Adding an attention head

You can create multiple attention heads and use different attention heads for different monitors simultaneously.

The functionality is available after a license key is added.

A large number of attention heads can lead to reduced event processor performance and slow down the core Kaspersky MLAD services, such as data reception, anomaly detection, and the web interface. To clarify the number of attention heads, it is recommended to consult with Kaspersky experts or a certified integrator.

To add an attention head:

  1. In the main menu, select the Event ProcessorMonitoring section.
  2. On the page that opens, click Configure attention.

    The Attention heads panel appears on the right.

  3. To add an attention head, click Add attention head.

    The Add attention head panel appears on the right.

  4. In the Name field, specify the attention head name.
  5. To use the attention head when processing an event flow, set the State toggle switch to Active.
  6. Under Attention subject, do the following:
    1. From the Event parameter drop-down list, select the primary event parameter you want to register events and patterns for.
    2. In the Attention type drop-down list, select one of the following values:
      • Attention. When registering events and patterns, the event processor's attention will be directed to the selected event parameter based on selected value.
      • Generalized attention. When registering events and patterns, the event processor will aggregate the selected values by selected event parameter.

        When this attention type is selected, the event processor will register generic patterns that will not display the selected event parameter with the selected value when viewed. The Event Processor will track each specified event parameter value separately.

    3. Perform one of the following actions:
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        Selecting All values causes the event processor to track events and patterns for each specific event parameter value separately. To ensure stable event processor performance, we recommend defining specific values for the event subject.

      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.

        If you selected Generalized attention as the attention type, select at least two values for the event parameter.

      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

  7. If you need to generalize other event parameters, set the Generalize condition parameters toggle switch to Enabled.

    If generalized attention was selected as the attention type, then, when the switch is on, the event processor will generalize the remaining event parameters across all their values. In this case, the event processor will not register any event or pattern. To enable the Event Processor to generate events or patterns, you must define at least one event parameter in the Conditions block without generalization based on its values.

  8. To refine the criteria for registering patterns using additional event parameters, do the following under Conditions:
    1. Click the Add condition button.
    2. From the Event parameter drop-down list, select an additional event parameter to refine the data sample for events and patterns registration.
    3. In the Condition type drop-down list, select one of the following values:
      • Parameter. When registering events and patterns, the event processor will consider the values of the selected event parameter while taking into account the data sample obtained for the main event parameter.
      • Generalized parameter. When registering events and patterns, the event processor will aggregate the values of the selected parameter while considering the data sample obtained for the primary event parameter.

        When this condition type is selected, the event processor will register patterns that, when viewed, will not display the selected event parameter with the selected value.

        This value is available if the Generalized attention type is selected for the attention subject.

    4. Perform one of the following actions:
      • To include or generalize the new values of an event parameter in attention, select New values from the Value type drop-down list.

        New values is available in the following cases:

        • The condition type is set to Parameter.
        • The attention type is set to Attention, the Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        All values is available in the following cases:

        • The Generalize condition parameters toggle switch is on, and the condition type is set to Parameter.
        • The Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.
      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

    You can set more than one condition for additional event parameters. You can delete a previously added condition by clicking A basket icon. next to the condition.

    The conditions will be additionally applied to the data sample obtained for the main event parameter set under Attention subject. For example, if the Generalized attention type is selected and the Generalize condition parameters toggle switch is on, the Event Processor will register patterns that will display only those event parameters that were specified under Conditions while considering their selected values. If the toggle switch is off, the event processor will register patterns that will not display the generalized parameter specified under Attention subject. In this case, the values of the event parameters specified under Conditions will be considered.

  9. Click the Save button.

Information about the new attention head will be displayed in the table, in the Attention heads panel. You can rename the attention head, and enable or disable the use of the attention head for event processing.

Page top