About monitors
A monitor is the source of notifications about patterns, events, or values of event parameters detected by the Event Processor according to the defined monitoring criteria. The monitoring criteria define the attention head, additional filters for event parameter values, a sliding time window, and the number of consecutive monitor activations within that window.
You can create monitors for alerts about the following detections in the event stream:
- Values of event parameters. You can create a monitor for alerts about the identification of new or previously encountered values of a specific event parameter. For example, to track new users on a monitored asset, create a monitor with the Parameter values subscription type and configure it to detect new values for the User parameter.
- Events. You can create a monitor for alerts about the identification of new or previously encountered events. You can also focus the attention of the Event Processor on a specific parameter of events. For example, to track new actions of a specific user at the monitored asset, you need to create a monitor with the Events subscription type and specify the name of the user whose actions you want to track in the User event parameter.
- Patterns. You can create a monitor for alerts about the identification of new or previously encountered patterns. For example, to track regularities in the actions of a specific user at the monitored asset, create a monitor with the Patterns subscription type, focus the attention of the Event Processor on the User parameter, and set this parameter to the name of the user whose actions you want to track.
- Similar generalized events or patterns. You can create a monitor to receive alerts about similar generalized events or patterns. For example, to track overall patterns in the actions of different users on a monitored asset, select the Similar generalized subscription type when creating a monitor, choose the generalized attention head for User, and select Subscription to patterns for Subscription to events or patterns.
- Unique generalized events or patterns. You can create a monitor to receive alerts about unique generalized events or patterns. For example, to track new overall patterns in the actions of any user, select the Unique generalized subscription type when creating a monitor. For User, select a generalized attention head with conditions for additional parameters that match your expectations of different users' behavior. Select Subscription to patterns for Subscription to events or patterns. For Sliding window (sec.), specify the time interval during which the Event Processor waits for a similar generalized pattern from other users. If the Event Processor does not detect such a pattern within that interval, the monitor sends an activation alert.
You can set fuzzy filters in the monitoring criteria. For example, you can create a monitor to track situations in which a user (monitoring all values of the User parameter) accessed the accounting server (the value of the Server parameter) more than ten times (the value of the Activation threshold field) in the last five minutes (the value of the Sliding window (sec.) field).
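The following is an added illustration, not Kaspersky MLAD code and not its actual activation semantics: a minimal Python model of the two monitor kinds described above, a Parameter values monitor for the User parameter (activates once per previously unseen user) and an Events monitor with a fixed filter on Server, a sliding time window and an activation threshold, fed with a constructed event stream. The reset of the window after an alert, the monitor name, and the CEF field mapping are assumptions made for the example; the real product's threshold comparison and CEF layout may differ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time for the sample stream


def _ev(offset_sec, user, server):
    """Build one constructed event with a timestamp relative to BASE."""
    return {"ts": BASE + timedelta(seconds=offset_sec), "User": user, "Server": server}


# Constructed sample event stream (not product data), sorted into time order.
SAMPLE_EVENTS = sorted(
    [_ev(-400, "alice", "accounting")]                         # old hit, falls out of the window
    + [_ev(20 * i, "alice", "accounting") for i in range(11)]   # 11 hits within 200 s
    + [_ev(50, "bob", "fileserver"), _ev(250, "carol", "accounting")],
    key=lambda e: e["ts"],
)


class ParameterValueMonitor:
    """'Parameter values' subscription: activates once for each previously unseen value."""

    def __init__(self, parameter):
        self.parameter = parameter
        self.seen = set()

    def feed(self, event):
        value = event.get(self.parameter)
        if value is None or value in self.seen:
            return False
        self.seen.add(value)
        return True


class SlidingWindowMonitor:
    """'Events' subscription with fixed-value filters, an attention parameter whose
    values are counted separately, a sliding window and an activation threshold."""

    def __init__(self, name, attention, filters, window_sec, threshold):
        self.name = name
        self.attention = attention
        self.filters = filters
        self.window = timedelta(seconds=window_sec)
        self.threshold = threshold
        self.hits = defaultdict(deque)  # attention value -> timestamps still inside the window
        self.activations = 0            # every event that matched the filters

    def feed(self, event):
        """Return an alert dict when the threshold is reached inside the window, else None."""
        if any(event.get(k) != v for k, v in self.filters.items()):
            return None
        key = event.get(self.attention)
        ts = event["ts"]
        window = self.hits[key]
        window.append(ts)
        self.activations += 1
        # Drop hits that are older than the sliding window relative to the newest event.
        while ts - window[0] > self.window:
            window.popleft()
        if len(window) >= self.threshold:
            count = len(window)
            window.clear()  # assumption: start a fresh window so every later event does not re-alert
            return {"monitor": self.name, "parameter": self.attention,
                    "value": key, "count": count, "ts": ts}
        return None


def to_cef(alert):
    """Render an alert as a CEF line. The field mapping is illustrative, not the product's."""
    ext = (f"suser={alert['value']} cnt={alert['count']} "
           f"rt={alert['ts'].isoformat()} msg=monitor {alert['monitor']} activated")
    return f"CEF:0|ExampleVendor|MonitorDemo|1.0|{alert['monitor']}|Monitor activation|5|{ext}"


def run(events):
    """Feed the stream through both monitors and collect what a downstream system would see."""
    users = ParameterValueMonitor("User")
    access = SlidingWindowMonitor(name="accounting-access", attention="User",
                                  filters={"Server": "accounting"}, window_sec=300, threshold=10)
    new_users, alerts = [], []
    for ev in events:
        if users.feed(ev):
            new_users.append(ev["User"])
        alert = access.feed(ev)
        if alert:
            alerts.append(alert)
    return {"new_users": new_users, "alerts": alerts, "activations": access.activations}


if __name__ == "__main__":
    result = run(SAMPLE_EVENTS)
    print("new users:", result["new_users"])
    for a in result["alerts"]:
        print(to_cef(a))
```

On the constructed stream the alice hit at -400 s is evicted as soon as the hit at 0 s arrives, so only the eleven hits within 200 s count; the threshold of ten is reached on the tenth of them and exactly one alert is produced, while the monitor still records every filter match as an activation.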
When events, patterns, or event parameter values matching the monitoring criteria are detected in the stream of incoming data, the Event Processor activates the monitor. Kaspersky MLAD displays the number of monitor activations when you view a monitor and, through the CEF Connector, sends alerts about monitor activations to the external system when the specified threshold is reached within the sliding window.
The custom monitors are displayed in the Event Processor section on the Monitoring tab.