Examples of metrics


Overview

Creating a new metric may be a daunting task for beginners because of the many options available. To help you get started, let us walk through an example that covers three metrics, each one of a different type: count, quantity, and top.

The example gathers information on binaries that are considered dangerous. To that end, we propose three metrics, which you can later refine and expand:

Devices executing dangerous binaries
Count the number of devices that execute dangerous binaries.
Cumulated execution time of dangerous binaries
Measure how long your devices were exposed to the execution of dangerous binaries.
Top most executed dangerous executables
List the top ten executables associated with dangerous binaries by number of executions.

In this example, we consider a binary to be dangerous when its Threat level field is set to high threat. Nexthink automatically sets the value of this field via the application library. You may later come up with your own definition of a dangerous binary and adapt the conditions in the example metrics accordingly.

For every step in the creation of the metrics that requires the choice of an option, we explain our decision in detail. We assume however that you know the basics of creating a metric.

Count metric

The first metric reflects the number of devices impacted by the execution of dangerous binaries.

Create a count metric in the Finder and edit its options:

  1. Type in the name of the metric: Devices executing dangerous binaries.
  2. Optional: Type in a description for the metric.
  3. In the RETRIEVE section, click devices.
  4. In the COMPUTE DAILY section:
    1. Select the option the total number of devices to create a count metric.
    2. Assuming that we might be interested in the status of the antivirus of those devices executing dangerous binaries, choose Group by antivirus up-to-date and antivirus RTP to classify the devices by the update status of their antivirus and their activation of the real-time protection.
  5. In the MATCHING section:
    1. Add the condition Binary Threat level is high.
    2. Leave the default option Count devices that meet conditions on at least one day in period. We want to count the devices that executed a dangerous binary at any time within the observed interval (that is, the period that you set in the navigation tool of the Portal when viewing the results of the metric). We therefore do not select the option the last active day, which is intended for metrics that have an inventory function and would count a device only if the condition holds on the last day the device was seen.
  6. In the OPTIONS section:
    1. Tick the box Include ratio without including any new condition. In that way, you compare the number of impacted devices with the total number of devices.
    2. Tick the box and select the option Include variation indicator only. We do not need to set any threshold and we keep the default option for the sense of the variation: an increase in the value of the metric is bad (red arrow up) and a decrease of its value is good (green arrow down).
    3. Optional: Tick any of the Additional display fields that you want to add.

Quantity metric

As second metric, let us measure for how long dangerous binaries have been executing on the devices.

Create a new metric and edit its options:

  1. Type in the name of the metric: Cumulated execution time of dangerous binaries.
  2. Optional: Type in a description for the metric.
  3. In the RETRIEVE section, click devices, since quantity metrics can only be selected for devices.
  4. In the COMPUTE DAILY section:
    1. Select the second option to create a quantity metric and build the sentence: the cumulated execution duration of devices.
    2. In the group by option, keep the default - none -, as we do not need to break down the results.
    3. In the aggregate by option, select sum over all devices and the whole timeframe. We are interested in the total execution time over all devices and not in the average execution time per device, which is the other available option.
  5. In the MATCHING section:
    1. Add the condition Binary Threat level is high.
  6. In the OPTIONS section:
    1. Tick the box and select the option Include variation indicator and two thresholds. We want to set warning and error conditions if the cumulated execution time of dangerous binaries exceeds some values.
    2. In the bar to indicate the thresholds, keep the sense of variation (red arrow up, green arrow down) and set the first threshold to 10 min and the second to 1 hour.

Top metric

Finally, let us add a metric that retrieves the top 10 most executed executables whose binary representations are considered dangerous. Remember that an executable in Nexthink groups the different versions (binary images) of a program in a single object. In this case, a metric retrieving executables is probably more convenient than a top metric retrieving the individual binaries. Indeed, having a list of different executables is preferable to seeing different binary versions of the same executable repeated in a list.

Create a new metric and edit its options:

  1. Type in the name of the metric: Top most executed dangerous executables.
  2. Optional: Type in a description for the metric.
  3. In the RETRIEVE section, click executables.
  4. In the COMPUTE DAILY section:
    1. Select the second option to create a top metric and build the sentence: the top 10 executables with highest number of executions.
    2. In the aggregate by option, select maximum value per day. Another perfectly valid choice would be sum over the whole timeframe, to see the total number of executions of each executable. For this example, however, we want to rank the executables by their largest burst of executions in a single day and, in that way, find the dangerous executables that are run most aggressively. The remaining aggregation option, average value per day, is of little interest here because it smooths out precisely the extreme cases we want to detect.
  5. In the MATCHING section:
    1. Add the condition Binary Threat level is high.
  6. In the OPTIONS section:
    1. Optional: Tick any of the Additional display fields that you want to add.
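The aggregation choices made in the three procedures above (at least one day in period versus the last active day, sum versus average over devices, maximum per day versus sum over the timeframe) are easy to confuse. The following Python script is an added example, not Nexthink code and not using the Nexthink API: it recomputes the three metrics over a constructed set of daily execution records with an assumed schema, so that you can see how each choice changes the result. Every field name, device name and executable name in it is an assumption made for the illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Execution(NamedTuple):
    """One daily execution record of a binary on a device (assumed schema, not Nexthink's)."""
    day: str            # ISO date, so plain string comparison orders days correctly
    device: str
    av_up_to_date: bool  # antivirus up-to-date
    av_rtp: bool         # antivirus real-time protection enabled
    executable: str      # groups every binary version of a program
    binary: str          # one specific binary image
    threat_level: str    # "high", "medium", "low"
    executions: int      # launches that day
    duration_s: int      # cumulated execution time that day, in seconds


# Constructed sample data: three observed days plus one record outside the period.
RECORDS = [
    Execution("2024-03-04", "dev-01", True,  True,  "miner.exe",   "miner.exe 1.0", "high", 5, 1200),
    Execution("2024-03-04", "dev-02", False, True,  "miner.exe",   "miner.exe 1.1", "high", 2, 300),
    Execution("2024-03-04", "dev-03", True,  False, "dropper.exe", "dropper.exe",   "high", 1, 10),
    Execution("2024-03-05", "dev-01", True,  True,  "miner.exe",   "miner.exe 1.0", "high", 1, 60),
    Execution("2024-03-05", "dev-02", False, True,  "dropper.exe", "dropper.exe",   "high", 8, 30),
    Execution("2024-03-05", "dev-04", False, False, "notepad.exe", "notepad.exe",   "low",  3, 100),
    Execution("2024-03-05", "dev-05", True,  True,  "notepad.exe", "notepad.exe",   "low",  2, 50),
    Execution("2024-03-06", "dev-03", True,  False, "notepad.exe", "notepad.exe",   "low",  9, 600),
    Execution("2024-03-06", "dev-04", False, False, "miner.exe",   "miner.exe 1.1", "high", 4, 500),
    Execution("2024-03-07", "dev-01", True,  True,  "miner.exe",   "miner.exe 1.0", "high", 3, 200),
]


def in_period(records, start, end):
    """Records inside the observed interval (inclusive), as set in the Portal navigation tool."""
    return [r for r in records if start <= r.day <= end]


def dangerous(r):
    """The example's definition of a dangerous binary: Threat level is high."""
    return r.threat_level == "high"


def count_devices(records, start, end, last_active_day=False):
    """Count metric: devices that executed a dangerous binary, grouped by antivirus state.

    last_active_day=False counts a device if the condition held on at least one day in the
    period; last_active_day=True (the inventory variant) only if it held on the device's last
    active day. The ratio denominator is every device seen in the period (Include ratio with
    no extra condition)."""
    by_device = defaultdict(list)
    for r in in_period(records, start, end):
        by_device[r.device].append(r)
    matched = {}
    for dev, rows in by_device.items():
        last_day = max(r.day for r in rows)
        candidates = [r for r in rows if r.day == last_day] if last_active_day else rows
        if any(dangerous(r) for r in candidates):
            last = next(r for r in rows if r.day == last_day)
            matched[dev] = (last.av_up_to_date, last.av_rtp)  # group by antivirus state
    groups = defaultdict(int)
    for key in matched.values():
        groups[key] += 1
    total = len(by_device)
    return {"count": len(matched), "total": total,
            "ratio": len(matched) / total if total else 0.0, "by_antivirus": dict(groups)}


def variation(current, previous):
    """Variation indicator with the default sense: an increase is bad, a decrease is good."""
    if current > previous:
        return "up (bad)"
    return "down (good)" if current < previous else "flat"


def cumulated_duration(records, start, end, warn_s=600, error_s=3600, aggregate="sum"):
    """Quantity metric: execution time of dangerous binaries, with two thresholds (10 min, 1 h).

    aggregate="sum" sums over all devices and the whole timeframe; "average" is an assumed
    reading of the other option (mean over the devices that executed a dangerous binary)."""
    per_device = defaultdict(int)
    for r in in_period(records, start, end):
        if dangerous(r):
            per_device[r.device] += r.duration_s
    total = sum(per_device.values())
    if aggregate == "sum":
        value = total
    elif aggregate == "average":
        value = total / len(per_device) if per_device else 0.0
    else:
        raise ValueError(f"unknown aggregation: {aggregate}")
    status = "error" if value >= error_s else "warning" if value >= warn_s else "ok"
    return {"seconds": value, "status": status}


def top_executables(records, start, end, n=10, aggregate="max_per_day"):
    """Top metric: executables (not individual binaries) ranked by executions of dangerous
    binaries. max_per_day ranks by the largest single-day burst; sum by total executions."""
    per_day = defaultdict(lambda: defaultdict(int))  # executable -> day -> executions
    for r in in_period(records, start, end):
        if dangerous(r):
            per_day[r.executable][r.day] += r.executions
    scored = []
    for exe, days in per_day.items():
        if aggregate == "max_per_day":
            value = max(days.values())
        elif aggregate == "sum":
            value = sum(days.values())
        elif aggregate == "average_per_day":
            value = sum(days.values()) / len(days)
        else:
            raise ValueError(f"unknown aggregation: {aggregate}")
        scored.append((exe, value))
    scored.sort(key=lambda item: (-item[1], item[0]))  # highest first, name breaks ties
    return scored[:n]


if __name__ == "__main__":
    START, END = "2024-03-04", "2024-03-06"
    print(count_devices(RECORDS, START, END))
    print(count_devices(RECORDS, START, END, last_active_day=True))
    print(cumulated_duration(RECORDS, START, END))
    print(top_executables(RECORDS, START, END))
    print(top_executables(RECORDS, START, END, aggregate="sum"))
```

Running it over the sample period 2024-03-04 to 2024-03-06 shows the differences the procedures discuss: four of five devices count under the at least one day rule but only three under the last active day rule (dev-03 ran a dangerous binary on its first day, not its last); the summed execution time of 2100 s crosses the 10 min warning threshold but not the 1 h error threshold; and dropper.exe tops the list by maximum burst per day (8 in one day) while miner.exe tops it by total executions (12).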

Conclusion

We hope that this example has helped you clarify some of the concepts behind the creation of a metric. Keep on reading to learn how to create widgets in the Portal that display the values of the metrics. For more information on how the Portal computes and presents metric data, read the article on aggregation and grouping.
