Kaspersky Machine Learning for Anomaly Detection

Configuring the statuses and causes of incidents

Kaspersky MLAD lets you specify the causes of incidents and the statuses of incidents and groups of incidents.

The status of an incident or a group of incidents is a mark about the status of incident analysis performed by an expert. After installation of Kaspersky MLAD, the following statuses of incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore and False positive. For the Problem closed and Ignore statuses, the Notify about an incident check box is cleared by default. If during registration, incidents are automatically assigned one of these statuses, no email alerts will be sent, and no incident dot indicators will be displayed under Monitoring or History. An incident status can be assigned automatically in one of the following cases:

• If the incident was automatically assigned to a group with that status.
• If the incident is registered by an ML model element that sets that incident status by default.

The incident cause is a mark of the cause of the incident added by an expert based on the results of the incident analysis.

You can add causes and statuses for incidents. The created causes and statuses of incidents will become available for selection in the Incidents section. You can also change and delete statuses and causes of incidents.

System administrators can configure the causes and statuses of incidents.

To add an incident status:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Incidents section.
3. In the Statuses of incidents section, click the Create button.

   The Create element pane appears on the right.

4. In the Value, in Russian field, specify the name of the incident status in Russian.
5. In the Value, in English field, specify the name of the incident status in English.
6. In the Sort field, indicate the sequence number for which the incident status will be sorted in the Incident status drop-down list in the Incidents section.

   The statuses of incidents will be sorted by their names if the sequence numbers of incident statuses coincide.

7. To send incident registration notifications together with the added status and display its indicator in the prediction error subsection of the Monitoring and History sections, select the Notify about an incident check box.

   If you remove the checkbox, no email alerts about incidents that receive the status automatically will be sent, and no incident dot indicators will be displayed under Monitoring or History.

8. Click the Save button.

To add a cause for incidents:

1. In the administrator menu, select System parameters → Incidents.
2. In the Causes of incidents section, click the Create button.

   The Create element pane appears on the right.

3. In the Incident cause field, specify the name of the incident cause.
4. In the Sort field, indicate the sequence number for which the incident cause will be sorted in the Incident cause drop-down list in the Incidents section.

   The causes of incidents will be sorted by their names if the sequence numbers of incident causes coincide.

5. Click the Save button.

To change the statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To change the parameters of incidents, do one of the following:
   • If you need to change the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Edit button.
   • If you need to change the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Edit button.
3. Make the necessary changes.
4. Click the Save button.

To remove statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To remove parameters of incidents, do one of the following:
   • If you need to delete the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Delete button.
   • If you need to delete the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Delete button.
3. In the window that opens, confirm the deletion.

Kaspersky MLAD will remove information about the incident statuses and causes from the corresponding tables and will remove them from the information about incidents and incident groups in the Incidents section for which these incident causes or statuses were selected.