Kaspersky Machine Learning for Anomaly Detection

Studying the behavior of the monitored asset at the moment when an incident was detected

This section describes the sequence of actions required when studying the behavior of a monitored asset at the moment when an incident was detected.

The functionality is available after a license key is added.

Studying the behavior of a monitored asset consists of the following steps:

  1. Viewing the history of tags received for a monitored asset in the History section

    You can proceed to view incident information in one of the following ways:

    • If you want to view a recently detected incident, in the Dashboard section, click the date and time of the relevant incident in the Latest incidents table.
    • In the Incidents section, click the date and time of the relevant incident in the incidents table.
    • If an incident notification was created for you, you can proceed to view the incident by clicking the link from the email notification. The email message contains the time when the incident began, the top tag, and a link to proceed to the History section in the Kaspersky MLAD web interface.

    In the History section, Kaspersky MLAD displays graphs of tags received from the monitored asset for which the selected incident was registered. The graphs display data for the Tags for incident #<incident identifier> preset, generated for the date and time when the selected incident was registered. This preset includes the tags whose behavior led to incident registration. Depending on the type of the source that registered an incident, this may involve the following tags:

    • If the incident was registered by a predictive element of the ML model: the tags whose actual values deviated most from the values forecast by the ML model.
    • If the incident was registered by an ML model element based on a diagnostic rule: the tags included in the diagnostic rule and the value produced by that rule.
    • If the incident was detected by an ML model element based on the elliptic envelope: the tags whose removal from the ML model leaves the smallest deviation of the observations from the normal state.
    • If the incident was registered by the Limit Detector: the tag whose value was outside the configured blocking thresholds.

    If necessary, you can select a different preset for displaying data received from the monitored asset at the moment when the incident was registered. The graph uses a vertical blue dashed line to indicate the date and time when the incident was registered.

    Example tag graphs for a registered incident under History.

  2. Configuring how data is displayed on graphs in the History section

    Under History, you can turn on the display of predicted tag values generated by the predictive elements of the ML model. This lets you assess the difference between actual tag values and predicted tag values. Hovering over a tag graph displays tag details, such as the name, description, date and time when it was observed, value, and unit of measurement. You can also enable display of the tag name and description on the left of each tag graph.

  3. Configuring the time settings for displaying data in the History section

    When studying the behavior of tags, you can change the scale of the time axis or move forward or backward in time through the graphs. When a shorter time interval is displayed, the History section can show details of tag behavior that are averaged out when graphs for a longer period are displayed.

  4. Changing the vertical boundaries for displaying data in the History section

    When a single graphic area is displayed, the default vertical scale of the graph is determined automatically from the minimum and maximum tag values within the displayed area. If minimum and maximum permissible values (blocking thresholds) are defined for a tag, you can control the vertical scale of the graph by enabling Always display blocking threshold. While the tag value stays within the permissible range, the vertical scale is fixed by the limit lines drawn at the lower and upper thresholds of the tag. If the tag values go beyond the blocking thresholds, the vertical scale is automatically extended so that the values exceeding the thresholds remain visible.

    If graphic areas are displayed for several tags, you can adjust their vertical scale by using the parameters of the corresponding graphic area, which you can set when editing the selected preset.
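The following is an added illustration, not Kaspersky MLAD's own code or data format: it models how the Tags for incident preset is filled for two of the source types described in step 1 (a predictive element ranks tags by deviation from the forecast; the Limit Detector picks tags outside their blocking thresholds) and how the vertical scale rule from step 4 behaves with Always display blocking threshold. All tag names, values and thresholds are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data for one monitored asset at the incident timestamp.
# Illustrative only; not the product's real data model.
ACTUAL: Dict[str, float] = {"pressure": 12.4, "temp": 81.0, "flow": 3.1, "rpm": 1490.0}
FORECAST: Dict[str, float] = {"pressure": 10.0, "temp": 80.5, "flow": 2.9, "rpm": 1500.0}
# Blocking thresholds as (lower, upper); tags without thresholds are absent.
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "temp": (0.0, 90.0), "rpm": (1200.0, 1800.0), "flow": (1.0, 3.0),
}


def top_deviation_tags(actual: Dict[str, float], forecast: Dict[str, float], n: int = 2) -> List[str]:
    """Predictive element: tags whose actual values deviate most from the forecast.
    Deviation is taken relative to the forecast so tags on different scales compare."""
    scored = []
    for tag, value in actual.items():
        fc = forecast[tag]
        rel = abs(value - fc) / abs(fc) if fc else abs(value - fc)
        scored.append((rel, tag))
    scored.sort(reverse=True)
    return [tag for _, tag in scored[:n]]


def limit_detector_tags(actual: Dict[str, float], thresholds: Dict[str, Tuple[float, float]]) -> List[str]:
    """Limit Detector: tags whose value lies outside their blocking thresholds."""
    return [tag for tag, (lo, hi) in thresholds.items() if not lo <= actual[tag] <= hi]


def vertical_scale(values: List[float], thresholds: Optional[Tuple[float, float]] = None,
                   always_show_thresholds: bool = False) -> Tuple[float, float]:
    """Vertical axis bounds for one graphic area.
    Default: min/max of the displayed values. With the option on and thresholds
    defined, the axis is fixed to the thresholds while values stay inside them
    and is extended only as far as needed when values exceed them."""
    lo, hi = min(values), max(values)
    if always_show_thresholds and thresholds is not None:
        t_lo, t_hi = thresholds
        return (min(lo, t_lo), max(hi, t_hi))
    return (lo, hi)


if __name__ == "__main__":
    print("predictive preset:", top_deviation_tags(ACTUAL, FORECAST))
    print("limit detector preset:", limit_detector_tags(ACTUAL, THRESHOLDS))
    print("scale in range:", vertical_scale([10.0, 20.0], (0.0, 100.0), True))
    print("scale exceeded:", vertical_scale([10.0, 120.0], (0.0, 100.0), True))
```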