Kaspersky Machine Learning for Anomaly Detection

Working with events and patterns

The Event Processor section provides data on the events received by the Event Processor service and on the structure of the patterns it detects in the event stream received from external sources or from the Anomaly Detector service.

In the Event Processor section, you can view the history of received events and the registration history of new and/or persistently recurring patterns. You can also configure the display of event parameters and the pattern registration settings. On the Monitoring tab, you can monitor specific events, patterns, or values of event parameters received by the Event Processor within the data stream from monitored assets.

If restarted, Kaspersky MLAD restores the state of the Event Processor service and pauses the processing of data received from the CEF Connector. This data is temporarily stored in the internal queue of the application message broker. Until the Event Processor service is restored, the Event Processor section tabs will display a notification informing you that the Event Processor service has stopped. This service restoration process may take several minutes if there is a significantly large number of processed events or registered patterns.

The Event history tab contains information about events received from the external event sources.

Event Processor section

In this Help section

Configuring settings in the Event Processor section

Managing monitors

Viewing the events history

Viewing the pattern history

[Topic 248082]

Configuring settings in the Event Processor section

Before events are processed by the Event Processor service, attention settings and display of event parameters must be configured.

System administrators can manage the attention settings and display of event parameters.

A large number of attention directions can slow down the main Kaspersky MLAD services (data reception, anomaly detection, web interface). To determine an appropriate number of attention directions, it is recommended to consult Kaspersky experts or a certified integrator.

To configure attention settings and display of event parameters:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. On the opened page, click the Settings button.

    The Event Processor settings pane will appear on the right.

  3. In the Configure attention section, do one of the following for each event parameter:
    • If you need to register patterns for all values of an event parameter, use the drop-down list to select All parameter values.
    • To register patterns for a specific event parameter value, select the event parameter value in the drop-down list. As you start typing a value, all matching parameter values are displayed in the list.

      If the parameter value is not listed, enter the required value and select Create Value: <event parameter value>.

    • If you need to register patterns based on an event parameter value template, turn on the Regular expression toggle switch for the relevant event parameter, use the drop-down list to enter the value template with a regular expression, and select Regular expression: <value template>.

      You can use special characters of regular expressions to search for patterns based on regular expressions.

    Each attention direction is defined by the parameter value that must be present in all events of this direction. When configuring attention directions, you can indicate specific values or templates of values of one or more parameters or define attention directions for all possible values of one or more parameters.

  4. To configure which event parameter filters are displayed in the Filters section of the Event history and Patterns history tabs, select the check boxes next to the names of the desired event parameters in the Configure display of event parameter filters section.

    By default, the Configure display of event parameter filters section displays the event parameters from the Anomaly Detector service. To display custom event parameters, load the Event Processor service configuration file. All available event parameters are selected by default.

    If the Process incidents as events function is enabled, the Event Processor receives events with the following parameters:

    • incident_detection_system – the name of the detector that registered the incident.
    • incident_model_name – the name of the ML model used.
    • incident_tag_name – the name of the tag whose behavior invoked registration of the incident.
    • incident_group_name – the name of the incident group to which the registered incident belongs.
    • incident_triggered_tag_value – the value of the tag whose behavior invoked registration of the incident.
    • incident_id – the ID of the registered incident.
    • incident_tag_id – the ID of the tag whose behavior invoked registration of the incident.

    If necessary, in the Filters section you can change the display order for the event parameters. For this purpose, drag the required event parameter up or down in the Configure display of event parameter filters section.

  5. To save your changes, click the Apply button.
[Topic 248037]

Working with monitors


Monitor management is available to system administrators.

In the Event Processor → Monitoring section, you can create monitors for monitoring specific events, patterns, or values of event parameters.

The Monitoring tab displays all monitors created in the application, including the following brief information:

  • Monitor name.
  • Monitor threshold.

    When this number of monitor activations (threshold) on the sliding window is reached, the application sends an alert about monitor activation to the external system.

  • Sliding window used to track the number of monitor activations.
  • Number of monitor activations on the sliding window.

If necessary, you can view detailed information about each monitor by clicking the Information button located next to the name of the relevant monitor in the table.

  • Monitor ID is the unique identifier of the monitor being viewed.
  • Number of activations on the sliding window refers to the number of registered monitor activations on the sliding window.
  • Date and time of last activation refers to the date and time when the monitor was last activated.
  • Activated refers to the type of element that caused the monitor activation. Monitor activation may be invoked by a new or existing event parameter value, event, pattern, or another monitor.
  • Subscription indicates what is being tracked by the viewed monitor: event parameter values, events, or patterns.
  • Sliding window indicates the length of the time interval, ending at the current time, within which activations are counted. This window shifts synchronously with the passage of time according to the timestamps in events.
  • Threshold indicates the number of activations to be registered by the monitor on the sliding window before sending an alert about the monitor activation to the external system via the CEF Connector.
  • Filters is a table containing information about filters for event parameters observed by the current monitor to track event parameter values, events, and patterns. The following data is displayed for each element:
    • Parameter name refers to the names of event parameters whose values are being observed by the viewed monitor.

      Each monitored asset has its own specific incoming events and event parameters. The names of event parameters are defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator during configuration of the Event Processor service.

    • Type defines which types of values are being tracked by the monitor: specific values, new values, or all values.
    • Purpose defines which event parameters are receiving focused attention from the model.
    • Values refers to the values of event parameters that are being observed by the viewed monitor.
  • Stack limit determines the number of most recent monitor activations displayed in the Activation stack table.
  • Activation stack is a table that contains information about the latest activations of the monitor:
    • Parameter value ID is the ID of the event parameter value whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event parameter value.
    • Event ID is the ID of the event whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event.
    • Pattern ID is the ID of the pattern whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
    • System parameters is a group of system settings containing the following information:
      • Event time is the date and time when the event is detected in the event stream.
      • Interval from previous item is the time interval between the current and the previous event in the event stream on the sliding window. Kaspersky MLAD displays the time intervals between events upon the first detection of the pattern containing the events. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for these events.
      • Total activations is the number of event occurrences in the event stream on the sliding window.
      • Parameter count is the number of event parameters for which the values were received from the monitored asset.
      • Last activation is the date and time when the event was last detected in the event stream on the sliding window.

    This group of parameters is displayed only when the monitor is activated by an event or an event parameter value.

    • Activation date and time is the date and time when the monitor was activated. This parameter is displayed only when the monitor is activated by a pattern.
    • Event parameter is the value of the event parameter received from the monitored asset. This parameter is displayed only when the monitor is activated by an event parameter value.
    • Event parameters are the values of the parameters of the event received from the monitored asset. This parameter is displayed only when the monitor is activated by an event.
    • Events is the number of events included in the pattern that caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.

    You can view information about the events included in the pattern by clicking the number of events in the corresponding row of the table. Clicking the number of events displays information about IDs, system settings, and parameters of the event included in the selected pattern.

On the Histogram tab, you can also view brief statistics on the number of registered activations for each created monitor.

In this Help section

Creating a monitor

Deleting a monitor

[Topic 248083]

Creating a monitor

Monitor management is available to system administrators.

To create a monitor:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. Click the Create monitor button.

    The Create monitor pane appears on the right.

  3. Specify the monitor name in the Name field.
  4. In the Sliding window (sec.) field, specify the length of the interval (in seconds), ending at the current point in time, within which the monitor will process incoming values of parameters, events or patterns.
  5. In the Threshold field, specify the number of monitor activations in the sliding window after which the monitor sends an alert to the external system.
  6. In the Stack limit field, specify the number of monitor activations that must be displayed when viewing information about the monitor.
  7. In the Subscription type drop-down list, select one of the following values:
    • If you need to process data on the values of event parameters, select Parameter values.
    • If you need to process data on events, select Events.
    • If you need to process data on detected patterns, select Patterns.
  8. If you need to track new events, patterns, or values of event parameters, turn on the Only new toggle switch in the Filters section.
  9. To focus the attention of the model on specific directions of events, do one of the following:
    • If you selected Events from the Subscription type drop-down list, select Attention for the relevant event parameter. If you need to track events without specifying the attention direction, clear the Attention check box.
    • If you selected Patterns from the Subscription type drop-down list, select the Attention check box for the relevant event parameter.

    You can select only one attention direction.

  10. For each event parameter, do one of the following:
    • If you need to process data on all values of an event parameter, use the drop-down list to select All parameter values.

      This option is displayed if you specified the attention direction for the current event parameter.

    • To process data only on the new values of an event parameter, in the drop-down list select New parameter values.

      This option is displayed only when the Only new function is enabled for event-based data processing.

    • To process data for a specific value of an event parameter, in the drop-down list select the event parameter value. As you start typing a value, all matching parameter values are displayed in the list.

      If the parameter value is not listed, enter the required value and select Create Value: <event parameter value>.

    • If you need to process data based on an event parameter value template, turn on the Regular expression toggle switch for the relevant event parameter, use the drop-down list to enter the value template with a regular expression, and select Regular expression: <value template>.

      You can use special characters of regular expressions to search patterns using regular expressions.

  11. Click the Create button.

The new monitor is created and displayed on the Monitoring tab.
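The following added example (not Kaspersky MLAD code) models the monitor semantics described above and the filter choices from "Configuring settings in the Event Processor section": filters on specific values, all values, new values (Only new) and regular-expression templates, a sliding window that moves with event timestamps, a threshold and a stack limit. Parameter names, the sample stream and the rule that an alert is sent whenever the in-window count is at or above the threshold are assumptions.

```python
import re
from collections import deque


class Filter:
    """One event-parameter filter, mirroring the UI choices: 'all' (All parameter values),
    'new' (New parameter values / Only new), 'value' (a specific value), 'regex' (a template)."""
    def __init__(self, param, kind, value=None):
        self.param, self.kind, self.value = param, kind, value
        self.seen = set()                                   # values already observed ('new')
        self.pattern = re.compile(value) if kind == "regex" else None

    def matches(self, event):
        v = event.get(self.param)
        if v is None:                                       # parameter absent: no match
            return False
        if self.kind == "all":
            return True
        if self.kind == "value":
            return v == self.value
        if self.kind == "regex":
            return self.pattern.fullmatch(v) is not None
        if self.kind == "new":                              # first occurrence of this value
            is_new = v not in self.seen
            self.seen.add(v)
            return is_new
        raise ValueError(f"unknown filter kind: {self.kind}")


class Monitor:
    """Sliding window + threshold. The window shifts with event timestamps, not the wall clock.
    Assumed (the help text does not say): alert on every activation at or above the threshold."""
    def __init__(self, name, window_sec, threshold, stack_limit, filters):
        self.name, self.window_sec, self.threshold = name, window_sec, threshold
        self.filters = filters
        self.activations = deque()                          # timestamps inside the window
        self.stack = deque(maxlen=stack_limit)              # like the UI's Activation stack
        self.alerts = []

    def process(self, ts, event):
        while self.activations and ts - self.activations[0] > self.window_sec:
            self.activations.popleft()                      # slid out of the window
        # A list, not a generator: every filter sees every event so 'new' filters learn values.
        if not all([f.matches(event) for f in self.filters]):
            return None
        self.activations.append(ts)
        self.stack.append((ts, dict(event)))
        if len(self.activations) >= self.threshold:
            alert = {"monitor": self.name, "time": ts, "count": len(self.activations)}
            self.alerts.append(alert)                       # would go out via the CEF Connector
            return alert
        return None


# Constructed sample stream (seconds, event parameters); hypothetical parameter names.
SAMPLE_EVENTS = [
    (0,   {"event_type": "auth_failure", "src_host": "plc-01", "user": "operator"}),
    (10,  {"event_type": "auth_failure", "src_host": "plc-01", "user": "operator"}),
    (20,  {"event_type": "auth_ok",      "src_host": "plc-02", "user": "operator"}),
    (25,  {"event_type": "auth_failure", "src_host": "plc-01", "user": "svc_backup"}),
    (95,  {"event_type": "auth_failure", "src_host": "plc-01", "user": "operator"}),
    (100, {"event_type": "auth_failure", "src_host": "hmi-07", "user": "guest"}),
    (110, {"event_type": "auth_failure", "src_host": "plc-03", "user": "operator"}),
]


def run_demo(events=SAMPLE_EVENTS):
    """Run two monitors over the stream; return alert times and the activation stack per monitor."""
    monitors = [
        Monitor("Repeated auth failures on PLCs", 60, 3, 3,
                [Filter("event_type", "value", "auth_failure"), Filter("src_host", "regex", r"plc-\d+")]),
        Monitor("Never-seen user name", 3600, 1, 3, [Filter("user", "new")]),
    ]
    for ts, ev in events:
        for m in monitors:
            m.process(ts, ev)
    return {m.name: {"alerts": [a["time"] for a in m.alerts],
                     "stack": [ts for ts, _ in m.stack]} for m in monitors}
```

Running `run_demo()` shows the first monitor alerting once at t=25 (three failures within 60 s) and staying quiet after the window has slid past them, while the second monitor alerts on each user name seen for the first time.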

[Topic 248084]

Deleting a monitor

Monitor management is available to system administrators.

To delete a monitor:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. Click the Delete button in the row of the monitor that you want to delete and confirm your selection.

The monitor will be deleted.

[Topic 248085]

Viewing the events history

Kaspersky MLAD lets you view the events received from external event sources. To view events, you need to load them in the Event Processor → Event history section.

Viewing the event history is available to system administrators.

Kaspersky MLAD displays incoming events as a graph of relations between event parameters. The graph nodes correspond to the values of the event parameters, and the arcs between the nodes correspond to the links between the parameter values of incoming events. You can hover the mouse pointer over the event graph and view information about the event parameters and their values. You can also hover the mouse pointer over the event graph arc and view information about the number of links between the values of event parameters.

You can also view information about the detected events as a table.

  • Event ID is the ID of the detected event.
  • System parameters contain the following information about the event:
    • Last detection in interval is the date and time when the event was last detected in the event stream during the specified period.
    • Detections count in interval is the number of event detections in the event stream during the specified period.
    • Parameter count is the number of event parameters for which the values were received from the monitored asset.
    • Last activation is the date and time when the event was last detected in the event stream.
  • Event parameters are the values of the event parameters received from the monitored asset.

Each monitored asset has its own specific incoming events and event parameters. The list of event parameters is defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a system administrator during configuration of the Event Processor service.

To upload data for viewing incoming events:

  1. In the main menu, select the Event Processor → Event history section.
  2. In the Filters section, click the calendar icon to select the start and end date and time of the period for which you want to load and view events. To configure event parameters, do one of the following:
    • To load events based on the specific values of the event parameters, select the event parameter value in the drop-down lists. As you start typing a value, all matching parameter values are displayed in the lists.
    • To load events based on a value template, enable the Regular expression option for the relevant event parameters, in the drop-down lists, specify the value template using a regular expression, and select Regular expression: <value template>.

      You can use special characters of regular expressions to perform a search based on regular expressions.

    Each monitored asset has its own specific set and names of event parameters.

  3. Click the Process request button.

    Data on the events found by the application will be displayed as a graph in the central part of the page.

  4. To view the received events as a table, select the Table tab.

    The central part of the page displays a table that contains information on the detected events.

[Topic 248086]

Viewing the pattern history


In the Event Processor → Patterns history section, you can find and view the structure of the new and/or persistently recurring patterns. The Event Processor generates patterns only for the specific directions that the system administrator has defined in the attention configuration.

Viewing the pattern history is available to system administrators.

You can also view the structure of the detected patterns down to the event level. The Event Processor represents patterns, events, and values of event parameters as a layered hierarchy of nested elements. For example, a fourth-layer pattern consists of subpatterns of the third layer. A third-layer pattern consists of second-layer patterns, and a second-layer pattern consists of events, which are first-layer elements. Event parameter values are elements of the zero (terminal) layer.

Each monitored asset has its own specific incoming events and event parameters. The list of event parameters is defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a system administrator during configuration of the Event Processor service.

To view the registered patterns:

  1. In the main menu, select the Event Processor → Patterns history section.
  2. In the Filters section, configure the following settings for displaying patterns on the page:
    1. In the Start of period field, click the calendar icon and select the starting date and time of the period for which you want to view the patterns.
    2. In the End of period field, click the calendar icon and select the end date and time of the period for which you want to view the patterns.
    3. In the Pattern type drop-down list, select one of the following values:
      • Stable refers to patterns that were registered by the Event Processor service two or more times.
      • New refers to new patterns registered by the Event Processor service for the first time.
      • All includes all patterns that were registered by the Event Processor service.
    4. To view patterns for a specific attention direction, select Attention for the relevant event parameter.

      You must select one of the attention directions that were defined when configuring the attention settings.

    5. To configure event parameters, do one of the following:
      • To view patterns based on specific values of the event parameters, select the event parameter values in the drop-down lists. As you start typing a value, all matching parameter values are displayed in the lists.
      • If you need to view patterns based on a value template, turn on the Regular expression toggle switch for the relevant event parameters, use the drop-down lists to enter the value template with a regular expression, and select Regular expression: <value template>.

        You can use special characters of regular expressions to perform a search based on regular expressions.

      For the request to be processed correctly, enter the values for the event parameter that is receiving focused attention from the model. If an event parameter that is receiving focused attention has multiple values defined, the Event Processor will generate patterns for each value of the parameter.

  3. Click the Process request button.

    The central part of the page displays a table containing data on the registered patterns.

    • Pattern ID is the ID of the pattern. The first digit of the pattern ID corresponds to the number of the layer where this pattern was detected.
    • Last detection in interval is the date and time when the pattern was last detected in the event stream of the monitored asset during the specified period.
    • Detections count in interval is the number of pattern detections in the event stream of the monitored asset during the specified period.
    • Event count is the number of events in the pattern.
    • Last activation is the date and time when the pattern was last detected in the event stream of the monitored asset or in the sleep mode.
  4. To view the pattern structure, click the desired pattern row.

    The page with detailed information on the pattern opens.

    • Pattern ID is the ID of the selected pattern. The first digit of the pattern ID corresponds to the number of the layer where this pattern was detected.
    • Event count is the number of events in the pattern.
    • Interval from previous item is the time interval between the selected pattern and the pattern detected in the pattern sequence on the current layer before the selected pattern. Kaspersky MLAD displays the time intervals between the elements of the selected pattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the elements of this pattern.
    • Total activations is the number of detections of the selected pattern in the event stream for the specified period.
    • Pattern end time is the end date and time of the selected pattern in the sequence of patterns on the current layer.
    • Last activation is the date and time when the pattern was last detected in the event stream or in the sleep mode.
    • Patterns is a tab that displays a table with information about the patterns included in the selected pattern. The following information is displayed on the Patterns tab:
      • <layer number> layer is a set of tabs for viewing information on the patterns included in the selected pattern on different layers of its structure. The tabs are displayed if you select a pattern detected on the fourth layer or higher. You can view patterns up to the second nesting level.
      • Pattern ID is the ID of the subpattern. The first digit of the pattern ID corresponds to the number of the layer where this pattern was detected.
      • Pattern end time is the end date and time of the subpattern in the sequence of patterns on the selected layer.
      • Total activations is the number of detections of the subpattern in the structure of the selected pattern.
      • Event count is the number of events in the subpattern.
      • Interval from previous item is the time interval between the subpattern and the previous pattern in the table. Kaspersky MLAD displays the time intervals between the elements of the subpattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the elements of this pattern.
      • Last activation is the date and time when the subpattern was last detected in the sequence of patterns on the selected layer or in the sleep mode.
    • Events is a tab that displays a table of events included in the selected pattern. The following data is displayed for each event:
      • Event ID is the ID of the event.
      • System parameters contain the following information about the event:
        • Event time is the date and time when the event is detected in the pattern structure.
        • Interval from previous item is the time interval between the current event and the previous event in the table. Kaspersky MLAD displays the time intervals between the events of the selected pattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the events of this pattern.
        • Total activations is the number of repeated occurrences of the event in the structure of the selected pattern during the specified period.
        • Parameter count is the number of event parameters for which the values were received from the monitored asset.
        • Last activation is the date and time when the event was last detected in the event stream.
      • Event parameters are the values of the parameters of the event received from the monitored asset.
  5. To view the structure of a pattern, do one of the following:
    • To view the structure of a particular subpattern, on the Patterns tab in the Nested elements section, click the desired pattern.

      You can return to viewing the top-level pattern structure by clicking the ID of the desired pattern above the Pattern info section.

    • To view the table of subpatterns at a certain nesting level, select the desired layer on the Patterns tab of the Nested elements section.
    • To view the events included in the pattern at the current nesting level, click the Events tab.

    Kaspersky MLAD displays the pattern structure from the top nesting level.

[Topic 248087]