Kaspersky Machine Learning for Anomaly Detection
Working with monitors
In the Event Processor section, on the Monitoring tab, you can create monitors that track specific events, patterns, or event parameter values.
The Monitoring tab displays all monitors created in the application, including the following brief information:
- Monitor name.
- Monitor threshold.
When the number of monitor activations on the sliding window reaches this threshold, the application sends an alert about the monitor activation to the external system through the CEF Connector.
- Sliding window used to track the number of monitor activations.
- Number of monitor activations on the sliding window.
If necessary, you can view detailed information about each monitor by clicking the Information button located next to the name of the relevant monitor in the table.
- Monitor ID is the unique identifier of the monitor being viewed.
- Number of activations on the sliding window refers to the number of registered monitor activations on the sliding window.
- Date and time of last activation refers to the date and time when the monitor was last activated.
- Activated refers to the type of element that caused the monitor activation. Monitor activation may be invoked by a new or existing event parameter value, event, pattern, or another monitor.
- Subscription indicates what is being tracked by the viewed monitor: event parameter values, events, or patterns.
- Sliding window is the length of the time interval, counted back from the current position in the event stream, within which monitor activations are counted. The window moves forward in step with the timestamps in the events.
- Threshold is the number of activations that must be registered on the sliding window before the monitor sends an alert about its activation to the external system via the CEF Connector.
- Filters is a table listing the filters on event parameters that the monitor applies when tracking event parameter values, events, or patterns. The following data is displayed for each filter:
- Parameter name refers to the names of event parameters whose values are being observed by the viewed monitor.
Each monitored asset has its own specific incoming events and event parameters. The names of event parameters are defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by an administrator (Kaspersky expert or certified integrator) during configuration of the Event Processor service.
- Type defines which values of the parameter the monitor tracks: specific values, new values (values not previously observed), or all values.
- Purpose defines which event parameters are receiving focused attention from the model.
- Values refers to the values of event parameters that are being observed by the viewed monitor.
- Stack limit determines the number of most recent monitor activations displayed in the Activation stack table.
- Activation stack is a table that contains information about the latest activations of the monitor:
- Parameter value ID is the ID of the event parameter value whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event parameter value.
- Event ID is the ID of the event whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event.
- Pattern ID is the ID of the pattern whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
- System parameters is a group of system settings containing the following information:
- Event time is the date and time when the event is detected in the event stream.
- Interval from previous item is the time interval between the current event and the previous event in the event stream on the sliding window. Kaspersky MLAD records the intervals between events when the pattern containing those events is first detected. When the pattern is detected again, the Event Processor applies the coefficient of allowed interval dispersion that the administrator specified for these events.
- Total activations is the number of event occurrences in the event stream on the sliding window.
- Parameter count is the number of event parameters for which the values were received from the monitored asset.
- Last activation is the date and time when the event was last detected in the event stream on the sliding window.
This group of parameters is displayed only when the monitor is activated by an event or an event parameter value.
- Activation date and time is the date and time when the monitor was activated. This parameter is displayed only when the monitor is activated by a pattern.
- Event parameter is the value of the event parameter received from the monitored asset. This parameter is displayed only when the monitor is activated by an event parameter value.
- Event parameters are the values of the parameters of the event received from the monitored asset. This parameter is displayed only when the monitor is activated by an event.
- Events is the number of events included in the pattern that caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
You can view information about the events included in the pattern by clicking the number of events in the corresponding row of the table. This displays the IDs, system parameters, and parameters of the events included in the selected pattern.
On the Histogram tab, you can also view brief statistics on the number of registered activations for each created monitor.
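As an added illustration (not code from this Help or from Kaspersky MLAD), the following Python model reproduces the monitor behaviour described above: a Filters table with the three value types, a sliding window that moves with event timestamps, a threshold, and a bounded activation stack, with the alert rendered in CEF as the page says the CEF Connector does. The event layout, the filter type names `specific`/`new`/`all`, the decision to alert whenever the in-window count is at or above the threshold, and the CEF header and extension fields are assumptions; the sample event stream is constructed.

```python
"""Toy model of an Event Processor monitor as described above: parameter filters
(specific / new / all values), a window that slides with event timestamps, a
threshold and an activation stack. Illustration only, not Kaspersky MLAD code;
event layout, filter names and the CEF field mapping are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

@dataclass
class ParameterFilter:
    """One row of a monitor's Filters table (field names assumed)."""
    name: str                                      # event parameter name
    kind: str                                      # "specific", "new" or "all"
    values: Set[str] = field(default_factory=set)  # used only for "specific"

@dataclass
class Monitor:
    monitor_id: int
    name: str
    window: timedelta      # sliding window length
    threshold: int         # activations in the window that raise an alert
    filters: List[ParameterFilter]
    stack_limit: int = 5   # most recent activations kept in the activation stack
    activations: Deque[datetime] = field(default_factory=deque)
    activation_stack: Deque[Tuple[int, datetime]] = field(default_factory=deque)
    seen: Dict[str, Set[str]] = field(default_factory=dict)
    last_activation: Optional[datetime] = None

    def matches(self, event: dict) -> bool:
        """Every filter must pass; 'new' values are recorded only on a full match."""
        newly_seen = []
        for f in self.filters:
            value = str(event.get(f.name, ""))
            if f.name not in event or (f.kind == "specific" and value not in f.values):
                return False
            if f.kind == "new":                # "all" filters pass unconditionally
                if value in self.seen.get(f.name, set()):
                    return False
                newly_seen.append((f.name, value))
        for name, value in newly_seen:
            self.seen.setdefault(name, set()).add(value)
        return True

    def feed(self, event: dict) -> Optional[str]:
        """Advance the window to this event's timestamp; return a CEF alert or None."""
        ts = datetime.fromisoformat(event["time"])
        # The window moves with event timestamps, not wall-clock time: evict
        # activations that are older than the window as of this event.
        while self.activations and ts - self.activations[0] > self.window:
            self.activations.popleft()
        if not self.matches(event):
            return None
        self.activations.append(ts)
        self.last_activation = ts
        self.activation_stack.append((event["id"], ts))
        while len(self.activation_stack) > self.stack_limit:
            self.activation_stack.popleft()
        # Assumption: alert whenever the count is at or above the threshold; the page
        # does not say whether MLAD re-alerts on later activations in the same window.
        if len(self.activations) >= self.threshold:
            return cef_alert(self, event["id"])
        return None

def cef_alert(mon: Monitor, event_id: int) -> str:
    """Render the alert in CEF. Device version and extension keys are placeholders;
    the mapping the CEF Connector really uses is not on this page."""
    name = mon.name.replace("\\", "\\\\").replace("|", "\\|")   # CEF header escaping
    rt_ms = int(mon.last_activation.timestamp() * 1000)
    ext = (f"cs1Label=monitorId cs1={mon.monitor_id} cnt={len(mon.activations)} "
           f"externalId={event_id} rt={rt_ms}")
    return f"CEF:0|Kaspersky|MLAD|0.0|monitor|{name}|5|{ext}"

def run_monitor(mon: Monitor, events: List[dict]) -> List[Tuple[int, str]]:
    """Feed events in stream order; return (event id, alert) for every alert raised."""
    alerts: List[Tuple[int, str]] = []
    for event in events:
        alert = mon.feed(event)
        if alert is not None:
            alerts.append((event["id"], alert))
    return alerts

# Constructed sample stream (not real MLAD data): a login result and a source address.
SAMPLE_EVENTS = [
    {"id": 101, "time": "2024-05-01T10:00:00+00:00", "src_ip": "10.0.0.5", "result": "failure"},
    {"id": 102, "time": "2024-05-01T10:00:20+00:00", "src_ip": "10.0.0.5", "result": "failure"},
    {"id": 103, "time": "2024-05-01T10:00:40+00:00", "src_ip": "10.0.0.7", "result": "success"},
    {"id": 104, "time": "2024-05-01T10:01:00+00:00", "src_ip": "10.0.0.5", "result": "failure"},
    {"id": 105, "time": "2024-05-01T10:05:00+00:00", "src_ip": "10.0.0.5", "result": "failure"},
]

def failed_login_monitor() -> Monitor:   # specific-value filter: 3 failures in 60 s
    return Monitor(1, "3 failures in 60 s", timedelta(seconds=60), 3,
                   [ParameterFilter("result", "specific", {"failure"})])

def new_source_monitor() -> Monitor:     # new-value filter: 2 unseen src_ip in 60 s
    return Monitor(2, "2 new sources in 60 s", timedelta(seconds=60), 2,
                   [ParameterFilter("src_ip", "new")])
```

Running `run_monitor(failed_login_monitor(), SAMPLE_EVENTS)` raises one alert, at event 104, when the third `failure` lands exactly 60 s after the first; by event 105 the window has moved on and the in-window count is back to 1. The new-value monitor fires at event 103, the second source address it has not seen before. Because the window follows the timestamps in the events rather than their arrival time, the clock of the monitored asset decides what counts as "within the window", which matters when a source clock drifts or events arrive late.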