Kaspersky Machine Learning for Anomaly Detection
Managing monitors
The functionality is available after a license key is added.
Under Event Processor → Monitoring, you can manage monitors to track specific events, patterns, event parameter values, and generalized events or patterns. You can view a summary of registered activations by monitor as a histogram.
You can manage monitors on the Monitors tab. To navigate to the tab, click in the upper right corner of the section.
The tab displays all monitors created in the application, with the following brief information:
- Monitor name.
- Number of monitor activations on the sliding window.
- Monitor subscription type. The following values can be displayed for each monitor:
- Parameter values. The monitor tracks the occurrence of certain event parameter values.
- Events. The monitor tracks the occurrence of certain events.
- Patterns. The monitor tracks the occurrence of patterns in the behavior of the monitored asset.
- Unique generalized. The monitor tracks the occurrence of unique generalized events or patterns.
- Similar generalized. The monitor tracks the occurrence of similar generalized events or patterns.
- Activation threshold: the number of monitor activations on the sliding window that, when reached, causes the application to send a monitor activation alert to the external system.
- Period: the sliding window during which the number of monitor activations is counted.
You can view detailed information about each monitor if needed. To do so, click the monitor tile.
- Name: name of the monitor being viewed.
- State: parameter that determines the monitor state.
- Monitor ID: unique identifier of the monitor being viewed.
- Activations count is the number of registered monitor activations on the sliding window.
- Date and time of last activation: date and time when the monitor was last activated.
- Activation stack size determines the number of most recent monitor activations displayed in the Activation stack table.
- Subscription type indicates what is being tracked by the viewed monitor: event parameter values, events, or patterns.
- Sliding window indicates the time interval, measured back from the current time, within which the number of activations is counted. This window shifts synchronously with the passage of time according to the timestamps in events.
- Activation threshold indicates the number of activations that must be registered by the monitor on the sliding window before sending an alert about the monitor activation to the external system via the CEF Connector.
- Attention head indicates the specific attention head that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
- Attention subject parameter indicates the specific parameter of the attention subject that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
- Subscription to events determines whether the monitor is tracking generalized events. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
- Subscription to patterns determines whether the monitor is tracking generalized patterns. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
- Activation type determines whether the monitor is tracking new values of event parameters, events, and patterns. This parameter is displayed only when the monitor is activated by an event parameter value, event or pattern.
- Filters is a table containing information about filters for event parameters observed by the current monitor to track event parameter values, events, and patterns. The following data is displayed for each element:
- Parameter name refers to the name of the event parameter whose values are being observed by the viewed monitor.
Each monitored asset has its own specific incoming events and event parameters. The names of event parameters are defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator during configuration of the Event Processor service.
- Filter type determines the type of filter for event parameters that are observed by the current monitor to track event parameter values, events, and patterns.
- Value type defines which types of values are being tracked by the viewed monitor: values based on a template, specific values, new values, or all values.
- Values refers to the values of the event parameter that is being observed by the viewed monitor.
This table is displayed only when the monitor is activated by an event parameter value, event, or pattern.
- Activation stack is a table that contains information about the latest activations of the monitor:
- Parameter value ID is the ID of the event parameter value whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event parameter value.
- Event ID is the ID of the event whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event.
- Pattern ID is the ID of the pattern whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
- System parameters is a group of system settings containing the following information:
- Event date and time is the date and time when the event is detected in the event stream.
- Interval from previous item is the time interval between the current and the previous event in the event stream on the sliding window. Kaspersky MLAD displays the time intervals between events upon the first detection of the pattern containing the events. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for these events.
- Total activations is the number of event occurrences in the event stream on the sliding window.
- Parameter count is the number of event parameters for which the values were received from the monitored asset.
- Last activation is the date and time when the event was last detected in the event stream on the sliding window.
This group of parameters is displayed only when the monitor is activated by an event or an event parameter value.
- Attention subject is the attention subject parameter and its value whose detection activated the monitor. This parameter is displayed only when the monitor is activated by a pattern.
- Activation date and time is the date and time when the monitor was activated. This parameter is displayed only when the monitor is activated by a pattern.
- Event parameter is the value of the event parameter received from the monitored asset. This parameter is displayed only when the monitor is activated by an event parameter value.
- Event parameters are the values of the parameters of the event received from the monitored asset. This parameter is displayed only when the monitor is activated by an event.
- Event count is the number of events included in the pattern that caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
- Total activations: the number of pattern occurrences in the event stream on the sliding window. This parameter is displayed only when the monitor is activated by a pattern.
- Statistics on generalized events is a table that contains information about generalized events:
- Event ID is the ID of the generalized event.
- Activations count is the number of registered monitor activations on the sliding window.
- Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
- Event is the detected generalized event.
- Attention subjects are the attention subject parameter values whose detection activated the monitor.
This table is displayed only when the monitor is activated by generalized events.
- Statistics on generalized patterns is a table that contains information about generalized patterns:
- Pattern ID is the ID of the generalized pattern.
- Activations count is the number of registered monitor activations on the sliding window.
- Event count is the number of events in the generalized pattern.
- Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
- Pattern duration is the time interval between the first and the last event in a detected pattern. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the events of a pattern.
- Pattern is a detected generalized pattern.
- Attention subjects are the attention subject parameter values whose detection activated the monitor.
This table is displayed only when the monitor is activated by generalized patterns.
You can view the histogram with a summary of activations on the Histogram tab, in the upper right corner of the section.
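As an added illustration (not part of the Kaspersky MLAD documentation or product code), the following Python sketch models the Sliding window, Activation threshold and Activation stack behaviour described in this section: activations are counted on a window that shifts with event timestamps rather than wall-clock time, and an alert is raised once the count on the window reaches the threshold. The class and field names, the event format, the "specific values" / "new values" filter modes and the alert dictionary are assumptions.

```python
from collections import deque


class Monitor:
    """Sliding-window monitor modelled on the settings described on this page.
    Names, the event format and the alert dict are assumptions, not MLAD's API."""

    def __init__(self, name, parameter, values, period, threshold, stack_size=5):
        self.name = name
        self.parameter = parameter      # event parameter the monitor observes
        self.values = set(values)       # specific values to match; empty set = "new values"
        self.period = period            # sliding window length, in seconds
        self.threshold = threshold      # activations on the window that trigger an alert
        self.stack_size = stack_size    # most recent activations kept for display
        self.window = deque()           # (timestamp, value) of activations on the window
        self.stack = deque()            # activation stack shown to the operator
        self.seen = set()               # values already observed ("new values" mode)

    def _matches(self, value):
        if self.values:
            return value in self.values
        is_new = value not in self.seen     # "new values": first occurrence only
        self.seen.add(value)
        return is_new

    def process(self, event):
        """Feed one event; return an alert dict when the threshold is reached, else None."""
        ts = event["timestamp"]
        # The window shifts with event timestamps, not with wall-clock time
        while self.window and self.window[0][0] < ts - self.period:
            self.window.popleft()
        value = event.get(self.parameter)
        if value is None or not self._matches(value):
            return None
        self.window.append((ts, value))
        self.stack.append((ts, value))
        if len(self.stack) > self.stack_size:
            self.stack.popleft()
        if len(self.window) >= self.threshold:
            return {"monitor": self.name, "activations": len(self.window), "last": ts}
        return None


def run_monitor(monitor, events):
    """Replay constructed events in timestamp order and collect the alerts raised."""
    ordered = sorted(events, key=lambda e: e["timestamp"])
    return [a for a in (monitor.process(e) for e in ordered) if a]


if __name__ == "__main__":
    # Constructed sample: a burst of failed logins followed by a quiet period
    sample = [{"timestamp": t, "event_type": "login_failed"} for t in (0, 10, 20, 85)]
    m = Monitor("failed logins", "event_type", {"login_failed"}, period=60, threshold=3)
    print(run_monitor(m, sample))
```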