Kaspersky Machine Learning for Anomaly Detection
Viewing the technical specifications of a registered incident
In the Incidents section, you can view the technical specifications of registered incidents. To do so, click the right arrow next to the relevant incident in the incidents table. The following technical specifications will be displayed for the selected incident:
- Incident is the section containing information about the incident.
  - Model name refers to the name of the utilized ML model.
  - Model branch is the name of the ML model branch. This is absent if the ML model has no branches.
  - Detector refers to the name of the detector that identified an anomaly and registered the incident: Forecaster, Limit Detector, XGBoost, Rule Detector, Stream Processor.
  - MSE value is the value of the individual mean square error.
  - Threshold value refers to the MSE threshold value for the ML model branch in use at the time of incident registration.
- Top tag is the section containing information about the tag for which the incident was registered.
  - Top tag name (top tag ID) is the name and ID of the tag whose behavior invoked registration of the incident.
    If an incident was registered by the Forecaster Detector, the name of the most anomalous tag that influenced the registration of the incident more than the other tags will be displayed. For the Rule Detector, the value of this parameter shows an indicator tag for the diagnostic rule. For the Limit Detector, the tag whose value exceeded the technical limits defined for this tag will be displayed.
  - Top tag value is the value of the top tag registered when the incident occurred.
  - Limits refer to the acceptable technical limits of values for a top tag.
  - Description refers to a description of the top tag.
  - Measurement units refer to the units for measuring the top tag values.
- Stream Processor service incident parameters is a section containing information about the parameters of the incident registered by the Stream Processor service. This group of parameters is displayed if the current incident is registered by the Stream Processor service.
  - Incident type is the type of incident registered by the Stream Processor service. The Stream Processor service registers incidents when it detects observations that were received by Kaspersky MLAD too early or too late, or if the incoming data stream from a certain tag is terminated or interrupted.
  - Data date and time is the date and time when the observation was generated according to the monitored asset time. This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
  - Lag / Lead is the amount of time by which the observation generation time lags behind or is ahead of the time the observation was received in Kaspersky MLAD. If data is received too early, the parameter value is displayed with a plus sign (+). If data is received too late, the parameter value is displayed with a minus sign (-). This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
- Incident cause is the field for selecting the cause of the incident. This field is completed by an expert (process engineer or ICS specialist). If necessary, a user with administrator privileges can create, edit, or delete causes of incidents.
- Expert opinion is the field for adding an expert opinion based on an analysis of the registered incident. This field is completed by an expert (process engineer or ICS specialist).
- Note is the field for entering a comment for the selected incident. If necessary, you can provide a comment for the incident.
Article ID: 238215, Last review: Dec 7, 2022