System administrator tasks

This section contains a description of the system administrator tasks performed in the administrator menu of the application.

Managing user accounts

This section contains information about managing Kaspersky MLAD user accounts.

Kaspersky MLAD user accounts can be managed only by system administrators.

To ensure that users securely work with Kaspersky MLAD, install a trusted certificate for connecting to the web interface and create an account for each user.

All created user accounts and information about them are displayed in the table tn the Users section of the administrator menu.

When installing the application, a special User System account is created. This account is not intended for use by personnel when working with Kaspersky MLAD. This account cannot be used to connect to the application web interface. To clarify whether or not you can change its settings, you are advised to consult with Kaspersky experts or a certified integrator.

If necessary, you can also add and edit user accounts. Kaspersky MLAD does not allow you to delete user accounts. To prevent a specific account from accessing Kaspersky MLAD web interface, it is recommended to block this account. You can unblock this user account later if necessary. If an account was locked when the number of unsuccessful login attempts for that user was reached, you can unblock this account before the blocking period expires. You can specify the number of unsuccessful authorization attempts and the account blocking period when configuring the security settings of Kaspersky MLAD.

Next to each account, there is a vertical menu  that lets you revoke authentication tokens or view the list of rights for the specific user account.

Users section

Creating a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

To create a user account:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the Add user button.

   The Add user window opens.

4. In the Last name field, enter the last name of the user.
5. In the First name field, enter the first name of the user.
6. If necessary, enter the middle name of the user in the Middle name field.
7. In the Email address field, enter the email address of the user.
8. In the Password field, enter a password for the user account.

   The password must meet the following requirements:

   • Must contain the minimum number of characters defined in the Minimum password length setting.
   • Must contain letters of the English alphabet, numerals and/or special characters in accordance with the password policy that was set when configuring the security settings.
9. In the Confirm password field, type the password again to confirm the password for the user account.
10. Click the Save button.

Information about the new user will be displayed in the table. If necessary, you can modify user accounts and revoke their authentication tokens

When creating an account, you cannot assign a role to a user. You can assign a role to a user only when editing the user account.

Editing a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

When you edit a user account, you can assign the desired role to the user. You can also block or unblock a user account. If an account is blocked, the user cannot log in to Kaspersky MLAD.

If the user was logged in when the account was blocked, the application session is active until one of the following conditions is met:

• The user logged out of the account.
• The application automatically terminated the connection session when the authentication token for the user account expired.
• Authentication tokens have been revoked for the user account.

To edit a user account:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the Edit button in the row of the user account that you want to edit.

   The Edit user window opens.

4. If necessary, do the following:
   1. In the Last name field, enter a new last name for the user.
   2. In the First name field, enter a new first name for the user.
   3. In the Middle name field, enter a new middle name for the user.
5. In the Roles field, assign a role for the user account by selecting the corresponding check box.
6. If you need to change the password, enter the new password in the Password and Confirm password fields.

   The new password must meet the following requirements:

   • Must not match previously used passwords. The specific number of most recently used passwords that must not be reused is defined by the value of the Number of user passwords stored in history setting.
   • Must contain the minimum number of characters defined in the Minimum password length setting.
   • Must contain letters of the English alphabet, numerals and/or special characters in accordance with the password policy that was set when configuring the security settings.
7. If you want to block or unblock a user account, perform one of the following actions:
   • If you want to unblock a user account, set the State toggle switch to the Active position.
   • If you want to block a user account, set the State toggle switch to the Blocked position.

   Kaspersky MLAD does not allow you to delete user accounts. If you want to prevent a specific user account from accessing Kaspersky MLAD, it is recommended to block this user account.

8. Click the Save button.

The updated information about the user will be displayed in the table. If the password for a user account is changed, Kaspersky MLAD automatically terminates the user session of the user account whose password was changed.

Revoking authentication tokens for a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

After a user connects to the Kaspersky MLAD web interface, an individualized token is created so that the user authorization in the application can be saved between connection sessions to the application web interface, including when the browser is restarted. If a user is authorized on multiple assets, a token is created for each user session. If necessary, you can revoke tokens for a user account at any time. For the user whose tokens are revoked, their work session in the application is terminated simultaneously on all assets where they were authorized. Revoking tokens may be useful if you need to immediately terminate application connection sessions for a specific user.

To revoke a token or tokens for a user account:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the vertical menu , which is located in the row of the user account whose authentication tokens you want to revoke.
4. Select Revoke tokens.
5. In the confirmation window, click Yes.

The user account tokens are revoked, and the user session is terminated.

Viewing access rights for a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

In the Users section, you can view the list of rights for a specific user account.

To view the access rights for a user account:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the vertical menu , which is located in the row of the user account whose list of access rights you want to view.
4. Select List of rights.

The page displays a window containing information about the role and access rights of the selected user account.

Manage roles

In Kaspersky MLAD, you can use common roles to restrict user access to application functions depending on the tasks performed by specific users.

A role is a set of rights to access application functions that you can assign to a user.

Accounts with the following roles can be used to access application functions:

• The system administrator role is created automatically during installation of the application. The system administrator role is automatically assigned to the first user created during installation of Kaspersky MLAD. A user with the system administrator role has access to all functions of the application. The system administrator role cannot be modified or removed.
• A user role is created manually in the Roles section. Access to application functions depends on the list of rights granted to the user role. The number of user roles is unlimited.

The Roles section displays a table with information about all created roles.

Role management is available to system administrators.

Creating role

Role management is available to system administrators.

You can create user roles and select the access rights to application functions for them. After an active role is created, it will become available for assignment to application users.

To create a role:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Click the Create button.

   The Creating role pane will appear on the right.

4. In the Role name field, specify the required role name.

   You can enter up to 30 characters.

5. If necessary, enter a new description for the tag in the Role description field.
6. To grant access rights to a role, do the following:
   1. Click the Select rights button.

      The Grant rights to role pane appears on the right.

   2. In the list of rights, select the access rights to application functions that you want to grant to the role.

      When you select Rights to all actions, all system administrator functions will be available to the role.

   3. Click the Save button.
7. To enable the use of the role for application users, set the State switch to the Active position.
8. Click the Save button.

Editing role

Role management is available to system administrators.

To change a role:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Click the Edit button.

   The Editing role panel appears on the right.

4. In the Role name field, specify a new role name.

   You can enter up to 30 characters.

5. If necessary, enter a new description for the role in the Role description field.
6. To edit the access rights of a role, do the following:
   1. Click the Number of rights button.

      The Grant rights to role pane appears on the right.

   2. In the list of rights, change the selection of access rights to application functions that you want to grant to the role.

      When you select Rights to all actions, all system administrator functions will be available to the role.

   3. Click the Save button.
7. Perform one of the following actions:
   • If you need to use a role for application users, set the State switch to the Active position.
   • If you need to disable the use of a role for application users, set the State toggle switch to the Inactive position.
8. Click the Save button.

Deleting role

Role management is available to system administrators.

You can delete user roles that are not assigned to Kaspersky MLAD users.

System administrator role cannot be deleted.

To delete a role:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Select the check boxes next to the names of the roles that you want to remove.
4. Click the Delete button.
5. In the opened window, click Yes to confirm deletion.

Viewing access rights for a role

Role management is available to system administrators.

In the Roles section, you can view a list of access rights to application functions for users with a specific role.

To view the access rights for a role:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Click the List of rights button in the line of the role for which you want to view the list of rights.

   A window opens on the page with information about access rights to application functions for the selected role.

Managing incident notifications

This section describes how to manage notifications for incident registration. Notifications are emailed to the users for whom these notifications have been configured.

Only system administrators can manage incident notifications.

The Mail Notifier service must be configured and started in advance.

All created notifications about incidents and information about them are displayed in the Notifications section in the administrator menu.

If necessary, you can change the number of notifications displayed on one page.

You can create, edit, and delete notifications regarding specific incidents for Kaspersky MLAD users.

Notifications section

Creating an incident notification

Only system administrators can manage incident notifications.

To create an incident notification for a user:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. On the opened page, click the Create button.

   The Create notification window opens.

4. In the User drop-down list, select the user for whom you want to create a notification.

   The User list displays the last names and first names of users specified when user accounts were created.

5. In the Email address field, specify the email address to which incident notifications are sent.

   By default, Kaspersky MLAD automatically fills in the Email address field with the address specified for the selected user when the user account was created.

6. Specify the types of incidents for which the application will send notifications:
   • If you want to configure a notification about predicted tag values, select the Forecaster check box.
   • If you want to configure a notification about a tag value approaching the blocking threshold, select the Limit Detector check box.
   • If you want to configure a notification about a tag reaching the threshold set for a diagnostic rule, select the Rule Detector check box.
   • If you want to configure a notification about the termination or interruption of the input data stream for a specific tag, or about the detection of observations that arrived too soon or too late, select the Stream Processor check box.
7. In the Delivery language field, select the language of the delivered incident notifications.

   By default, the current localization language of the Kaspersky MLAD web interface is used for incident notifications. It is available in English and Russian.

8. To enable sending of notifications, set the State toggle switch to the Activated position.
9. Click the Save button.

Information about the new notification will be displayed in the table. If necessary, you can edit or delete notifications.

Editing an incident notification

Only system administrators can manage incident notifications.

To edit an incident notification:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. Select the check box next to the notification that you want to change and click the Edit button.

   The Edit button is available if only one notification is selected.

4. Make the necessary changes.
5. If necessary, enable or disable sending incident notifications using the State toggle switch.
6. Click the Save button to save the changes.

The updated information about the notification will be displayed in the table. If necessary, you can delete notifications.

Enabling and disabling sending notifications about incidents

Only system administrators can manage incident notifications.

Kaspersky MLAD allows you to temporarily disable sending of notifications instead of deleting their configuration. Information about notifications is saved in the Notifications section. You can enable sending of a notification at any time.

To enable or disable sending of incident notifications:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. Perform one of the following actions:
   • If you want to enable sending incident notifications, set the toggle switch in the State column to the Activated position for the relevant notification.
   • If you want to disable sending incident notifications, set the toggle switch in the State column to the Not activated position for the relevant notification.

Deleting an incident notification

Only system administrators can manage incident notifications.

To delete an incident notification:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. Select the check box next to the notification that you want to delete and click the Delete button.

   The Delete button is available if at least one notification is selected. You can select multiple notifications at the same time.

4. In the opened window, click Yes to confirm deletion.

Information about the notification will be deleted from the table.

Kaspersky MLAD lets you temporarily disable sending of notifications instead of deleting them.

Configuring Kaspersky MLAD

This section contains instructions on configuring the settings of Kaspersky MLAD services and connectors, as well as on configuring security settings, logging levels for application services, settings for displaying the application menu, and on managing typical statuses and causes of incidents.

Configuring the main settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the name of the monitored asset, web address and IP address for connecting users to the application web interface, and the frequency of receiving new data from the monitored asset. The name of the monitored asset will be displayed in each section of the Kaspersky MLAD web interface.

System administrators can configure the main settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Main section.

   A list of options appears on the right.

3. In the Name of monitored asset field, specify the name of the monitored asset.
4. In the Application web address field, specify the web address of the application.
5. In the Application connection IP address field, specify the IP address of the application.
6. In the Interval for receiving data from the Message Broker service (ms) field, specify the interval for updating telemetry data in the application web interface.

   The higher the specified parameter value, the less frequently the data is updated.

7. In the Interval for receiving incident statistics from the database (ms) field, indicate how frequently data on incidents registered by the application should be updated in the application web interface.
8. In the Monitored asset time zone drop-down list, select the required time zone.
9. Click the Save button.

Configuring the security settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the conditions for blocking user accounts, the user inactivity period in accordance with the enterprise security policy, and the settings for storing information security event logs in the Kaspersky MLAD database. Information security event logs are automatically written to the database. If necessary, you can specify the settings of an external system to which the information security event logs should be sent.

System administrators may be responsible for configuring the security settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Security section.

   A list of options appears on the right.

3. In the Authorization parameters block, do the following:
   1. In the Number of authentication attempts field, specify the number of unsuccessful authorization attempts. When this number is reached, Kaspersky MLAD blocks the corresponding user account.
   2. In the User lock duration (sec) field, specify the time period (in seconds) to block a user account after reaching the specified number of unsuccessful authorization attempts.
   3. In the User inactivity period (min) field, specify the permissible duration of an inactive user session (in minutes).

      When the specified time period is reached, Kaspersky MLAD automatically terminates the inactive user session.

   4. If you need to prevent users from ignoring the password change recommendation when they connect to the application web interface for the first time, turn on the Require password change on first login toggle switch.
4. In the Password policy settings block, do the following:
   1. In the Number of user passwords stored in history field, specify the number of most recent user passwords that are stored in the application.

      You can specify a value starting with 1.

      When the user password is changed, the new password must not match any passwords stored in Kaspersky MLAD. The application stores passwords in encrypted form.

   2. In the Password expiration period (days) field, specify the number of days during which the user can use their current password to connect to the application without changing it.
   3. In the Minimum password length field, specify the minimum number of characters for user passwords.

      You can specify a value in the range of 8 to 128.

   4. If your security policy stipulates that user passwords must contain uppercase letters of the English alphabet, turn on the Require use of uppercase letters of the English alphabet (A-Z) toggle switch.
   5. If your security policy stipulates that user passwords must contain lowercase letters of the English alphabet, turn on the Require use of lowercase letters of the English alphabet (a-z) toggle switch.
   6. If your security policy stipulates that user passwords must contain numerals, turn on the Require use of numerals (0-9) toggle switch.
   7. If your security policy stipulates that user passwords must contain special characters, turn on the Require use of special characters (_!@#$%^&*) toggle switch.
5. In the Storage parameters for information security event logs block, do the following:
   1. In the Volume of information security event logs (MB) field, specify the volume limit (in megabytes) for storing information security event logs in the database.

      If the field is blank, Kaspersky MLAD stores all information security event logs for the time period specified in the Storage time for information security event logs (days) setting.

      If the specified volume of information security event logs in the database is exceeded, Kaspersky MLAD deletes the oldest entries.

   2. In the Storage time for information security event logs (days) field, specify the number of days to store information security event logs in the database.
6. Click the Save button.

Configuring the Anomaly Detector service

In Kaspersky MLAD, an ML model can contain the following detectors:

• Limit Detector detects anomalies whenever the tag value falls below the minimum value or exceeds the maximum value.
• Forecaster predicts the current behavior of an object based on data about its behavior in the recent past.
• XGBoost with a certain probability detects anomalies in the monitored asset data based on the data sample for the examined time interval learned by the XGBoost classifier.
• Rule Detector builds predictions for the tag values during normal operation of the monitored asset and registers incidents whenever one or multiple rules are triggered.

You can configure the procedure for detecting anomalies based on the specific features of your monitored asset by enabling or disabling the necessary detectors in the Anomaly Detector service settings.

System administrators can configure the Anomaly Detector service.

To configure the settings of the Anomaly Detector service in Kaspersky MLAD:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → Anomaly Detector.

   A list of options appears on the right.

3. Enable or disable the Limit Detector using the Use Limit Detector toggle switch.
4. Enable or disable the Forecaster detector using the Use Forecaster detector toggle switch.
5. Enable or disable the XGBoost detector using the Use XGBoost detector toggle switch.
6. Enable or disable use of the Rule Detector using the Use Rule Detector toggle switch.
7. Enable or disable the function for skipping gaps in the incoming data stream using the Skip gaps in data toggle switch.
8. In the Maximum number of records requested from the Message Broker service field, enter the number of records that must be requested from the Message Broker service for subsequent processing in the Anomaly Detector.
9. In the Number of messages sent in one block to the Message Broker service field, enter the number of incidents that must be sent to the Message Broker service at one time.
10. In the Number of simultaneously running models field, enter the maximum number of ML models that can analyze telemetry data at the same time.

    For maximum performance of Kaspersky MLAD, the number of ML models running at the same time must not exceed 80% of the number of cores of the server where Kaspersky MLAD is installed.

11. Click the Save button.

Configuring the Keeper service

Kaspersky MLAD uses the Keeper service to route telemetry data that should be saved in the database. You can configure the settings that define the rate of incoming data received from connectors and external sources, and the volume of data that is saved in the Kaspersky MLAD database.

System administrators can configure the data routing settings in Kaspersky MLAD.

To configure the Kaspersky MLAD data routing settings:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Keeper section.

   A list of options appears on the right.

3. Perform one of the following actions:
   • To save both known and unknown tags from external sources to the database, turn on the Save all tags toggle.
   • To save only the tags that are known to the application, turn off the Save all tags toggle.
4. In the Timeout for receiving tags (ms) field, enter the maximum timeout (in milliseconds) for receiving the values of tags.
5. In the Timeout for receiving incidents (ms) field, enter the maximum timeout (in milliseconds) for receiving incidents.
6. In the Timeout for receiving metrics (ms) field, enter the maximum timeout (in milliseconds) for receiving metrics.

7. Click the Save button.

Configuring the Mail Notifier service

Kaspersky MLAD uses the Mail Notifier service to notify users when incidents are registered by the application.

System administrators can configure the Mail Notifier service.

Configuring the Mail Notifier service is optional; it is performed if an SMTP server is configured in the monitored asset network.

To configure the Mail Notifier service:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → Mail Notifier.

   A list of options appears on the right.

3. In the SMTP server address field, enter the IP address of the SMTP server.
4. In the SMTP server port field, enter the port of the SMTP server.
5. In the SMTP server user name field, enter the user name for the SMTP server.
6. In the SMTP server password field, enter the password for the SMTP server.
7. If necessary, enable secure TLS connection using the Use TLS connection toggle switch.

   By default, use of a secure TLS connection is disabled.

   To avoid compromising the received and/or sent data, it is recommended to enable the use of a secure TLS connection. It is recommended to use a secure TLS connection via the TLS-1.2 or TLS-1.3 protocol using a cipher suite from the list of recommended ciphers.

8. If you are using a secure TLS connection, do the following:
   • Upload the SMTP server certificate using the Browse button under SMTP server certificate.
   • Upload the key to the SMTP server certificate file using the Browse button under the Key to SMTP server certificate setting.

   It is recommended to use a certificate created according to the X.509 standard with a certificate key length of at least 4096 bits.

   To delete the certificate file or certificate key, click the Clear icon () in the corresponding field. To save the certificate file or certificate key on your computer, click the Download icon () in the corresponding field.

9. Click the Save button.

Configuring the Similar Anomaly service

Kaspersky MLAD uses the Similar Anomaly service to identify similar incidents and combine them into groups. In groups, you can view similar incidents that were registered at different times.

System administrators can configure the Similar Anomaly service.

To configure the Similar Anomaly service:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → Similar Anomaly.

   A list of service settings appears on the right.

3. In the Minimum number of incidents in group field, enter the minimum number of similar incidents for forming a group.
4. In the Maximum number of incidents in group field, enter the maximum number of incidents that can be put into one group.

   The larger the specified value, the more incidents the application can assign to one group.

5. In the Maximum distance between similar incidents field, enter the maximum distance that similar incidents can lag behind each other.

   You can specify a value in the range of 0 to 1.

6. Click the Save button.

Configuring the Stream Processor service

The Stream Processor service gathers real-time telemetry data (input stream) received from the monitored asset at arbitrary points in time and converts this data to a UTG (output stream). Based on the accumulated data, the Stream Processor service determines the values of tags in the output data stream. After converting data into an output stream, the Stream Processor service forwards this data to the ML model for processing.

When converting incoming telemetry data, the Stream Processor service accounts for potential data losses (for example, if the network of the monitored asset temporarily goes down) and processes observations that were received in Kaspersky MLAD too early or too late. In these cases, the Stream Processor service generates default incidents and/or forwards default tag values to the output data stream.

The Stream Processor service can also compute derivative tags based on incoming telemetry data (for example, to calculate the moving average or average value of a group of tags).

The Stream Processor service configuration file for uploading is provided by Kaspersky specialists or a certified integrator.

System administrators can configure the Stream Processor service.

To configure the Stream Processor service:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → Stream Processor.
3. In the Fixed-interval sequence frequency (sec) field, specify the period (in seconds) for which the Stream Processor service will process incoming telemetry data.
4. Using the Browse button under the Configuration file setting, add a file that contains configuration settings for the Stream Processor service.

   To delete the configuration file for the Stream Processor service, click Clear (). To save the configuration file on your computer, click the Download icon ().

5. Click the Save button.

Configuring the HTTP Connector

Kaspersky MLAD uses the HTTP Connector to receive data from CSV files during scheduled uploads of data using the POST method. You can download data via HTTP or HTTPS by specifying the relevant protocol in a request.

System administrators can configure the HTTP Connector.

The HTTP Connector does not support a secure connection. If you want to use a secure connection to receive and send data, it is recommended to use additional means to secure the network connection (for example, use a VPN) or use another method to prevent unauthorized access to the communication channel.

To configure the HTTP Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → HTTP Connector.

   A list of options appears on the right.

3. Use the Write data to the Message Broker service toggle switch to enable writing data to the Message Broker service.
4. If necessary, use the Save received file toggle switch to enable the function for saving received CSV files.
5. In the Size of written block (tag count) field, specify the number of tags that are written to the Message Broker service at one time.
6. In the Maximum size of uploaded file (MB) field, specify the maximum size (in megabytes) of a file transmitted to the HTTP Connector.

   If you try to download a larger CSV file, the file would not be passed to the HTTP Connector.

7. Click the Save button.

Kaspersky MLAD will receive data from CSV files using the HTTP Connector.

The following is an example of sending a CSV file to the HTTP Connector via cURL over HTTP using the POST method to port 4999 of the Kaspersky MLAD server:

The HTTP Connector accepts CSV files with the following fields:

timestamp;tag_name;value

where:

• timestamp is the time stamp in the format %Y-%m-%dT%H:%M:%S.
• tag_name is the name of the tag.
• value is the tag value.

  If a tag value contains a fractional portion, use a dot to separate the integer from the fractional portion.

Configuring the MQTT Connector

Kaspersky MLAD uses the MQTT Connector to receive data and send messages about incident registration via the MQTT (Message Queuing Telemetry Transport) protocol.

System administrators can configure the MQTT Connector.

To configure the MQTT Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → MQTT Connector.

   A list of options appears on the right.

3. If necessary, use the Use TLS connection toggle switch to enable secure TLS connection.

   By default, use of a secure TLS connection is disabled.

   To avoid compromising the received and/or sent data, it is recommended to enable the use of a secure TLS connection. It is recommended to use a secure TLS connection via the TLS-1.2 or TLS-1.3 protocol using a cipher suite from the list of recommended ciphers.

4. In the MQTT broker (address:port) field, specify the host name and port of the external MQTT broker that the MQTT Connector will interact with.

   The default value of this parameter is mqtt_broker:1883.

5. In the User name for MQTT connection field, enter the user name.
6. In the Password for MQTT connection field, enter the user's password.
7. If you enabled the use of a secure TLS connection and a self-signed certificate is installed on the MQTT broker, add the root certificate for the MQTT broker using the Browse button under the CA certificate setting.

   To delete the certificate file, click the Clear icon (). To save the certificate file on your computer, click the Download icon ().

8. If you enabled the use of a secure TLS connection and client authentication is enabled on the MQTT broker, do the following:
   • Add the MQTT client application certificate by using the Browse button under the Client certificate setting.
   • Add the key to the MQTT client application certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate created according to the X.509 standard with a certificate key length of at least 4096 bits.

   To delete the certificate file or certificate key, click the Clear icon () in the corresponding field. To save the certificate file or certificate key on your computer, click the Download icon () in the corresponding field.

9. In the List of MQTT subscriptions for receiving tags field, enter the name of the list of MQTT subscriptions from which the MQTT Connector will receive tag values.

   The default value of this parameter is tags.

10. In the MQTT topic for publishing messages field, specify the name of the topic where the MQTT Connector will publish messages about incident registration.

    If no value is defined for this setting, messages are not sent.

    This setting has no value by default.

11. In the Data format drop-down list, select the format to receive data from external systems and send incident alerts.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If none of the incident data and alert formats suits you, you can contact Kaspersky Lab experts to add the required format.

12. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the certificate file, click the Clear icon (). To save the certificate file on your computer, click the Download icon ().

13. If you need to recalculate the tag values based on the parameter values specified in the preset file, turn on the Scale obtained tag values toggle switch.

    By default, scaling of the received data is disabled.

14. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the MQTT protocol.

Configuring the AMQP Connector

Kaspersky MLAD uses the AMQP Connector to receive data and send messages about incident registration via AMQP (Advanced Message Queuing Protocol).

System administrators can configure the AMQP Connector.

To configure the AMQP Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → AMQP Connector.

   A list of options appears on the right.

3. If necessary, use the Use TLS connection toggle switch to enable secure TLS connection.

   By default, use of a secure TLS connection is disabled.

   To avoid compromising the received and/or sent data, it is recommended to enable the use of a secure TLS connection. It is recommended to use a secure TLS connection via the TLS-1.2 or TLS-1.3 protocol using a cipher suite from the list of recommended ciphers.

4. In the AMQP broker (address:port) field, specify the host name and port of the external AMQP broker that the AMQP Connector will interact with.

   The default value of this parameter is rabbitmq:5672.

5. In the User name for AMQP connection field, enter the user name.
6. In the Password for AMQP connection field, enter the user's password.
7. If you enabled the use of a secure TLS connection and a self-signed certificate is installed on the AMQP broker, add the root certificate for the AMQP broker using the Browse button under the CA certificate setting.

   To delete the certificate file, click the Clear icon (). To save the certificate file on your computer, click the Download icon ().

8. If you enabled the use of a secure TLS connection and client authentication is enabled on the AMQP broker, do the following:
   • Add the AMQP client application certificate by using the Browse button under the Client certificate setting.
   • Add the key to the AMQP client application certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate created according to the X.509 standard with a certificate key length of at least 4096 bits.

   To delete the certificate file or certificate key, click the Clear icon () in the corresponding field. To save the certificate file or certificate key on your computer, click the Download icon () in the corresponding field.

9. In the AMQP virtual host field, specify the virtual host for establishing a connection between the AMQP Connector and the external AMQP broker.

   The default value of this parameter is /.

10. In the AMQP exchange point name for receiving tags field, specify the name of the exchange point to receive tags from an external AMQP broker.

    If a value is not defined for this parameter, tags will not be received via the AMQP Connector.

    This setting has no value by default.

11. In the List of AMQP subscriptions for receiving tags field, specify the name of the list of subscriptions from which the AMQP Connector will receive tag values.

    The default value of this parameter is #.

12. In the AMQP queue for receiving tags field, specify the name of the queue for the AMQP connector. This field is optional.
13. In the AMQP exchange point name for publishing messages field, specify the name of the exchange point for sending messages about events.

    If no value is defined for this parameter, messages will not be sent. You can specify the same name that you indicated in step 10 of these instructions.

    This setting has no value by default.

14. In the AMQP topic for publishing messages field, specify the name of the topic where the AMQP Connector will publish messages about incident registration.

    The default value of this parameter is alert.

15. In the Data format drop-down list, select the format to receive data from external systems and send incident alerts.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If none of the incident data and alert formats suits you, you can contact Kaspersky Lab experts to add the required format.

16. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the connector configuration file, click the Clear icon (). To save the connector configuration file on your computer, click the Download icon ().

17. If you need to recalculate the tag values based on the parameter values specified in the preset file, turn on the Scale obtained tag values toggle switch.

    By default, scaling of the received data is disabled.

18. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the AMQP protocol.

Configuring the OPC UA Connector

Kaspersky MLAD uses the OPC UA Connector to receive data over a protocol described by the OPC Unified Architecture specification.

System administrators can configure the OPC UA Connector.

The OPC UA Connector does not support a secure connection. If you want to use a secure connection to receive and send data, it is recommended to use additional means to secure the network connection (for example, use a VPN) or use another method to prevent unauthorized access to the communication channel.

To configure the OPC UA Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → OPC UA Connector.

   A list of options appears on the right.

3. In the Connection point field, specify the connection address.

   For example: opc.tcp://10.0.0.0:8001/freeopcua/server/.

4. In the OPC UA server connection timeout (sec) field, specify the time period (in seconds) that the OPC UA Connector will attempt to establish a connection with the OPC UA server.
5. Using the Browse button under the Configuration file setting, add a file containing settings for configuring the OPC UA Connector.

   To delete the connector configuration file, click the Clear icon (). To save the connector configuration file on your computer, click the Download icon ().

6. In the Historical data interval (sec) field, specify the time interval (in seconds) for which the OPC UA Connector requests historical data stored on the OPC UA server.

   Enter 0 if you do not need to download historical data. Enter -1 if you need to download all historical data.

7. In the Start of historical data period (YYYY/MM/DD HH:MM:SS) field, specify the start date and time of the period for which you want to download data from the OPC UA server.
8. In the End of historical data period (YYYY/MM/DD HH:MM:SS) field, specify the end date and time of the period for which you want to download data from the OPC UA server.
9. In the Size of historical data block sent by OPC UA server (numvalues parameter) field, specify the number of tags that will be transmitted in the historical data block sent to the OPC UA Connector from the OPC UA server.
10. In the Size of historical data block sent to Message Broker service field, specify the number of tags that will be transmitted in the historical data block sent from the OPC UA Connector to the Message Broker service.
11. Click the Save button.

Configuring the KICS Connector

Kaspersky MLAD uses the KICS Connector to receive data from Kaspersky Industrial CyberSecurity for Networks 4.0 and later and to send back incident registration messages.

The connector for integration with Kaspersky MLAD must be created and added to Kaspersky Industrial CyberSecurity for Networks in advance. For detailed information about creating and adding a connector, please refer to the Adding a connector section of Kaspersky Industrial CyberSecurity for Networks Help Guide.

System administrators can perform integration with Kaspersky Industrial CyberSecurity for Networks version 4.0 or higher.

To configure the KICS Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → KICS Connector.

   A list of options appears on the right.

3. Using the Browse button under the setting Communication data package for KICS Connector (zip) field, add the file containing the settings for configuring interaction between Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks.

   For detailed information about creating a communication data package, please refer to the Kaspersky Industrial CyberSecurity for Networks Help Guide. The created communication data package must be saved on the computer where Kaspersky MLAD is installed.

   To delete a communication data package, in the Communication data package for KICS Connector (zip) field, click the Clear () icon. To save the communication data package on your computer, click the Download icon ().

4. In the Password for KICS Connector field, enter the password that you specified when adding the connector to Kaspersky Industrial CyberSecurity for Networks.
5. If you need to send incident registration notifications to Kaspersky Industrial CyberSecurity for Networks, turn on the Send messages to Kaspersky Industrial CyberSecurity for Networks toggle switch.
6. In the Tag sampling frequency (Hz) field, specify the frequency (in Hz) at which you need to receive tag values from Kaspersky Industrial CyberSecurity for Networks.

   Indicate 0 in this field if data sampling is not required. Data sampling is a method of adjusting a training sample to balance the distribution of classes in the original data set.

7. If you need to recalculate the tag values based on the parameter values specified in the preset file, turn on the Scale obtained tag values toggle switch.

   By default, scaling of the received data is disabled.

8. Click the Save button.

Kaspersky MLAD receives data from Kaspersky Industrial CyberSecurity for Networks and sends back messages about incident registration.

Configuring the CEF Connector

Kaspersky MLAD uses the CEF Connector to receive data from external sources of events (such as the Industrial Internet of Things, network devices and applications) and to send incident registration messages to an external system.

You can also use the CEF Connector to send information security event logs of Kaspersky MLAD to an external system. Information security event logs are automatically written to the Kaspersky MLAD database.

To receive events from external sources using the CEF Connector, configure the Event Processor service.
Before configuring the CEF Connector settings in the Kaspersky MLAD web interface, the IP address and port number to be used for connecting the external event source to the CEF Connector must be specified in the .env file. The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

System administrators can configure the CEF Connector.

The CEF Connector does not support a secure connection. If you want to use a secure connection to receive and send data, it is recommended to use additional means to secure the network connection (for example, use a VPN) or use another method to prevent unauthorized access to the communication channel.

To configure the CEF Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → CEF Connector.

   A list of options appears on the right.

3. If necessary, use the Receive events for Event Processor service toggle switch to enable use of the CEF Connector for receiving events from an external system.
4. If you need to send messages about incidents registered by the application to an external system, turn on the Send registered incidents to SIEM system toggle switch.
5. To send messages about the events registered by the Event Processor service to an external system, enable the Send registered events to SIEM system option.
6. In the IP address for sending events and incidents to SIEM system field, specify the IP address for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
7. In the Port for sending events and incidents to SIEM system field, specify the port number for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
8. If you need to send information security event logs of Kaspersky MLAD to an external system, turn on the Send information security event logs to Syslog server toggle switch and do the following:
   1. In the Transport protocol for sending information security events to Syslog server drop-down list, select the protocol that you want to use for sending information security event logs.

      Kaspersky MLAD supports the TCP and UDP protocols for sending information security event logs to an external system.

   2. In the Syslog server address for sending information security events field, specify the IP address or host name of the external system to which the information security event logs must be sent.
   3. In the Syslog server port for sending information security events field, specify the port number of the external system to which the information security event logs must be sent.
9. Click the Save button.

Configuring the WebSocket Connector

Kaspersky MLAD uses the WebSocket Connector to receive data and send messages about incident registration via the WebSocket protocol.

System administrators can configure the WebSocket Connector. The instructions in this section are provided for information purposes.

To configure the WebSocket Connector:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → WebSocket Connector.

   A list of options appears on the right.

3. In the WebSocket server web address field, specify the web address of the WebSocket server that the WebSocket Connector will interact with.

   Enter the web address in the format: WebSocket protocol://address:port/.

4. If it is necessary to use a secure connection and a self-signed certificate is installed on the WebSocket server, add the root certificate for the WebSocket server using the Browse button under the CA certificate setting.

   To delete the certificate file, click the Clear icon (). To save the certificate file on your computer, click the Download icon ().

5. If it is necessary to use a secure connection and client authentication is enabled on the WebSocket server, do the following:
   • Add the WebSocket client application certificate by using the Browse button under the Client certificate setting.
   • Add the key to the WebSocket client application certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate created according to the X.509 standard with a certificate key length of at least 4096 bits.

   To delete the certificate file or certificate key, click the Clear icon () in the corresponding field. To save the certificate file or certificate key on your computer, click the Download icon () in the corresponding field.

6. In the Data format drop-down list, select the format to receive data from external systems and send incident alerts.

   The following options are available: JSONBatch, Topic, SmartHome, KISG.

   The default value of this parameter is JSONBatch.

   If none of the incident data and alert formats suits you, you can contact Kaspersky Lab experts to add the required format.

7. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

   To delete the connector configuration file, click the Clear icon (). To save the connector configuration file on your computer, click the Download icon ().

8. If you need to recalculate the tag values based on the parameter values specified in the preset file, turn on the Scale obtained tag values toggle switch.

   By default, scaling of the received data is disabled.

9. To send alerts about the incidents registered in Kaspersky MLAD to a WebSocket server, enable the Submit incidents option.
10. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the WebSocket protocol.

Configuring the Event Processor service

Kaspersky MLAD uses the Event Processor service to identify patterns and anomalous sequences of events and patterns. You can configure the settings of the Event Processor service.

If Kaspersky MLAD is restarted, you do not need to re-configure the Event Processor service settings. Kaspersky MLAD restores the Event Processor service state from the database or file in bit format. This restoration process may take several minutes if there is a significantly large number of processed events or registered patterns. Until the state of the Event Processor service is restored in the Event Processor section, requests will not be fulfilled, data will not be updated, and data received from the CEF Connector will not be processed. This data is temporarily stored in the system message queue and is processed after the state of the Event Processor service is restored.

The Event Processor service may require a large amount of RAM on the server where Kaspersky MLAD is installed. The amount of RAM usage depends on the rate of the event stream and the volume of events history that is processed. The specific configuration of the Event Processor service also has an effect on the amount of RAM usage.

System administrators can configure the Event Processor service.

To configure the Event Processor service:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters → Event Processor.

   A list of service settings appears on the right.

3. In the Online mode section, do the following:
   1. Using the Browse button under the setting Event processor configuration file field, add the file containing the configuration settings for the Event Processor service.

      The Configuration file is created by a qualified technical specialist of the Customer, a Kaspersky Lab employee or a certified integrator.

      To delete the configuration file for the Event Processor service, click Clear (). To save the configuration file on your computer, click the Download icon ().

      Changing the configuration file of the Event Processor service results in a complete loss of the service's data.

   2. If you need to process incidents registered by the Anomaly Detector service, turn on the Process incidents as events toggle switch.
   3. In the Maximum number of network layers field, specify the number of layers of the semantic neural network that will be used.

      The default number of network layers for event data that is based on a specific structure is ten layers. In most cases, ten layers are enough for the hierarchical presentation of data in the semantic neural network at the core of the Event Processor. To identify patterns of periodic processes that span an extended period of time, you may need to increase the value of the Maximum number of network layers parameter.

   4. In the Coefficient defining the permitted dispersion of the pattern duration field, specify the coefficient used to determine the permissible dispersion of intervals between elements in the same pattern.

      If the actual dispersion value is less than or equal to one that is specified, the identified sequences of events will be registered as one pattern.

   5. In the Interval for receiving batch events (sec.) field, specify the time interval (in seconds) for which the Event Processor service forms an episode from incoming events received for processing.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate this value as the interval for receiving new events so that you receive a number of events close to the value indicated in the Batch size in online mode (number of events) field during the specified period. If the rate of incoming events is a lot lower than this value, you should adjust the interval for receiving new events to ensure an optimal frequency of event processing.

   6. In the Batch size in online mode (number of events) field, specify the maximum number of events per episode to be subsequently processed by the Event Processor service.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate a value equal to 4096 in this field.

   7. In the Method of saving the state of the Event Processor service drop-down list, select one of the following options for saving the Event Processor service state:
      • Database table – Kaspersky MLAD saves the results from processing each episode in the database table.
      • File in bit format – Kaspersky MLAD saves the state of the Event Processor service according to the frequency defined in the Component backup frequency field. The application saves the state of the service to the file specified in the File containing a backup copy of the component state field.

        Saving the Event Processor service state to a file in bit format is recommended for debugging and configuring the application settings by Kaspersky employees during the deployment of Kaspersky MLAD.

      By default, the Event Processor service saves the results of event stream processing in a database table.

      Changing the way of saving the Event Processor service state results in a complete loss of the service's data.

   8. If you select to store the Event Processor service state in a file in bit format, in the Component backup frequency field, specify how often (in days, hours, and minutes) to perform a backup of the Event Processor service.
   9. If you chose to store the status of the Event Processor service as a bitmap file, add the file that contains a backup copy of the Event Processor service via the Browse button under the File containing a backup copy of the component state setting.

      This file will be used if you ever need to restore the state of the Event Processor service. The state of the Event Processor service can be restored by Kaspersky experts as part of their extended technical support.

      To delete the file containing a backup copy of the Event Processor service, click Clear (). To save the file containing a backup copy of the service on your computer, click the Download () icon.

4. In the Sleep mode section, do the following:
   1. In the Batch size in sleep mode (number of events) field, specify the number of events for forming an episode in sleep mode.

      The Event Processor service generates episodes based on the history of events received for reprocessing during the time interval specified in the Events history interval for processing in sleep mode field.

   2. In the Send alerts when the monitor is activated in sleep mode field, select one of the following values:
      • Send alerts when the monitor is activated by any pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if the patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Do not send alerts when the monitor is activated – Kaspersky MLAD does not send alerts when the monitor is activated in the sleep mode.
      • Send alerts when the monitor is activated by a new pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if new patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Send alerts when the monitor is activated by a previously registered pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if stable patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
   3. In the Sleep mode frequency field, specify how often (in days) and at what time (according to the UTC standard) the Event Processor service goes to the sleep mode to reprocess events.

      It is recommended to specify the time when the event stream is the least intensive as the start time for the sleep mode.

      If the specified sleep time has not yet come on the current day, the Event Processor will go to the sleep mode on that day. If the sleep time has already been missed on the current day, the Event Processor will go to the sleep mode at the specified time after the specified number of days.

   4. In the Sleep mode duration (HH:MM) field, specify the time period (in hours and minutes) during which the Event Processor service processes events in the sleep mode.
   5. In the Events history interval for processing in sleep mode field, specify the time interval (in days, hours, and minutes) during which the analyzed events must be forwarded for reprocessing in the sleep mode to the Event Processor service.
5. Click the Save button.

Configuring the statuses and causes of incidents

Kaspersky MLAD lets you specify the causes of incidents and the statuses of incidents and groups of incidents.

The status of an incident or a group of incidents is a mark about the status of incident analysis performed by an expert. After installation of Kaspersky MLAD, the following statuses of incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore and False positive.

The incident cause is a mark of the cause of the incident added by an expert based on the results of the incident analysis.

You can add causes and statuses for incidents. The created causes and statuses of incidents will become available for selection in the Incidents section. You can also change and delete statuses and causes of incidents.

System administrators can configure the causes and statuses of incidents.

To add statuses of incidents:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Incidents section.
3. In the Statuses of incidents section, click the Create button.

   The Create element pane will appear on the right.

4. In the Value, in Russian field, specify the name of the incident status in Russian.
5. In the Value, in English field, specify the name of the incident status in English.
6. In the Sort field, indicate the sequence number for which the incident status will be sorted in the Status drop-down list in the Incidents section.

   The statuses of incidents will be sorted by their names if the sequence numbers of incident statuses coincide.

7. To send incident registration notifications together with the added status and display its indicator in the MSE subsection of the Monitoring and History sections, select the Notify about an incident check box.
8. Click the Save button.

To add causes for incidents:

1. In the administrator menu, select System parameters → Incidents.
2. In the Causes of incidents section, click the Create button.

   The Create element pane will appear on the right.

3. In the Incident cause field, specify the name of the incident cause.
4. In the Sort field, indicate the sequence number for which the incident cause will be sorted in the Incident cause drop-down list in the Incidents section.

   The causes of incidents will be sorted by their names if the sequence numbers of incident causes coincide.

5. Click the Save button.

To change the statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To change the parameters of incidents, do one of the following:
   • If you need to change the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Edit button.
   • If you need to change the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Edit button.
3. Make the necessary changes.
4. Click the Save button.

To remove statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To remove parameters of incidents, do one of the following:
   • If you need to delete the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Delete button.
   • If you need to delete the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Delete button.
3. In the opened window, click Yes to confirm deletion.

Kaspersky MLAD will remove information about the incident statuses and causes from the corresponding tables and will remove them from the information about incidents and incident groups in the Incidents section for which these incident causes or statuses were selected.

Configuring logging of Kaspersky MLAD services

You can configure the log level for Kaspersky MLAD services to write specific information about the state of the application and display it in the logging system (Grafana). To view how Kaspersky MLAD services are mapped to the names of Docker containers and images, see the Appendix.

System administrators can configure the logging of Kaspersky MLAD services.

To configure the log levels of Kaspersky MLAD services:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Logging section.

   The list of Kaspersky MLAD services will be displayed on the right.

3. If necessary, use the drop-down lists next to the name of the relevant service to change the log level of the service.

   The following log levels are available in Kaspersky MLAD:

   • Debug – log all information in the application.
   • Info – log basic information about application operations.
   • General – log important information about application operations.
   • Warning – log errors that occur during operation of the application and log events that could lead to errors in application operations.
   • Error – log errors that occur in application operations.
   • Critical – log critical errors that occur in application operations.

   The General log level is used for most services by default. The Info log level is used for the API Server service by default.

4. Click the Save button.

Configuring time intervals for displaying data

Kaspersky MLAD lets you specify the time interval (scale) for displaying data on graphs in the Monitoring, History and Time slice sections. After installation of Kaspersky MLAD, the following time intervals are available by default:

• 1, 5, 10, 15, and 30 minutes
• 1, 3, 6, and 12 hours
• 1, 2, 15, and 30 days
• 3 and 6 months
• 1, 2, and 3 years

You can add time intervals for displaying data on graphs. The created time intervals will become available for selection in the Monitoring, History and Time slice sections. You can also edit and delete time intervals.

System administrators can configure the time intervals for displaying data on charts.

To add time intervals for displaying data:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the System parameters → Graphs section.
3. In the Time intervals settings group, click the Create button.

   The Create element pane will appear on the right.

4. In the Time interval (sec.) field, specify the time interval for which you want to display data on graphs.

   When a time interval is entered, Kaspersky MLAD automatically breaks down the time interval into specific units of time (years, months, weeks, days, hours, minutes, and seconds) in the Value, in Russian and Value, in English fields.

5. If necessary, change the Russian name of the time interval in the Value, in Russian field.
6. If necessary, change the English name of the time interval in the Value, in English field.

7. In the Sort field, indicate the sequence number for which the time interval will be sorted in the drop-down lists in the Monitoring, History and Time slice section.
8. Click the Save button.

To change the time intervals for displaying data:

1. In the administrator menu, select System parameters → Graphs.
2. In the Time intervals settings group, select one or more time intervals and click the Edit button.
3. Make the necessary changes.
4. Click the Save button.

To delete time intervals for displaying data:

1. In the administrator menu, select System parameters → Graphs.
2. In the Time intervals settings group, select one or more time intervals and click the Delete button.
3. In the opened window, click Yes to confirm deletion.

Information about the time interval will be deleted from the table.

Configuring how the Kaspersky MLAD main menu is displayed

System administrators can configure settings for displaying the main menu of Kaspersky MLAD.

To configure how the main menu and the administrator menu of Kaspersky MLAD are displayed:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. On the opened page, in the menu on the left, select System parameters → Menu.

   A list of options appears on the right.

3. In the Availability of main menu items settings group, use the toggle switch to enable or disable the display of a specific section in the main menu.
4. In the Availability of administrator menu items settings group, use the toggle switch to enable or disable the display of a specific section in the administrator menu.
5. Click the Save button.

Export and import of Kaspersky MLAD settings

Kaspersky MLAD allows you to export and import configuration files that contain the settings of application services and connectors, as well as security settings, application service logging levels, settings for displaying the application menu and for managing typical statuses and causes of incidents, which are configured through the web interface. This could substantially reduce the time spent on configuring Kaspersky MLAD if you have to re-deploy the application.

When exporting settings, Kaspersky MLAD does not save to the archive file the passwords specified in the System parameters section, as well as the certificate files and certificate file keys uploaded in this section.

Only system administrators are allowed to export and import configuration files for Kaspersky MLAD services.

To export configuration files from Kaspersky MLAD:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select System parameters.
3. Click the Export button in the upper part of the opened page.

Kaspersky MLAD configuration files will be saved in an archive named mlad-settings.tar.gz on the local computer.

To upload configuration files to Kaspersky MLAD:

1. In the administrator menu, select System parameters.
2. Click the Import button in the upper part of the opened page.
3. In the opened window, select the archive file containing the necessary configuration of Kaspersky MLAD parameters.

Kaspersky MLAD configuration files will be uploaded to the application.

Managing assets and tags

System administrators can manage assets and tags.

Assets and tags are the primary elements of the monitored asset hierarchical structure. The hierarchical structure is displayed as an asset tree.

Observations of the monitored asset are transmitted to Kaspersky MLAD as tags. Based on the values obtained from the created tags, you can perform training and inference of ML models.

In the Assets section of the administrator menu, you can view

assets

A section of a hierarchical structure representing, for example, a plant, a shop, or a separate unit of a monitored asset.

tags

Variable that contains the value of a specific process parameter such as temperature.

Kaspersky MLAD can receive data from assets registered in external systems (for example, Kaspersky Industrial CyberSecurity for Networks). Kaspersky MLAD saves the tags received from external assets in the Time Series Database service. When saving of all tags is enabled, the Time Series Database service also saves IDs and values of unknown tags (not listed in the asset tree). You can compare the current asset tree structure with the structure in the Time Series Database service and add missing tags to the current structure, if necessary.

If Kaspersky MLAD detects unknown tags received from external devices through KICS Connector, these tags will be automatically created in the KICS section of the asset tree. The application automatically assigns IDs to tags and fills in the following information received from Kaspersky Industrial CyberSecurity for Networks:

• IDs of the tags
• Names of the tags
• Descriptions of the tags
• Units of measure for the tags
• Names of the assets for which the tags are received

Kaspersky MLAD is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.

You can also delete existing tags, import tags and assets from an XLSX file, or export them to a an XLSX file.

Creating an asset in the asset tree

System administrators can manage assets and tags.

In Kaspersky MLAD, you can create assets in the asset tree and categorize tags by asset as you see fit. For example, you can create assets for the assets of the monitored asset from which telemetry data is received.

To create a new asset:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Create button.

   The Create tag pane opens on the right.

4. In the Element type drop-down list, select the Asset value.
5. If necessary, click the Choose icon button and select an icon for the asset in the opened window.

   You can upload an asset icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the asset icon, click the tag icon and then click Delete in the opened window.

6. In the Asset drop-down list, select the section of the asset tree within which you want to create the asset.
7. Specify the asset name in the Name field.
8. In the Description field, provide a description for the asset.
9. Select the type of asset from the Asset type drop-down list.

   If you have uploaded the configuration of assets and tags to Kaspersky MLAD, you can select one of the asset types defined in the configuration file. Asset types are specified in the directory_types tab of the configuration file.

10. If you have selected one of the asset types defined in the imported configuration file, specify values for the special parameters of the assets.

    The names of special parameters are specified in the directory_types tab of the configuration file.

11. Click the Save button.

The asset will be created. If necessary, you can change the position of an asset in the tree.

You can also create nested assets in the asset tree.

To create an asset using the asset tree:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the name of the section to which you want to add the asset, open the vertical menu and select Add asset.

   The Create asset pane opens on the right.

4. If necessary, click the Choose icon button and select an icon for the asset in the opened window.

   You can upload an asset icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the asset icon, click the tag icon and then click Delete in the opened window.

5. Specify the asset name in the Name field.
6. In the Description field, provide a description for the asset.
7. Select the type of asset from the Asset type drop-down list.

   If you have uploaded the configuration of assets and tags to Kaspersky MLAD, you can select one of the asset types defined in the configuration file. Asset types are specified in the directory_types tab of the configuration file.

8. If you have selected one of the asset types defined in the imported configuration file, specify values for the special parameters of the assets.

   The names of special parameters are specified in the directory_types tab of the configuration file.

9. Click the Save button.

The asset will be created. If necessary, you can change the position of an asset in the tree.

Changing the parameters of an asset in the asset tree

System administrators can manage assets and tags.

You can edit the settings of previously created assets.

To edit the settings of an asset in the asset tree:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the name of the asset whose settings you want to change, open the vertical menu  and select Edit asset.

   The Edit asset pane opens on the right.

4. If you need to change the icon of the asset, click the Choose icon button and select an icon for the asset in the opened window.

   You can upload an asset icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the asset icon, click the tag icon and then click Delete in the opened window.

5. In the Asset drop-down list, select the section of the asset tree to which you want to assign the asset.

   The asset subsections and their tags are moved to the new asset.

6. In the Name field, specify a new name for the asset.
7. In the Description field, specify a new description for the asset.
8. Select the type of asset from the Asset type drop-down list.

   If you have uploaded the configuration of tags and assets to Kaspersky MLAD, you can select one of the asset types defined in the configuration file. Asset types are specified in the directory_types tab of the configuration file.

9. If you have selected one of the asset types defined in the imported configuration file, specify values for the special parameters of the asset.

   The names of special parameters are specified in the directory_types tab of the configuration file.

10. Click the Save button.

The asset will be modified. If necessary, you can change the position of an asset in the tree.

Create tag

System administrators can manage assets and tags.

In Kaspersky MLAD, you can create new tags to describe data received from the monitored asset (source tags) or from the Stream Processor service.

To create a new tag:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Create button.

   The Create tag pane opens on the right.

4. In the Element type drop-down list, select Tag.
5. If necessary, click the Choose icon button and select an icon for the tag in the opened window.

   You can upload the tag icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the tag icon, click the tag icon and then click Delete in the opened window.

6. In the Asset drop-down list, select the section of the asset tree to which you want to assign the created tag.

   Assets in the asset tree must be preloaded or created manually.

7. Specify the unique tag name in the Name field. If you want to receive tag values from an external system, specify the tag name in the external system.
8. Enter a description for the tag in the Description field.
9. If necessary, specify an alternative name for the tag in the Alternative name field.
10. Enter the unique numerical identifier of the tag in the ID field.
11. In the Dimension field, specify the measurement units for the tag (for example % or mPa).
12. In the X, Y, and Z fields, specify the spatial coordinates for the location of the monitored asset's sensor.

    You can use an arbitrary point as the origin of the coordinate system.

    You can use sensor coordinates to calculate tag values when creating a preset and displaying them on the graph in the Time slice section.

13. In the Blocking threshold block, in the Lower and Upper fields, specify the lower and upper thresholds of tag values, upon reaching which it is necessary for the ICS to take emergency response measures.

    These settings are required for correct operation of the Limit Detector. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.

    If the Always display blocking threshold option is enabled, the vertical scale of the graph will be defined by threshold lines drawn at the lower and upper boundaries of the tag graph, provided that the tag values are within the specified range. If the tag values go beyond the specified thresholds, the vertical scale will be automatically changed to display the tag values exceeding the limits.

14. In the Alarm threshold, in the Lower and Upper fields, specify the lower and upper thresholds of the tag values, upon reaching which it is necessary for the ICS to take emergency response measures.
15. In the Measurement confidence thresholds block, in the Lower and Upper fields, specify the lower and upper thresholds for physically possible tag values.
16. In the Display boundaries section, in the Lower and Upper fields, specify the lower and upper boundaries for displaying tag values on graphs.

    If tag values go beyond the defined boundaries, they will not be displayed on the tag graph. The permissible boundaries for displaying tag values take priority over the display of blocking thresholds, even if the Always display blocking threshold function is enabled.

17. In the External system asset field, specify the name of the asset created in the external system, for which you need to receive tags.
18. In the Comment field, enter a brief comment for the tag.
19. If you want to add additional horizontal threshold lines for this tag on the charts in the Monitoring and History sections, do the following:
    1. Click the Add line button.
    2. In the Threshold value field that appears, specify the value that you want to display on the charts.
    3. In the Line color field, select the color in which the threshold line will be displayed on the charts.

    Additional horizontal threshold lines help visually evaluate the fluctuations of tag values within certain limits. You can add multiple additional horizontal threshold lines.

20. Click the Save button.

The new tag appears in the Tags group of the asset tree. The Tags group is created automatically and displayed as part of the selected section of the asset tree. If necessary, you can change the position of tags in the tree.

Adding a tag to an asset

System administrators can manage assets and tags.

In Kaspersky MLAD, you can add tags to created assets.

To add a tag to an asset:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the section to which you want to add a tag, open the vertical menu and select Add tag.

   The Create tag pane opens on the right.

4. If necessary, click the Choose icon button and select an icon for the tag in the opened window.

   You can upload the tag icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the tag icon, click the tag icon and then click Delete in the opened window.

5. Specify the unique tag name in the Name field. If you want to receive tag values from an external system, specify the tag name in the external system.
6. Enter a description for the tag in the Description field.
7. If necessary, specify an alternative name for the tag in the Alternative name field.
8. Enter the unique numerical identifier of the tag in the ID field.
9. In the Dimension field, specify the measurement units for the tag (for example % or mPa).
10. In the X, Y, and Z fields, specify the spatial coordinates for the location of the monitored asset's sensor.

    You can use an arbitrary point as the origin of the coordinate system.

    You can use sensor coordinates to calculate tag values when creating a preset and displaying them on the graph in the Time slice section.

11. In the Blocking threshold block, in the Lower and Upper fields, specify the lower and upper thresholds of tag values, upon reaching which it is necessary for the ICS to take emergency response measures.

    These settings are required for correct operation of the Limit Detector. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.

    If the Always display blocking threshold option is enabled, the vertical scale of the graph will be defined by threshold lines drawn at the lower and upper boundaries of the tag graph, provided that the tag values are within the specified range. If the tag values go beyond the specified thresholds, the vertical scale will be automatically changed to display the tag values exceeding the limits.

12. In the Alarm threshold, in the Lower and Upper fields, specify the lower and upper thresholds of the tag values, upon reaching which it is necessary for the ICS to take emergency response measures.
13. In the Measurement confidence thresholds block, in the Lower and Upper fields, specify the lower and upper thresholds for physically possible tag values.
14. In the Display boundaries section, in the Lower and Upper fields, specify the lower and upper boundaries for displaying tag values on graphs.

    If tag values go beyond the defined boundaries, they will not be displayed on the tag graph. The permissible boundaries for displaying tag values take priority over the display of blocking thresholds, even if the Always display blocking threshold function is enabled.

    In the External system asset field, specify the name of the asset created in the external system, for which you need to receive tags.

15. In the Comment field, enter a brief comment for the tag.
16. If you want to add additional horizontal threshold lines for this tag on the charts in the Monitoring and History sections, do the following:
    1. Click the Add line button.
    2. In the Threshold value field that appears, specify the value that you want to display on the charts.
    3. In the Line color field, select the color in which the threshold line will be displayed on the charts.

    Additional horizontal threshold lines help visually evaluate the fluctuations of tag values within certain limits. You can add multiple additional horizontal threshold lines.

17. Click the Save button.

The new tag appears in the Tags group of the asset tree. The Tags group is created automatically and displayed as part of the selected section of the asset tree. If necessary, you can change the position of tags in the tree.

Editing a tag

System administrators can manage assets and tags.

You can edit previously created tags.

To edit a tag:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.

   In the asset tree, next to the name of the tag that you want to change, open the vertical menu and select Edit tag.

   You can show or hide the data in the asset tree by using the plus () and minus () icons to the left of the asset names.

   The Edit tag pane opens on the right. In the upper part of the pane that opens, the number of ML models that use the selected tag is displayed.

3. If you need to change the icon of the tag, click the Choose icon button and select an icon for the tag in the opened window.

   You can upload the tag icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the tag icon, click the tag icon and then click Delete in the opened window.

4. In the Asset drop-down list, select the new asset to which you want to assign the selected tag.

   Specify the new name of the tag in the Name field. If you want to receive tag values from an external system, specify the tag name in the external system.

   Kaspersky MLAD periodically verifies information about tags received from Kaspersky Industrial CyberSecurity for Networks. If the tag name was changed manually, the application automatically updates the tag name to match the tag name in Kaspersky Industrial CyberSecurity for Networks after the next scan.

5. Enter a new description for the tag in the Description field.
6. If necessary, specify an alternative name for the tag in the Alternative name field.
7. In the Dimension field, specify new units of measure for the tag (for example, % or mPa).
8. In the X, Y, and Z fields, specify the spatial coordinates for the location of the monitored asset's sensor.

   You can use an arbitrary point as the origin of the coordinate system.

   You can use sensor coordinates to calculate tag values when creating a preset and displaying them on the graph in the Time slice section.

9. In the Blocking threshold block, in the Lower and Upper fields, specify the lower and upper thresholds of tag values, upon reaching which it is necessary for the ICS to take emergency response measures.

   These settings are required for correct operation of the Limit Detector. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.

   If the Always display blocking threshold option is enabled, the vertical scale of the graph will be defined by threshold lines drawn at the lower and upper boundaries of the tag graph, provided that the tag values are within the specified range. If the tag values go beyond the specified thresholds, the vertical scale will be automatically changed to display the tag values exceeding the limits.

10. In the Alarm threshold, in the Lower and Upper fields, specify the lower and upper thresholds of the tag values, upon reaching which it is necessary for the ICS to take emergency response measures.
11. In the Measurement confidence thresholds block, in the Lower and Upper fields, specify the lower and upper thresholds for physically possible tag values.
12. In the Display boundaries section, in the Lower and Upper fields, specify the lower and upper boundaries for displaying tag values on graphs.

    If tag values go beyond the defined boundaries, they will not be displayed on the tag graph. The permissible boundaries for displaying tag values take priority over the display of blocking thresholds, even if the Always display blocking threshold function is enabled.

    In the External system asset field, specify the name of the asset created in the external system, for which you need to receive tags.

    Kaspersky MLAD periodically verifies information about tags received from Kaspersky Industrial CyberSecurity for Networks. If information about the tag asset was changed manually, the application automatically updates the information about the asset according to the asset name in Kaspersky Industrial CyberSecurity for Networks after the next scan.

13. In the Comment field, enter a brief comment for the tag.
14. If you want to add additional horizontal threshold lines for this tag on the charts in the Monitoring and History sections, do the following:
    1. Click the Add line button.
    2. In the Threshold value field that appears, specify the value that you want to display on the charts.
    3. In the Line color field, select the color in which you want the threshold line to be displayed on the charts in the Monitoring and History sections.

    Additional horizontal threshold lines help visually evaluate the fluctuations of tag values within certain limits. You can add multiple additional horizontal threshold lines.

15. Click the Save button.

If necessary, you can change the position of tags in the tree.

Moving assets and tags

System administrators can manage assets and tags.

You can move assets and/or tags within the asset tree. All assets and tags that are part of the selected asset will be moved.

To move an asset and/or tag:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, select the check boxes next to the names of the assets and/or tags that you want to move.
4. In the upper part of the page, click the Move button.

   The Moving tags pane opens on the right.

5. In the Asset drop-down list, select the asset to which you want to transfer the selected assets and/or tags.
6. Click the Save button.

The modified asset tree appears in the Assets section.

You can also change the location of assets and tags in the tree using the dots () to the left of the name of the required asset or tag. To do this, click and hold the dots () to the left of the relevant asset or tag and drag the relevant asset or tag up or down in the tree.

Deleting an asset or tag

System administrators can manage assets and tags.

You can delete previously created assets and/or tags from the asset tree if the selected tags or tags associated with the selected asset are not used by ML models.

To delete a tag:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Perform one of the following actions:
   • In the asset tree, select the check box next to the name of the tag that you want to delete and click the Delete button at the top of the page.
   • In the vertical menu  to the right of the relevant tag, click the Delete tag button.
4. In the window that opens, confirm the deletion of the tag.

To delete an asset:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Perform one of the following actions:
   • In the asset tree, select the check box next to the name of the asset that you want to delete and click the Delete button at the top of the page.
   • In the vertical menu  to the right of the relevant asset, click the Delete asset button.
4. In the window that opens, confirm the deletion of the asset.

To remove one or more assets and/or tags:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, select the check boxes next to the names of the assets and/or tags.

   If you need to remove one or more tags from an asset, expand the corresponding section of the asset tree by clicking the plus sign (), and select the relevant tags.

4. Click the Delete button in the upper part of the page.
5. In the window that opens, confirm the removal of assets and/or tags.

If the selected assets and/or tags are not used by ML models, a check mark icon () is displayed in the window opposite the line Checking links between tags and loaded models. The selected tags will be permanently deleted from Kaspersky MLAD.

If the selected assets and/or tags are used by ML models, a cross icon () is displayed in the window opposite the line Checking links between tags and loaded models. In this case, you cannot delete the selected assets and/or tags. To delete assets and/or tags, you must delete the ML models in which they are used.

Checking the current structure of tags

System administrators can manage assets and tags.

Kaspersky MLAD saves the tags received from external assets in the Time Series Database service. When unknown tags are received via KICS Connector, the application also automatically creates these tags in the KICS asset tree section.

Kaspersky MLAD allows you to compare the current tag structure displayed in the asset tree and used for a monitored asset to the one saved for this monitored asset in the Time Series Database service. Kaspersky MLAD detects tags that were received from external assets, but are missing in the current tag structure and are not used for the monitored asset. If necessary, you can add these tags to the current tag structure.

To compare the current tag structure with the structure in the Time Series Database service:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Check tags button.

   The current tag structure used for the monitored asset is compared with the tag structure stored in the Time Series Database service. The comparison result is displayed in the upper part of the page.

   If missing tags are detected, Kaspersky MLAD displays a list of these tags with the names in the Tag <tag ID> format.

4. To add missing tags, do the following:
   1. For each detected tag, in the Asset field select the asset to which you want to assign the tag.
   2. Click the Add button.

   Kaspersky MLAD will add tags to the asset tree. Only the IDs, names in the Tag <tag ID> format, and the assets to which the tags are assigned are specified for these tags. If necessary, you can change the added tags.

Uploading tag and asset configuration to the system

Tag and asset configuration is created while deploying Kaspersky MLAD and building an ML model. Tag and asset configuration is provided in XLSX file format.

System administrators can manage assets and tags.

To upload tag and asset configuration to Kaspersky MLAD:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Click the Import button.

   The Hierarchical structure import pane opens on the right.

4. In the File import field, add an XLSX file containing the required configuration of assets and hierarchical structure tags.

   To delete the asset and tag configuration file, click the trash bin icon ().

5. In the Asset drop-down list, select the section of the asset tree to which you want to load the configuration of assets and tags from a file.
6. In the Import mode drop-down list, select one of the following values:
   • Add and update. Kaspersky MLAD will add new assets and tags from the configuration file and update information about previously created and/or imported assets and tags within the selected section.
   • Only update. Kaspersky MLAD will update information about previously created and/or imported assets and tags within the selected section.
   • Overwrite. Kaspersky MLAD will delete previously created and/or imported assets and tags from the selected section and create new assets and tags from the configuration file.
7. If you want all assets and tags from the configuration file to be treated as new occurrences, enable the Treat all elements as new check box.

   You can use this toggle switch to upload assets that are duplicated in different sections of the asset tree in Add and update import mode. However, you cannot load tags with names that match the names of previously created and/or loaded tags.

8. Click the Save button.

Tag and asset configuration will be uploaded to Kaspersky MLAD. The assets and tags are displayed as an asset tree.

Saving tag and asset configuration to a file

System administrators can manage assets and tags.

You can save the structure of tags to a file in XLSX format for subsequent use. The hierarchical asset structure will be saved together with the tag structure in the file.

To save tag and asset configuration to a XLSX file:

1. In the lower-left corner of the page, click the  button.

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Click the Export button.

The asset and tag configuration will be saved to a file named mlad_structure.xlsx (see the example in the Appendix).