Under Event Processor → Monitoring, you can manage monitors to track specific events, patterns, event parameter values, and generalized events or patterns. You can view a summary of registered activations by monitor as a histogram.
You can manage monitors on the Monitors tab. To navigate to the tab, click in the upper right corner of the section.
The tab displays all monitors created in the application, with the following brief information:
Monitor name.
Number of monitor activations on the sliding window.
Monitor subscription type. The following values can be displayed for each monitor:
Parameter values. The monitor tracks the occurrence of certain event parameter values.
Events. The monitor tracks the occurrence of certain events.
Patterns. The monitor tracks the occurrence of patterns in the behavior of the monitored asset.
Unique generalized. The monitor tracks the occurrence of unique generalized events or patterns.
Similar generalized. The monitor tracks the occurrence of similar generalized events or patterns.
Activation threshold: the number of monitor activations on the sliding window that causes the application to send monitor activation alert to the external system when reached.
Period: the sliding window during which the number of monitor activations is tracked.
State: parameter that determines the monitor state.
Monitor ID: unique identifier of the monitor being viewed.
Activations count is number of registered monitor activations on the sliding window.
Date and time of last activation: date and time when the monitor was last activated.
Activation stack size determines the number of most recent monitor activations displayed in the Activation stack table.
Subscription type indicates what is being tracked by the viewed monitor: event parameter values, events, or patterns.
Sliding window indicates the time interval from the current time back to the time sequence for which the number of activations is taken into account. This window shifts synchronously with the passage of time according to the timestamps in events.
Activation threshold indicates the number of activations that must be registered by the monitor on the sliding window before sending an alert about the monitor activation to the external system via the CEF Connector.
Attention head indicates the specific attention head that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
Attention subject parameter indicates the specific parameter of the attention subject that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
Subscription to events determines whether the monitor is tracking generalized events. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
Subscription to patterns determines whether the monitor is tracking generalized patterns. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
Activation type determines whether the monitor is tracking new values of event parameters, events, and patterns. This parameter is displayed only when the monitor is activated by an event parameter value, event or pattern.
Filters is a table containing information about filters for event parameters observed by the current monitor to track event parameter values, events, and patterns. The following data is displayed for each element:
Parameter name refers to the name of the event parameter whose values are being observed by the viewed monitor.
Each monitored asset has its own specific incoming events and event parameters. The names of event parameters are defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator during configuration of the Event Processor service.
Filter type determines the type of filter for event parameters that are observed by the current monitor to track event parameter values, events, and patterns.
Value type defines which types of values are being tracked by the viewed monitor: values based on a template, specific values, new values, or all values.
Values refers to the values of the event parameter that is being observed by the viewed monitor.
This table is displayed only when the monitor is activated by an event parameter value, event, or pattern.
Activation stack is a table that contains information about the latest activations of the monitor:
Parameter value ID is the ID of the event parameter value whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event parameter value.
Event ID is the ID of the event whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event.
Pattern ID is the ID of the pattern whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
System parameters is a group of system settings containing the following information:
Event date and time is the date and time when the event is detected in the event stream.
Interval from previous item is the time interval between the current and the previous event in the event stream on the sliding window. Kaspersky MLAD displays the time intervals between events upon the first detection of the pattern containing the events. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for these events.
Total activations is the number of event occurrences in the event stream on the sliding window.
Parameter count is the number of event parameters for which the values were received from the monitored asset.
Last activation is the date and time when the event was last detected in the event stream on the sliding window.
This group of parameters is displayed only when the monitor is activated by an event or an event parameter value.
Attention subject is the attention subject parameter and its value whose detection activated the monitor. This parameter is displayed only when the monitor is activated by a pattern.
Activation date and time is the date and time when the monitor was activated. This parameter is displayed only when the monitor is activated by a pattern.
Event parameter is the value of the event parameter received from the monitored asset. This parameter is displayed only when the monitor is activated by an event parameter value.
Event parameters are the values of the parameters of the event received from the monitored asset. This parameter is displayed only when the monitor is activated by an event.
Event count is the number of events included in the pattern that caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
Total activations: the number of pattern occurrences in the event stream on the sliding window. This parameter is displayed only when the monitor is activated by a pattern.
Statistics on generalized events is a table that contains information about generalized events:
Event ID is the ID of the generalized event.
Activations count is the number of registered monitor activations on the sliding window.
Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
Event is the detected generalized event.
Attention subjects are the attention subject parameter values whose detection activated the monitor.
This table is displayed only when the monitor is activated by generalized events.
Statistics on generalized patterns is a table that contains information about generalized patterns:
Pattern ID is the ID of the generalized pattern.
Activations count is the number of registered monitor activations on the sliding window.
Event count is the number of events in the generalized pattern.
Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
Pattern duration is the time interval between the first and the last event in a detected pattern. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the events of a pattern.
Pattern is a detected generalized pattern.
Attention subjects are the attention subject parameter values whose detection activated the monitor.
This table is displayed only when the monitor is activated by generalized patterns.
You can view the histogram with a summary of activations on the Histogram tab, in the upper right corner of the section.
in the upper right corner of the section.