Kaspersky Machine Learning for Anomaly Detection
- About Kaspersky Machine Learning for Anomaly Detection
- What's new
- Kaspersky MLAD architecture
- Common deployment scenarios
- Telemetry and event data flow diagram
- Ports used by Kaspersky MLAD
- Installing and removing the application
- Installing the application
- Updating the application
- Checking the integrity of Kaspersky MLAD archive files
- Backing up the application
- Rolling back the application to the previous installed version
- Scenario for restoring Kaspersky MLAD from a backup
- Getting started
- Starting and stopping Kaspersky MLAD
- Switching between Kaspersky MLAD state control modes
- Updating Kaspersky MLAD certificates
- First startup of Kaspersky MLAD
- Removing the application
- Kaspersky MLAD web interface
- Connecting to Kaspersky MLAD and terminating a user session
- Changing a user account password
- Selecting the localization language for the Kaspersky MLAD web interface
- Licensing the application
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the license key file
- Available functionality of Kaspersky MLAD depending on the specific license
- Adding a license key
- Viewing information about an added license key
- Removing a license key
- Processing and storing data in Kaspersky MLAD
- System administrator tasks
- Managing user accounts
- Manage roles
- Managing incident notifications
- Configuring Kaspersky MLAD
- Configuring the main settings of Kaspersky MLAD
- Configuring the security settings of Kaspersky MLAD
- Configuring the Anomaly Detector service
- Configuring the Keeper service
- Configuring the Mail Notifier service
- Configuring the Similar Anomaly service
- Configuring the Stream Processor service
- Configuring the HTTP Connector
- Configuring the MQTT Connector
- Configuring the AMQP Connector
- Configuring the OPC UA Connector
- Configuring the KICS Connector
- Configuring the CEF Connector
- Configuring the WebSocket Connector
- Configuring the Event Processor service
- Configuring the statuses and causes of incidents
- Configuring logging for Kaspersky MLAD services
- Configuring time intervals for displaying data
- Configuring how the Kaspersky MLAD menu items are displayed
- Export and import of Kaspersky MLAD settings
- Managing assets and tags
- About monitored asset hierarchical structure
- About tags
- Create asset
- Change asset settings
- Create tag
- Adding a tag to an asset
- Editing a tag
- Moving assets and tags
- Deleting an asset or tag
- Checking the current structure of tags
- Uploading tag and asset configuration to the system
- Saving tag and asset configuration to a file
- Working with the main menu
- Scenario: working with Kaspersky MLAD
- Viewing summary data in the Dashboard section
- Viewing incoming data in the Monitoring section
- Viewing data in the History section
- Viewing data in the Time slice section
- Viewing data for a specific preset in the Time slice section
- Selecting a specific element of the ML model in the Time slice section
- Selecting a date and time interval in the Time slice section
- Navigating through time in the Time slice section
- Configuring how graphs are displayed in the Time slice section
- Working with events and patterns
- Working with incidents and groups of incidents
- About incidents
- About incidents detected by a predictive element of an ML model
- About incidents detected by an ML model element based on a diagnostic rule
- About incidents detected by an ML model element based on an elliptic envelope
- About incidents detected by the Limit Detector
- About incidents detected by the Stream Processor service
- About anomalies
- Scenario: analysis of incidents
- Viewing incidents
- Viewing the technical specifications of a registered incident
- Viewing incident groups
- Studying the behavior of the monitored asset at the moment when an incident was detected
- Adding a status, cause, expert opinion or note to an incident or incident group
- Exporting incidents to a file
- About incidents
- Managing ML models
- About ML models
- About statuses and states of ML models and their elements
- About ML model templates
- About markups
- About conditions included in markups and diagnostic rules
- Scenario: working with ML models
- Search and filter objects in the Models section
- Working with markups
- Working with imported ML models
- Working with manually created ML models
- Creating an ML model
- Adding a predictive element to an ML model
- Modifying an ML model predictive element
- Adding an ML model element based on a diagnostic rule
- Changing an ML model element based on a diagnostic rule
- Adding an elliptic envelope-based ML model element
- Editing an elliptic envelope-based ML model element
- Cloning of the ML model element
- Removing an ML model element
- Cloning an ML model
- Working with ML model templates
- Changing the parameters of an ML model
- Training an ML model predictive element
- Training an elliptic envelope-based ML model element
- Viewing the training results of an ML model element
- Starting and stopping ML model inference
- Viewing the data flow graph of an ML model
- Preparing an ML model for publication
- Publishing an ML model
- Removing an ML model
- Managing presets
- Managing services
- Troubleshooting
- When connecting to Kaspersky MLAD, the browser displays a certificate warning
- The hard drive is running out of free space
- The operating system restarted unexpectedly
- Cannot connect to the Kaspersky MLAD web interface
- Data graphs or graphic areas are not displayed in the History and Monitoring sections
- Events are not transmitted between Kaspersky MLAD and external systems
- Cannot load data to view in the Event Processor section
- Data is incorrectly processed in the Event Processor section
- Events are not displayed in the Event Processor section
- Previously created monitors and the specified attention settings are not displayed in the Event Processor section
- A markup result is not displayed
- A Trainer service stopped message is displayed
- Training of an ML model element completed with an error
- Email notifications about incidents are not being received
- You need to change the Help localization language
- Contacting Technical Support
- Limitations
- Appendix
- Settings of a .env configuration file
- Settings and example of the Excel file containing tag and asset configuration
- Settings and an example of JSON file that describes presets
- Settings and an example of JSON file containing a configuration for the Event Processor service
- Viewing the Kaspersky MLAD log
- Special characters of regular expressions
- Cipher suites for secure TLS connection
- Glossary
- Information about third-party code
- Trademark notices
Working with the main menu > Working with events and patterns
Working with events and patterns
Working with events and patterns
The Event Processor section provides data on
events
and the structure of A set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment
patterns
detected by the Event Processor service in the event stream received from external sources or from the Anomaly Detector service.
Sequence of events or other patterns identified within the stream of events from the monitored asset.
In the Event Processor section, you can view the history of received events and the registration history of new and/or persistently recurring patterns. You can also configure the display of event parameters and can configure pattern registration settings. On the Monitoring tab, you can monitor specific events, patterns, or values of event parameters, and generalized events and patterns received by the Event Processor within the data stream from monitored assets.
The functionality is available after a license key is added.
If restarted, Kaspersky MLAD restores the state of the Event Processor service and pauses the processing of data received from the CEF Connector. This data is temporarily stored in the internal queue of the application message broker. Until the Event Processor service is restored, the Event Processor section tabs will display a notification informing you that the Event Processor service has stopped. This service restoration process may take several minutes if there is a significantly large number of processed events or registered patterns.
Event Processor section
|
In this section |
Article ID: 248082, Last review: Nov 21, 2024