Computing scores

Contents

Computing scores

Overview

A score applies either to devices or to users and it offers an evaluation of each object from one or several points of view. The value of a score depends thus on the status of the object with respect to a particular aspect or the combination of different aspects.

In this way, scores reduce the complexity of low level analytics to a single numerical value that has business significance. For instance, instead of dealing with multiple measures of network connectivity and their technicalities, gain instant insight into the connectivity status of a device with the help of a single score that combines all of those measures.

Scores are organized into tree structures of up to five levels. Scores at the lowest level of the tree are called leaf scores. A leaf score directly depends either on the computation of an aggregate or on the value of a device or user field. In turn, scores at higher levels of the hierarchy are called composite scores. A composite score depends on lower level scores, which may themselves be either composite or leaf scores.

ScoreLevels.png

Leaf scores

To compute a leaf score, provide one of the following inputs:

  • Field input: The value of a field that belongs either to a device or to a user object.
  • Computation input: The value of an aggregate that results from an NXQL investigation on devices or users.

The final value of a leaf score is computed by applying a normalization function to the raw input value (field or computation) in order to get a number within a predefined range. For example, a score based on the number of system failures which ranges from 0 to 10 (the higher the better) might have a normalization function that maps 0 failures to value 10, more than 5 failures to value 0, and a number failures between 1 and 4 to a list of decreasing intermediate values.

Update of leaf scores

Leaf scores whose input is a field of user or device objects are updated every minute. For their part, leaf scores with a computation input are updated either once per day at a specific time or periodically every 15 minutes, 1 hour, or 6 hours, depending on their configuration.

Composite scores

A composite score is computed by combining the values of the scores at its immediately lower level. To combine the lower level scores, use one of the following operations:

  • Average: Add the scores at the lower level and divide the result by their total number.
  • Weighted Average: Similar to the average operation, but with factors (weights) that multiply each lower level score to reflect their importance.
  • Min: Return the minimum value from the available lower level scores.
  • Max: Return the maximum value from the available lower level scores.
  • Sum: Add the lower level scores.
  • Multiply: Multiply the lower level scores that make up the composite score. Useful for combining closely related scores, for example: the total logon time of a device is the average logon time multiplied by the number of logons.

Update of composite scores

Composite scores are updated when any of the scores on which the composite score depends is modified. Note thus that the modification of a leaf score at the lowest level of the hierarchy may trigger the recalculation of all scores above it.

Scope of a score

A score may apply to a particular group of devices or users, and not to all of them. This group is called the scope of the score. Define the scope of a score by filtering the targeted objects with a condition on a property. For instance, for a score to apply only to laptop computers, put a filter as the scope of the score that returns those devices whose type is set to laptop.