Kaspersky Machine Learning for Anomaly Detection

About data provision

The application does not transfer users' personal data to Kaspersky. Users' personal data is processed locally on the computers where the application is installed.

Data transferred to external systems

Data is transmitted to external systems over encrypted communication channels.

If sending email notifications about incident logging is enabled, the application transfers the following data to the SMTP server:

  • ID
  • Date and time of the logging of the incident
  • Name of the ML model whose element registered the incident
  • Name of the ML model element that registered the incident
  • Registered incident status
  • Reason for the registered incident
  • Expert opinion on the registered incident
  • name
  • Top tag description
  • Value of the top tag at the time the incident is registered and its measurement unit
  • Name of the detector that logged the incident
  • Value of the ML model at the time the incident is registered
  • Blocking threshold value exceeded at the time the incident was registered
  • Link to the History section at the time of the start of the incident.

If sending notifications about incident logging through the MQTT Connector, AMQP Connector, WebSocket Connector, and/or KICS Connector is enabled, the application transfers the following data to the MQTT broker, AMQP broker, WebSocket server, and/or to Kaspersky Industrial CyberSecurity for Networks:

  • Incident ID
  • Date and time of the logging of the incident
  • Date and time of the incident completion
  • Name and unique ID (UUID) of the ML model that logged the incident
  • Unique ID (UUID) of the ML model element
  • Top tag ID and description
  • Name of the detector that logged the incident
  • Link to the History section at the time of the start of the incident
  • Value of the ML model element artifact at the time the incident is registered (if any)
  • Blocking threshold value exceeded at the time the incident is logged (if any)
  • Top tag value at the time the incident is logged
  • Incident status
  • Incident comment (if any)
  • Incident group ID (if any)
  • Incident group name (if any)
  • Expert opinion (if any)
  • IDs of the relevant tags
  • Reason for the incident (if any)

If notifications about the logged incidents are configured to be sent via the CEF connector, the application transfers the following data to the SIEM system:

  • Application vendor name
  • Application name
  • Kaspersky MLAD version
  • Application signature ID
  • Date and time of the logging of the incident
  • Date and time of the incident completion
  • Name of the detector that logged the incident
  • Name of the ML model that logged the incident
  • Link to the History section at the time of the start of the incident
  • Top tag description
  • Incident comment (if any)
  • Incident group name (if any)
  • Top tag value at the time the incident is logged
  • Incident group ID (if any)
  • Incident ID
  • Top tag ID.

If the logged events are configured to be sent via the CEF connector, the application transfers the following data to the SIEM system:

  • Application vendor name
  • Application name
  • Kaspersky MLAD version
  • Application signature ID
  • Date and time when the event was logged
  • Name of the that logged the event
  • Monitor ID
  • Type of the element that caused the monitor activation
  • Name of the attention head (if any)
  • Name of the daughter attention head (if any)
  • Sliding window of the monitor used to track the number of activations
  • Threshold of activations that, when reached, cause the monitor to send an alert to an external system
  • Number of activations on the sliding window
  • Indication of whether the detected element is new to the application
  • Contents of the element that triggered the last monitor activation
  • ID of the element that triggered the monitor activation

If sending information security event logs is enabled, the application transfers the following data to the Syslog server:

  • Application vendor name
  • Application name
  • Kaspersky MLAD version
  • Application signature ID
  • ID of the information security event
  • Date and time when the information security event occurred
  • Information security event type
  • Information security event subtype
  • Information security event severity level
  • Name of the user whose actions resulted in the information security event entry
  • IP address of the computer from which the user performed the actions logged into the information security event log
  • Information security event outcome
  • Brief summary of the information security event
  • Detailed description of the information security event.

Data processed locally on the Kaspersky MLAD server

To perform its main functions the application can receive, store and process the following information:

  • Information about the full backup copies of the application, if the application has been backed up or updated. The Kaspersky MLAD server stores information about full application backups until they are deleted by the user.
  • Information about the backup copies of the Docker volumes that are created during uninstallation of the application. The Kaspersky MLAD server stores information about Docker volume backups until they are deleted by the user.
  • Files containing the text of the End User License Agreement of the currently installed application version.
  • File named legal_notices.txt containing information about third-party code.
  • Certificates for connecting to the application using the web interface.
  • Certificates and certificate keys for encrypting the connection between Kaspersky MLAD connectors and services and the external systems.
  • Public keys for verifying the digital signature of the distribution package. The Kaspersky MLAD server stores public keys until they are deleted by the user.
  • User account data: account ID, last name, first name, middle name, email address, account status (active or blocked), password.

    Values that do not personally identify the user (for example, shop and job title) can be entered in place of the last name, first name and middle name of a user. The information specified in the Last name, Name and Middle name fields for users when creating user accounts is stored in plain text and is not processed by the application.

    The email addresses that are specified when creating accounts are used for the user names when users connect to the web interface of the application. User names are indicated in the information security event logs. Email addresses are used to send notifications about registered incidents.

    Users' email addresses are stored in plain text.

    Kaspersky MLAD does not store user passwords in plain text. Passwords are stored as hashes calculated with the scrypt algorithm. Kaspersky MLAD adds a salt to the password to prevent decoding. User passwords are not written to application logs.

    The system administrator enters information about user accounts in the administrator menu.

  • Data about roles and the rights assigned to these roles: role ID, role name, role status (active or inactive), list of assigned rights, date and time of role creation, date and time of role modification.

    The system administrator enters information about roles in the administrator menu.

  • Details of incident notifications: notification ID, notification name, whether incident notifications are enabled for published ML models only, notification state (active or inactive), notification language, email addresses to notify, types of incidents to send notifications for.

    The system administrator enters information about notifications in the administrator menu.

  • Information about the license keys uploaded to Kaspersky MLAD.
  • Data about Kaspersky MLAD settings:
    • Main application settings: monitored asset name, URLs and IP addresses for generating links to incidents in incident notifications, interval for receiving data from the Message Broker service, interval for receiving statistical data about incidents from the database, and the monitored asset time zone.
    • Application security settings: number of authorization attempts, user blocking period, user inactivity period, information on whether the password must be changed upon the first connection, number of user passwords stored in the history, password validity period, minimum password length, information on whether uppercase, lowercase Latin letters, numbers and/or special characters (_ ! @ # $ % ^ & *) must be used in the password, size and storage time of the information security event logs.
    • Anomaly Detector settings: information on whether to use the Limit Detector, Forecaster, XGBoost, and/or Rule Detector, information on whether to skip data gaps, the maximum number of records requested from the Message Broker service, the number of messages sent in one block to the Message Broker.
    • Keeper service settings: information indicating whether the values of all must be stored, and the timeout for receiving tag values, incidents, and metrics.
    • Mail Notifier service settings: notification sender email address, SMTP server address and port, user name and password for connecting to the SMTP server, information indicating whether to use a TLS connection, SMTP server certificate and certificate key.
    • Similar Anomaly settings: minimum and maximum number of incidents for the group, maximum interval between similar incidents.
    • Stream Processor settings: uniform grid step, configuration file with Stream Processor settings.

      The Stream Processor configuration file stores the IDs of the tags processed by the service and the values of tag processing settings.

      The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

    • HTTP Connector settings: size of the written block, maximum size of the uploaded file, information indicating whether TLS connection and the recommended TLS connection settings must be used, HTTPS server certificate and certificate key, root certificate to verify the signature of the client certificate, and information indicating whether the received tag values need to be scaled.
    • MQTT Connector settings: information indicating whether to use a TLS connection and the recommended TLS connection settings, address and port of the MQTT broker, user name and password to connect to the MQTT broker, root certificate, client certificate and client certificate key, list of MQTT subscriptions to receive tags, for publishing messages, format for processing incoming data, connector configuration file, and information indicating whether to scale the received tag values.

      The MQTT Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

    • AMQP Connector settings: information indicating whether to use a TLS connection and the recommended TLS connection settings, address and port of the AMQP broker, user name and password to connect to the AMQP broker, root certificate, client certificate and client certificate key, AMQP virtual node, names of AMQP exchange points for receiving tag values and publishing messages, list of subscriptions and the queue for receiving tag values, for publishing messages, format for processing incoming data, connector configuration file, and information indicating whether to scale the received tag values.

      The AMQP Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

    • OPC UA Connector settings: connection address, timeout for connection to the OPC UA server, connector configuration file, information indicating whether the received tag values need to be scaled, connection security policy, message security mode, user name and password for connecting to the server, client application certificate, private key of the client application certificate, password for the private key of the client application certificate, root certificate, historical data interval, beginning and end of the historical data period, size of the historical data block sent by the OPC UA server, and size of the historical data block sent to the Message Broker service.
    • KICS Connector settings: communication data package for the KICS Connector, password for the KICS Connector, information on whether to send messages to Kaspersky Industrial CyberSecurity for Networks, the tag frequency, information on whether to scale the received tag values.
    • CEF Connector settings: information indicating whether to receive events for the Event Processor service, information indicating whether to send registered incidents and/or events to a SIEM system, IP address and port for sending events and incidents to SIEM systems, information indicating whether to send the information security event logs to the Syslog server, transport protocol for sending information security events to the Syslog server, address and port of the Syslog server for sending information security events, information indicating whether to use a TLS connection and the recommended TLS connection settings, server certificate and certificate key, root certificate for verifying the signature of the client certificate, client certificate and certificate key, and root certificate for verifying the signature of the server certificate.
    • WebSocket Connector settings: WebSocket server URL address, root certificate, client application certificate and client application certificate key, incoming data processing format, connector configuration file, information indicating whether to scale the received tag values, information indicating whether to send incidents, and information indicating whether to use the recommended TLS connection settings.
    • Event Processor settings: service configuration file, information on whether to process incidents as events, the maximum number of network layers, the coefficient defining the permitted dispersion of the pattern duration, the interval for receiving epoch events, the epoch size in online mode, the mechanism for saving the Event Processor status, component backup frequency, the backup copy of the Event Processor status, epoch size in sleep mode, alert mode when the monitor is activated in sleep mode, sleep mode frequency and duration, event history interval for processing in sleep mode.
    • Incident status settings: incident status ID, incident status names in Russian and English, sorting sequence number, information on whether to display the registered incidents with this status.
    • Incident cause settings: incident cause ID, incident cause name, sorting sequence number.
    • Logging service settings: logging levels of the services and application connectors.
    • Settings of the time intervals for charts in the Monitoring, History, and Time slice sections: time interval ID, time interval name in Russian and English, sorting sequence number, ID of the user who created the time interval, ID of the user who last changed the time interval, time interval value.
    • Settings for displaying the items of the main menu and administrator menu: information on whether to display the items of the main menu and administrator menu in the application web interface.

    The system administrator defines Kaspersky MLAD settings in the administrator menu.

  • Asset and tag data: asset name, asset ID, asset icon, parent asset ID, asset description and type, asset type ID and name, names and values of special parameters of the asset type, asset type description, tag ID and name, tag alternative name, tag icon, tag description, tag type, tag unit of measurement, upper and lower thresholds for blocking, alarms and measurement reliability, comment to the tag, spatial location coordinates of the monitored asset sensor in space along the abscissa, ordinate and applicate axes, name of the device from which the tags from the external system originated, and the offset and multiplier parameters that are used to recalculate the tag values received from the connectors.

    The system administrator enters information about assets and tags in the administrator menu.

  • Preset data: preset name, preset ID, preset icon, names and IDs of tags included in the preset, name and description of the , axis scaling mode, upper and lower bounds for displaying tag values, additional threshold lines, information about tags included in the graphic area, information indicating whether you need to customize the expression for the Time slice, labels of the abscissa and ordinate axes, name of the expression for calculating tag values, expressions for calculating tag values, and the color of the graph for the preset in the Time slice.

    Any user can enter data in the Presets section.

  • Information about the number of tag observations and events received per second. The application calculates the data based on the data received from external systems.
  • Information about the values of tags and events received by the system. Data is received from external systems for which data receipt is configured.
  • Information about the generated artifacts. The application calculates the data based on the data received from external systems.
  • Information about the application service statuses: the name and current status of the service. The application displays the service status derived from the corresponding components.
  • Data on registered incidents and groups of incidents: incident ID, date and time when the incident was registered, top tag name and ID, incident cause, name of the detector that registered the incident, incident group name, incident status, ML model name, ML model element, ML model element artifact value, threshold value, top tag value, blocking thresholds, tag description and measurement units, incident type, date and time when the observation was generated, amount of time by which observation generation is ahead or behind the receipt of this observation by the application, expert opinion on the incident and on the group, incident comment, incident group name and ID, number of incidents in the group, date and time when the incident group was created, status of the registered incidents in the group, IDs of the relevant tags, and the blocking threshold reached when the incident was registered.

    The application generates this data as a result of analysis of the received data and on the basis of the settings specified by the user.

  • Settings for displaying charts in the Monitoring and History sections: chart height, preset for going to the History section (only when configuring the chart display settings in the Monitoring section), information on whether to display the observation chart with the selected color, the observation chart color, information on whether to display the prediction chart with the selected color, prediction chart color, information on whether to display the names and descriptions of tags on the charts, the predicted value of the tag and/or an individual tag error, information on whether to display indicators for all incidents on the charts, information on whether to display blocking thresholds and/or additional threshold lines on the charts, ML model element used to generate predicted values, presets, time intervals, date and time for displaying charts.

    Any user can enter data in the Monitoring and History sections.

  • Chart display settings in the Time slice section: chart height, ML model element used to generate predicted values, presets, time intervals, date and time for displaying charts.

    Any user can enter data in the Time slice section.

  • Settings for processing and displaying data for the Event Processor: ID, name and state of the attention head, attention subject parameters (individual for each monitored asset), information indicating whether to generalize the parameters of conditions, and the parameters of attention head conditions (individual for each monitored asset).

    If the Process incidents as events option is enabled in the Event Processor settings, the application stores and processes the following data:

    • Name of the detector
    • Name of the ML model being used
    • Top tag name and ID
    • Name of the incident group to which the registered incident belongs
    • Top tag value
    • Incident ID.

    Any user can enter the event processor data in the Event Processor section.

  • Data on monitoring events and patterns in the Event Processor: monitor name and ID, monitor state, number of registered activations on the sliding window, date and time of the last activation, activation stack limit, parameter that determines what is tracked by the monitor, sliding window, activation threshold, attention head, attention subject parameter, information indicating whether the monitor tracks events or patterns for a generalized attention subject, activation type, names of event parameters whose values are tracked by the monitor, types of filters, types of values tracked by the monitor, values of event parameters tracked by the monitor, ID of the event parameter value, event or pattern whose detection triggered activation of the monitor, date and time of event detection in the event stream, time interval between the current event and the previous event in the event stream on the sliding window, number of event repetitions in the event stream on the sliding window, number of event parameters whose values were received from the monitored asset, date and time of the last event detection in the stream of events on the sliding window, attention subject parameter and its value that triggered activation of the monitor, date and time of monitor activation, parameters of the event received from the monitored asset, number of events included in the pattern that triggered monitor activation, total number of pattern repetitions in the stream of events, generalized event ID, generalized pattern ID, number of monitor activations by the generalized event or pattern, number of events in the generalized pattern, number of values of the attention subject parameter whose detection triggered activation of the monitor, time interval between the first and the last event in the detected generalized pattern, detected generalized event, detected generalized pattern, and the values of attention subject parameters whose detection triggered activation of the monitor.

    The application generates data by analyzing the received data and the settings specified in the Event Processor section.

  • Data on registered patterns in the Event Processor: pattern ID, date and time of the last pattern detection in the interval, number of pattern detections in the event stream of the monitored asset for the given period, number of events in the pattern, date and time of the last pattern detection in the event stream or in sleep mode, date and time of the beginning and end of the pattern loading period, type of pattern, attention head, values of the event parameters for which the patterns are registered, template parameters for which the patterns are registered (individual for each monitored asset), ID of the subpattern, end date and time of the subpattern in the sequence of patterns, number of detections of the subpattern, number of events in the subpattern, time interval between the subpattern and the pattern detected in the sequence of patterns in the current layer before the subpattern, date and time of the last detection of the subpattern in the sequence of patterns in the current layer, IDs of events included in the pattern, date and time of event detection in the pattern structure, time interval between the selected event and the previous event, number of event repetitions in the structure of the selected pattern, number of event parameters whose values were received from the monitored asset, and the date and time of the last event detection in the event stream.

    The application generates data by analyzing the data and the settings specified in the Event Processor section.

  • Information about ML models and their parameters: ID and unique ID (UUID) of the ML model, name, description, status and state of the ML model, name of the user who last modified the ML model, date and time when the ML model was last modified, name of the user who created the ML model, date and time when the ML model was created or loaded, the names and IDs of its elements, the time interval, and for the .

    A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

  • Information about the ML model elements and their parameters:
    • Parameters common for all types of ML model elements: ID, name and description of the ML model element, status and state of the ML model element, time interval after which a repeated incident is generated, time interval during which repeated incidents are not registered, anomaly observation interval, anomaly duration share in the interval, incident cause and status, color of the incident indicator points, and expert opinion.
    • Main parameters of predictive ML model elements: element architecture, grid step in seconds, names and IDs of input tags, names and IDs of output tags, incident registration threshold, cumulative prediction error power, cumulative prediction error smoothing factor, number of steps in the input window for the input values, number of steps by which the beginning of the output window is shifted relative to the beginning of the input window, and the number of steps in the output window.
    • Parameters of a neural network element with a Dense architecture: multipliers for calculating the number of neurons on layers, activation on layers, and the regularization coefficient to prevent overfitting of the ML model element.
    • Parameters of a neural network element with an RNN architecture: number of neurons on layers, number of neurons distributed over time on the layers of the decoder, information indicating whether to restore the data received as input to the network, and the regularization factor to prevent overfitting of the ML model element.
    • Parameters of a neural network element with a CNN architecture: size of filters on the layers, number of filters on the layers, regularization factor to prevent overfitting of the ML model element, size of the maximum sampling window, number of neurons on the layers of the decoder, information whether it is necessary to restore the data received as network input.
    • Parameters of a neural network element with a TCN architecture: regularization factor to prevent overfitting of the ML model element, filter size, number of layers in the residual block, number of filters on layers, extensions on layers, type of layer before the output, packet size, and the activation function.
    • Parameters of a neural network element with a Transformer architecture: regularization factor in the encoder, number of attention heads, number of coding blocks, and multipliers for calculating the number of neurons on layers of the decoder.
    • Training settings of a predictive element: training time interval, names and IDs of the training markups, maximum training duration, ratio between the training and the validation sample, maximum number of epochs for training, number of epochs during which there must be no validation losses when training is stopped early, chart resolution to display the training results, size of the dataset for training, number of blocks, inference mode, training mode, automatic data division into blocks, memory size used for training, information indicating whether to initialize the model weights with values from the previous training results and/or shuffle the data, value for pseudo-random number generator initialization, learning rate coefficient, training optimization algorithm, and the loss optimization algorithm.
    • Information about the training results of the predictive element: training queue (IDs and names of ML model elements that are waiting in the queue for training), training status, names and IDs of the elements being trained, number of blocks into which the training data is divided, name of the user who started the training of the element, training duration, date and time of the training beginning and end, duration of the data time intervals in the training set, number of nodes included in the training set, training and validation errors, and the prediction made by the trained ML model on the training set.
    • Settings for elements based on diagnostic rules: information indicating whether to interpret the impossibility of evaluating a condition as rule fulfillment, time filtering settings: interval type, years, days, days of the week, and the time interval during which to validate the input data in accordance with the specified rule; tag behavior condition settings: tag for which the condition is added, tag behavior, rule fulfillment condition, number of UTG steps, tag threshold value, minimum number of times a rule is triggered before logging an incident, trend slope value, time interval between adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, direction of change in the tag value spread, indicator of whether the rule uses a pause and the pause settings: minimum and maximum timeouts, and the utilized group and logical operators.
    • Parameters of elements based on an elliptic envelope: incident registration threshold, grid step in seconds, and the names and IDs of input tags that must be included in the ML model.
    • Parameters for training an element based on an elliptic envelope: time interval for training, names and IDs of markups for training, sample fraction for estimating the mean and covariance, fraction of outliers in the sample, value for initializing the pseudo-random number generator, resolution of graphs for displaying training results, and information indicating whether to assume that the tag values are centered.
    • Information about the results of training an element based on an elliptic envelope: training queue (IDs and names of ML model elements that are waiting in the queue for training), training status, name and IDs of the elements being trained, name of the user who started the training of the element, training duration, date and time of the training beginning and end, duration of the data time intervals in the training set, number of UTG nodes included in the training set, tag deviation, tag values, tag value distribution and tag correlation.

    A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

  • Information about markups: ID, name and description of the markup, interval used to calculate data on UTG, markup color, method used for the markup to appear in the application, information indicating whether the markup is used as the main inference indicator, time filtering settings: interval type, years, days, days of the week, and the time interval during which the input data should be validated in accordance with the specified markup conditions; tag behavior condition settings: tag for which the condition is added, tag behavior, rule fulfillment condition, number of UTG steps, tag threshold value, minimum number of times a rule is triggered before logging an incident, trend slope value, time interval between adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, direction of change in tag value spread, indicator of whether the rule uses a pause and the pause settings: minimum and maximum timeout intervals, and the utilized group and logical operators.

    A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

  • Information security event logs: information security event ID, date and time of the information security event, type of information security event, subtype of information security event, severity level of the information security event, the name of the user whose actions resulted in registration of the information security event, the IP address of the computer from which the user performed the actions logged in the information security event log, the result of the information security event, a brief summary of the information security event, a detailed description of the information security event.

    The IP addresses of computers that established a connection to the web interface of the application are indicated in the information security event logs.

    The data is generated by Kaspersky MLAD automatically.

    Kaspersky MLAD stores information security event logs for the time period specified in the Retention time for information security event logs (days) setting when configuring security settings. The program deletes the earliest entries in the information security event log when the log exceeds the space allocated for storing information security events in the Volume of information security event logs (MB) setting.

  • Kaspersky MLAD container logs: event date and time, event severity level, name of the container for which the event is registered, event description.

    The data is generated by Kaspersky MLAD automatically.

    Kaspersky MLAD stores container logs for two days.

The logging system (Grafana) does not transmit users' data to Kaspersky or any third-party servers. You can read the procedure for storing and processing data in the logging system in the Grafana Logging System User Guide.

Data processed on users' computers

When working with the Kaspersky MLAD web interface, the following data is stored in the browser cookie files:

  • Individual JSON Web Tokens to support a user session for connecting to the application web interface. An individualized token is stored in the user's browser cookie files for the user inactivity period defined when configuring the security settings.
  • ID of the running Grafana session, if the user views the application logs. The Grafana session ID is stored in the user's browser cookie files for 30 days.

The user's browser stores data that is used to display the web interface:

  • The last used localization language of the application web interface
  • The last used option for displaying the main menu (hidden or maximized display)
  • The last used values of the time interval, preset, date and time, ML model element, and the chart display settings in the Monitoring, History, and Time slice sections
  • The last used page numbering settings
  • The last set filters for displaying data in the Event Processor section
  • The last used values of the incident status and cause in the Incidents section
  • Information about the Tags for incident #<incident ID> presets, generated for a registered incident
  • Information about the current installed version of Kaspersky MLAD.

This data is stored in the browser indefinitely. You can delete this data from the browser local storage yourself.

When exporting incidents, the application saves an XLSX file with the following data to the user computer:

  • Name of monitored asset
  • Period during which incidents were uploaded
  • IDs of the registered incidents
  • Date and time when the incidents were registered
  • Statuses of the registered incidents
  • Names of the groups that include the registered incidents
  • Names and IDs of the top tags that have the greatest impact on the registration of incidents
  • Top tag values
  • Top tag measurement units
  • Top tag descriptions
  • Names of the ML models that registered the incidents
  • Names of the detectors that registered the incidents.

When exporting information security event logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

  • IDs of the information security events
  • Date and time when the information security events occurred
  • Information security event types
  • Information security event subtypes
  • Information security event severity levels
  • Names of the users whose actions resulted in the registration of the information security events
  • IP addresses of the computers from which the users performed the actions stored in the information security event log
  • Information security event outcomes
  • Brief summaries of the information security events
  • Detailed descriptions of the information security events.

When exporting container logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

  • Date and time when the events occurred
  • Event severity levels
  • Name of the container for which the events are registered
  • Event description.

When exporting asset and tag configuration, the application saves an XLSX file with the following data to the user computer:

  • Asset type ID
  • Unique name of the asset type
  • Names of the special asset type settings (if any)
  • Asset type description (if any)
  • Asset ID
  • Asset name
  • Unique name of an asset within its parent asset
  • Asset description (if any)
  • Name of the parent asset to which the asset belongs (if any)
  • Parent asset ID (if any)
  • Names of the special asset settings (if any)
  • Values of the special asset settings (if any)
  • Tag ID
  • Unique name of the tag
  • Unique alternative name of the tag (if any)
  • Tag description
  • Name of the parent asset to which the tag belongs (if any)
  • Parent asset ID
  • Tag type (if any)
  • Tag measurement units
  • Lower and upper blocking thresholds (if any)
  • Lower and upper signaling thresholds (if any)
  • Lower and upper measurement confidence thresholds (if any)
  • Lower and upper boundaries for displaying the tag values on charts (if any)
  • The expression used to calculate the tag value from the value passed to Kaspersky MLAD
  • Tag comment
  • Location coordinates of the monitored asset sensor along the abscissa, ordinate, and applicate axes (if any)
  • Offset value that must be added to the tag value received from the connector
  • Multiplier value by which the tag value received from the connector must be multiplied

When exporting presets, the application saves a JSON file with the following data to the user computer:

  • Preset name
  • Preset ID
  • Sequence number for displaying the preset in the Presets section
  • List of IDs of tags included in the preset
  • Name of the preset icon
  • Name of the CSS class for displaying the preset icon
  • Information indicating whether the preset should be displayed in the Time slice section
  • Graphic area parameters within a preset:
    • Graphic area name
    • Graphic area description
    • Sequence number for displaying the graphic area in the preset under Monitoring, History, and Presets
    • Upper and lower bounds for displaying tag values in the graphic area
    • Parameters of additional threshold lines:
      • ID of the additional threshold line
      • Threshold value
      • Color of the additional threshold line
    • Axis scale mode
    • Method of scaling the chart in single axis mode
    • List of IDs of tags included in the graphic area
    • ID of graphic area
    • ID of the preset to which the graphic area belongs
  • When using a preset to display data in the Time slice section, the application saves the following data:
    • Text on the abscissa axis of the chart in the Time slice section
    • Name of the expression used to calculate the tag values
    • Text on the ordinate axis of the chart in the Time slice section
    • Expression used to calculate the tag values
    • Preset chart color in the Time slice section.

When exporting Kaspersky MLAD settings, the application saves configuration files with the following data to the user's computer:

  • A file with the settings of the incident statuses, which contains the following data:
    • Incident status ID
    • Name of the incident status in Russian
    • Name of the incident status in English
    • Ordinal number of the incident status for sorting
    • Information on whether to display registered incidents with this status.
  • A file with the settings of the incident causes, which contains the following data:
    • Incident cause ID
    • Name of the cause of the incident
    • Ordinal number of the incident cause for sorting.
  • A file with the settings of the time intervals for displaying data on the Monitoring, History, and Time slice charts, which contains the following data:
    • Time interval ID
    • Name of the time interval in Russian
    • Name of the time interval in English
    • Ordinal number of the time interval for sorting
    • ID of the user who created the time interval
    • ID of the user who last changed the time interval
    • Time interval value in milliseconds.
  • Settings of Kaspersky MLAD services and connectors:
    • Settings IDs
    • Names of the settings in the Kaspersky MLAD database
    • Types of the entered values
    • Entered or selected values
    • Name of the group to which the current setting belongs
    • Serial number of the setting displayed in the current section
    • Requirements for the setting value.
  • The Stream Processor configuration file containing the following data:
    • IDs of tags processed by Stream Processor
    • Values of the tag processing settings.

      The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

  • Configuration files of the MQTT Connector, AMQP Connector, and WebSocket Connector containing the following data:
    • Tag IDs obtained from the MQTT Connector, AMQP Connector, or WebSocket Connector
    • Tag timestamp measurement units
    • Type of the received data
    • Template format for decoding the received data type.
  • The OPC UA Connector configuration file containing the following data:
    • Tag ID
    • Name of the asset to which the tag belongs
    • Data type passed to the tag value.
  • The Event Processor configuration file containing the following data:
    • Rules for mapping event parameters received by the CEF Connector to the names of event parameters to be processed in the Event Processor service
    • List of event parameters to be processed
    • Time and time scale for event processing
    • Order and relationship of the event parameters for display on the relationship graph in the Event history section.
  • The communication data package for the KICS Connector containing the following data:
    • Encrypted public key of the Kaspersky Industrial CyberSecurity for Networks server certificate, and the certificate issued by the Kaspersky Industrial CyberSecurity for Networks server for the KICS Connector (with the private key).

      The contents of the file are encrypted with the password that was set when the KICS Connector was added or when a new communication data package was created for this connector.

    • KICS Connector configuration data: the name of the Kaspersky MLAD user for connecting to the Kaspersky Industrial CyberSecurity for Networks server, the KICS Connector ID, and the address of the Kaspersky Industrial CyberSecurity for Networks server for connection.