numeric/numeric | 65287 | 65287 |
| string/bytes | xdt7cS8oDDrk9zGtfV6hcQ== | xdt7cS8oDDrk9zGtfV6hcQ== |
| string/datetime | 2024-02-23 17:45:00 | 23/02/2024 17:45:00 |
| string/ipAddress | 192.168.1.23 | 192.168.1.23 |
| string/ipAddressArray | ::ffff:62.2.17.60,::ffff:62.2.24.162 | ::ffff:62.2.17.60::ffff:62.2.24.162 |
| string/jsonArrayString | ["Appinfo","NaturalAuthentication","TokenBroker","UserManager","XblGameSave","shpamsvc"] | Appinfo, NaturalAuthentication, TokenBroker, UserManager, XblGameSave, shpamsvc |
| string/string | NXT-FVFWW2RZHV2H | NXT-FVFWW2RZHV2H |
| string/uuid | a8572a66-e312-4bda-9515-9b9666555aa4 | a8572a66-e312-4bda-9515-9b9666555aa4 |
| string/version | [10,0,22000,653] | 10.0.22000.653 |
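
The Raw-to-Formatted mapping from the table above, reproduced for a few data types as an added Python example (not Nexthink code). The conversion rules are inferred from the table's example rows only, and all function names are hypothetical. It also reports which jsontype[] fields exist only in the Raw export, which matters when the export feeds a review of antivirus, firewall or local administrator data.

```python
import json
from datetime import datetime

# Rules below are inferred from the example rows in the table above.
# This is not Nexthink's formatter and it covers only these data types.

def fmt_bytes(raw):
    size = float(raw)
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if size < 1024 or unit == "PB":
            return f"{size:.2f} {unit}"
        size /= 1024

def fmt_json_objects(raw):
    # jsontype[] columns: only "name" survives formatting; every other
    # key of each object is present in the Raw export alone.
    return "; ".join(item["name"] for item in json.loads(raw))

def fmt_datetime(raw):
    parsed = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return parsed.strftime("%d/%m/%Y %H:%M:%S")

FORMATTERS = {
    "bool": lambda raw: {"0": "No", "1": "Yes"}[raw],
    "bytes": fmt_bytes,
    "jsontype[]": fmt_json_objects,
    "jsonArrayString": lambda raw: ", ".join(json.loads(raw)),
    "datetime": fmt_datetime,
    "version": lambda raw: ".".join(str(p) for p in json.loads(raw)),
}

def format_cell(data_type, raw):
    """Return the formatted form of one raw CSV cell; other types pass through."""
    formatter = FORMATTERS.get(data_type)
    return formatter(raw) if formatter else raw

def dropped_fields(raw):
    """Keys of a raw jsontype[] cell that the formatted export omits."""
    return sorted({key for item in json.loads(raw) for key in item} - {"name"})
```
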

Exporting investigation configuration

Select the Export Investigation option from the menu in the top-right corner of the Investigations page to export and download your investigations as a JSON file.

Rename or Delete an existing investigation using the action menu from the Investigations page.

Managing investigations from Manage investigations page

Accessing the Manage investigations page

Select Investigations > Manage investigations from the main menu.

The main menu displays Shared and Private investigations sorted by tags.

Refer to the Getting started with Investigations documentation to grant permissions for Investigations.

Managing investigations

From the Manage investigations page:

  1. Click on the name of an investigation to edit it or view the results of the NQL query.

  2. Sort the listed investigations by name or by typing/selecting investigation tags.

  3. Import an investigation by selecting the investigation's JSON file.

  4. Hover over an investigation to reveal the action menu on the right side of the table.

Hovering over the action menu on the right side of the table allows you to:

  • View: See the results of the query on the Investigations page.

  • Rename: Change the name of the investigation.

  • Edit tags: Create, assign and edit investigation tags. Refer to the Tagging investigations section.

  • Share: Grant permissions to other users to view or edit the investigation. Refer to the Sharing saved investigation section on this page.

  • Export: Export the investigation to a JSON file. Refer to the Exporting investigation section on this page.

  • Duplicate: Create a copy of the investigation.

  • Delete: Remove the investigation from the system.

Tagging investigations

Tagging allows you to quickly sort and filter investigations. Apply one or many tags to investigations.

From the Manage investigations page:

  1. Hover over an investigation to reveal the action menu on the right side of the table.

  2. Click the Edit tags option from the investigation action menu to open the Tags pop-up.

  3. Type a new tag or write the name of an existing one to add it to the investigation.

  4. Open the tag’s action menu to remove the tag from the investigation or change the tag color.

Deleting a tag only removes it from the selected investigation.
