An incident is an identified deviation from the expected (normal) behavior of a monitored asset.
Kaspersky MLAD supports incident registration for the following sources:
The registration of an incident may be delayed after the specified threshold is reached, depending on the configuration of the ML model element. When a certain threshold for registering an incident is met, the ML model element starts watching for unusual activity in the monitored asset for a specific period defined in the element settings. If the monitored asset exhibits anomalous behavior for a certain specified proportion of this interval, the ML model element registers an incident.
Kaspersky MLAD can suppress the registration of consecutive incidents from the same ML model element if these occur shortly after the first incident in the series. This uses Period of recurring alert suppression (sec), which you can define in the element settings.
An ML model element may continue to flag the same incident multiple times until the abnormal activity stops. You can control how often repeated incidents are recorded by adjusting the Reminder period (sec) and editing the element.
When a deviation is detected, the corresponding source records the date, time and relevant deviation parameters, and saves this data as an entry in the Incidents section. If incident notifications for users or external systems are created in Kaspersky MLAD, information about an incident is sent to the intended recipients via the corresponding services of Kaspersky MLAD.