Examples of metrics
Overview
Creating a new metric may be a daunting task for beginners because of the many options available. To help you with the creation of metrics, let us walk through a first example that covers the creation of three metrics, each one of a different type: count, quantity, and top. Then let us explore how to create a quantity metric based on the output of a remote action.
The first example gets information on binaries that are considered dangerous. To that end, we propose the creation of three metrics, which the reader can later refine and expand:
Devices executing dangerous binaries (Count metric): Count the number of devices that execute dangerous binaries.
Cumulated execution time of dangerous binaries (Quantity metric): Measure how long your devices were exposed to the execution of dangerous binaries.
Top most executed dangerous executables (Top metric): List the top ten executables associated with dangerous binaries by number of executions.
In this example, we consider a binary to be dangerous when its Threat level field is set to high threat. Nexthink automatically sets the value of this field via the application library. You may later come up with your own definition of a dangerous binary and adapt the conditions in the example metrics accordingly.
The second example of a quantity metric gets information about the battery status of laptop devices. As Nexthink does not retrieve this information by default, we need a remote action that returns the data on demand:
Average battery health (Quantity metric): With the help of a remote action, get the average battery health of all devices and compare it by manufacturer.
For every step in the creation of the metrics that requires the choice of an option, we explain our decision in detail. We assume, however, that you know the basics of creating a metric.
Count metric
The first metric reflects the number of devices impacted by the execution of dangerous binaries.
Create a count metric in the Finder and edit its options:
Type in the name of the metric: Devices executing dangerous binaries.
Optional: Type in a description for the metric.
In the RETRIEVE section, click devices.
In the COMPUTE DAILY section:
Select the option the total number of all devices to create a count metric.
Assuming that we might be interested in the status of the antivirus of those devices executing dangerous binaries, choose Group by antivirus up-to-date and antivirus RTP to classify the devices by the update status of their antivirus and their activation of the real-time protection.
In the MATCHING section:
Add the condition Binary Threat level is high.
Leave the default option Count devices that meet conditions on at least one day in period. We want to count the devices that executed a dangerous binary at any time within the observed interval (that is, the period that you set in the navigation tool of the Portal when watching the results of the metric). We therefore do not select the option the last active day, which is intended for metrics that have an inventory function.
In the OPTIONS section:
Tick the box Include ratio without including any new condition. In that way, you compare the number of impacted devices with the total number of devices.
Tick the box and select the option Include variation indicator only. We do not need to set any threshold and we keep the default option for the sense of the variation: an increase in the value of the metric is bad (red arrow up) and a decrease of its value is good (green arrow down).
Optional: Tick any of the Additional display fields that you want to add.
Quantity metric
From aggregate values
As a second metric, let us measure for how long dangerous binaries have been executing on the devices.
Create a new metric and edit its options:
Type in the name of the metric: Cumulated execution of dangerous binaries.
Optional: Type in a description for the metric.
In the RETRIEVE section, click devices, since quantity metrics can only be selected for devices.
In the COMPUTE DAILY section:
Select the second option to create a quantity metric and build the sentence: the cumulated execution duration of active devices.
In the Group by option, keep the default - none -, as we do not need to break down the results.
In the Aggregate by option, select sum over all devices and the whole timeframe. We are interested in the total execution time over all devices and not in the average execution time per device, which is the other available option.
In the MATCHING section:
Add the condition Binary Threat level is high.
In the OPTIONS section:
Tick the box and select the option Include variation indicator and two thresholds. We want to set warning and error conditions if the cumulated execution time of dangerous binaries exceeds some values.
In the bar to indicate the thresholds, keep the sense of variation (red arrow up, green arrow down) and set the first threshold to 10 min and the second to 1 hour.
From numerical outputs of remote actions
Build a third metric directly based on the output of a remote action that yields a numerical value. In general, scores let you build quantity metrics for devices based on any kind of output from a remote action, but only numerical outputs are allowed as a direct value in quantity metrics.
To create a quantity metric that measures the average health of the battery on all your devices and compares by manufacturer:
Install the required Library pack for the example.
Open the Nexthink Library page of the Battery Status pack from your favorite web browser.
Click the Install button.
Log in to the Finder as a user with the right to create metrics.
Right-click the Metrics section; a context menu shows up.
Select Create new metric from the menu.
Type in the name of the metric: Average battery health.
Optional: Type in a description for the metric.
In the RETRIEVE section, click devices, since quantity metrics can only be selected for devices.
In the COMPUTE DAILY section:
Select the second option to create a quantity metric and build the sentence: the get Battery Status / Battery1 Health of all devices.
In the Group by option, select device manufacturer as first grouping criterion and - none - as the second, to make it possible to break down the results by the manufacturer of the device.
In the Aggregate by option, select average value per device.
In the MATCHING section:
Add the condition Get Battery Status / Battery1 Health is greater or equal to 0.1 to exclude devices that return zero instead of a valid value.
Top metric
Finally, let us add a metric that retrieves the top 10 most executed executables whose binary representations are considered dangerous. Remember that an executable in Nexthink groups the different versions (binary images) of a program in a single object. In this case, a metric retrieving executables is probably more convenient than a top metric retrieving the individual binaries. Indeed, having a list of different executables is preferable to seeing different binary versions of the same executable repeated in a list.
Create a new metric and edit its options:
Type in the name of the metric: Top most executed dangerous executables.
Optional: Type in a description for the metric.
In the RETRIEVE section, click executables.
In the COMPUTE DAILY section:
Select the second option to create a top metric and build the sentence: the top 10 executables with highest number of executions.
In the Aggregate by option, select maximum value per day. Another perfectly valid option would be sum over the whole timeframe, to see the total number of executions of each executable. This time, however, we want to classify the executables by their maximum burst of executions in one day and, in that way, find out which dangerous executables are run most aggressively. We are also not much interested in the other available aggregation option, average value per day, because we want to detect the extreme cases.
In the MATCHING section:
Add the condition Binary Threat level is high.
In the OPTIONS section:
Optional: Tick any of the Additional display fields that you want to add.
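To make the aggregation choices of the three metrics concrete, here is an added Python model (not Nexthink code, and not part of the original article) that applies the same rules to a constructed set of daily activity records: the count metric with "at least one day in period" and its ratio, the quantity metric summed over all devices and the whole timeframe with the 10 min / 1 hour thresholds and the variation indicator, and the top metric ranked by maximum executions per day. Record layout, device names and executable names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of daily activity records (not real Nexthink data):
# (day, device, executable, binary threat level, executions, execution minutes)
RECORDS = [
    ("day1", "pc1", "miner.exe", "high", 3, 30),
    ("day1", "pc1", "notepad.exe", "low", 5, 10),
    ("day1", "pc2", "miner.exe", "high", 1, 5),
    ("day2", "pc2", "dropper.exe", "high", 8, 20),
    ("day2", "pc3", "notepad.exe", "low", 2, 15),
    ("day3", "pc1", "dropper.exe", "high", 2, 40),
]
ALL_DEVICES = {"pc1", "pc2", "pc3", "pc4"}  # pc4 was never active in the period

def dangerous(records):
    """MATCHING condition shared by the three metrics: Binary Threat level is high."""
    return [r for r in records if r[3] == "high"]

def count_devices(records, all_devices):
    """Count metric: devices meeting the condition on at least one day in the
    period, with the ratio against the total number of devices (Include ratio)."""
    hit = {r[1] for r in dangerous(records)}
    return len(hit), len(hit) / len(all_devices)

def cumulated_execution(records, warn_min=10, error_min=60):
    """Quantity metric: sum over all devices and the whole timeframe, then the
    two-threshold status (warning above 10 min, error above 1 hour)."""
    total = sum(r[5] for r in dangerous(records))
    status = "error" if total > error_min else "warning" if total > warn_min else "ok"
    return total, status

def variation(previous, current):
    """Variation indicator with the default sense: an increase is bad."""
    if current == previous:
        return "no change"
    return "red arrow up" if current > previous else "green arrow down"

def top_executables(records, n=10):
    """Top metric: executables ranked by their maximum executions in one day."""
    per_day = defaultdict(int)
    for day, _, exe, _, execs, _ in dangerous(records):
        per_day[(exe, day)] += execs
    best = defaultdict(int)
    for (exe, day), execs in per_day.items():
        best[exe] = max(best[exe], execs)
    return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

With the sample data, two of the four devices ran a dangerous binary (ratio 0.5), the cumulated execution time of 95 min lands in the error band, and dropper.exe outranks miner.exe because its best single day (8 executions) beats miner.exe's best day (4), even though both would be close on a whole-timeframe sum.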
Conclusion
We hope that these examples have helped you clarify some of the concepts behind the creation of a metric. Keep on reading to learn how to create widgets that display the values of the metrics in the Portal. For more information on how the Portal computes and presents metric data, read this article on aggregation and grouping.