About incidents
An incident is an identified deviation from the expected (normal) behavior of a monitored asset.
Kaspersky MLAD supports incident registration for the following sources:
- ML model elements. An incident is recorded when the value of an ML model element artifact reaches the incident registration threshold set for that specific element. Incidents can be detected by predictive, diagnostic rule-based, and elliptic envelope-based ML model elements.
The registration of an incident may be delayed after the specified threshold is reached, depending on the configuration of the ML model element. When a certain threshold for registering an incident is met, the ML model element starts watching for unusual activity in the monitored asset for a specific period defined in the element settings. If the monitored asset exhibits anomalous behavior for a certain specified proportion of this interval, the ML model element registers an incident.
Kaspersky MLAD can suppress the registration of consecutive incidents from the same ML model element if these occur shortly after the first incident in the series. This uses Period of recurring alert suppression (sec), which you can define in the element settings.
An ML model element may continue to flag the same incident multiple times until the abnormal activity stops. You can control how often repeated incidents are recorded by adjusting the Reminder period (sec) and editing the element.
- Limit Detector. The system will record an incident whenever a tag value reaches the upper or lower limit.
- Stream Processor. An incident is recorded when the system notices that telemetry data is missing or when Kaspersky MLAD receives observations too early or too late.
When a deviation is detected, the corresponding source records the date, time and relevant deviation parameters, and saves this data as an entry in the Incidents section. If incident notifications for users or external systems are created in Kaspersky MLAD, information about an incident is sent to the intended recipients via the corresponding services of Kaspersky MLAD.