Graphically observing the activity of users and devices with Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

Overview

To see recent activities at a glance, scores, or detailed properties of a particular user or device respectively, open the user view or the device view in Finder. Both the user and the device views include a Timeline tab and a Properties tab, as well as up to ten score tabs:

  • Select the Timeline tab to explore the activities of a user or device in chronological order.

  • Select the Properties tab to display detailed information about a user or device.

  • Select a score tab to see the breakdown of the ratings of a user or device, according to the aspects covered by the main score. Optionally launch remote actions on devices with a low score when the documentation of the score includes links to remote actions.

By default, the device and user views open the Timeline tab.

To open the user view or the device view of a particular user or device, either:

  • Look for the user or device in the search box of the Start page and click the name of the user or device in the results of the search.

  • From the list of results of an investigation based on users or devices, right-click the entry of the user or device and select Display user view or Display device view, or double-click the entry of the user or device, or select it and press Enter.

  • From any of the other graphical views of the results of an investigation (Network, Web or Local activity views) that display users or devices, right-click the name or the icon of a user or device and select Display user view or Display device view.

  • From the user view itself, open the device view of any of the devices listed in the Devices section of the Timeline tab, or listed in the Last user activity section of the Properties tab, by clicking their name.

  • Likewise, from the device view, open the user view of any of the users that interacted with the device, displayed in the section Users of the Timeline tab, by clicking their name.

At the top of the view, get basic information about the selected object:

User viewDevice view

Name

The name of the user.

Type

The class of user: local, domain or system.

First Seen

The first time of recorded user activity.

Last Seen

The last time of recorded user activity.

Name

The name of the device.

Platform icon

A pictorial representation of the platform of the device: Windows or Mac.

Entity

The leaf node in the hierarchy, followed by the name of the Engine between parentheses, to which the device belongs.

Last IP address

The IP address of the device during its last recorded connection.

Last Seen

The last time of recorded device activity.

Below this basic object information, find the buttons that allow you to switch between the Timeline, Properties, and scores tabs. When selecting the Properties tab, a comparison tool appears to the right of the basic object information. Because this section focuses on visualizing system activity, the rest of this article is dedicated to the Timeline tab. To learn more about the Properties tab, see the article on properties of users and devices. For more information about the score tabs, see how to check the ratings of users and devices.

To refresh the view, click the button with the circular arrow placed to the far right of the tab selection buttons. Refreshing the view is particularly useful when it is open for a long time and you want to see the last activity of a user or device.

Exploring activities in the timelines

The Timeline tab displays several timelines grouped by sections. While the actual sections and their content depend on the type of object observed (user or device), the techniques used to explore the timelines remain essentially the same.

To know the time scale of the timelines, find the ruler at the top of the view that divides the horizontal space into equal parts. Each subdivision of the ruler corresponds to a time interval of the recent history of the user or device under examination. Date and time labels in the ruler indicate the precise moment associated with a subdivision mark. In accordance with the ruler, an activity or event in the timelines found by following down a vertical line from a particular subdivision occurred during the time interval associated with that subdivision.

Hover the cursor over a timeline that contains data and keep it there for a moment. A structured tooltip will eventually appear. This tooltip summarizes the activities and events related to the timeline that have happened in the time slot under the cursor. A vertical and horizontal dashed line, crossing at the timeline slice pointed by the mouse cursor, show up shortly after the tooltip to help you locate the time interval in the ruler and the title of the timeline.

To further investigate what has occurred during a timeline slice, right-click the timeline at the point of interest. A context menu displays a list of options that allows you to open different views or drill down to related items, depending on the particular timeline. To directly drill down to the related main objects or events instead, double-click the timeline.

By default, the Timeline tab displays the last 24 hours in the history of a user or device.

Navigating through history

To the left of the date and time ruler, click the button with the left-pointing triangle to go back in time. Likewise, click the button to the right of the ruler with the right-pointing triangle to go forward in time. To display data from further in the past or data in the recent past, the ruler and the timelines scroll right or left accordingly, following the opposite direction of the arrow clicked.

Alternatively, hover the cursor over the ruler. The pointer turns into a double-headed horizontal arrow. Click and drag the pointer to the left to go forward in time. To go back in time, click and drag the pointer to the right. The ruler and the timelines scroll as you drag the cursor.

The available history is limited by the number of events recorded in the in-memory database of the Engine. Finder stops scrolling into the past once you’ve reached the time of the oldest event in the database. To have a complete view, Finder allows you to scroll a few hours into the future. However, it is not necessary to go beyond the present time because the future is naturally empty of data.

Zooming

The default settings of the Timeline tab let you see the last 24 hours of a user or device. At this zoom level, every subdivision in a timeline represents a time interval of 30 minutes. With this granularity, two events separated by ten minutes, for instance, may reside in the same time slot, giving the appearance of simultaneity.

To know which event has happened first, select an area surrounding the seemingly simultaneous events and zoom in:

  1. Click the part of the timeline located immediately before the events of interest and keep the left mouse button pressed.

  2. Drag the cursor over the events of interest and release the mouse button as soon as you have covered them with a rectangular selection area.

  3. Click the magnifying glass with the plus sign that is placed in the top right corner of the timelines or press Enter.

The zoom in button is enabled only when you have selected an area in the timelines. It will be disabled when you reach the maximum allowed resolution (one second per subdivision).

Some timelines related to events also propose an option to zoom in on their context menu. As an alternative to the zooming method suggested above, right-click the timeline and select Zoom in on events when available.

To zoom back out to the previous level, click the magnifying glass with the minus sign in the top right corner of the timelines or press Backspace. The zoom out button is enabled until you reach the maximum time span allowed (7 days).

To go back to the default 24-hour view, click the house icon placed to the left of the two magnifying glasses.

Timeline sections of the user view

In the timelines of the user view, find events and activities related to the devices the user has interacted with and the services that the user has accessed.

Remember that timelines are actionable. Right-clicking a point in the timeline brings up a context menu with drill-downs and other options to jump to information related to the data in the timeline.

Devices

For every active device linked to the user, find one or several timelines associated with it. If Cross-Engine features are enabled in Finder, the section includes those devices located on any Engine; otherwise, the section only displays the devices located on the Engine to which Finder is currently connected. The information displayed in the timelines depends on the platform of the device. For Windows or Mac devices, a main timeline regroups all the information available. Click the plus icon to the left of the name of the Windows or Mac device to expand the main timeline into its individual components.

Windows or Mac

Device alerts

Occurrences of investigation-based alerts.

Errors

Applications not responding or crashing, system crashes (Windows bluescreens or macOS kernel panics) and hard resets.

Warnings

Notifications of high cpu load, high memory usage, or a big number input and output operations or page faults.

Interaction

Times when the user was active on that device (with the keyboard or the mouse), in addition to system boots and user logons.

Citrix RTT

The measure of user screen lag.

Session network latency

Indication of the time delay between a user action and its visual response.

Windows and Mac devices share the same timelines, but warnings about IO operations or page faults are available for Windows devices only.

For device events to appear in the user view, they must be related to some user interaction with the machine.

Services

See the activity of the user in relation to the services that you have defined. Click the plus button to the left of the name of the service to break down the activity by device. Again, if Cross-Engine features are enabled, devices located on a different Engine from the Engine to which Finder is currently connected are also shown on the list.

Depending on how you’ve defined the service, you can further break down the activity of the executables that compose the service.

Timeline sections of the device view

In the timeline, you can quickly detect whether the computer has generated any alert, experienced any error or warning, had new software installed, connected properly to networked services, etc. This information is presented in different sections.

Note that not all the timeline sections are available or complete for the Mac platform. Namely, for macOS, the Web services section does not exist.

Note as well, that the same device that has connected to several Engines because it changed its assignment, is seen as a different device by each Engine. Therefore, all the data in the device view comes from a single Engine and there is no merged data, even when the Cross-Engine features are enabled.

From top to bottom, the timeline of the device view displays the sections detailed below.

Alerts

There are two separate sections:

  • Global alerts.

  • My alerts (user-defined alerts).

Each defined alert has its own timeline. Occurrences of the alert are marked in the timeline, graphically showing their start time and duration. For the sake of clarity, only alerts that have been triggered during the selected time frame are displayed.

To see the exact time of triggering and the duration of an alert, hover the cursor over the occurrence of the alert. If more than one occurrence of the alert overlaps, the hovering tooltip gives you a list of all the occurrences.

To see a list of all the devices that triggered an alert, right-click the mark of the alert in the timeline, choose an occurrence if more than one is available and select Show Alert.

Errors

Signal errors in the device, such as application or system crashes. The error is shown in the timeline as a red circle with a number inside. The number inside the circle is bigger than one if more than one error condition overlap in the timeline. Hovering the mouse over the circle gives you a summary of the reason for the error (or the reasons, in the case of overlapping errors).

Warnings

Warnings are represented in the timeline as small boxes. The intensity of the color that fills the box indicates the severity of the warning. The more intense the color is, the more severe the warning is. High memory usage, high IO operations, and high page fault warnings use a yellow shade to signal the condition in the timeline.

High CPU warnings signal their condition with two different colors, depending on the particular cause for issuing the warning:

  • Yellow, if the overall load in the CPU of the device is high, regardless of whether the load is caused by the execution of a few or many applications.

  • Blue, if some specific applications have a high CPU consumption, but this load is not enough to signal an overall warning for the device.

Hovering the cursor over a warning displays a summary of the reasons for the warning. For example, when hovering over warnings on applications using too much CPU or memory, a tooltip gives you a list of the applications that have contributed the most to the consumption of these resources.

Activity

In the Activity section, you find information about momentary activities, such as the detection of new binaries, system boots, user logons and package and patch installations and uninstallations. You find as well information on lasting activities such as executions and connections.

Momentary activities are shown in their own timeline as blue circles with a number inside that indicates the number of overlapping events, similar to the red circles used for displaying errors. Lasting activities, in turn, are shown as blue squared boxes in the timeline, where the brightness of the color indicates the level of the activity (number of executions or connection traffic), similar to the boxes that are used to display warnings. As usual, if the system has not performed an activity of a certain type, the activity will not be shown at all, instead of displaying an empty timeline.

For every momentary activity, hovering the cursor over the blue circle gives you a summary list of the causes for displaying the activity. For instance, hovering over a New binaries occurrence in the timeline displays a list of the binaries whose execution has been detected for the first time at that precise moment. Right-clicking in a blue circle of a momentary activity allows you to choose among different options depending on the type of activity.

For lasting activities, that is Connections and Executions, hovering the mouse over a blue box yields:

  • For Connections, the amount of traffic registered during the time span of the box.

  • For Executions, the number of processes run on the time span of the box.

You can drill-down from the box of a lasting activity to the list of individual connections or executions that compose it by right-clicking in the box and selecting Show connections or Show executions. Connections have an additional option Show network activity that allows you to navigate directly to a Network activity view and specify the metric to view in it (traffic in, traffic out, failed connections, etc).

In the Activity section, the color yellow in the timeline warns you about administrator activity. A warning message notifies the use of administration privileges when you hover the cursor over a yellow-colored activity timeline. Two kinds of activities use a yellow display when they are carried out by users with administration privileges: User logons and Executions.

  • When a user logs in to a device with administrator privileges, the circle representing the user logon activity is no longer blue, but yellow.

  • When a program is run with administrative privileges, the blue boxes that show the executions are crossed by a yellow line to warn that at least one has admin privileges.

Network services

For every defined network-based service, you see a timeline indicating the status of the connections of the selected device to the service. Network connections to the service are displayed again as blue boxes. If any connection problem is detected, the blue boxes are crossed by a yellow line to indicate a warning and by a red line to indicate an error.

To see a summary with the statistics of the connections to the service (total traffic, number of connections, failed connections, response time, etc.), hover the mouse over the desired box in the timeline. Additionally, you get a summary list of the errors and warnings that happened within the period delimited by the box, if any.

To open the Service view, click the name of the service at the beginning of the timeline or double-click a box in the timeline. There you find detailed information about the service for the last 24 hours.

Finally, you can also navigate to the Network activity view of the connections to the service from the timeline by right-clicking on any box and selecting Show network activity. Double-click in the box, as with connections in the Activity section.

Web services

If you installed the Web & Cloud product as an addition to Nexthink Platform, you find a Web services section in the device view dedicated to web-based services. This section is very similar to the one dedicated to network-based services.

By hovering the cursor over the boxes in the timeline, you get statistics about the web-based service: traffic, requests, type of responses, average response time, etc.

To open the Service view, click the name of the web-based service at the beginning of the timeline or double-click a box in the timeline. To navigate to the Web activity view, right-click a box in the timeline and select Show web activity.

Users

In the lower part of the device view, you find the timelines that list the users who have interacted with the system. There is a timeline for each one of them and the associated account name is displayed on the left side.

For users connecting remotely, the timeline provides additional information. The quality of the data transfer is monitored using the session network latency. If the connection is done using the ICA protocol, the Citrix RTT is available. Executions initiated by the user are also added to the timeline.

For privacy reasons, the measurement of the interaction time of the user with the computer can be disabled. If user interaction measurement is disabled, the User interaction data is not displayed.

Click the name of a user to open the corresponding User view.

Last updated

#451: 2024.8-Overview of integration DOC

Change request updated