Scenario: analysis of incidents
This section describes the sequence of actions required when analyzing incidents registered by Kaspersky MLAD.
The functionality is available after a license key is added.
The incident analysis scenario described in this section is not a precisely regulated procedure. The specific scope and sequence of actions taken to investigate an incident and identify its cause depend on the particular subject area, the knowledge level of the process engineer or ICS expert investigating the incident, and the availability of additional information on the monitored asset.
The incident analysis scenario consists of the following steps:
- Viewing information about a registered incident
The Incidents section displays all incidents registered by Kaspersky MLAD, and provides detailed information about their registration time, the ML model that registered the incident, and an expert opinion if one was added. You can proceed to view incident information in one of the following ways:
- Viewing the latest incidents in the Dashboard section
If you want to view a recently detected incident, in the Dashboard section, click the date and time of the relevant incident in the Latest incidents table. In the History section that opens, in the lower part of the page, click the dot indicator in the artifact graph section to view a specific incident. The Incidents section opens showing only the incidents that were registered in the specific time interval represented by the selected dot indicator (the interval is displayed above the incidents table).
- Viewing incidents in the Incidents section
If you know the date and time when an incident was registered, select the corresponding incident in the Incidents section. You can change the time interval for the displayed incidents by using the bar graph or the date selection field in the upper part of the page.
- Navigating from an incident notification received by email
If an incident notification was created for you, you will receive the notification by email when an incident is registered. The email message contains the time when the incident began, the top tag, and a link to proceed to the History section in the Kaspersky MLAD web interface. You can use this link to proceed to the start of the incident in the History section. At the bottom of the History page, click the dot indicator that corresponds to the incident start time. The Incidents section opens showing only the incidents that were registered in the specific time interval represented by the selected dot indicator (the interval is displayed above the incidents table).
When you find the record for the required incident, click the button for viewing detailed information about the incident.
- Viewing information about similar incidents
When two or more similar incidents are detected, Kaspersky MLAD automatically combines them into a group. In the incidents table in the Incidents section, the group associated with the incident is displayed in the Incident group column. If nothing is indicated for the selected incident in this column, this means that Kaspersky MLAD has not yet detected incidents similar to this particular incident.
To view all incidents in a group, select the Groups tab and click the button next to the relevant group. The table displays information about the incidents assigned to the selected group, as well as an expert opinion if one was added. Read the expert opinions for the individual incidents and for the group.
- Studying the behavior of the monitored asset at the moment when an incident was detected
Study the behavior of the monitored asset at the moment when the incident was detected, for example by examining the tags in the automatically generated Tags for incident #<incident ID> preset in the History section around the incident time.
- Analyzing the incident
Analyze the incident while considering the specific details of incident registration depending on the type of the source that registered the incident:
- Forecaster. The predictive element of the ML model registers an incident when there is a significant discrepancy between the observed (actual) tag values and the predicted tag values. Based on the automatically generated Tags for incident #<incident ID> preset and the available expert knowledge about the monitored object, form a hypothesis about which tags could have caused the anomaly, study their behavior, and select the appropriate preset. Analyze the graph of the ML model element artifact: starting from the moment the prediction error threshold was reached, move back in time and examine the behavior of the tags at the moment when the prediction error values started to grow.
- Rule Detector. For each incident registered by an ML model element based on a diagnostic rule, the application automatically creates the Tags for incident #<incident ID> preset, which includes the value obtained as a result of the diagnostic rule operation and which caused the incident registration.
- Elliptic envelope. The elliptic envelope element of the ML model registers an incident when the distance of the observed state from the center of the normal-state cluster is equal to or greater than a predefined threshold. When registering an incident, the application generates a Tags for incident #<incident ID> preset that includes the tags whose exclusion from the ML model results in the smallest deviation of the observations from the normal state. Analyze the graph of the ML model element artifact: starting from the moment the threshold was reached, move back in time and examine the behavior of the tags at the moment when the deviation started to grow.
- Limit Detector. For each incident that was registered by the Limit Detector, the application automatically creates the Tags for incident #<incident ID> preset, which includes a single causal tag for the incident.
- Stream Processor. The Stream Processor service registers incidents at the data-ingestion stage, before telemetry data is passed to the ML model for processing. Incidents are registered if data loss is detected or if observations are received by Kaspersky MLAD too early or too late relative to the expected interval.
- Adding a status, cause, expert opinion or note to an incident or its incident group
For each incident, add an expert opinion or note in which you can specify whether the incident is an anomaly. An expert opinion and note for an incident are displayed only when viewing a specific incident. If necessary, you can specify the status and cause of an incident. The cause of an incident is displayed in the incidents table and when viewing a specific incident. You can also add or edit the status and expert opinion for a group of incidents.
If you know in advance the expert opinion, cause, and/or status of incidents registered by a specific ML model element, you can enter that information in the element parameters. The expert opinion, cause, and/or status will then be assigned automatically to incidents at the time of their registration by the element.
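The following script is an added illustration of the three registration mechanisms described in the Analyzing the incident step (Forecaster, Elliptic envelope, Stream Processor); it is not Kaspersky MLAD code and does not reproduce its models. The telemetry rows, timestamps, tag names, thresholds and the noise floor are constructed for the demonstration, and the envelope is an axis-aligned simplification (diagonal covariance, standard library only) of a real elliptic envelope. It shows what "move back in time from the moment the threshold was reached" and "the tags whose exclusion results in the smallest deviation" mean in practice.

```python
"""Illustration of Forecaster-, elliptic-envelope- and Stream-Processor-style
incident registration on constructed data. Not Kaspersky MLAD code; all
thresholds, tag names and helper names are assumptions for this example."""
from math import sqrt
from statistics import mean, pstdev

# Constructed telemetry: 12 observations of three tags at a nominal 1 s interval.
# The observed "pressure" starts drifting away from its prediction at index 6.
TAGS = ["pressure", "flow", "temp"]
OBSERVED = [
    [10.0, 5.0, 70.0], [10.1, 5.0, 70.1], [9.9, 5.1, 70.0],
    [10.0, 5.0, 69.9], [10.1, 5.0, 70.0], [10.0, 5.1, 70.1],
    [10.4, 5.0, 70.0], [10.9, 5.0, 70.1], [11.6, 5.1, 70.0],
    [12.5, 5.0, 70.0], [13.6, 5.0, 70.1], [14.9, 5.1, 70.0],
]
PREDICTED = [[10.0, 5.0, 70.0]] * len(OBSERVED)   # constant forecast
# Constructed arrival times: one late sample, one early sample, one lost sample.
TIMESTAMPS = [0.0, 1.0, 2.0, 3.0, 4.0, 5.4, 6.0, 8.0, 9.0]


def forecaster_incident(observed, predicted, threshold, noise_floor):
    """Forecaster-style registration.

    Returns (onset, registered, top_tag) or None.
    registered: first index where the mean absolute prediction error reaches
                `threshold` (the moment the incident is registered).
    onset:      walking back from `registered` while the error stays above
                `noise_floor`, the first index at which the error began to grow.
    top_tag:    the tag contributing most to the error at registration.
    """
    errors = [mean(abs(o - p) for o, p in zip(obs, pred))
              for obs, pred in zip(observed, predicted)]
    registered = next((i for i, e in enumerate(errors) if e >= threshold), None)
    if registered is None:
        return None
    onset = registered
    while onset > 0 and errors[onset - 1] > noise_floor:
        onset -= 1
    contrib = [abs(o - p) for o, p in zip(observed[registered], predicted[registered])]
    return onset, registered, TAGS[contrib.index(max(contrib))]


def elliptic_incident(observed, train_len, threshold):
    """Axis-aligned envelope: z-score distance from the center of the first
    `train_len` observations (assumed normal). Returns (registered, tag) or
    None, where `tag` is the single tag whose leave-one-out exclusion shrinks
    the deviation the most, i.e. the tag the preset would point at."""
    cols = list(zip(*observed[:train_len]))
    center = [mean(c) for c in cols]
    scale = [pstdev(c) or 1.0 for c in cols]      # guard constant tags

    def distance(row, skip=None):
        return sqrt(sum(((x - m) / s) ** 2
                        for j, (x, m, s) in enumerate(zip(row, center, scale))
                        if j != skip))

    for i, row in enumerate(observed):
        if distance(row) >= threshold:
            loo = {TAGS[j]: distance(row, skip=j) for j in range(len(TAGS))}
            return i, min(loo, key=loo.get)
    return None


def stream_timing_incidents(timestamps, interval, tolerance):
    """Stream-Processor-style checks on arrival times, done before any model
    sees the data. A gap of about two intervals or more is treated as data loss;
    smaller deviations beyond `tolerance` are flagged as too late / too early."""
    incidents = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        delta = cur - prev
        if delta >= 2 * interval - tolerance:
            incidents.append((cur, "data loss"))
        elif delta > interval + tolerance:
            incidents.append((cur, "too late"))
        elif delta < interval - tolerance:
            incidents.append((cur, "too early"))
    return incidents


if __name__ == "__main__":
    print("Forecaster:", forecaster_incident(OBSERVED, PREDICTED, 1.0, 0.1))
    print("Elliptic envelope:", elliptic_incident(OBSERVED, 6, 10.0))
    print("Stream Processor:", stream_timing_incidents(TIMESTAMPS, 1.0, 0.2))
```

Note that the Forecaster registers at index 10 but the walk-back lands on index 6, where the error first rose above the noise floor: the cause of an anomaly is usually visible several observations before the threshold is crossed, which is why the procedure above tells you to move back in time from the registration moment rather than to look only at the registered observation.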