Graphically observing the activity of users and devices

Overview

To see at a glance the recent activities, scores, or detailed properties of a particular user or device, respectively open the user view or the device view in the Finder. Both the user and the device views include a Timeline tab and a Properties tab, as well as up to ten score tabs:

  • Select the Timeline tab to explore the activities of a user or device in chronological order.

  • Select the Properties tab to display detailed information about a user or device.

  • Select a score tab to see the breakdown of the ratings of a user or device, according to the aspects covered by the main score. Optionally launch remote actions on devices with a low score when the documentation of the score includes links to remote actions.

By default, the device and user views open the Timeline tab.

To open the user view or the device view of a particular user or device, either:

  • Look for the user or device in the search box of the Start page

    and click the name of the user or device in the results of the search.

  • From the list of results of an investigation based on users or devices, right-click the entry of the user or device and select Display user view or Display device view, or double-click the entry of the user or device, or select it and press Enter.

  • From any of the other graphical views of the results of an investigation (Network, Web or Local activity views) that display users or devices, right-click the name or the icon of a user or device and select Display user view or Display device view.

  • From the user view itself, open the device view of any of the devices listed in the Devices section of the Timeline tab, or listed in the Last user activity section of the Properties tab, by clicking their name.

  • Likewise, from the device view, open the user view of any of the users that interacted with the device, displayed in the section Users of the Timeline tab, by clicking their name.

At the top of the view, get basic information about the selected object:

User viewDevice view

Name

The name of the user.

Type

The class of user: local, domain or system.

First Seen

The first time of recorded user activity.

Last Seen

The last time of recorded user activity.

Name

The name of the device.

Platform icon

A pictorial representation of the platform of the device: Windows or macOS.

Entity

The leaf node in the hierarchy, followed by the name of the Engine between parentheses, to which the device belongs.

Last IP address

The IP address of the device during its last recorded connection.

Last Seen

The last time of recorded device activity.

Below this basic object information, find the buttons that let you switch between the Timeline, Properties, and scores tabs. When selecting the Properties tab, a comparison tool appears to the right of the basic object information. Because this section focuses on visualizing system activity, the rest of this article is dedicated to the Timeline tab. To know more about the Properties tab, see the article on properties of users and devices. For more information about the score tabs, see how to check the ratings of users and devices.

To refresh the view, click the button with a circular arrow placed to the far right of the tab selection buttons. Refreshing the view is particularly useful when it is open for a long time and you want to see the last activity of a user or device.

Exploring activities in the timelines

The Timeline tab displays in fact several timelines grouped by sections. While the actual sections and their content depend on the type of object observed (user or device), the techniques to explore the timelines remain essentially the same.

To know the time scale of the timelines, find a ruler at the top of the view that divides the horizontal space in equal parts. Each subdivision of the ruler corresponds to a time interval of the recent history of the user or device under examination. Date and time labels in the ruler indicate the precise moment associated to a subdivision mark. In accordance with the ruler, an activity or event in the timelines found by following down a vertical line from a particular subdivision occurred during the time interval associated to that subdivision.

Hover the mouse cursor over a timeline with data and keep it there for a moment. A kind of structured tooltip eventually shows up. The tooltip summarizes the activities and events related to the timeline that happened during the time slot under the mouse cursor. A vertical and a horizontal dashed lines, crossing at the timeline slice pointed by the mouse cursor, show up shortly after the tooltip to help you locate the time interval in the ruler and the title of the timeline.

To investigate further what happened during a timeline slice, right-click the timeline at the point of interest. A context menu displays a list of options that let you open different views or drill down to related items, depending on the particular timeline. To directly drill down to the related main objects or events instead, double-click the timeline .

By default, the Timeline tab displays the last 24 hours in the history of a user or device.

Navigating through history

To the left of the date and time ruler, click the button with a triangle pointing to the left to go back in time. Likewise, click the button to the right of the ruler that depicts a triangle pointing to the right to go forward in time. For displaying data further in the past or closer to the present, the ruler and the timelines scroll right or left accordingly, following the opposite direction of the arrow clicked.

Alternatively, hover the mouse pointer over the ruler. The pointer turns into a double-headed horizontal arrow. Click and drag the pointer to the left to go forward in time. To go back in time, click and drag the pointer to the right. The ruler and the timelines scroll as you drag the mouse pointer.

The available history is limited by the amount of events recorded in the in-memory database of the Engine. The Finder stops scrolling to the past once you reach the time of the oldest event in the database. For completeness, the Finder lets you scroll a few hours into the future. It does not make much sense to go beyond the present time though, as the future is naturally empty of data.

Zooming

The default settings of the Timeline tab let you see the last 24 hours of a user or device. At that zoom level, every subdivision in a timeline represents a time interval of 30 minutes. With this granularity, two events separated by ten minutes, for instance, may reside in the same time slot, giving the appearance of simultaneity.

To know which event happened first, select an area surrounding the apparently simultaneous events and zoom in:

  1. Click the part of the timeline located immediately before the events of interest and keep the mouse left button pressed.

  2. Drag the mouse cursor over the events of interest and release the mouse button as soon as you have covered them with a rectangular selection area.

  3. Click the magnifying glass with the plus sign that is placed in the top right corner of the timelines or press Enter.

This zoom in button is enabled only when you have selected an area in the timelines. It also gets disabled when you reach the maximum allowed resolution (one second per subdivision).

Some timelines related to events also propose an option to zoom in in their context menu. As an alternative to the zooming method proposed above, right-click the timeline and select Zoom in on events when available.

To zoom out to the previous level, click the magnifying glass with the minus sign in the top right corner of the timelines or press Backspace. The zoom out button is enabled until you reach the maximum time span allowed (7 days).

To go back to the default 24 hours view, click the house icon placed to the left of the two magnifying glasses.

Timeline sections of the user view

In the timelines of the user view, find events and activities related to the devices with which the user interacted, the print jobs that the user started and the services that the user accessed.

Remember that timelines are actionable. Right-clicking a point in the timeline brings up a context menu with drill-downs and other options to jump to information related to the data in the timeline.

Applies to platforms | Windows | macOS |

Devices

For every active device linked to the user, find one or several timelines associated to it. If Cross-Engine features are enabled in the Finder, the section includes those devices located on any Engine; otherwise, the section only displays the devices located on the Engine to which the Finder is currently connected. The information displayed in the timelines depends on the platform of the device. For Windows or Mac devices, a main timeline groups all the information available. Click the plus icon to the left of the name of the Windows or Mac device to expand the main timeline into its individual components.

Windows or Mac

Device alerts

Occurrences of investigation-based alerts.

Errors

Applications not responding or crashing, system crashes (Windows bluescreens or macOS kernel panics) and hard resets.

Warnings

Notifications of high cpu load, high memory usage, or a big number input and output operations or page faults.

Interaction

Times when the user was active on that device (with the keyboard or the mouse), in addition to system boots and user logons.

Citrix RTT

The measure of the user screen lag.

Session network latency

Indication of the time delay between a user action and its visual response.

Windows and Mac devices share the same timelines, but warnings about IO operations or page faults are available for Windows devices only.

For device events to appear in the user view, they must be related to some user interaction with the machine.

Printers

For each printer, find the print jobs that the user has sent. Click the plus icon to the left of the name of the printer to break down the print jobs by device. Each print job appears then on a different timeline depending on the device that the user employed to send the print job.

Services

See the activity of the user in relation to the services that you have defined. Click the plus button to the left of the name of the service to break down the activity by device. Again, if Cross-Engine features are enabled, devices located on a different Engine from the Engine to which the Finder is currently connected are also shown on the list.

Depending on how you defined the service, you can further break down to the activity of the executables that compose the service.

Timeline sections of the device view

In the timeline, you can quickly detect whether the computer generated any alert, experienced any error or warning, had new software installed, connected properly to networked services, etc. This information is presented in different sections.

Note as well that a same device that has connected to several Engines because it changed its assignment, is seen as a different device by each Engine. Therefore, all the data in the device view comes from a single Engine and there is no merged data, even when the Cross-Engine features are enabled.

From top to bottom, the timeline of the device view displays the sections detailed below.

Applies to platforms | Windows | macOS |

Alerts

There are two separate sections:

  • Global alerts.

  • My alerts (user-defined alerts).

Each defined alert has its own timeline. Occurrences of the alert are marked in the timeline, graphically showing their start time and the duration. For the sake of clarity, only alerts that have been triggered during the selected time frame are displayed.

To see the exact time of triggering and the duration of an alert, hover the mouse cursor over the occurrence of the alert. If more than one occurrences of the alert overlap, the hovering tooltip gives you a list of all the occurrences.

To see a list of all the devices that triggered an alert, right-click the mark of the alert in the time-line, choose an occurrence if more than one is available and select Show Alert.

Errors

Signal errors in the device, such as application or system crashes. The error is shown in the timeline as a red circle with a number inside. The number inside the circle is bigger than one if more than one error condition overlap in the timeline. Hovering the mouse over the circle gives you a summary of the reason for the error (or the reasons, in the case of overlapping errors).

Warnings

Warnings are represented in the timeline as small boxes. The intensity of the color that fills the box indicates the severity of the warning. The more intense the color is, the more severe is the warning. High memory usage, high IO operations, and high page faults warnings use a yellow shade to signal the condition in the timeline.

On their turn, high CPU warnings signal their condition with two different colors, depending on the particular cause for issuing the warning:

  • Yellow, if the overall load in the CPU of the device is high, regardless of the load being caused by the execution of a few or a lot of applications.

  • Blue, if some specific applications have a high CPU consumption, but this load is not enough to signal an overall warning for the device.

Hovering the mouse cursor over a warning displays a summary of the reasons for the warning. For example, when hovering over warnings on applications using too much CPU or memory, a tooltip gives you a list of the applications that contributed the most to consumption of these resources.

Activity

In the Activity section, you find information about momentary activities, such as the detection of new binaries, print jobs, sytem boots, user logons and package and patch installations and uninstallations. You find as well information on lasting activities such as executions and connections.

Momentary activities are shown in their own timeline as blue circles with a number inside that indicates the number of overlapping events, similar to the red circles used for displaying errors. Lasting activities, in turn, are shown as blue squared boxes in the timeline, where the brightness of the color indicates the level of the activity (number of executions or connection traffic), similar to the boxes that are used to display warnings. As usual, if the system did not perform any activity of a certain type the activity is not shown at all, instead of displaying an empty timeline.

For every momentary activity, hovering the mouse cursor over the blue circle gives you a summary list of the causes for displaying the activity. For instance, hovering over a New binaries occurrence in the timeline displays a list of the binaries whose execution has been detected for the first time at that precise moment. Right-clicking in a blue circle of a momentary activity lets you choose among different options depending on the type of activity.

For lasting activities, that is Connections and Executions, hovering the mouse over a blue box yields:

  • For Connections, the amount of traffic registered during the time span of the box.

  • For Executions, the number of processes run on the time span of the box.

You can drill-down from a box of a lasting activity to the list of individual connections or executions that make it up by right-clicking in the box and selecting Show connections or Show executions. Connections have an additional option Show network activity that lets you navigate directly to a Network activity view and specify the metric to see in it (traffic in, traffic out, failed connections, etc).

In the Activity section, yellow color in the timeline warns you about administrator activity. A warning message notifies the use of administration privileges when you hover the mouse cursor over an activity timeline with yellow color. Two kinds of activities use a yellow display when they are carried out by users with administration privileges: User logons and Executions.

  • When a user logs in to a device with administrator privileges, the circle representing the user logon activity is no longer blue, but yellow.

  • When a program is run with administrative privileges, the blue boxes that show the executions are crossed by a yellow line to warn that at least one had admin privileges.

Network services

For every defined network-based service, you see a timeline indicating the status of the connections of the selected device to the service. Network connections to the service are displayed again as blue boxes. If any connection problem is detected, the blue boxes are crossed by a yellow line to indicate a warning and by a red line to indicate an error.

To see a summary with the statistics of the connections to the service (total traffic, number of connections, failed connections, response time, etc), hover the mouse over the desired box in the timeline. Additionally, you get a summary list of the errors and warnings that happened during the period delimited by the box, if any.

To open the Service view, click the name of the service at the beginning of the timeline or double-click a box in the timeline. There you find detailed information about the service for the last 24 hours.

Finally, you can also navigate to the Network activity view of the connections to the service from the timeline by right-clicking on any box and selecting Show network activity. Double-click in the box, as with connections in the Activity section.

Web services

If you installed the Web & Cloud product as an addition to the Nexthink Platform, you find a Web services section in the device view dedicated to web-based services. This section is very similar to the one dedicated to network-based services.

By hovering the mouse cursor over the boxes in the timeline, you get the statistics about the web-based service: traffic, requests, type of responses, average response time, etc.

To open the Service view, click the name of the web-based service at the beginning of the timeline or double-click a box in the timeline. To navigate to the Web activity view, right-click a box in the timeline and select Show web activity.

Users

In the lower part of the device view, you find the timelines that list the users who interacted with the system. There is a timeline for each one of them and the associated account name is displayed on the left side.

For the users connecting remotely, the timeline provides additional information. The quality of the data transfer is monitored using the session network latency. If the connection is done using the ICA protocol, the Citrix RTT is available. Executions initiated by the user are also added to the timeline.

For privacy reasons, measurement of the interaction time of the user with the computer can be disabled. If user interaction measurement is disabled, the User interaction data is not displayed.

Click the name of a user to open the corresponding User view.


RELATED TASKS

RELATED CONCEPT

RELATED REFERENCES

Last updated