Health Scores & Alerts
Understand how device health scores are calculated, configure alert rules across eight categories, and route notifications to Slack, email, or webhooks.
Health Scores
Every device has a health score from 0 to 100, calculated from its security posture, update status, system condition, and threat exposure. The score updates automatically whenever a health report arrives (every 30 minutes) or when conditions change.
Score Breakdown
The 100 points are distributed across these categories:
| Category | Max Points | What it measures |
|---|---|---|
| Security Posture | 35 | Antivirus, firewall, disk encryption, OS patches |
| Malware | 20 | Active malware threats |
| Registry | 10 | Registry issues found |
| Software Updates | 10 | Pending software updates |
| Drivers | 5 | Pending driver updates |
| Privacy | 10 | Privacy protection score |
| System Resources | 10 | Disk capacity and disk health |
How Points Are Lost
Points are deducted for specific issues; the total deducted within a category is capped at that category's maximum. Here are the most impactful:
Security (up to 35 points):
- No antivirus enabled: -15 points
- Real-time protection off: -10 points
- Antivirus signatures outdated: -3 to -5 points
- Firewall profiles disabled: -3 points per profile (up to -9)
- Disk not encrypted (BitLocker): -5 points
- OS patches overdue: -5 to -15 points depending on how long
Malware (up to 20 points):
- Each high-severity threat: -10 points
- Each medium-severity threat: -5 points
- Each low-severity threat: -3 points
Staleness penalty: If the health report is outdated, additional points are deducted — up to 15 points if the report is more than 7 days old. This encourages keeping devices connected and reporting.
Network threats: Active threat detections apply additional penalties based on severity — critical threats (botnets, ransomware) deduct more than informational ones.
Risk Flags
When specific issues are detected, the device is tagged with risk flags that appear on the dashboard:
- malware_detected — Active malware threats found
- av_disabled — No antivirus enabled
- av_realtime_off — Real-time protection is off
- firewall_off — One or more firewall profiles disabled
- bitlocker_off — Disk encryption not active
- patches_stale — OS updates overdue
- av_signatures_stale — Antivirus signatures outdated
- major_updates_pending — Major software updates available
- disk_critical — Disk usage above 90% of capacity
- event_log_anomaly — Unusual event log patterns detected
- threat_detected — Network threats detected
Fleet Health
The dashboard shows fleet-wide health statistics:
- Average health score across all devices
- Distribution: how many are healthy (90+), fair (70–89), at risk (50–69), or critical (below 50)
- Top risk flags across the fleet
- Devices most in need of attention
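The scoring rules above (the category caps, the listed security and malware deductions, the staleness penalty, the risk flags, and the fleet health bands) as a runnable model. This is an added example, not the product's own scoring code. The report field names, the day thresholds behind "signatures outdated" and "patches overdue", the linear staleness ramp, and the per-category deductions for the categories the page does not itemise are assumptions made for this example; network threat penalties are left out because the page gives no point values for them.

```python
from datetime import datetime, timedelta, timezone

# Maximum points per category, from the score breakdown table above.
CATEGORY_MAX = {
    "security": 35, "malware": 20, "registry": 10, "software_updates": 10,
    "drivers": 5, "privacy": 10, "system_resources": 10,
}
MALWARE_PENALTY = {"high": 10, "medium": 5, "low": 3}  # per active threat
REPORT_INTERVAL = timedelta(minutes=30)                 # health reports arrive every 30 minutes


def security_deductions(r):
    """Security posture deductions with the page's values; the day thresholds are assumed."""
    d = 0
    if not r["av_enabled"]:
        d += 15
    if not r["av_realtime"]:
        d += 10
    if r["av_signature_age_days"] > 7:            # assumed: -3 after 7 days, -5 after 30
        d += 5 if r["av_signature_age_days"] > 30 else 3
    d += 3 * min(r["firewall_profiles_disabled"], 3)  # -3 per profile, capped at -9
    if not r["bitlocker"]:
        d += 5
    overdue = r["patch_overdue_days"]
    if overdue > 0:                               # assumed tiers for "-5 to -15 depending on how long"
        d += 15 if overdue > 90 else 10 if overdue > 30 else 5
    return d


def malware_deductions(r):
    """-10 / -5 / -3 per high / medium / low severity threat."""
    return sum(MALWARE_PENALTY[t["severity"]] for t in r["malware_threats"])


def staleness_penalty(reported_at, now):
    """0 while the report is fresh, 15 once it is over 7 days old; the linear ramp is assumed."""
    age = now - reported_at
    if age <= REPORT_INTERVAL:
        return 0
    return min(15, round(15 * (age / timedelta(days=7))))


def health_score(r, now):
    """100 minus each category's deductions (capped at the category max), minus staleness.
    Network threat penalties are omitted because the page gives no point values for them."""
    deductions = {"security": security_deductions(r), "malware": malware_deductions(r)}
    # Categories the page does not itemise take a deduction carried in the report (assumed field).
    for cat in ("registry", "software_updates", "drivers", "privacy", "system_resources"):
        deductions[cat] = r["other_deductions"].get(cat, 0)
    score = 100 - sum(min(d, CATEGORY_MAX[cat]) for cat, d in deductions.items())
    score -= staleness_penalty(r["reported_at"], now)
    return max(0, score)


def risk_flags(r):
    """Risk flags from the list above that can be derived from this report shape."""
    checks = [
        ("malware_detected", bool(r["malware_threats"])),
        ("av_disabled", not r["av_enabled"]),
        ("av_realtime_off", not r["av_realtime"]),
        ("firewall_off", r["firewall_profiles_disabled"] > 0),
        ("bitlocker_off", not r["bitlocker"]),
        ("patches_stale", r["patch_overdue_days"] > 0),
        ("av_signatures_stale", r["av_signature_age_days"] > 7),
        ("disk_critical", r["disk_used_pct"] > 90),
        ("threat_detected", bool(r["network_threats"])),
    ]
    return [flag for flag, hit in checks if hit]


def health_band(score):
    """Fleet dashboard buckets: healthy 90+, fair 70-89, at risk 50-69, critical below 50."""
    if score >= 90:
        return "healthy"
    if score >= 70:
        return "fair"
    if score >= 50:
        return "at risk"
    return "critical"


NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
# Constructed sample report, two days old: real-time protection off, two firewall
# profiles down, no BitLocker, patches 45 days overdue, one high and one low threat.
SAMPLE_REPORT = {
    "reported_at": NOW - timedelta(days=2),
    "av_enabled": True, "av_realtime": False, "av_signature_age_days": 12,
    "firewall_profiles_disabled": 2, "bitlocker": False, "patch_overdue_days": 45,
    "malware_threats": [{"severity": "high"}, {"severity": "low"}],
    "network_threats": [],
    "disk_used_pct": 93,
    "other_deductions": {"software_updates": 4, "drivers": 7},  # drivers capped to 5
}

if __name__ == "__main__":
    score = health_score(SAMPLE_REPORT, NOW)
    print(score, health_band(score), risk_flags(SAMPLE_REPORT))
```

For the sample report the security deductions come to 34 (just under the 35 cap), malware to 13, the drivers deduction is clipped from 7 to 5, and the two-day-old report costs 4 staleness points, leaving a score of 40 in the critical band. Note that the per-category cap matters: a device with antivirus disabled, real-time protection off, three firewall profiles down and patches long overdue lists 49 points of security deductions but loses only 35.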
Alert System
The alert system watches your devices and notifies you when something needs attention. Alerts fire automatically based on conditions and resolve themselves when the issue clears.
Alert Categories
| Category | What it watches |
|---|---|
| Health | Risk flag conditions — malware, disabled antivirus, stale patches, etc. |
| Compliance | Compliance check failures |
| Telemetry | Resource pressure — CPU over 95%, memory over 95%, degraded disk health |
| Event Log | Event log anomalies — critical events, error floods |
| Device Status | Device going offline |
| Network | DNS non-compliance, missing VPN, rogue interfaces, network changes |
| Threat | Active network threat detections |
| Analytics | Custom rules you define on telemetry metrics |
Alert Severity
- Critical — Needs immediate attention (e.g., malware detected, firewall disabled)
- Warning — Should be addressed soon (e.g., patches overdue, VPN disconnected)
- Info — Worth knowing but not urgent (e.g., network config changed)
Alert Lifecycle
- Triggered — A condition is detected and an alert is created
- Acknowledged — A team member marks it as "seen" to indicate someone is working on it
- Resolved — The condition clears and the alert is automatically resolved (or you can resolve it manually)
Alerts are deduplicated — if the same issue on the same device is already active, a duplicate alert won't be created.
Managing Alerts
- Acknowledge — Mark an alert as seen
- Resolve — Close an alert manually
- Acknowledge All / Resolve All — Bulk actions for clearing your alert queue
- Mute — Silence a specific alert type for a specific device (e.g., if you know a device legitimately doesn't need a VPN)
Custom Alert Rules
Create your own alert rules based on telemetry metrics:
- Choose a metric (CPU usage, memory usage, etc.)
- Set a threshold and comparison (e.g., CPU greater than 90%)
- Set a duration — how long the condition must persist before the alert fires (e.g., 15 minutes)
- Choose a severity level
This lets you tailor alerting to your environment. For example, a build server might legitimately run at high CPU, while a file server shouldn't.
Alert Checks
The system evaluates alert conditions every 5 minutes, checking health flags, compliance status, telemetry thresholds, event log anomalies, network security, threats, and your custom rules.
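An added example, not the product's own code, of the behaviour described in the Alert Lifecycle, Managing Alerts, Custom Alert Rules and Alert Checks sections: a custom rule with a persistence duration evaluated on 5-minute ticks, deduplication against the open alert, auto-resolve when the condition clears, and acknowledge / manual resolve / mute actions. The in-memory design, the Rule and Alert field names, the metric names and the build-01 device are assumptions; the CPU timeline is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TICK = timedelta(minutes=5)  # alert conditions are evaluated every 5 minutes


@dataclass
class Rule:
    name: str
    metric: str
    op: str                 # ">" or "<"
    threshold: float
    duration: timedelta     # how long the condition must hold before the alert fires
    severity: str           # "critical", "warning" or "info"

    def matches(self, value):
        return value > self.threshold if self.op == ">" else value < self.threshold


@dataclass
class Alert:
    device: str
    rule: str
    severity: str
    triggered_at: datetime
    status: str = "triggered"            # triggered -> acknowledged -> resolved
    resolved_at: Optional[datetime] = None


class AlertEngine:
    """In-memory evaluator (assumed design): call evaluate() once per device per tick."""

    def __init__(self, rules):
        self.rules = rules
        self.alerts = []
        self.muted = set()         # (device, rule name) pairs silenced by an operator
        self._breach_since = {}    # (device, rule name) -> first tick the condition held

    def active(self, device, rule_name):
        """The open (unresolved) alert for this device/rule; this is the deduplication check."""
        for a in self.alerts:
            if a.device == device and a.rule == rule_name and a.status != "resolved":
                return a
        return None

    def evaluate(self, device, metrics, now):
        """One tick for one device. Returns the alerts created on this tick."""
        created = []
        for rule in self.rules:
            key = (device, rule.name)
            value = metrics.get(rule.metric)
            if value is None:
                continue
            if rule.matches(value):
                first_seen = self._breach_since.setdefault(key, now)
                persisted = now - first_seen >= rule.duration
                if persisted and key not in self.muted and self.active(*key) is None:
                    alert = Alert(device, rule.name, rule.severity, now)
                    self.alerts.append(alert)
                    created.append(alert)
            else:
                # Condition cleared: reset the persistence clock and auto-resolve.
                self._breach_since.pop(key, None)
                open_alert = self.active(*key)
                if open_alert is not None:
                    open_alert.status = "resolved"
                    open_alert.resolved_at = now
        return created

    def acknowledge(self, alert):
        if alert.status == "triggered":
            alert.status = "acknowledged"

    def resolve(self, alert, now):
        """Manual resolve from the dashboard."""
        alert.status = "resolved"
        alert.resolved_at = now

    def mute(self, device, rule_name):
        self.muted.add((device, rule_name))


def run_scenario():
    """Constructed timeline: build-01 holds CPU at 97% for five ticks, recovers, then spikes again."""
    rules = [
        Rule("cpu_high", "cpu_pct", ">", 90, timedelta(minutes=15), "warning"),
        Rule("mem_high", "mem_pct", ">", 95, timedelta(0), "critical"),
    ]
    engine = AlertEngine(rules)
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    cpu_samples = [97, 97, 97, 97, 97, 40, 97, 97, 97, 97]
    fired_on = []   # tick indexes on which a cpu_high alert was created
    for i, cpu in enumerate(cpu_samples):
        new = engine.evaluate("build-01", {"cpu_pct": cpu, "mem_pct": 60}, t0 + i * TICK)
        fired_on.extend(i for a in new if a.rule == "cpu_high")
    return engine, fired_on
```

In the scenario the 15-minute duration means the first cpu_high alert fires on the fourth tick (index 3), not on the first breach; the fifth tick is deduplicated against the open alert, the drop to 40% on the sixth tick auto-resolves it and resets the persistence clock, and the second spike has to persist for another 15 minutes before a new alert is created on tick 9. Muting a device/rule pair suppresses creation without touching the persistence bookkeeping, which is the behaviour you want for the "this device legitimately has no VPN" case.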
Notifications
Alerts can be routed to email, Slack, or webhooks. See Settings for how to configure notification channels and routing rules.