Viewing incidents
This functionality is available only after a license key has been added.
To view incidents that were registered during a specific period:
- In the main menu, select the Incidents section.
- At the top of the page that opens, select the start and end dates of the period.
You can also narrow the displayed period by clicking a bar in the bar chart. Each bar represents a month, a week, or a day, depending on the length of the period selected above the chart.
- If necessary, filter the incidents by top tag name, incident group, incident status, and incident cause, and by the name and status of the ML model that registered them, by selecting values from the corresponding drop-down lists.
The table in the central area of the page shows the incidents registered during the selected period that match the specified filtering criteria. Clicking the Reset button clears the filters, so the table and the bar chart again show all registered incidents.
The following information is displayed for each incident in the table:
- ID is the identifier of the registered incident.
- Date and time is the date and time when the incident was registered.
Clicking the registration date and time opens the History section, where you can view the Tags for incident #<incident ID> preset that was generated for the registered incident.
- Top tag name is the name of the process parameter that had the greatest impact on incident registration.
- Incident cause is the cause of the registered incident. It is either entered by an expert (ICS process engineer or operator) after analyzing the incident, or assigned automatically from the incident cause specified for the ML model element that registered the incident.
- Model name is the name of the ML model whose element registered the incident. This field is empty if the incident was registered by Stream Processor.
- Detector is the type of detector that registered the incident: Elliptic Envelope, Forecaster, Limit Detector, Rule Detector, or Stream Processor.
- Incident group refers to the name of the incident group to which the registered incident belongs.
If two or more similar incidents are detected, the Similar Anomaly service automatically combines them into a group. To view the incidents that belong to a particular group, select the group name from the Incident group drop-down list above the incidents table.
- Incident status is the status of the registered incident. It is either entered by an expert (ICS process engineer or operator) after analyzing the incident, or assigned automatically from the incident status specified for the ML model element that registered the incident.
You can set the incident status based on the analysis results by selecting the appropriate value from the drop-down list. After Kaspersky MLAD is installed, the following statuses for incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore, and False positive. If necessary, the system administrator can create, edit, or delete incident statuses.